Connecting MO71 via a client.
jhues789
Posted: Thu Nov 09, 2006 12:17 pm    Post subject: Connecting MO71 via a client.

Apprentice

Joined: 20 Jan 2004
Posts: 37
Location: Madison WI

We are trying to roll out MO71 to our developers, limiting their authorities via a MQMON.aut file. Our problem is not with limiting their authorities within MO71; that works great. Our problem is getting them connected to the queue manager. The only way I have been successful is by adding their individual IDs to the mqm group. A nested group did not work.

I have to find another way as this would be a maintenance nightmare having to manage these mqm groups on multiple servers with 80+ developers.

Anyone have any thoughts?

Thanks in advance.

MQ53 Intel platform
_________________
Any opinion expressed is mine, no matter where I got it from, and I retain
all rights to it, should it actually prove to be of any value.
-- DISCLAIMER
jefflowrey
Posted: Thu Nov 09, 2006 1:29 pm

Grand Poobah

Joined: 16 Oct 2002
Posts: 19981

Nested groups do not work.

You can use setmqaut to give all the necessary permissions to another group, that is not nested.
_________________
I am *not* the model of the modern major general.
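
An added example, not part of the thread or any poster's own commands: one way to apply the setmqaut suggestion above on a Windows queue manager, granting a dedicated non-mqm local group only what an administration client needs. The names QM1, mqdev and APP1.REQUEST are placeholders, and the set of objects an admin client needs (the command queue and a model queue for replies) is an assumption to check against your own setup.

```bat
@echo off
rem Added illustration. QM1, mqdev and APP1.REQUEST are placeholder names.
rem mqdev is a local Windows group that is NOT mqm; per the extract quoted
rem later in the thread, it may contain one immediately nested domain global group.
set QM=QM1
set GRP=mqdev

rem Allow members to connect to the queue manager and inquire on it.
setmqaut -m %QM% -t qmgr -g %GRP% +connect +inq +dsp

rem Allow PCF commands to be put to the command server
rem (assumed requirement of an administration client).
setmqaut -m %QM% -n SYSTEM.ADMIN.COMMAND.QUEUE -t queue -g %GRP% +put +inq +dsp

rem Allow a reply queue to be opened from a model queue
rem (assumption: the client uses the default model queue).
setmqaut -m %QM% -n SYSTEM.DEFAULT.MODEL.QUEUE -t queue -g %GRP% +get +inq +dsp

rem Read-only access to one application queue: browse and display, no put or get.
setmqaut -m %QM% -n APP1.REQUEST -t queue -g %GRP% +browse +inq +dsp

rem Verify what the group actually holds.
dspmqaut -m %QM% -t qmgr -g %GRP%
dspmqaut -m %QM% -n APP1.REQUEST -t queue -g %GRP%
```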
jhues789
Posted: Thu Nov 09, 2006 2:04 pm

Apprentice

Joined: 20 Jan 2004
Posts: 37
Location: Madison WI

Yes, I did get from your response that nested groups do not work. But now I'm getting some conflicting information.

I got an e-mail from the listserv stating ( Thanks Neil)..........

Begin Extract from "System Admin" ...
Nested groups
Windows 2000 and Windows 2003 domain controllers by default are placed in function level 2000 mixed. When using this functional level users cannot add or nest local groups.

You can place Windows 2000 domain controllers in functional level 2000 native, or Windows 2003 domain controllers in functional levels 2000 native or Server 2003. This allows users to add or nest local groups, and also to perform multiple nesting of global and universal groups. The WebSphere MQ security model does not support either nested local groups, or multiple nesting of global and universal groups. This means that local and domain local groups are supported, as are any immediately nested global or universal groups. ...End Extract...

So, if you are running in a domain, then put your developers in a domain group, and put that domain group into a local mqm group. When checking user rights, Windows automatically promotes the check on the user to the domain level if a local user isn't found.
**********************************************************

I am now looking at using a domain group within the MQM group that can be managed in one place vs managing the group on each machine.
_________________
Any opinion expressed is mine, no matter where I got it from, and I retain
all rights to it, should it actually prove to be of any value.
-- DISCLAIMER
jefflowrey
Posted: Thu Nov 09, 2006 2:20 pm

Grand Poobah

Joined: 16 Oct 2002
Posts: 19981

Yes, you can nest a domain group and that will work. If it didn't, then "domain mqm" would never work.

That's not really a "nested" group, though.

Regardless, you should avoid putting anyone in the mqm group at all.

And remember that Windows Administrators are automatically granted mqm permissions.
_________________
I am *not* the model of the modern major general.
jhues789
Posted: Thu Nov 09, 2006 2:26 pm

Apprentice

Joined: 20 Jan 2004
Posts: 37
Location: Madison WI

Thank you so much. Between mqseries.net and the listserv...........I am getting quite a quick education in MQ securities and where we are totally lacking.

I am going to take a bit more time to digest everything and come up with a solid solution that will meet the needs of the auditors and get my developers the access they need.

Thanks again
_________________
Any opinion expressed is mine, no matter where I got it from, and I retain
all rights to it, should it actually prove to be of any value.
-- DISCLAIMER
RogerLacroix
Posted: Sun Nov 12, 2006 1:05 pm

Jedi Knight

Joined: 15 May 2001
Posts: 3264
Location: London, ON Canada

Hi,

As you have noted, your plan will not provide security for your queue managers.

Reason:

- The first thing I would do is delete your MQMON.aut file.
- Second if my UserId is in the mqm group then I can do whatever I want, whenever I want.
- Third, if my UserId is not in the mqm group then I would simply use MO71 with the dummy client exit listed here:
http://www.mqseries.net/phpBB2/viewtopic.php?t=21782
(This gives me 'mqm' UserId access.)

There are 3 solutions in the market-place that will properly protect your MQ Environment:
- Capitalware's MQ Authenticate User Security Exit
- IBM's WebSphere MQ Extended Security Edition
- IBM Tivoli's TAMBI


Regards,
Roger Lacroix
Capitalware Inc.
_________________
Capitalware: Transforming tomorrow into today.
Connected to MQ!
hopsala
Posted: Sun Nov 12, 2006 10:54 pm

Guardian

Joined: 24 Sep 2004
Posts: 960

RogerLacroix wrote:
- IBM's WebSphere MQ Extended Security Edition
- IBM Tivoli's TAMBI

Roger, unless I'm completely off, there's no difference between TAMBI and IBM Extended Security. IBM has rather successfully managed to confuse everyone into thinking it's another extension, but it's simply a package consisting of WMQ itself and TAMBI, nothing more.
From http://www-306.ibm.com/software/integration/wmq/securityedition:
Quote:
IBM offers WebSphere MQ Extended Security Edition to address environments where application-level data protection is a critical need. It includes 100% of the function offered in WebSphere MQ V6 plus the extended security services of IBM Tivoli® Access Manager for Business Integration (TAMBI) V5.1.1.

Also, add Primeur's DSMQ suite to the product list...
RogerLacroix
Posted: Mon Nov 13, 2006 10:07 pm

Jedi Knight

Joined: 15 May 2001
Posts: 3264
Location: London, ON Canada

hopsala wrote:
Also, add Primeur's DSMQ suite to the product list...

Thanks for the info.

Regards,
Roger Lacroix
Capitalware Inc.
_________________
Capitalware: Transforming tomorrow into today.
Connected to MQ!