Authority based on application name not on uid ???
Shalini
Posted: Thu May 12, 2005 1:57 am    Post subject: Authority based on application name not on uid ???

Hi,

We have a typical requirement: we have n applications accessing a QM and queues with the uid "junk".

But I want to restrict only one application which is also running under "junk" uid.

My restrictions should be based on application type or application name.

I cannot take out the application from "junk" uid.

MQ auth commands are not of much help in this case, as they set the authority based on uid, not based on the application type or application name.

Please suggest...

jefflowrey
Posted: Thu May 12, 2005 3:12 am
I keep wanting to say that the only way to do this is to write code.

But I don't know that for sure.

Are the apps making client connections, or server connections?
_________________
I am *not* the model of the modern major general.
PGoodhart
Posted: Thu May 12, 2005 3:16 am
I "think" that you might get this with one of the commercial security exits. I seem to recall that this was one of the options on one of them (security based on application name).
Does anyone else recall this or know which exit it might be?
_________________
Patrick Goodhart
MQ Admin/Web Developer/Consultant
WebSphere Application Server Admin
Shalini
Posted: Fri May 13, 2005 12:02 am
Hi,

Quote:
Are the apps making client connections, or server connections?


The applications are making server connections as well as client connections, i.e. some are Java applications and others are C applications.

Quote:
commercial security exits


Is it freely downloadable or $-based s/w?

PGoodhart
Posted: Fri May 13, 2005 3:07 am
"Commercial" means pay to use....
Most of the best things in life aren't free.
_________________
Patrick Goodhart
MQ Admin/Web Developer/Consultant
WebSphere Application Server Admin
jefflowrey
Posted: Fri May 13, 2005 3:13 am
If any apps are using server connections, then the only way to do this is to write or buy code.

If *all* apps were using client connections, you could have different apps use different svrconn channels and assign different MCAUsers to those different channels. This would replace the user information that's coming from the client with the MCAUser and you could then lock down different sets of queues from different apps.

But there would be no way to prevent app A from using App B's SVRCONN.
_________________
I am *not* the model of the modern major general.
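The per-channel MCAUSER arrangement described above, written out as MQSC. This is an added example, not code from the thread or from any of the posters; the queue manager name QM1, the channel names APPA.SVRCONN and APPB.SVRCONN, the user ids appa and appb, and the queue names APPA.QUEUE and APPB.QUEUE are all hypothetical.

```mqsc
* Added example (not from the thread): one SVRCONN channel per client
* application. MCAUSER on the channel replaces whatever user id the
* client sends, so authority is then evaluated for appa or appb rather
* than for the shared "junk" id. All names here are hypothetical.
DEFINE CHANNEL(APPA.SVRCONN) CHLTYPE(SVRCONN) TRPTYPE(TCP) MCAUSER('appa') REPLACE
DEFINE CHANNEL(APPB.SVRCONN) CHLTYPE(SVRCONN) TRPTYPE(TCP) MCAUSER('appb') REPLACE

* The queues each application is allowed to use.
DEFINE QLOCAL(APPA.QUEUE) REPLACE
DEFINE QLOCAL(APPB.QUEUE) REPLACE
```

With the channels in place, the queue-level restriction is done with setmqaut against the MCAUSER ids rather than against "junk", for example `setmqaut -m QM1 -t qmgr -p appa +connect +inq` and `setmqaut -m QM1 -t queue -n APPA.QUEUE -p appa +put +get +browse +inq`, and the same pair for appb on APPB.QUEUE. On UNIX the queue manager stores authority records by group, so in practice `-g` with each user's primary group is used instead of `-p`. Two things to check after applying this: the application's 2035 (MQRC_NOT_AUTHORIZED) on the queue it should not reach confirms the mapping works, and, as noted in the post above, nothing in the channel definition stops application A from naming APPB.SVRCONN in its connection, so this separates authority per channel, not per program.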
oz1ccg
Posted: Fri May 13, 2005 4:13 am
If the applications are coming from different boxes or running under different users, you can control the connections very easily using BlockIP2 (one of the free tools)
http://www.mrmq.dk/BlockIP2.htm

Quote:
But there would be no way to prevent app A from using App B's SVRCONN.


If they are coming from the same box, same userid, it's more complicated.... It will require a way to pass a security token from the connecting application to the server/exits.

Just my $0.02
_________________
Regards, Jørgen
Home of BlockIP2, the last free MQ Security exit ver. 3.00
Cert. on WMQ, WBIMB, SWIFT.
jefflowrey
Posted: Fri May 13, 2005 4:32 am
oz1ccg wrote:
If they are coming from the same box, same userid, it's more complicated.... It will require a way to pass a security token from the connecting application to the server/exits.

Like, perhaps, the process id in the mqmd?
_________________
I am *not* the model of the modern major general.
oz1ccg
Posted: Sat May 14, 2005 2:26 pm
Let's face a bit about security.....

I have some assumptions (necessary):
1. the servers in a network granted access to a queue manager should at some level be trusted and authenticated in some way. Like security exits, etc.

2. on the queue manager we're using access control, and only granting the applications access to the needed queues, based on the assigned userid.

If this is true, we have two applications, A (the good one) and B (bad), running under user junk. On the qmgr, junk has access to queue A and not to queue B (used by program B).
If we're starting the B program, and it has the security credentials to connect to the qmgr, it will receive a 2035 when it tries to open queue 'B'.
This should be ok.

About using
Quote:
Like, perhaps, the process id in the mqmd?

I don't know how to check it on the queue manager... But by using the program name xxxx.exe. A process id (just a number) is no good to me.
Program name could be checked using a receiver or API exit, but it will require some administration.

My recommendation would be to create some dedicated accounts, where the various applications are running, so it's easy to segregate the queue access...
Next, I would expect that production applications are known to be trustworthy; this means at some level we have to trust the behaviour of the code running.... If we didn't trust any application, would we have any IT ???

But back to the beginning: why only use one user "junk" ??

Just my $0.02
_________________
Regards, Jørgen
Home of BlockIP2, the last free MQ Security exit ver. 3.00
Cert. on WMQ, WBIMB, SWIFT.
jefflowrey
Posted: Sun May 15, 2005 8:10 am
oz1ccg wrote:
I don't know how to check it on the queue manager... But by using the program name xxxx.exe. A process id (just a number) is no good to me.
Program name could be checked using a receiver or API exit, but it will require some administration.


Program name is what I meant. And since it's in the MQMD and the PID is not, that should have been mostly clear.

My somewhat subtle suggestion was that BlockIP could be modified by someone to include checking this.

But yeah - the real solution to this problem is to change the user that the programs are running as. Jumping through any other hoops is just going to leave the hole open for even more layers of complexity and effort - "Well, I need this copy of this app on this box to only be able to access A,B,C and this other copy of the same app on the same box to only be able to access P,Q, and R.... can't you just tweak what you did last time to make this work for me?"
_________________
I am *not* the model of the modern major general.