
MQSeries.net Forum Index » WebSphere Message Broker (ACE) Support » mqsi user security

Lillian
Posted: Fri Aug 20, 2004 4:17 am    Post subject: mqsi user security

Centurion

Joined: 15 Apr 2002
Posts: 102

We are trying to implement some form of security on our mqsi systems. We require that developers only have access to development servers, with stricter control on production. We have tried duplicating the Domain mqbrXXX groups and adding these to the local mqbrxxx groups defined on the dev servers only. It looks like mqsi does not like the name change of the domain groups (dev). If we add the developers to the existing domain groups, they will have access to the prod servers as well.

Please advise on a way to best implement security between operations vs developers and prod vs dev.

regards
Lillian
kirani
Posted: Sat Aug 21, 2004 11:55 am

Jedi Knight

Joined: 05 Sep 2001
Posts: 3779
Location: Torrance, CA, USA

There is a WMQI control center security exit that you can use. Please take a look at supportpac pages.
_________________
Kiran


IBM Cert. Solution Designer & System Administrator - WBIMB V5
IBM Cert. Solutions Expert - WMQI
IBM Cert. Specialist - WMQI, MQSeries
IBM Cert. Developer - MQSeries

jefflowrey
Posted: Mon Aug 23, 2004 5:35 am

Grand Poobah

Joined: 16 Oct 2002
Posts: 19981

You can also reconfigure your development configuration managers so that they are not aware of the domain, and only use the local groups.

I believe this is done by setting -l0 and then providing the domain name to the configuration manager using -d. This will cause it to authenticate domain users and authorize them based on the local groups.

But you might have to drop and recreate your configuration managers to do this. I don't remember if mqsichangeconfigmgr lets you change the -d option.
_________________
I am *not* the model of the modern major general.
slaney
Posted: Wed Aug 25, 2004 1:41 am

Novice

Joined: 24 Aug 2004
Posts: 14
Location: Alphacourt (Swindon UK)

Lillian

Your question is a problem I have faced a number of times before.

The domain mqxxx groups are fixed names, i.e. hard coded. Therefore, using this security model, members of domain mqbrkrs, for example, will have rights to all config managers and brokers that exist in the single Windows domain or registry. So if you were to run both production and dev in the same domain, then developers would have rights to the production environment.

You do not state if you are using WBIMB5. If so, then you can overcome this problem by using mqsicreateaclgroup. This gives you much more granular role-based access control. Have a look at the manual.

Otherwise, the solution I used in the 2.x days was simply to have totally separate domains for each wmqi environment. So Dev took place on a Dev domain and prod was on a separate domain. These domains can, if required, have trust relationships to allow your developers logged into the dev domain to have access to production NT servers for file and printing purposes. I like this solution because I believe it is best practice to have logical, if not physical, separation between production networks and dev / test networks. So some of the problem, IMHO, is about organising your network in a way to encompass this concept.

I agree with jefflowrey. It might be possible to force the config mgr to be only aware of the local groups (assuming the config mgr is not on a Windows DC). Then add the domain users to the local groups and I guess that might work.

HTH
Kind Regards
Steve

_______________________________
Steven Lane MBCS
Information Security Consultant
________________________________