Security on MQ for z/OS
giuly020277
Posted: Thu Sep 25, 2008 11:58 pm Post subject: Security on MQ for z/OS
Centurion, Joined: 07 Aug 2007, Posts: 146, Location: Florence, Italy
Hello,
I have MQ for z/OS (v 6.0).
I use WebSphere MQ Explorer too... to configure my MQ on z/OS, display queues and so on.
How can I restrict access to my MQ on z/OS from MQ Explorer?
It happened here that a person modified the configuration of MQ on z/OS from MQ Explorer, but they should not have been able to do it.
Thank you all
Ciao
Giuliano
Mr Butcher
Posted: Fri Sep 26, 2008 1:59 am Post subject:
Padawan, Joined: 23 May 2005, Posts: 1716
What is the put authority and the MCA user ID setting of the SVRCONN channel on z/OS that you use to connect to?
Regards, Butcher
giuly020277
Posted: Fri Sep 26, 2008 2:09 am Post subject:
Centurion, Joined: 07 Aug 2007, Posts: 146, Location: Florence, Italy
...in the xxxxMSTR log I have found:
CHANNEL(SYSTEM.ADMIN.SVRCONN)
CHLTYPE(SVRCONN)
QSGDISP(QMGR)
TRPTYPE(TCP)
DESCR( )
DISCINT(0)
SCYEXIT( )
SCYDATA( )
SENDEXIT( )
SENDDATA( )
RCVEXIT( )
RCVDATA( )
PUTAUT(DEF)
KAINT(AUTO)
MONCHL(QMGR)
ALTDATE(2007-12-03)
ALTTIME(15.48.26)
SSLCAUTH(REQUIRED)
SSLCIPH( )
SSLPEER( )
MCAUSER( )
...and so on...
mqjeff
Posted: Fri Sep 26, 2008 3:06 am Post subject:
Grand Master, Joined: 25 Jun 2008, Posts: 17447
What does MCAUSER do? How could it help in this situation?
Mr Butcher
Posted: Fri Sep 26, 2008 3:06 am Post subject:
Padawan, Joined: 23 May 2005, Posts: 1716
From the MQSC manual:
MCAUSER(string) Message channel agent user identifier. If it is nonblank, it is the user identifier that is to be used by the message channel agent for authorization to access WebSphere MQ resources, including (if PUTAUT is DEF) authorization to put the message to the destination queue for receiver or requester channels.
If it is blank, the message channel agent uses its default user identifier. The default user identifier is derived from the user ID that started the receiving channel. The possible values are:
- On z/OS, the user ID assigned to the channel-initiator started task by the z/OS started-procedures table.
.....
PUTAUT Specifies which user identifiers should be used to establish authority to put messages to the destination queue (for message channels) or to execute an MQI call (for MQI channels). DEF The default user ID is used. On z/OS this might involve using both the user ID received from the network and that derived from MCAUSER.
Not quite sure how MQ Explorer behaves with this one, but it looks to me that you either run with the CHINIT user ID or the user ID passed in the messages. You could verify that by checking the ICH* access control messages in the MSTR log.
You should also have a look at the security manual; how to secure SVRCONN channels has been discussed here a lot....
Regards, Butcher
PeterPotkay
Posted: Fri Sep 26, 2008 7:03 am Post subject:
Poobah, Joined: 15 May 2001, Posts: 7722
Giuliano,
As Mr. Butcher alluded to, you need to secure that SVRCONN channel. For any and all enabled incoming channels into your QM (RCVR, CLUSRCVR, SVRCONN) you need to have an MCAUSER >AND< SSL or an Exit.
The MCAUSER will be an ID that you grant specific rights to, to allow only the things you intend.
The SSL and/or Security Exit will ensure that only the people you intend can connect via that channel.
If you are serious about securing incoming connections you need to do both. If you just use SSL or an Exit, and leave MCAUSER blank, you restrict who can connect, but they can then do anything they want. Unless it's only your mum connecting, you can't trust them. If you have an MCAUSER coded in there that limits what can happen, but no SSL or Exit, you are allowing anyone and everyone to do only what you allow. Usually not bad, unless you allowed MQ Admin level access, or +alusr, in which case they can do whatever they want.
Peter Potkay
Keep Calm and MQ On
Last edited by PeterPotkay on Mon Sep 29, 2008 4:56 am; edited 1 time in total
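As an added example (not from the thread or from IBM's documentation), the MQSC below puts the SVRCONN as displayed earlier in the thread next to a definition that applies both controls Peter describes: a pinned low-privilege MCAUSER and TLS with client authentication and a peer check. The channel name is the one from the post; the RACF ID MQXPLRID, the CipherSpec and the SSLPEER distinguished name are assumptions to replace with local values.

```mqsc
* Added example, not from the thread. Channel name is from the post;
* MQXPLRID, the CipherSpec and the SSLPEER DN are assumptions.

* Weak (as displayed in the thread): MCAUSER blank, SSLCIPH blank.
* Anyone who can reach the listener connects, and the MCA runs under
* the default user ID (on z/OS, the CHINIT started-task ID, which is
* usually administrative). SSLCAUTH(REQUIRED) has no effect here,
* because no CipherSpec means no TLS handshake at all.
DEFINE CHANNEL(SYSTEM.ADMIN.SVRCONN) CHLTYPE(SVRCONN) TRPTYPE(TCP) +
       MCAUSER(' ') SSLCIPH(' ') SSLPEER(' ') SSLCAUTH(REQUIRED) +
       REPLACE

* Hardened: the channel always runs as MQXPLRID, whatever user ID the
* client sends; TLS is mandatory with a client certificate; and only a
* certificate whose subject matches SSLPEER may connect.
ALTER CHANNEL(SYSTEM.ADMIN.SVRCONN) CHLTYPE(SVRCONN) +
      MCAUSER('MQXPLRID') +
      SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA) +
      SSLCAUTH(REQUIRED) +
      SSLPEER('CN=MQ Admin Workstation,O=Example Corp')

* Verify what the queue manager now holds for the channel.
DISPLAY CHANNEL(SYSTEM.ADMIN.SVRCONN) MCAUSER SSLCIPH SSLCAUTH SSLPEER
```

What MQXPLRID is allowed to do is granted in RACF (MQCMDS, MQQUEUE and MQADMIN class profiles), not in MQSC; that is where the "only what you allow" part is enforced, and where a DISPLAY-only profile set keeps MQ Explorer from altering objects.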
zhanghz
Posted: Mon Sep 29, 2008 1:04 am Post subject:
Disciple, Joined: 17 Jun 2008, Posts: 186
It seems to me that the ID that person is using has access to your z/OS QMGR objects (because otherwise he/she would not be able to modify anything, given that the MCAUSER is blank and PUTAUT is DEF).
So, my guess is that you either educate that person not to change anything without notice, or you remove his/her access to the z/OS QMGR objects...
zpat
Posted: Mon Sep 29, 2008 1:32 am Post subject:
Jedi Council, Joined: 19 May 2001, Posts: 5866, Location: UK
Check out the effect of RESLEVEL on z/OS as well.