MCAUSER Confusion |
Author |
Message
|
mquser925 |
Posted: Thu Jul 03, 2008 8:58 am Post subject: MCAUSER Confusion |
|
|
Acolyte
Joined: 22 Apr 2008 Posts: 61
|
Maybe someone can help me understand MCAUSER once and for all. So from reading the manuals I have gathered that if I specify an MCAUSER for the channel and setmqaut for that user, then only that user will be able to connect to my queues and get/put messages. So if the sender is sending a message from a Windows box to my Unix queue manager then the userid of the local machine will be passed in the userid field for the MQ header, correct? Is this correct? So if john.doe tries to connect then he will be denied access?
Code: |
DEFINE CHANNEL (AA.SVRCONN) CHLTYPE(SVRCONN) TRPTYPE(TCP) MCAUSER('bob.smith') REPLACE
setmqaut -m QM -n Queue -t q -p bob.smith +get +put
setmqaut -m QM -t qmgr -p bob.smith +connect
|
|
|
|
 |
RogerLacroix |
Posted: Thu Jul 03, 2008 9:26 am Post subject: Re: MCAUSER Confusion |
|
|
 Jedi Knight
Joined: 15 May 2001 Posts: 3264 Location: London, ON Canada
|
Hi,
mquser925 wrote: |
So from reading the manuals I have gathered that if I specify an MCAUSER for the channel and setmqaut for that user, then only that user will be able to connect to my queues and get/put messages. |
Absolutely not true.
What you have done is set up a channel and UserId, so that ANYONE connecting to that channel will access the MQ objects using that particular UserId (bob.smith). Hence, ANY user in your environment will be able to connect to that channel and pretend to be "bob.smith".
You also need to implement a security solution or SSL.
Regards,
Roger Lacroix
Capitalware Inc.
|
 |
mquser925 |
Posted: Fri Jul 04, 2008 5:38 am Post subject: |
|
|
Acolyte
Joined: 22 Apr 2008 Posts: 61
|
Thanks for the reply. We are also implementing a security exit. If MCAUser is not used for authentication purposes, what purpose does the userid and password field serve? |
|
|
 |
fjb_saper |
Posted: Fri Jul 04, 2008 7:43 am Post subject: |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
mquser925 wrote: |
Thanks for the reply. We are also implementing a security exit. If MCAUser is not used for authentication purposes, what purpose does the userid and password field serve? |
Passwd?? Further development in coming releases, maybe?
Userid is being used for authorization purposes. If you want authentication you have to use some user exit and/or SSL.
Enjoy |
|
 |
RogerLacroix |
Posted: Fri Jul 04, 2008 8:22 pm Post subject: |
|
|
 Jedi Knight
Joined: 15 May 2001 Posts: 3264 Location: London, ON Canada
|
mquser925 wrote: |
If MCAUser is not used for authentication purposes, what purpose does the userid and password field serve? |
The UserId and Password are passed to the security exit so that it can do the authentication. It is best to use the MQCSP structure rather than the old style of Remote UserId & Password fields.
Regards,
Roger Lacroix
Capitalware Inc.
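The point made in the replies above, as an added example that is not from the thread, IBM or Capitalware: a small Python audit that parses MQSC channel definitions and reports every SVRCONN channel that neither names a security exit (SCYEXIT) nor requires a TLS client certificate restricted by SSLPEER, so MCAUSER alone decides the identity. It assumes a configured security exit does authenticate the client; the BB and CC channels, the CipherSpec, the peer name and the exit name are constructed placeholders.

```python
import re

# Constructed sample: AA.SVRCONN is the definition from the question; BB and CC
# are hypothetical variants whose cipher, peer and exit values are placeholders.
SAMPLE_MQSC = """\
DEFINE CHANNEL (AA.SVRCONN) CHLTYPE(SVRCONN) TRPTYPE(TCP) MCAUSER('bob.smith') REPLACE
DEFINE CHANNEL(BB.SVRCONN) CHLTYPE(SVRCONN) TRPTYPE(TCP) MCAUSER('bob.smith') +
       SSLCIPH(CIPHERSPEC_PLACEHOLDER) SSLCAUTH(REQUIRED) +
       SSLPEER('CN=bob.smith,O=Example') REPLACE
DEFINE CHANNEL(CC.SVRCONN) CHLTYPE(SVRCONN) MCAUSER('bob.smith') +
       SCYEXIT('exit_placeholder(EntryPoint)') REPLACE
"""

# NAME(value), where value is either a quoted string or runs to the next ')'
ATTR = re.compile(r"(\w+)\s*\(\s*('[^']*'|[^)]*)\)")

def parse_channels(mqsc):
    """Return {channel name: {ATTRIBUTE: value}} for each DEFINE CHANNEL command."""
    text = re.sub(r"[+-][ \t]*\n", " ", mqsc)  # join MQSC continuation lines
    channels = {}
    for line in text.splitlines():
        if re.match(r"\s*DEF(INE)?\s+CHANNEL\b", line, re.I):
            attrs = {k.upper(): v.strip().strip("'").strip() for k, v in ATTR.findall(line)}
            channels[attrs.pop("CHANNEL")] = attrs
    return channels

def audit(channels):
    """Return {channel: finding} for SVRCONN channels that do not authenticate the client."""
    findings = {}
    for name, a in channels.items():
        if a.get("CHLTYPE", "").upper() != "SVRCONN":
            continue
        if a.get("SCYEXIT"):
            continue  # assumption: the security exit authenticates the client
        # SSLCAUTH defaults to REQUIRED but only has effect once SSLCIPH is set
        tls = bool(a.get("SSLCIPH")) and a.get("SSLCAUTH", "REQUIRED").upper() == "REQUIRED"
        if tls and a.get("SSLPEER"):
            continue  # client certificate required and its DN is restricted
        who = a.get("MCAUSER") or "the user ID the client asserts"
        scope = "any client with a trusted certificate" if tls else "any client that can reach the channel"
        findings[name] = f"{scope} runs as {who}"
    return findings

if __name__ == "__main__":
    for channel, finding in audit(parse_channels(SAMPLE_MQSC)).items():
        print(f"{channel}: {finding}")
```

Run against the sample, only AA.SVRCONN, the channel as defined in the question, is reported.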