klamerus |
Posted: Sun Apr 30, 2006 3:55 pm Post subject: MQConn suppling account/password |
|
|
 Disciple
Joined: 05 Jul 2004 Posts: 199 Location: Detroit, MI
|
Is there some way to connect to a queue manager with a supplier username/password?
We have a web site and would like to connect with an application from that to an MQ, however this site is Windows with IIS and Windows authentication. It will run under the user IDs of the users, who we don't want to provide permission for.
We could supply an account and password in the code though. |
kevinf2349 |
Posted: Sun Apr 30, 2006 5:11 pm Post subject: |
|
|
 Grand Master
Joined: 28 Feb 2003 Posts: 1311 Location: USA
|
Couldn't you just userid and password protect the connecting program?  |
RogerLacroix |
Posted: Sun Apr 30, 2006 9:39 pm Post subject: Re: MQConn suppling account/password |
|
|
 Jedi Knight
Joined: 15 May 2001 Posts: 3264 Location: London, ON Canada
|
klamerus |
Posted: Mon May 01, 2006 2:55 am Post subject: |
|
|
 Disciple
Joined: 05 Jul 2004 Posts: 199 Location: Detroit, MI
|
Maybe I don't get it, but I don't think this will work.
I slightly typo'd my original post.
The detail is that we have users all over the company connecting in to this web site. The server code runs under their ID.
We don't want to manage all these users with MQ security and don't want them to have direct access to MQ (or any individual access).
We want to provide a username/password pair via an API that will be used by the DLLs (on the web server) to connect to MQ (on another server) as security credentials. |
kevinf2349 |
Posted: Mon May 01, 2006 5:05 am Post subject: |
|
|
 Grand Master
Joined: 28 Feb 2003 Posts: 1311 Location: USA
|
Ah....so you want only one userid and password that everyone gets to use to access MQ from that application? |
RogerLacroix |
Posted: Mon May 01, 2006 9:12 am Post subject: |
|
|
 Jedi Knight
Joined: 15 May 2001 Posts: 3264 Location: London, ON Canada
|
klamerus wrote: |
We don't want to manage all these users with MQ security and don't want them to have direct access to MQ (or any individual access).
We want to provide a username/password pair via an API that will be used by the DLLs (on the web server) to connect to MQ (on another server) as security credentials. |
Hi,
Sure, MQAUSX can handle that.
For Java J2EE:
Configure the MQAUSX client-side security exit in your JNDI for the QCF / XAQCF / TCF / XAQCF then do:
qcf.createQueueConnection("myUserId","myPassword");
or
tcf.createTopicConnection("myUserId","myPassword");
For procedural languages (VB/C/COBOL) you have several choices:
1) Use a Client Channel Table, and specify the appropriate Security Exit and Security Exit Data values.
SCYEXIT: C:\Capitalware\MQAUSX\mqausxclnt(ClntExit)
SCYDATA: u=myUserId;p=myPassword
2) Use the MQCONNX API and fill in the Security Exit name and the Security Exit Data which would be:
SCYEXIT: C:\Capitalware\MQAUSX\mqausxclnt(ClntExit)
SCYDATA: u=myUserId;p=myPassword
3) For MQ v6.0, for the MQCONNX API you can use the new MQCSP security structure.
The UserID and password do not have to be the end user's UserId & password but can be an application account UserId and password.
Hence, you get what you are looking for.
Now to the bonus round: MQAUSX can be used to authenticate the incoming web user's UserId and password and then still use a different UserId for MQ connectivity.
Assumption: The web users' account information is stored in an LDAP server. So, you can do the following:
1) Create a new SVRCONN channel for the web server, set the MQAUSX server-side details
2) In the new channel, set a MCAUSER value for the application called "IISauth".
3) Configure the MQAUSX server-side IniFile to point to the LDAP server and to use the MCAUSER value if the authentication is successful.
4) Configure the IIS client-side appropriately. (see above)
Now you will kill 2 birds with one stone. The web user will be validated against an LDAP server and IF AND ONLY IF SUCCESSFUL then the connection will be allowed to the queue manager but the connection (opens/gets/puts) will be using the MCAUSER value of "IISauth". Nobody will be able to backdoor the channel and use the MCAUSER value unless they provide a valid UserId and password to the MQAUSX server-side security exit.
Regards,
Roger Lacroix
Capitalware Inc. |
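The JMS call from the post above, expanded into a complete client that connects with one application account instead of the web user's identity. This is an added example, not code from the thread or from Capitalware. It assumes the current IBM MQ classes for JMS and hypothetical environment variable names (MQ_HOST, MQ_PORT, MQ_QMGR, MQ_CHANNEL, MQ_APP_USER, MQ_APP_PASSWORD) so that the password is not compiled into the web application.

```java
import javax.jms.JMSException;
import javax.jms.QueueConnection;
import com.ibm.mq.MQException;
import com.ibm.mq.jms.MQQueueConnectionFactory;
import com.ibm.msg.client.wmq.WMQConstants;

public class ServiceAccountConnect {
    // Read a required setting from the environment (variable names are
    // assumptions for this example); fail closed if one is missing.
    static String required(String name) {
        String v = System.getenv(name);
        if (v == null || v.isEmpty()) {
            throw new IllegalStateException("missing environment variable " + name);
        }
        return v;
    }

    public static void main(String[] args) throws JMSException {
        MQQueueConnectionFactory qcf = new MQQueueConnectionFactory();
        qcf.setTransportType(WMQConstants.WMQ_CM_CLIENT); // client connection over TCP
        qcf.setHostName(required("MQ_HOST"));
        qcf.setPort(Integer.parseInt(required("MQ_PORT")));
        qcf.setQueueManager(required("MQ_QMGR"));
        qcf.setChannel(required("MQ_CHANNEL"));           // SVRCONN used only by the web server

        QueueConnection conn = null;
        try {
            // One application account for every web user, as discussed in the thread.
            conn = qcf.createQueueConnection(required("MQ_APP_USER"),
                                             required("MQ_APP_PASSWORD"));
            conn.start();
            System.out.println("connected with the application account");
        } catch (JMSException e) {
            Exception linked = e.getLinkedException();
            // 2035 is MQRC_NOT_AUTHORIZED: the queue manager refused the connection.
            if (linked instanceof MQException
                    && ((MQException) linked).reasonCode == 2035) {
                System.err.println("queue manager rejected the credentials (MQRC 2035)");
            }
            throw e;
        } finally {
            if (conn != null) {
                conn.close();
            }
        }
    }
}
```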
jefflowrey |
Posted: Mon May 01, 2006 2:44 pm Post subject: |
|
|
Grand Poobah
Joined: 16 Oct 2002 Posts: 19981
|
If you're using server bindings, you can use a DCOM object that will run as a particular user and bind against that inside your web code.
If you're using client bindings, you can set the MCA on the SVRCONN you're using. |