In_love_with_MQ
Posted: Fri Mar 24, 2006 3:35 am Post subject: MQEnvironment.userID= : USELESS ??
Acolyte
Joined: 10 Jul 2005 Posts: 70

Hi,
I am using a program in client mode.
I am trying to set the user ID:
MQEnvironment.userID = "xxxxxx";
But whether I set it or not, the program is GETTING CONNECTED.
How can I pass the user ID and password?
Since I am using a SVRCONN channel, anybody from any system can connect to my QM, and that is a security risk.
How can I achieve this?
Vitor
Posted: Fri Mar 24, 2006 3:50 am Post subject:
Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA

Have you seen this one:
http://www.mqseries.net/phpBB2/viewtopic.php?t=28329
When you say you're using SVRCONN, presumably you mean SYSTEM.DEF.SVRCONN? Are you able to define new one(s)?
There are a number of ways such access can be controlled; have a look at:
http://www.mqseries.net/phpBB2/viewtopic.php?t=27760
(That's not the only discussion of the subject in here, just the clearest & most relevant to your situation IMHO. I offer it without prejudice or warranty.)
Clients don't pose that much of a risk with proper planning, organisation & methodology. I refer of course to applications, not humans......
_________________
Honesty is the best policy.
Insanity is the best defence.
Last edited by Vitor on Fri Mar 24, 2006 4:26 am; edited 1 time in total
In_love_with_MQ
Posted: Fri Mar 24, 2006 4:11 am Post subject: any SIMPLER ways than exits
Acolyte
Joined: 10 Jul 2005 Posts: 70

Hi,
Does it mean that writing exits is the only way to provide security on a SVRCONN CHL ...
Are there any default options other than having an exit?
jefflowrey
Posted: Fri Mar 24, 2006 4:16 am Post subject:
Grand Poobah
Joined: 16 Oct 2002 Posts: 19981

In_love_with_MQ wrote:
Does it mean that writing exits is the only way to provide security on a SVRCONN CHL ...

NO. It means that you have to know and understand how MQ Security works, and use normal mechanisms to secure your programs that include "run your code as the correct user".
Also, CapitalWare sells an exit that can help with security. So you don't have to write one.
Also, one can use SSL to secure all of one's channels.
_________________
I am *not* the model of the modern major general.
Vitor
Posted: Fri Mar 24, 2006 4:29 am Post subject:
Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA

Quote:
Does it mean that writing exits is the only way to provide security on a SVRCONN CHL ...

That certainly wasn't what I was driving at, and I apologise if I was in any way misleading. There are a number of strategies that can be employed, especially if one avoids the default channel.
_________________
Honesty is the best policy.
Insanity is the best defence.
In_love_with_MQ
Posted: Fri Mar 24, 2006 5:17 am Post subject:
Acolyte
Joined: 10 Jul 2005 Posts: 70

Hi jeff,
a) What do you mean by running the code with the correct user?
In my Java code:
MQEnvironment.userID = "john";
MQEnvironment.password = "password123";
User John is on the machine where my SVRCONN channel exists, and his password is correct and is what I pass.
Even then, this user ID and password are not taken into account.
Then what does it mean by passing the correct user ID?
Hi Vitor,
I am not using the default SVRCONN. I have defined a channel called JAVA.CHANNEL and am using it. Can you please elaborate on the multiple ways you suggested?
I want only a valid client to access my channel, using a user ID and password.
We do not want to use SSL and exits. So are there any possible ways?
If I set the MCAUSER, then everybody who knows the channel name can take advantage???
Then what other ways did you suggest?
mvic
Posted: Fri Mar 24, 2006 5:34 am Post subject: Re: MQEnvironment.userID= : USELESS ??
Jedi
Joined: 09 Mar 2004 Posts: 2080
jefflowrey
Posted: Sat Mar 25, 2006 5:58 am Post subject:
Grand Poobah
Joined: 16 Oct 2002 Posts: 19981

You can put the machine behind a firewall and ensure that only the right machines can establish network connections to the listener port.
_________________
I am *not* the model of the modern major general.
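
An added example, not part of any post in this thread and not IBM's or the posters' code: one way to combine the MCAUSER setting and the advice to avoid the default channel discussed above, so that every connection on JAVA.CHANNEL runs with a fixed, minimal set of authorities whatever user ID the client sends. The queue manager QM1, the account mqjava, the queue APP.REQUEST and the use of 'nobody' as an account with no MQ authority are assumptions.

```shell
#!/bin/sh
# Added example. All names are assumptions except JAVA.CHANNEL and
# SYSTEM.DEF.SVRCONN, which appear in the thread.
QMGR="QM1"               # assumed queue manager name
CHANNEL="JAVA.CHANNEL"   # channel the poster defined
APP_USER="mqjava"        # assumed low-privilege OS account, NOT a member of group mqm
APP_QUEUE="APP.REQUEST"  # assumed application queue

# Emit the MQSC that pins the identity used for authority checks.
channel_mqsc() {
    cat <<EOF
* Every connection on $CHANNEL is checked as $APP_USER; the client-sent user ID is ignored.
ALTER CHANNEL($CHANNEL) CHLTYPE(SVRCONN) MCAUSER('$APP_USER')
* Default channel: map it to an account assumed to hold no MQ authority.
ALTER CHANNEL(SYSTEM.DEF.SVRCONN) CHLTYPE(SVRCONN) MCAUSER('nobody')
EOF
}

# Emit the setmqaut commands that grant only what the application needs.
authority_commands() {
    echo "setmqaut -m $QMGR -t qmgr -p $APP_USER +connect +inq"
    echo "setmqaut -m $QMGR -n $APP_QUEUE -t queue -p $APP_USER +get +put +inq"
}

# Apply both steps; run on the queue manager host as an MQ administrator.
harden() {
    channel_mqsc | runmqsc "$QMGR" && authority_commands | sh
}
```

This limits what a connection on the channel can do, not which machines can connect; restricting that is what the firewall and SSL suggestions in the thread address.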