| |
|
RSS Feed - WebSphere MQ Support
|
RSS Feed - Message Broker Support
|
  |
|
| Password Authentication for MQSeries. |
« View previous topic :: View next topic » |
| Author |
Message
|
| mohan_baj |
 Posted: Fri May 17, 2002 12:35 am Post subject: Password Authentication for MQSeries. |
 |
|
Newbie
Joined: 16 May 2002
Posts: 1
|
Hi,
I am involved in MQ Enabling an Interanet application.
The the front end is sending UserId and Password field which needs to be authenticated.The backend is mainframe. Can MQ on OS/390 take up the UserID and Password and validate it. I understand that Groups and User priveledges are given for MQ Objects and there is always an UserID check when appilcation tries to connect to Qmgr or when receiving MCA puts on the Queue.
But nowhere is the password checked for. This could be as well a security breach ,for instance any application which manually moves the authorized RACF ID into MQMD UserID properties can start putting messages on the queue?
Can the group help me out on this.
Thanks in Advance
Mohan |
|
| Back to top |
|
 |
| oz1ccg |
| Posted: Fri May 17, 2002 1:36 am Post subject: |
|
|
Yatiri
Joined: 10 Feb 2002
Posts: 628
Location: Denmark
|
Hi Mohan,
you're quite right..... there are no password checking done....
There are at least tree ways arround this challange:
1. wait and see what IBM implements in version 5.3 (GA end of june).
2. buy a product from an ISV.
3. write one or more security exits. In the security exit you can validate what ever you want. One of my costomers are using this approach with great success.
There was an old supportpack MS05MVS but now withdrawn by IBM (I've still got a copy send a mail if you want it.).
Validateing the password is a bit tricky on Z/OS because your task have to be autorized to do that, and all exit in MQSeries is invoked as unauth... 
_________________
Regards, Jørgen
Home of BlockIP2, the last free MQ Security exit ver. 3.00
Cert. on WMQ, WBIMB, SWIFT. |
|
| Back to top |
|
|
| zpat |
| Posted: Fri May 17, 2002 5:48 am Post subject: |
|
|
Jedi Council
Joined: 19 May 2001
Posts: 5849
Location: UK
|
It's not true that you need to be APF authorised to validate a RACF password. If you wanted to create a security environment (ACEE) without a password you would need to be APF.
You can either call the CICS security commands to verify the user/password (which I would normally recommend) or write an Assembler program to issue a RACROUTE VERIFY call. Don't forget to delete the ACEE when you are done with it.
For repeated calls with the same id/password you should re-use the ACEE (CICS will give you a ptr to it). To avoid re-validating the password for each message, you could generate a token and keep a list of valid tokens. We have done all this sort of thing and more using MQ and CICS. |
|
| Back to top |
|
|
|
|
|
| |
|
Page 1 of 1 |
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
|
|
|
