Luca81
Posted: Thu Mar 06, 2008 8:22 am Post subject: Start channel without +ctrl authority
Acolyte
Joined: 01 Mar 2007 Posts: 62
Hi all,
I have a SVRCONN channel named 'SVRCH' with an MCA user named 'ch_usr'.
My client applications use 'SVRCH'.
User 'ch_usr' does not have +ctrl authority on channel 'SVRCH'.
My client applications can start an instance of 'SVRCH'. How is this possible?
I'm on Windows and MQ 6.0.2.3.
'ch_usr' is not a member of the mqm or administrators group...
'ch_usr' has +connect authority on the QM.
thx
luca
Last edited by Luca81 on Thu Mar 06, 2008 8:28 am; edited 1 time in total
jefflowrey
Posted: Thu Mar 06, 2008 8:26 am Post subject:
Grand Poobah
Joined: 16 Oct 2002 Posts: 19981
I think you misunderstand what it means to "start" a SVRCONN.
I think you'll find that ch_usr, once connected via SVRCH, will not be able to submit a START CHANNEL command to the command server.
Are you trying to limit which SVRCONNs a user can connect to? Or are you trying to disable the SVRCONN?
_________________
I am *not* the model of the modern major general.
Luca81
Posted: Thu Mar 06, 2008 8:31 am Post subject:
Acolyte
Joined: 01 Mar 2007 Posts: 62
jefflowrey wrote:
    I think you misunderstand what it means to "start" a SVRCONN.
Can you tell me what "start" a SVRCONN means?
jefflowrey wrote:
    Are you trying to limit which SVRCONNs a user can connect to?
Yes! This is the situation: 'ch_usr' has complete control of a lot of queues (qu1, qu2, etc.). Only one client uses SVRCH. Other clients use a different server connection channel (SVRCHUSER) without an MCA user (so a user can write/read to/from a queue if and only if the user has the right authority on it).
The problem is: if one of these clients uses SVRCH instead of SVRCHUSER, he can write on qu1 or qu2, etc., and this should be a big problem!
Can I limit which SVRCONNs a user can connect to? I would like only one user to be able to use SVRCH...
jefflowrey
Posted: Thu Mar 06, 2008 9:23 am Post subject:
Grand Poobah
Joined: 16 Oct 2002 Posts: 19981
You start a SVRCONN by connecting to it.
You can use SSL to limit which users can connect to which SVRCONNs, by using the SSLPEER attribute of a channel.
You cannot do this with the base product otherwise.
_________________
I am *not* the model of the modern major general.
PeterPotkay
Posted: Thu Mar 06, 2008 9:40 am Post subject:
Poobah
Joined: 15 May 2001 Posts: 7722
Luca81 wrote:
    Can you tell me what "start" a SVRCONN means?
The start command for a SVRCONN channel enables it for any future incoming client connections.
Luca81 wrote:
    Other clients use a different server connection channel (SVRCHUSER) without an MCA user (so a user can write/read to/from a queue if and only if the user has the right authority on it).
Anyone that connects to this other SVRCONN channel can do everything that ch_usr can do on the SVRCHUSER channel if they are so inclined.
_________________
Peter Potkay
Keep Calm and MQ On
Luca81
Posted: Fri Mar 07, 2008 12:26 am Post subject:
Acolyte
Joined: 01 Mar 2007 Posts: 62
jefflowrey wrote:
    You start a SVRCONN by connecting to it.
OK, but then, if I can start an instance of a SVRCONN without +ctrl,
what is the meaning of +ctrl authority on a SVRCONN channel?
jefflowrey wrote:
    You can use SSL to limit which users can connect to which SVRCONNs, by using the SSLPEER attribute of a channel.
    You cannot do this with the base product otherwise.
OK!
Luca81
Posted: Fri Mar 07, 2008 12:52 am Post subject:
Acolyte
Joined: 01 Mar 2007 Posts: 62
PeterPotkay wrote:
    Anyone that connects to this other SVRCONN channel can do everything that ch_usr can do on the SVRCHUSER channel if they are so inclined.
I should remove the SVRCH channel and use SVRCHUSER (and authorize ch_usr on qu1 and qu2), but the situation is more complex... The QM is under MSCS active/passive mode... MQ for Windows does not support domain groups but only domain users. We have a lot of clients with a lot of different users, so we created a SVRCONN channel (with a non-blank MCA user) for every application type...
Example:
Application | Channel name | Client users | MCA user | Queues
A | SVR1 | 'c_u1', 'c_u2', 'c_u3' | mca_u1 | q1, q2
B | SVR2 | 'c_u4', 'c_u5', 'c_u6' | mca_u2 | q2, q3
...
If we use a SVRCONN channel with a blank MCA user we do not have a flexible approach, because we have to use domain users (users change very frequently).
But now we have security problems... c_u4 can use SVR1 and write on q1...
I think we have to use SSL...
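The following MQSC is an added example, not something posted in this thread, showing what jefflowrey's SSLPEER suggestion looks like when applied to the per-application channel layout in Luca81's table: each SVRCONN keeps its MCA user but is pinned to the certificate DN issued to that application, so a client holding application B's certificate is refused on SVR1 even though it knows the channel name. Channel names, MCA users and queue names are taken from the table; the certificate DNs, the cipher name and the key repository path are assumptions, and the cipher must be one supported by the MQ level in use (the thread is at 6.0.2.3).

```mqsc
* Added example (not from the thread). Run with: runmqsc QMNAME < this_file
* Assumed: the queue manager's key repository already holds its own
* certificate and the CA that issued the client certificates.
ALTER QMGR SSLKEYR('C:\mq\ssl\key')

* Weak form, as described in the thread: anyone who knows the channel
* name connects to SVR1 and runs with mca_u1's queue authority.
DEFINE CHANNEL('SVR1') CHLTYPE(SVRCONN) TRPTYPE(TCP) +
       MCAUSER('mca_u1') REPLACE

* Hardened form for application A: require a client certificate and
* accept only the DN issued to application A (DN is an assumption).
* SSLCAUTH(REQUIRED) matters: SSLPEER is only matched against a
* certificate the client actually presents, so with SSLCAUTH(OPTIONAL)
* a client that sends no certificate is not filtered by SSLPEER.
DEFINE CHANNEL('SVR1') CHLTYPE(SVRCONN) TRPTYPE(TCP) +
       MCAUSER('mca_u1') +
       SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA) +
       SSLCAUTH(REQUIRED) +
       SSLPEER('CN=app-a-client,O=Example') REPLACE

* Same pattern for application B: its own MCA user, its own DN.
DEFINE CHANNEL('SVR2') CHLTYPE(SVRCONN) TRPTYPE(TCP) +
       MCAUSER('mca_u2') +
       SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA) +
       SSLCAUTH(REQUIRED) +
       SSLPEER('CN=app-b-client,O=Example') REPLACE

* Checks a defender would run afterwards: confirm the SSL attributes
* were applied, and see which instances are running and under which
* MCA user identity.
DISPLAY CHANNEL('SVR*') MCAUSER SSLCIPH SSLCAUTH SSLPEER
DISPLAY CHSTATUS('SVR*') ALL

* Pick up the new definitions for future connections (existing
* instances keep running until they end).
REFRESH SECURITY TYPE(SSL)
```

The channel definitions only fix who may connect; each MCA user still needs exactly the queue authorities its application requires, granted outside MQSC with setmqaut (for example `setmqaut -m QMNAME -t queue -n q1 -p mca_u1 +put +get`), and nothing more, so that the damage from a lost or copied client certificate stays bounded to that application's queues.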