magkids |
Posted: Thu Aug 09, 2007 2:37 am Post subject: Keeping MCAUser blank |
|
|
Newbie
Joined: 09 Aug 2007 Posts: 8
|
I want to ask what the consequences of leaving MCAUser blank are. Provided that I have used SSL or a Channel Exit, only authenticated users can access the queue manager.
If I leave MCAUser blank, that means the user can access with admin rights. Can the user create/delete queues through the channel? How? (Shouldn't these functions be done through the SVR.ADMIN.CONN channel?)
Thanks a lot. |
|
jeevan |
Posted: Thu Aug 09, 2007 7:35 am Post subject: |
|
|
Grand Master
Joined: 12 Nov 2005 Posts: 1432
|
If you have set up MCAUSER (let's say mqm) and someone knows the name of your server connection channel that has an MCAUSER, he/she can connect to your qmgr with the permission of the MCAUSER (mqm in this case). This does not require the incoming user to be in the mqm group and admin group (in Windows) and the mqm group in Unix. You can guess what happens then.
So, it is advisable to leave MCAUSER blank and authorise individuals (better, create a group, put similar users together and authorise the group for the certain objects they need to work with). This way you can protect your MQ system. |
|
jefflowrey |
Posted: Thu Aug 09, 2007 7:39 am Post subject: |
|
|
Grand Poobah
Joined: 16 Oct 2002 Posts: 19981
|
If you leave the MCAUser blank, then you are trusting that whoever connects to your channel has properly authenticated the user that they are presenting.
_________________
I am *not* the model of the modern major general. |
|
magkids |
Posted: Thu Aug 09, 2007 5:51 pm Post subject: |
|
|
Newbie
Joined: 09 Aug 2007 Posts: 8
|
I know the incoming user can then access as the mqm user. But shouldn't the channel be an application channel? So he could only do something like put and get messages. Any admin rights like creating/deleting queues should be done through the SVR.ADMIN.CONN channel. If I protect the SVR.ADMIN.CONN channel, does it mean that I do not need to set MCAUser? |
|
jefflowrey |
Posted: Fri Aug 10, 2007 2:04 am Post subject: |
|
|
Grand Poobah
Joined: 16 Oct 2002 Posts: 19981
|
There is no difference between any SVRCONN channel.
SYSTEM.ADMIN.SVRCONN is just a default channel.
Any SVRCONN can be used to talk to any queues, including the Command Server input queue.
I repeat.
If you DO NOT SET the MCAUser, then you are TRUSTING that the client side of the channel has PROPERLY AUTHENTICATED the user that the channel is presenting.
This might actually be okay in your organization. It depends entirely on your policies and configurations.
_________________
I am *not* the model of the modern major general. |
|
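An audit of the two situations discussed in this thread (an administrative MCAUSER on a SVRCONN channel, and a blank MCAUSER with nothing verifying the client), as an added example that is not part of any post above. The sample text is constructed in the layout runmqsc uses for channel details, where a blank attribute prints as `MCAUSER( )`; the channel names, user IDs, exit path, the `admin_ids` default and the three status labels are assumptions made for the example.

```python
import re

# Constructed runmqsc-style channel listing; channel names, user IDs and the
# exit path are made up for this example.
SAMPLE = """\
AMQ8414: Display Channel details.
   CHANNEL(APP1.SVRCONN)                   CHLTYPE(SVRCONN)
   MCAUSER( )                              SCYEXIT( )
   SSLCIPH( )
AMQ8414: Display Channel details.
   CHANNEL(APP2.SVRCONN)                   CHLTYPE(SVRCONN)
   MCAUSER(mqm)                            SCYEXIT( )
   SSLCIPH( )
AMQ8414: Display Channel details.
   CHANNEL(APP3.SVRCONN)                   CHLTYPE(SVRCONN)
   MCAUSER( )                              SCYEXIT(/var/mqm/exits/chk(SecExit))
   SSLCIPH( )
AMQ8414: Display Channel details.
   CHANNEL(APP4.SVRCONN)                   CHLTYPE(SVRCONN)
   MCAUSER(app4usr)                        SCYEXIT( )
   SSLCIPH( )
"""

# KEY(value); the value may hold one nested pair of parentheses, as SCYEXIT does.
ATTR = re.compile(r"(\w+)\(((?:[^()]|\([^()]*\))*)\)")

def parse_channels(text):
    channels = []
    for line in text.splitlines():
        if line.startswith("AMQ8414"):
            channels.append({})          # each record starts with this message
        elif channels:
            channels[-1].update((k, v.strip()) for k, v in ATTR.findall(line))
    return channels

def audit(text, admin_ids=("mqm",)):     # admin_ids: assumption, adjust per platform
    findings = {}
    for ch in parse_channels(text):
        user = ch.get("MCAUSER", "")
        if ch.get("CHLTYPE") != "SVRCONN":
            continue
        if user.lower() in admin_ids:
            findings[ch["CHANNEL"]] = "ADMIN_MCAUSER"        # all clients act as admin
        elif not user and not (ch.get("SSLCIPH") or ch.get("SCYEXIT")):
            findings[ch["CHANNEL"]] = "UNVERIFIED_CLIENT_ID" # asserted ID taken as is
        elif not user:
            findings[ch["CHANNEL"]] = "REVIEW_CLIENT_AUTH"   # depends on SSL/exit setup
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A channel reported as `REVIEW_CLIENT_AUTH` is not cleared: whether the SSL configuration or exit really ties the connection to the user ID it presents has to be checked by hand.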