| Author |
Message
|
| friedl.otto |
 Posted: Tue Feb 12, 2008 6:23 am Post subject: Installation on Linux |
 |
|
Centurion
Joined: 06 Jul 2007
Posts: 116
|
Is it possible to install MQ as foo:bar (as opposed to mqm:mqm).
I would think from a security perspective it would make sense, but all
documentation harps on the mqm user being part of the mqm group etc.
_________________
Here's an idea - don't destroy semaphores unless you're certain of what you're doing!  -- Vitor |
|
| Back to top |
|
 |
| jefflowrey |
| Posted: Tue Feb 12, 2008 6:32 am Post subject: |
|
|
Grand Poobah
Joined: 16 Oct 2002
Posts: 19981
|
No.
_________________
I am *not* the model of the modern major general. |
|
| Back to top |
|
|
| friedl.otto |
| Posted: Tue Feb 12, 2008 6:44 am Post subject: |
|
|
Centurion
Joined: 06 Jul 2007
Posts: 116
|
Terse but effective! 
Have Hursley decided to hard-code authentication? 
_________________
Here's an idea - don't destroy semaphores unless you're certain of what you're doing! -- Vitor |
|
| Back to top |
|
|
| Vitor |
| Posted: Tue Feb 12, 2008 6:47 am Post subject: |
|
|
Grand High Poobah
Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA
|
| friedl.otto wrote: |
Terse but effective!
Have Hursley decided to hard-code authentication? |
On most Unix software needs to be installed as the admin user, or as root with an admin user pre-defined. AFAIK the "hard coded" authentication is connected to the paths used in the binaries.
The question is why would you want to install WMQ (or anything) as foo:bar? What's the requirement here? Aside from confusing the next MQ admin to the point of madness?
_________________
Honesty is the best policy.
Insanity is the best defence. |
|
| Back to top |
|
|
| friedl.otto |
| Posted: Tue Feb 12, 2008 7:25 am Post subject: |
|
|
Centurion
Joined: 06 Jul 2007
Posts: 116
|
| Vitor wrote: |
| The question is why would you want to install WMQ (or anything) as foo:bar? What's the requirement here? Aside from confusing the next MQ admin to the point of madness? |
Well ... if everyone on the planet knows:
10g runs as oracle:oracle on port 1526 in /opt/oracle/product/...
MQ runs as mqm:mqm on port 1414 in /opt/mqm/...
it obviously simplifies finding and hurting those apps.
But I see your point ... changing things that admins bank on, can make one
rather unpopular!
_________________
Here's an idea - don't destroy semaphores unless you're certain of what you're doing! -- Vitor |
|
| Back to top |
|
|
| jefflowrey |
| Posted: Tue Feb 12, 2008 7:28 am Post subject: |
|
|
Grand Poobah
Joined: 16 Oct 2002
Posts: 19981
|
| friedl.otto wrote: |
| MQ runs as mqm:mqm on port 1414 in /opt/mqm/... |
On some unixes, if you decide to use the well-known port.
On other unixes, it runs on "some port" on /usr/mqm
Nobody should be able to log in as the mqm user.
_________________
I am *not* the model of the modern major general. |
|
| Back to top |
|
|
| Vitor |
| Posted: Tue Feb 12, 2008 7:54 am Post subject: |
|
|
Grand High Poobah
Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA
|
| friedl.otto wrote: |
MQ runs as mqm:mqm on port 1414 in /opt/mqm/...
it obviously simplifies finding and hurting those apps.
|
1) Not on queue managers I define it doesn't
2) A quality security infrastrucure prevents people "hurting" the app via the port
3) Another facet of the security policy prevents unauthorised administration by spoofing yourself as mqm
Anyone savvy enough to be attempting that is not going to be put off for long by simply using a different user id (or port in all honesty).
But not using 1414 for me is more about not accidently getting 2 queue managers listening on the same port.
_________________
Honesty is the best policy.
Insanity is the best defence. |
|
| Back to top |
|
|
| csmith28 |
| Posted: Tue Feb 12, 2008 2:30 pm Post subject: |
|
|
Grand Master
Joined: 15 Jul 2003
Posts: 1196
Location: Arizona
|
| Quote: |
10g runs as oracle:oracle on port 1526 in /opt/oracle/product/...
MQ runs as mqm:mqm on port 1414 in /opt/mqm/...
it obviously simplifies finding and hurting those apps.
But I see your point ... changing things that admins bank on, can make one
rather unpopular! |
As pointed out above the mqm and oracle and even the was user are/should be system accounts that do not allow login to the server and all but the server that actually hosts a webpage should be in a private network behind Firewalls both soft and hard.
To date as an WMQSeries admin I have never supported a WMQManager Server that was publicly accessable.
_________________
Yes, I am an agent of Satan but my duties are largely ceremonial. |
|
| Back to top |
|
|
|
|
