JYama (Master, Joined: 27 Mar 2002, Posts: 281)
Posted: Wed Sep 12, 2007 3:43 am
Post subject: How can I assign a userid to connect to a remote qmgr?
Hi all,
I'd like to know how I can assign a userid in WAS to connect to a remote qmgr.
Now I'm using WASv6.1 on Windows and WMQv6.0 on AIX, trying to make an MQ client connection in JMS from WAS to WMQ.
When MCAUSER of the SVRCONN channel used by WAS is not set, how can I have a secure connection without JAAS-J2C authentication settings in WAS?
I learned that if MCAUSER was blank and userid & password were not assigned by JMS programs, maybe through the createQueueConnection method, this connection is authenticated with the same userid as the one that started runmqlsr.
I think this will result in us having no way to secure MQ client connections from WAS when MCAUSER is blank and WAS doesn't have JAAS-J2C authentication. In this case, every WAS program can connect to the QMgr...
What do you think of this?
Many thanks in advance,
Last edited by JYama on Wed Sep 12, 2007 7:03 am; edited 3 times in total
jefflowrey (Grand Poobah, Joined: 16 Oct 2002, Posts: 19981)
Posted: Wed Sep 12, 2007 3:51 am
Post subject: Re: How can I assign a userid to connect to a remote qmgr?
JYama wrote:
    When MCAUSER of the SVRCONN channel used by WAS is not set, how can I have a secure connection without JAAS(J2C) authentication settings in WAS?
So what you're asking is - when you've taken no steps to assign a userid to a connection, how can you assign a userid to a connection?
The two mechanisms you've described are how you assign a userid.
Assigning a userid has nothing to do with preventing a given application from connecting to a queue manager - it merely controls what that application can do once it does connect.
Proper management of SSL keys will prevent applications from connecting to a queue manager.
But, yes. You're correct. If you don't do anything to secure your queue manager, then anyone can connect to it.
That's why you should do things to secure your queue manager - if you care about security.
Roger will be along in a bit to scold you for not searching on this very frequently talked about topic, and to mention his products and his website.
There's also a good article by T.Rob Wyatt on DevWorks.
_________________
I am *not* the model of the modern major general.
jsware (Chevalier, Joined: 17 May 2001, Posts: 455)
Posted: Wed Sep 12, 2007 3:52 am
The only way to secure MQ client channels is with SSL or a security exit. IMHO MCAUSER gives a false sense of security because it effectively says "I don't care who you really are, you're going to be so-and-so". This means that anybody, even somebody who isn't meant to have access, can get access to do whatever "so-and-so" is authorised to do.
Setting MCAUSER to a value is better than leaving it blank. Setting it to 'nobody' is best
Java does not have the concept of an immutable user ID. This means that Java clients can effectively say "I am mqm" without having to provide a password to authenticate. MQ svrconn channels with blank MCAUSER attributes take this value and use it - effectively giving mq admin access to the qmgr.
This is just the tip of a very dark iceberg. Search this site for details on security exits and you'll get quite a few hints, tips and advice.
I would recommend you have MQ installed on your WAS host and use bindings mode to access "local" MQ resources which are configured to deliver messages to your AIX host.
_________________
Regards
John
The pain of low quality far outlasts the joy of low price.
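As an added illustration (not code from any poster), this is the MQSC a queue manager administrator would run on the AIX side to replace the blank-MCAUSER SVRCONN the question describes with the locked-down form John recommends; the channel name, CipherSpec and certificate DN are placeholders for this example.

```mqsc
* Weak (the situation in the question): with MCAUSER blank, the channel
* runs under whatever user id the client asserts, and a JMS client that
* asserts "mqm" gets administrative access without any authentication.
DEFINE CHANNEL(WAS.SVRCONN) CHLTYPE(SVRCONN) TRPTYPE(TCP) +
       MCAUSER(' ') REPLACE

* Hardened: pin every connection on this channel to a low-privilege id
* regardless of the id the client sends, require a client certificate,
* and accept only the certificate issued to the WAS host.
* (WAS.SVRCONN, the CipherSpec and the DN are example values.)
DEFINE CHANNEL(WAS.SVRCONN) CHLTYPE(SVRCONN) TRPTYPE(TCP) +
       MCAUSER('nobody') +
       SSLCIPH(TRIPLE_DES_SHA_US) +
       SSLCAUTH(REQUIRED) +
       SSLPEER('CN=wasapp01,OU=Middleware,O=Example') +
       REPLACE

* The default channels are reachable by any client too, so do not leave
* them with a blank MCAUSER either.
ALTER CHANNEL(SYSTEM.DEF.SVRCONN) CHLTYPE(SVRCONN) MCAUSER('nobody')
ALTER CHANNEL(SYSTEM.AUTO.SVRCONN) CHLTYPE(SVRCONN) MCAUSER('nobody')

* Check: every attribute below should show the hardened values.
DISPLAY CHANNEL(WAS.SVRCONN) MCAUSER SSLCIPH SSLCAUTH SSLPEER
```

MCAUSER only fixes the identity; the id still needs just enough authority to do its job, granted with setmqaut (for example `setmqaut -m QM1 -t qmgr -p nobody +connect +inq`, then +put or +get on the specific application queues only), and the queue manager needs its key repository (SSLKEYR) and the WAS host's certificate set up before the SSL attributes take effect.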
JYama (Master, Joined: 27 Mar 2002, Posts: 281)
Posted: Wed Sep 12, 2007 4:00 am
jefflowrey wrote:
    If you don't do anything to secure your queue manager, then anyone can connect to it.
So you mean, SSL is the only solution to the issue and there're no alternatives?
Vitor (Grand High Poobah, Joined: 11 Nov 2005, Posts: 26093, Location: Texas, USA)
Posted: Wed Sep 12, 2007 4:09 am
JYama wrote:
    jefflowrey wrote:
        If you don't do anything to secure your queue manager, then anyone can connect to it.
    So you mean, SSL is the only solution to the issue and there're no alternatives?
Follow the advice of jefflowrey and do a search. This problem (especially the Java aspect) has been discussed quite a lot.
It depends how secure you want to be. Setting MCAUser does limit the damage (and access to admin rights), providing you set it to a user id with properly restricted authorities, but doesn't do anything to authenticate who's using it.
I have known sites who've considered that acceptable within their given infrastructure. I've known sites that haven't.
But if you want locked down, bolted shut authentication & control you're probably talking SSL.
_________________
Honesty is the best policy.
Insanity is the best defence.
RogerLacroix (Jedi Knight, Joined: 15 May 2001, Posts: 3264, Location: London, ON Canada)
Posted: Wed Sep 12, 2007 10:06 am
Post subject: Re: How can I assign a userid to connect to a remote qmgr?
jefflowrey wrote:
    Roger will be along in a bit to scold you for not searching on this very frequently talked about topic, and to mention his products and his website.
JYama wrote:
    I think this will result in we have no way to secure MQ client connections
SSL is a good node-to-node security method ONLY if the nodes are completely locked down. Also, do you have the infrastructure to manage the certificates? (i.e. as they expire.)
If you want proper end-to-end security for MQ then you have 3 choices:
1. Capitalware's MQ Authenticate User Security Exit (MQAUSX)
2. IBM's WebSphere MQ Extended Security Edition V6
3. Primeur's Data Secure for WebSphere MQ
Over 90% of our customers purchase MQAUSX for exactly the reasons you listed above.
Regards,
Roger Lacroix
Capitalware Inc.
_________________
Capitalware: Transforming tomorrow into today.
Connected to MQ!
Twitter
jefflowrey (Grand Poobah, Joined: 16 Oct 2002, Posts: 19981)
Posted: Wed Sep 12, 2007 11:10 am
Post subject: Re: How can I assign a userid to connect to a remote qmgr?
RogerLacroix wrote:
    jefflowrey wrote:
        Roger will be along in a bit to scold you for not searching on this very frequently talked about topic, and to mention his products and his website.
_________________
I am *not* the model of the modern major general.
JYama (Master, Joined: 27 Mar 2002, Posts: 281)
Posted: Wed Sep 12, 2007 6:06 pm
Thank you for your help, all,
I understand the idea of security for MQ client connections is 'easy-to-use', therefore everybody can connect to QMgrs with no settings.
I don't know whether it's good or bad, but I think MQ may need to provide a more robust approach as a product when we consider the adoption of SOA in the future. Standardization may be a 'key' on this...
One last question. I'd appreciate it if somebody could help.
Apart from security exits and 3rd party tools, is there a way to secure a client connection with a password along with a userid?
RogerLacroix (Jedi Knight, Joined: 15 May 2001, Posts: 3264, Location: London, ON Canada)
Posted: Thu Sep 13, 2007 11:48 am
JYama wrote:
    Apart from SecurityExits and 3rd party tools, is there a way to secure a client connection with password along with userid?
MQ Security Exit is the only way.
Regards,
Roger Lacroix
Capitalware Inc.
_________________
Capitalware: Transforming tomorrow into today.
Connected to MQ!
Twitter
JYama (Master, Joined: 27 Mar 2002, Posts: 281)
Posted: Thu Sep 13, 2007 5:16 pm
Thank you very much, all,
Your expertise was greatly helpful.
Cheers,