amita09 (Novice; joined 13 Oct 2005; posts: 24)
Posted: Thu Oct 13, 2005 8:39 am Post subject: Restricting other Applications access to Queue Managers
Hi,
We have the following problem in our project.
There is a Queue Manager which is being used by App-1 to connect to and put messages in a queue Q1.
I would like to restrict access to only App-1, and no other apps should have access to this MQ resource (Queue manager, queue etc.).
How can it be done?
regards,
jefflowrey (Grand Poobah; joined 16 Oct 2002; posts: 19981)
Posted: Thu Oct 13, 2005 8:41 am
wschutz (Jedi Knight; joined 02 Jun 2005; posts: 3316; location: IBM (retired))
Posted: Thu Oct 13, 2005 8:45 am
Actually, it can't be done. Access is controlled by userid or groupid, not by application ID.
_________________
-wayne
kishpool (Newbie; joined 10 Oct 2005; posts: 2)
Posted: Thu Oct 13, 2005 9:23 am
Hi,
I think your idea is to give access to a particular user.
If that is the case, it can be done; it cannot be done with an application.
Reply if that was the problem.
Regards
markt (Knight; joined 14 May 2002; posts: 508)
Posted: Thu Oct 13, 2005 9:58 am
>> Actually, it can't be done.

Actually, it can. Not saying it's trivial, but ...
With MQ V6 there's an authentication exit point which gets passed the application name at MQCONN time. Look at the MQZAC structure. You could write code to do something there.
javagate (Disciple; joined 15 Nov 2004; posts: 159)
Posted: Thu Oct 13, 2005 11:19 am
MQSeries security on z/OS is very robust. Is there no security on the alternate platforms, such as MQCONN, MQADMIN, MQCMDS, MQQUEUE?
_________________
WebSphere Application Server 7.0 z/OS & MQ 6.0. I work with WebSphere in the real world, not in some IBM lab.
jefflowrey (Grand Poobah; joined 16 Oct 2002; posts: 19981)
Posted: Thu Oct 13, 2005 11:20 am
javagate wrote:
> MQSeries security on z/OS is very robust. Is there no security on the alternate platforms, such as MQCONN, MQADMIN, MQCMDS, MQQUEUE?

Yes, there is robust security on distributed MQ.
_________________
I am *not* the model of the modern major general.
wschutz (Jedi Knight; joined 02 Jun 2005; posts: 3316; location: IBM (retired))
Posted: Thu Oct 13, 2005 11:36 am
markt wrote:
> Actually, it can. Not saying it's trivial, but ...
> With MQ V6 there's an authentication exit point which gets passed the application name at MQCONN time. Look at the MQZAC structure. You could write code to do something there.

Yes, of course mark, you're correct. I'll rephrase my statement....
WebSphere MQ, as shipped, cannot control access based on application names, only users and groups.
_________________
-wayne
amita09 (Novice; joined 13 Oct 2005; posts: 24)
Posted: Thu Oct 13, 2005 5:12 pm
Hi, thanks for the replies. So can I check with you whether this option of using an Application context is available on MQ version 5.3?
regards,
amita09 (Novice; joined 13 Oct 2005; posts: 24)
Posted: Thu Oct 13, 2005 5:17 pm
Also, can you clarify what type of Exit this is? You mentioned it is an Authentication Exit... I know there are 3 types of exits available (Security, Message and Send/Receive). Which one is this?
Is there sample code available showing what needs to be done to get this working on MQ v5.3?
Does it require a change in the existing application to set the Application Name in all messages? I am not clear about this.
Can you provide some more details?
Thanks a lot!
wschutz (Jedi Knight; joined 02 Jun 2005; posts: 3316; location: IBM (retired))
Posted: Thu Oct 13, 2005 5:19 pm
amita09 wrote:
> Hi, thanks for the replies. So can I check with you whether this option of using an Application context is available on MQ version 5.3?
> regards,

Please rephrase your question.... are you referring to what markt said? If so, then the answer is "no".
_________________
-wayne
jefflowrey (Grand Poobah; joined 16 Oct 2002; posts: 19981)
Posted: Thu Oct 13, 2005 5:21 pm
Look.
You should read the security manual, to which I *very* helpfully gave you a direct link.
And then you should read the System Administration manual.
You really probably do not need to authenticate at the application level rather than the user level.
If you read the documentation and learn the product, you will save yourself time.
Your question was badly put, and I don't mean that your English was not good. It indicated that you had not taken the time to learn the product and read the manuals, but were coming here for free training. You therefore did not get very helpful answers.
_________________
I am *not* the model of the modern major general.
kevinf2349 (Grand Master; joined 28 Feb 2003; posts: 1311; location: USA)
Posted: Thu Oct 13, 2005 6:23 pm
I am confused here.......
Why would you need to do application-level security rather than userid or group? Most security systems are user-centric. (I know security can be placed on programs etc., but again this is based on userid.)
Maybe I am being a little bit oversimplistic here, but wouldn't it be easier to have the application just ignore (or redirect) non-application messages?
amita09 (Novice; joined 13 Oct 2005; posts: 24)
Posted: Thu Oct 13, 2005 6:32 pm
Hi..
An application-level check is also required besides userid and password, so that a rogue application does not write to my Queue Manager, considering the fact that the userid of the application is based on the OS userid under which it is running.
Jeff: Thanks for the URL. Just so you know, I also do not appreciate people asking for cooked food; it's just that I am in a hot seat right now. Sorry, and thanks for the help. I just wanted to clarify whether it is supported in MQ 5.3 or not. It seems from the manual that 3 new fields were added to MQ V6; MQZAG is one of them. I am not sure if an upgrade is advised in this case.
Any more views and thoughts from the rest are also welcome.
jefflowrey (Grand Poobah; joined 16 Oct 2002; posts: 19981)
Posted: Thu Oct 13, 2005 6:42 pm
If you can't control the applications that run on the box, then you can't secure your Queue Manager.
And by control, I mean ensure that only authorized processes are run with authorized configuration files that establish authorized connections as an authorized user.
If you *can* control what applications run on the QM machine, then you still do not need app-level security.
You can fully ensure that only the application in question can access your QM by configuring *all* of your QM channels to use SSL, generating a unique key for the app in question, and giving it its own SVRCONN channel with an MCAUSER.
_________________
I am *not* the model of the modern major general.
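One way to set up what Jeff describes (TLS on the channels, a certificate unique to the application, and a dedicated SVRCONN whose MCAUSER fixes the identity the queue manager authorises), written here as an added example and not taken from the thread; the queue manager name QM1, the key repository path, the channel name APP1.SVRCONN, the certificate DN, the cipher spec and the user name app1mq are all assumptions:

```mqsc
* Added example, not from the thread. Assumed names: queue manager QM1,
* key repository path, channel APP1.SVRCONN, certificate DN
* 'CN=app1,O=Example', OS user app1mq. Pick a cipher spec that the MQ
* level in use actually supports.

* 1. Point the queue manager at its key repository (stem name, no .kdb).
*    It holds the queue manager's own certificate plus the CA certificate
*    that signed App-1's client certificate, so only certificates from
*    that CA can complete the handshake.
ALTER QMGR SSLKEYR('/var/mqm/qmgrs/QM1/ssl/key')

* 2. A SVRCONN reserved for App-1: TLS is mandatory (SSLCIPH), the client
*    must present a certificate (SSLCAUTH), only App-1's DN is accepted
*    (SSLPEER), and MCAUSER replaces whatever userid the client asserts,
*    so authorisation is always evaluated for app1mq and never for the
*    OS userid the connecting process happens to run under.
DEFINE CHANNEL(APP1.SVRCONN) CHLTYPE(SVRCONN) TRPTYPE(TCP) +
       SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA) +
       SSLCAUTH(REQUIRED) +
       SSLPEER('CN=app1,O=Example') +
       MCAUSER('app1mq') +
       DESCR('App-1 only, certificate-bound') REPLACE

* 3. Close the channels every client could otherwise use: give the
*    default SVRCONNs an MCAUSER that does not exist on the system, so a
*    connection over them is accepted by TLS but fails authorisation.
ALTER CHANNEL(SYSTEM.DEF.SVRCONN)  CHLTYPE(SVRCONN) MCAUSER('NOACCESS')
ALTER CHANNEL(SYSTEM.AUTO.SVRCONN) CHLTYPE(SVRCONN) MCAUSER('NOACCESS')

* 4. Verify: no SVRCONN should be left with a blank MCAUSER or no SSLCIPH.
DISPLAY CHANNEL(*) CHLTYPE(SVRCONN) MCAUSER SSLCIPH SSLPEER
```

The OS-side half is done with `setmqaut`: grant app1mq's group `+connect` on the queue manager and `+put` on Q1, and nothing to any other group, so the MCAUSER of the certificate-bound channel is the only identity that can reach Q1 at all.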