Security and MQSI.

Steve_lane
Posted: Fri Feb 15, 2002 3:22 am
Newbie
Joined: 22 May 2001 Posts: 4
Hi MQ'ers,
Does anybody have any experience of security in MQSI?
My environment is the control centre on a WINNT4 desktop, the config manager on an NT4 Server, and multiple brokers in the broker domain on AIX.
I can secure with exits easily between the config manager and the brokers. I understand that with Datasecure and Tivoli PDMQ it is possible to introduce a secure layer between the broker and the broker qmgr, but I have never done it, and I would be interested in hearing experiences of anyone who has.
Additionally I need to secure between my configuration manager and my control centre... now I hear cries of using NT security... but no! I want to use a security exit or something to secure the CC to CM server connection channel to make it bulletproof. Any offers of products or sample code how I can do this?
Kind Regards
Steve Lane
Think Corporation Ltd
steve.lane@thinkcorporation.com
http://www.thinkcorporation.com
[ This Message was edited by: Steve_lane on 2002-02-15 03:38 ]

mpuetz
Posted: Sat Feb 16, 2002 1:34 pm
Centurion
Joined: 05 Jul 2001 Posts: 149 Location: IBM/Central WebSphere Services
Hi,
I haven't used PDMQ with MQSI myself, but since PDMQ libraries
simply replace the standard mqm.dll library, MQSI should note and
shouldn't care.
If you want to secure your SVRCONN channels have a look at the SSPI
security exit that is shipped with MQ 5.2 including source code.
The source has been stripped of comments unfortunately. If you are
working in a pure NT or pure W2000 environment you might use the
SSPI exit right away.
Check the client manual and the intercommunication manual of MQSeries
to get familiar with both installation and writing channel exits.
_________________
Mathias Puetz
IBM/Central WebSphere Services
WebSphere Business Integration Specialist

Steve_lane
Posted: Wed Feb 20, 2002 2:01 am
Newbie
Joined: 22 May 2001 Posts: 4
Quote:
On 2002-02-16 13:34, mpuetz wrote:
Hi,
I haven't used PDMQ with MQSI myself, but since PDMQ libraries
simply replace the standard mqm.dll library, MQSI should note and
shouldn't care.
[ Steve's comments ] I agree with the above.
If you want to secure your SVRCONN channels have a look at the SSPI
security exit that is shipped with MQ 5.2 including source code.
The source has been stripped of comments unfortunately. If you are
working in a pure NT or pure W2000 environment you might use the
SSPI exit right away.
[ Steve's comments ] But how do you secure the MQSI CC with an exit... I am told it would require access to the source code...
Check the client manual and the intercommunication manual of MQSeries
to get familiar with both installation and writing channel exits.

ghost
Posted: Wed Feb 27, 2002 8:16 am
Newbie
Joined: 26 Feb 2002 Posts: 7
I have the same issue. I've been told that since the CC is a snap-on to Microsoft Management Console and uses WinNT domain security, you don't have a solution at the GUI. However, you could restrict the server connection so that even if someone has CC, they won't be able to see the queue manager. Supposedly, MQSI version 2.1 was to address this, but the whitepapers don't mention it.

ghost
Posted: Wed Feb 27, 2002 8:17 am
Newbie
Joined: 26 Feb 2002 Posts: 7
If anyone has a solid solution without using Tivoli or other 3rd party packages, please drop me a note: jim_u_cho@hotmail.com

Miriam Kaestner
Posted: Wed Feb 27, 2002 11:58 pm
Centurion
Joined: 26 Jun 2001 Posts: 103 Location: IBM IT Education Services, Germany
WMQI 2.1 does indeed support security exits for the Control Center connection.
At the CC side, you have to have Java security exit code and start CC with mqsilccsec.exe.
At the ConfigMgr, you must have C security exit code which is called by the SYSTEM.BKR.CONFIG channel.

zpat
Posted: Thu Feb 28, 2002 12:40 am
Jedi Council
Joined: 19 May 2001 Posts: 5866 Location: UK
Policy Director at one point did not work with MQSI v2, due to the way MQSI used the DLLs or something. I believe Tivoli have fixed this. But all these products can cause problems with end-to-end security, since encrypted messages cannot be routed or transformed in MQSI.
If you decrypt them in the broker, then you tend to lose the digital signature of the original user when the broker forwards it on, as it has to use the broker id to re-encrypt, which the receiving application may not be happy about.
All this can make MQSI security designs complex. The products are evolving though to provide plug-ins for MQSI (Data Secure has these).
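
The signature problem described in the post above, as an added example that is not part of the original thread: a broker that transforms a message must either forward a signature that no longer matches or re-sign under its own id, and the receiver has to decide whether the broker id is acceptable. HMAC-SHA256 with constructed keys stands in for a digital signature, encryption is left out, and the names `originate`, `broker_forward` and `receiver_accepts` are hypothetical.

```python
import hashlib
import hmac

# Constructed keys. HMAC-SHA256 stands in for each identity's digital
# signature; a real deployment would use asymmetric keys.
KEYS = {"app_user": b"constructed-key-1", "broker": b"constructed-key-2"}

def sign(identity: str, body: bytes) -> str:
    return hmac.new(KEYS[identity], body, hashlib.sha256).hexdigest()

def originate(identity: str, body: bytes) -> dict:
    """Sending application signs the message under its own identity."""
    return {"signer": identity, "body": body, "sig": sign(identity, body)}

def broker_forward(msg: dict, transform, resign: bool) -> dict:
    """Broker transforms the body; optionally re-signs under the broker id."""
    out = dict(msg, body=transform(msg["body"]))
    if resign:
        out["signer"] = "broker"
        out["sig"] = sign("broker", out["body"])
    return out

def receiver_accepts(msg: dict, trusted_signers: set) -> tuple:
    """Receiver checks integrity first, then who vouched for the message."""
    signer = msg["signer"]
    if signer not in KEYS:
        return (False, "unknown signer")
    if not hmac.compare_digest(sign(signer, msg["body"]), msg["sig"]):
        return (False, "signature does not match body")
    if signer not in trusted_signers:
        return (False, f"signed by {signer}, not an accepted identity")
    return (True, f"accepted on the word of {signer}")

def demo() -> dict:
    original = originate("app_user", b"<order><qty>5</qty></order>")
    to_upper = bytes.upper  # any broker transformation changes the bytes
    kept_sig = broker_forward(original, to_upper, resign=False)
    resigned = broker_forward(original, to_upper, resign=True)
    return {
        "untouched": receiver_accepts(original, {"app_user"}),
        "transformed, original signature kept": receiver_accepts(kept_sig, {"app_user"}),
        "re-signed, receiver wants the user": receiver_accepts(resigned, {"app_user"}),
        "re-signed, receiver trusts the broker": receiver_accepts(resigned, {"app_user", "broker"}),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

Only the last case is accepted after transformation, and it is accepted on the broker's identity alone; nothing in the forwarded message still proves who the original user was.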