pcelari
Posted: Tue May 23, 2006 11:10 am Post subject: Queue access control for JMS application possible?
Chevalier
Joined: 31 Mar 2006 Posts: 411 Location: New York
Hi,
It seems to me that there is no control over a JMS application's access to queues. The setmqaut command doesn't seem to have any effect on such access, since users don't need to log on to run the program.
Am I right or wrong? If right, how should I set up authorization to prevent unauthorized access from malicious attacks from inside?
Appreciate any insight.
_________________
pcelari
-----------------------------------------
- a master of always being a newbie
jefflowrey
Posted: Tue May 23, 2006 11:23 am Post subject:
Grand Poobah
Joined: 16 Oct 2002 Posts: 19981
You can't protect a machine against a malicious systems administrator.
So you can't protect against unauthorized access from malicious attacks from inside.
You can merely limit the exposure you have. One way to do this is to put production machines behind a firewall, and limit the access that way. In addition, you can enable SSL on all your channels and ensure that only specific machines with specific certificates can connect to those channels. If you do both of these, your queue manager is exactly as secure as the firewall config and the network infrastructure and your certificates.
_________________
I am *not* the model of the modern major general.
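The channel-level restriction described in the post above, written out as an MQSC fragment next to the open default it replaces. This is an added example, not part of any poster's message. The channel name, queue name, certificate DN, user ID `app1svc` and queue manager name `QM1` are constructed, and the CipherSpec is an assumption that has to be swapped for one your MQ level supports.

```mqsc
* Added example: all object names, the DN and the user ID are constructed.

* Open form: no SSL and a blank MCAUSER. The connection runs under
* whatever user ID the client program presents, so the authorities
* granted with setmqaut are checked against an unverified identity.
DEFINE CHANNEL('APP1.SVRCONN') CHLTYPE(SVRCONN) TRPTYPE(TCP) +
       MCAUSER(' ') REPLACE

* Restricted form: SSL is required, the client must present a
* certificate, and only a certificate whose DN matches SSLPEER is
* accepted. MCAUSER pins every connection on this channel to one
* low-privilege ID, whatever the client claims to be.
* The CipherSpec below is an assumption; pick one valid for your release.
DEFINE CHANNEL('APP1.SVRCONN') CHLTYPE(SVRCONN) TRPTYPE(TCP) +
       SSLCIPH(TLS_RSA_WITH_AES_256_CBC_SHA256) +
       SSLCAUTH(REQUIRED) +
       SSLPEER('CN=app1.example.com,O=Example Corp') +
       MCAUSER('app1svc') REPLACE

* With the identity fixed, queue authorities are granted to that ID
* only, from the operating system prompt rather than from runmqsc:
*   setmqaut -m QM1 -t qmgr -p app1svc +connect +inq
*   setmqaut -m QM1 -n APP1.REQUEST -t queue -p app1svc +put +get +inq

* Check the result.
DISPLAY CHANNEL('APP1.SVRCONN') SSLCIPH SSLCAUTH SSLPEER MCAUSER
```

The ID named in MCAUSER should not be a member of the mqm group, otherwise the setmqaut grants add nothing because that group already holds full authority.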
fjb_saper
Posted: Tue May 23, 2006 3:01 pm Post subject:
Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
And specifically for Java and the SVRCONN channels there are programs like the Security support pack from Capitalware or SecureIP2, etc.
Enjoy
_________________
MQ & Broker admin
jefflowrey
Posted: Tue May 23, 2006 3:31 pm Post subject:
Grand Poobah
Joined: 16 Oct 2002 Posts: 19981
Sure, but then your environment is only as secure as the configuration of those tools.
_________________
I am *not* the model of the modern major general.
fjb_saper
Posted: Tue May 23, 2006 7:44 pm Post subject:
Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
jefflowrey wrote:
Sure, but then your environment is only as secure as the configuration of those tools.
Naively I assumed that to have always been the case. Your environment is only as secure as your firewall anyways... So ?
Obviously (maybe just to me) he wants to protect the system against unwarranted and easy access as well from within the company as from without. What he can NEVER protect against is malicious access from an AUTHORIZED user.
_________________
MQ & Broker admin
RogerLacroix
Posted: Tue May 23, 2006 8:56 pm Post subject:
Jedi Knight
Joined: 15 May 2001 Posts: 3264 Location: London, ON Canada
pcelari wrote:
how should I setup authorization to prevent unauthorized access from malicious attacks from inside?
fjb_saper wrote:
... programs from Capitalware ...
jefflowrey wrote:
Sure, but then your environment is only as secure as the configuration of those tools.
MQ Authenticate User Security Exit like a rock!
Regards,
Roger Lacroix
Capitalware Inc.
_________________
Capitalware: Transforming tomorrow into today.
Connected to MQ!