Preventing MQ administration from outside |
techno |
Posted: Mon Sep 13, 2004 11:09 am Post subject: Preventing MQ administration from outside |
|
|
Chevalier
Joined: 22 Jan 2003 Posts: 429
|
We have an MQ server getting exposed by MQIPT in the DMZ. Are there any precautions to be taken to avoid any administration requests from outside of our intranet?
Thanks. |
fjb_saper |
Posted: Mon Sep 13, 2004 1:59 pm Post subject: |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
Do not run the command server.
This prevents the admin messages on the queue from being processed.
It means as well that you will have to telnet into the server and use runmqsc locally for admin. Anyway, if you can avoid it, you should have no svrconn channels on this server.
All transmissions should be made through sender receiver channels.
If possible using SSL.
Enjoy |
techno |
Posted: Mon Sep 13, 2004 2:49 pm Post subject: |
|
|
Chevalier
Joined: 22 Jan 2003 Posts: 429
|
Not running command server - This makes the intranet remote administration possible, which is not a good idea. Is there any other way?
Is it a good idea to use security exit: BlockIP2? But which channel?
Thanks
Last edited by techno on Thu Mar 24, 2005 10:56 am; edited 1 time in total |
Nigelg |
Posted: Tue Sep 14, 2004 12:17 am Post subject: |
|
|
Grand Master
Joined: 02 Aug 2004 Posts: 1046
|
If you want to run the cmd server, set up the security exit on the SYSTEM.ADMIN.SVRCONN channel which is what Explorer uses to put msgs on the cmd server input queue, SYSTEM.ADMIN.COMMAND.QUEUE.
Add security to this queue for OPEN & PUT. |
JasonE |
Posted: Tue Sep 14, 2004 4:03 am Post subject: |
|
|
Grand Master
Joined: 03 Nov 2003 Posts: 1220 Location: Hursley
|
Also be very careful...
1. Secure *EVERY* svrconn, not just system.admin.svrconn. One suggestion is to put an invalid security exit on the system.def.svrconn, so that any new svrconn you create is invalid until you fix up the security exit.
2. Remember a java client can come in with no userid and get mqm authority, so the security exit is a good blocking point, whereas no amount of setmqaut can stop mqm accessing things...
As I understand it, blockip2 will do this quite well, although I've never really used it. |
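
Added example, not part of any post in this thread: a Python check for the advice above to secure every svrconn. It parses the output of `DISPLAY CHANNEL(*) CHLTYPE(SVRCONN) SCYEXIT MCAUSER` from runmqsc and lists the SVRCONN channels that have no security exit set. The sample output, the channel name APP1.SVRCONN and the exit path and entry point are constructed placeholders.

```python
import re

# Constructed sample of `DISPLAY CHANNEL(*) CHLTYPE(SVRCONN) SCYEXIT MCAUSER`
# output from runmqsc; the exit path and entry point are placeholders.
SAMPLE = """\
AMQ8414: Display Channel details.
   CHANNEL(SYSTEM.ADMIN.SVRCONN)           CHLTYPE(SVRCONN)
   MCAUSER( )
   SCYEXIT(/path/to/exits/BlockIP2(EntryPoint))
AMQ8414: Display Channel details.
   CHANNEL(SYSTEM.DEF.SVRCONN)             CHLTYPE(SVRCONN)
   MCAUSER( )                              SCYEXIT( )
AMQ8414: Display Channel details.
   CHANNEL(APP1.SVRCONN)                   CHLTYPE(SVRCONN)
   MCAUSER(app1user)                       SCYEXIT( )
"""

# KEYWORD(value); the value may hold one nested (...) as in library(function).
ATTR = re.compile(r"([A-Z]+)\(((?:[^()]|\([^()]*\))*)\)")


def parse_channels(text):
    """Split runmqsc output into one attribute dict per channel."""
    channels, current = [], None
    for line in text.splitlines():
        if line.startswith("AMQ8414"):
            # Each channel's attributes follow its own AMQ8414 header line.
            current = {}
            channels.append(current)
        elif current is not None:
            for key, value in ATTR.findall(line):
                current[key] = value.strip()  # blank attributes print as "( )"
    return channels


def unprotected_svrconns(text):
    """Names of SVRCONN channels that have no security exit configured."""
    return sorted(
        ch["CHANNEL"] for ch in parse_channels(text)
        if ch.get("CHLTYPE") == "SVRCONN" and not ch.get("SCYEXIT")
    )


if __name__ == "__main__":
    for name in unprotected_svrconns(SAMPLE):
        print("no security exit:", name)
```

A non-blank SCYEXIT only shows that an exit is named on the channel; whether that exit loads and what it blocks still has to be tested with a client connection.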