sanjoo (Acolyte; Joined: 26 Oct 2005; Posts: 65)
Posted: Fri Jul 13, 2007 12:58 pm
Post subject: Security: Passing Userid and password from QCF WAS6.0

Greetings!!!!!
We are working on securing MQ. The issue is: all Java applications that connect to the MQ server connect through WAS, and they all use the same user id to connect, which is a very, very bad design.
Now we know that, using a QCF, an application can provide a user id and password when it tries to acquire a connection from the connection pool and get a connection. But this requires a code change. I am looking for an option through which I can pass this userid and password at configuration level (QCF).
If yes, how will this user id map to the MQMD userid?
I got some info from the IBM site --->
"Container-managed Authentication Alias for QCF
This alias specifies a user ID and password to be used to authenticate connection to a JMS provider for container-managed authentication.
This property provides a list of the J2C authentication data entry aliases that have been defined to WebSphere Application Server. You can select a data entry alias to be used to authenticate the creation of a new connection to the JMS provider.
If you have enabled global security for WebSphere Application Server, select the alias that specifies the user ID and password used to authenticate the creation of a new connection to the JMS provider. The use of this alias depends on the resource authentication (res-auth) setting declared in the connection factory resource reference of an application component's deployment descriptors."
_________________
Sanjoo
Keep smiling

fjb_saper (Grand High Poobah; Joined: 18 Nov 2003; Posts: 20756; Location: LI,NY)
Posted: Fri Jul 13, 2007 2:50 pm
Post subject: Re: Security: Passing Userid and password from QCF WAS6.0

sanjoo wrote:
    Greetings!!!!!
    We are working on securing MQ. The issue is: all Java applications that connect to the MQ server connect through WAS, and they all use the same user id to connect, which is a very, very bad design.

Can you elaborate on why this looks like a bad design? Are all your applications on WAS using the same qcf? Wouldn't the bad design be not having a qcf per WAS app?
I'm a little bit confused here, because using a JAAS alias to authenticate will not allow multiple users... To get multiple users you need multiple qcfs.....
_________________
MQ & Broker admin

sanjoo (Acolyte; Joined: 26 Oct 2005; Posts: 65)
Posted: Fri Jul 13, 2007 6:13 pm

saper,
There is one qcf defined for each application. But right now we don't have any authentication info on those qcfs. And since all JVMs run under the same userid for administrative simplicity, at the MQ server we are receiving the same id as user, and it becomes difficult to authenticate and authorize apps on a per-id, per-role basis.
Is it possible to pass a different id per qcf?
Well, we tried doing that by providing JAAS alias authentication info, but somehow it's not passing that id and we are receiving messages with the "mqm" user id.
I hope this clears the picture.
Thanks in advance.
_________________
Sanjoo
Keep smiling

jefflowrey (Grand Poobah; Joined: 16 Oct 2002; Posts: 19981)
Posted: Fri Jul 13, 2007 9:00 pm

If your QCFs are binding to a local qmgr as a server connection, then the ID passed will always be the id that is running the WAS instance.
This means that if you need application-level authentication granularity, then you need one server instance per application, and each instance needs to run under its own user id.
If your QCFs are binding to the qmgr as a client connection, then you can either use JAAS aliasing on the QCF, or you can give each QCF its own SVRCONN and set an MCAUSER on the svrconn.
_________________
I am *not* the model of the modern major general.

fjb_saper (Grand High Poobah; Joined: 18 Nov 2003; Posts: 20756; Location: LI,NY)
Posted: Sat Jul 14, 2007 4:52 am

Well, I guess you're never connecting to more than one qmgr per JVM... otherwise you would already have switched to a client connection....
As Jeff pointed out, the client connection gives you more flexibility as to specifying the user for the qcf, either by mcauser on the channel or by JAAS alias.
Enjoy
_________________
MQ & Broker admin

sanjoo (Acolyte; Joined: 26 Oct 2005; Posts: 65)
Posted: Sat Jul 14, 2007 12:05 pm

Saper,
It's true that all apps on the app server always connect to the same gateway queue manager, and all other queue managers are clustered. But the queue manager is on a different server than the app server, so we must be using a client connection and not bindings mode.
We tried using a JAAS alias, but still on the queue we are receiving messages with the mqm id, which means the app is passing a blank user id instead of the JAAS userid and password.
One quick question... only this userid will be validated on the MQ server side, right? For password validation we have to go for some 3rd-party tool?
Well, that's what my understanding is... please correct me if I am wrong.
Also I am wondering how this JAAS userid and password are sent to MQ? I mean, how are they mapped?
Thanks a lot for all the help.
_________________
Sanjoo
Keep smiling

fjb_saper (Grand High Poobah; Joined: 18 Nov 2003; Posts: 20756; Location: LI,NY)
Posted: Sat Jul 14, 2007 10:55 pm

You map the JAAS alias in the JNDI setup of the qcf.
See JAAS authentication for container-managed components.
Hope this helps some.
Enjoy
_________________
MQ & Broker admin

sanjoo (Acolyte; Joined: 26 Oct 2005; Posts: 65)
Posted: Wed Jul 18, 2007 6:03 am

Thanks Saper.
We tried that, but somehow we are getting messages with the "mqm" user id, which means a blank user id is passed.
Do I need to enable global security to enable the JAAS alias?
If you have any document or link for the JAAS alias, can you please post it here?
Appreciate your help.
_________________
Sanjoo
Keep smiling

sanjoo (Acolyte; Joined: 26 Oct 2005; Posts: 65)
Posted: Wed Jul 18, 2007 7:11 am

We tried all the following combos:
1. Specify a method of providing the user ID and password that you want the application server. To use a JAAS authentication alias to provide the user ID and password that you can use for EIS sign-on, complete the following steps:
   - In the Servers view, right-click the server and select Run administrative console.
   - Expand Resources and select Resource Adapters.
   - Select the resource adapter you want to modify.
   - Under Additional Properties, click J2C connection factories.
   - Under Related Items, click J2EE Connector Architecture (J2C) authentication data entries.
   - Above the list of aliases, click New.
   - Enter an alias name, your user ID, password, and optional description. Select OK.
2. Select the JAAS authentication alias for the Container-managed authentication alias property of the J2C connection factory used by your application. You can do this when you first create the connection factory or later by editing the connection factory. To edit the connection factory:
   - In the Administrative Console for the server you selected, navigate to the connection factory that you wish to modify. For example, Resource adapters > server_name > J2C connection factories > connection_factory_name.
   - In the Container-managed authentication alias drop-down list, select the JAAS authentication alias to be used for the container-managed authentication by applications using that connection factory.
   - Select OK.
I am wondering... are we missing any stupid setting here?
_________________
Sanjoo
Keep smiling

fjb_saper (Grand High Poobah; Joined: 18 Nov 2003; Posts: 20756; Location: LI,NY)
Posted: Wed Jul 18, 2007 3:47 pm

Did you check that the channel used did not have mqm in the mcauser?
_________________
MQ & Broker admin

sanjoo (Acolyte; Joined: 26 Oct 2005; Posts: 65)
Posted: Wed Jul 18, 2007 8:00 pm

Yeah... the MCA user id is blank.
_________________
Sanjoo
Keep smiling
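
The thread ends on the two queue-manager-side controls that jefflowrey and fjb_saper point at: one SVRCONN per application with its MCAUSER set, and a check of what MCAUSER the existing channels carry. On the MQ v6 queue managers discussed here the queue manager does not validate the password itself; a SVRCONN whose MCAUSER is blank adopts whatever user id the connecting JVM asserts, while a set MCAUSER replaces it. The script below is an added example, not code from the thread or from IBM. It generates the MQSC and setmqaut commands for a per-application channel with least-privilege authorities, and audits the output of DISPLAY CHANNEL for SVRCONNs whose MCAUSER is blank or mqm. The queue manager name GATEWAY.QM, the channel, user and queue names, and the sample DISPLAY output are all constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): per-application SVRCONN with MCAUSER,
# least-privilege setmqaut grants, and an MCAUSER audit of existing channels.
# QMGR, channel, user and queue names are placeholders; adjust to your site.

QMGR="${QMGR:-GATEWAY.QM}"

# Emit the MQSC that defines one SVRCONN for an application and pins the
# identity it runs under. With MCAUSER set, the id asserted by the WAS JVM
# (or by a JAAS alias) is overridden by the channel, so the app's messages
# arrive with this id in MQMD.UserIdentifier regardless of what WAS sends.
# Args: app_name mca_user
svrconn_mqsc() {
  app="$1"; user="$2"
  printf "DEFINE CHANNEL('%s.SVRCONN') CHLTYPE(SVRCONN) TRPTYPE(TCP) MCAUSER('%s') REPLACE\n" "$app" "$user"
}

# Emit setmqaut commands granting only what the app needs: connect/inquire
# on the queue manager, put on its request queue, get on its reply queue.
# Args: mca_user put_queue get_queue
least_priv_auths() {
  user="$1"; putq="$2"; getq="$3"
  printf 'setmqaut -m %s -t qmgr -p %s +connect +inq\n' "$QMGR" "$user"
  printf 'setmqaut -m %s -t queue -n %s -p %s +put\n' "$QMGR" "$putq" "$user"
  printf 'setmqaut -m %s -t queue -n %s -p %s +get +inq\n' "$QMGR" "$getq" "$user"
}

# Read runmqsc output of "DISPLAY CHANNEL(*) CHLTYPE(SVRCONN) MCAUSER" on
# stdin and print every SVRCONN whose MCAUSER is blank (client id is trusted
# as asserted) or mqm (every connection runs as the MQ administrator).
# CHANNEL(...) and MCAUSER(...) may sit on different output lines, so the
# channel name is remembered until its MCAUSER line is seen.
audit_mcauser() {
  awk '
    match($0, /CHANNEL\([^)]*\)/) { chl = substr($0, RSTART + 8, RLENGTH - 9) }
    match($0, /MCAUSER\([^)]*\)/) {
      u = substr($0, RSTART + 8, RLENGTH - 9); gsub(/ /, "", u)
      if (u == "")         print chl " BLANK-MCAUSER"
      else if (u == "mqm") print chl " PRIVILEGED-MCAUSER"
    }'
}

# Constructed sample of DISPLAY CHANNEL output (not captured from a real
# queue manager): one default channel, one channel pinned to mqm, one
# correctly pinned per-application channel.
SAMPLE_DISPLAY='AMQ8414: Display Channel details.
   CHANNEL(SYSTEM.DEF.SVRCONN)             CHLTYPE(SVRCONN)
   MCAUSER( )
AMQ8414: Display Channel details.
   CHANNEL(WAS.SVRCONN)                    CHLTYPE(SVRCONN)
   MCAUSER(mqm)
AMQ8414: Display Channel details.
   CHANNEL(APP1.SVRCONN)                   CHLTYPE(SVRCONN)
   MCAUSER(app1user)'

# Show the definitions for a hypothetical application APP1 running as
# app1user, then audit the sample channel list. To apply for real, pipe the
# MQSC into runmqsc:  svrconn_mqsc APP1 app1user | runmqsc "$QMGR"
echo "--- MQSC for APP1 ---"
svrconn_mqsc APP1 app1user
echo "--- authorities for app1user ---"
least_priv_auths app1user APP1.REQUEST APP1.REPLY
echo "--- channels needing attention ---"
printf '%s\n' "$SAMPLE_DISPLAY" | audit_mcauser
```

The audit flags SYSTEM.DEF.SVRCONN and WAS.SVRCONN from the sample and stays silent on APP1.SVRCONN; run it against the real DISPLAY output to confirm which channel the WAS QCF is using and what identity that channel imposes before looking further into the JAAS alias configuration.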