sapna |
Posted: Tue Oct 14, 2008 2:19 am Post subject: Authenticating the sending party |
|
|
Novice
Joined: 14 Oct 2008 Posts: 10
|
Hi,
Whenever we receive any messages from the remote end, the only requirement for receiving messages is that the receiver channel name on our end should be the same as the other end's sender party and should contain our IP and listener port. Do we have anything else to authenticate the sending end?
Thanks in Advance,
Sapna  |
|
exerk |
Posted: Tue Oct 14, 2008 2:23 am Post subject: |
|
|
 Jedi Council
Joined: 02 Nov 2006 Posts: 6339
|
Yes...SSL _________________ It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
|
sapna |
Posted: Tue Oct 14, 2008 2:29 am Post subject: |
|
|
Novice
Joined: 14 Oct 2008 Posts: 10
|
Thanks for the response. I also wanted to know if this requires only configuration changes or do we need to code anything.
Sapna  |
|
Gaya3 |
Posted: Tue Oct 14, 2008 2:33 am Post subject: |
|
|
 Jedi
Joined: 12 Sep 2006 Posts: 2493 Location: Boston, US
|
It will be good if you go through the MQ Security PDF; it gives intensive information about this. _________________ Regards
Gayathri
-----------------------------------------------
Do Something Before you Die |
|
exerk |
Posted: Tue Oct 14, 2008 2:38 am Post subject: |
|
|
 Jedi Council
Joined: 02 Nov 2006 Posts: 6339
|
Not sure what you mean by configuration changes - unless you mean changes to the queue manager key store and channel attributes - no coding required. Look through the Security manual for full details - the Info Center link is at the top of the page. _________________ It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
|
sapna |
Posted: Tue Oct 14, 2008 3:04 am Post subject: |
|
|
Novice
Joined: 14 Oct 2008 Posts: 10
|
Ok. Thank you. I will explore the topics.
Sapna  |
|
RogerLacroix |
Posted: Tue Oct 14, 2008 8:22 pm Post subject: |
|
|
 Jedi Knight
Joined: 15 May 2001 Posts: 3264 Location: London, ON Canada
|
Hi,
The MQ Security manual will discuss 2 solutions: SSL and Security Exits.
A simple search will turn up that there are three 3rd party security products (security exits):
- Capitalware's MQ Authenticate User Security Exit
- IBM's WebSphere MQ Extended Security Edition
- Primeur's Data Secure for WebSphere MQ
Regards,
Roger Lacroix
Capitalware Inc. _________________ Capitalware: Transforming tomorrow into today.
Connected to MQ!
Twitter |
|
sapna |
Posted: Thu Oct 16, 2008 2:07 am Post subject: |
|
|
Novice
Joined: 14 Oct 2008 Posts: 10
|
Hi,
These features authenticate each and every message that comes through the channel. Is there any feature that authenticates the other end only once (e.g. when the two queue managers come up)?
Regards,
Sapna |
|
exerk |
Posted: Thu Oct 16, 2008 2:28 am Post subject: |
|
|
 Jedi Council
Joined: 02 Nov 2006 Posts: 6339
|
With the appropriate cipher spec. _________________ It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
Last edited by exerk on Thu Oct 16, 2008 2:43 am; edited 1 time in total |
|
sapna |
Posted: Thu Oct 16, 2008 2:33 am Post subject: |
|
|
Novice
Joined: 14 Oct 2008 Posts: 10
|
I was under the impression SSL authenticates each and every message  |
|
ranganathan |
Posted: Thu Oct 16, 2008 5:03 am Post subject: |
|
|
 Centurion
Joined: 03 Jul 2008 Posts: 104
|
SSL authenticates once (during the handshake) before data transfer, and if the client authentication is successful then the data transfer begins and will be encrypted... (please search for SSL configuration in this forum; you will get a good deal of info)
If you want the QM --> QM communication to be properly authenticated and the data transfer to be encrypted, then use SSL with a proper CIPHERSPEC..
If just authentication is required, you can create a user (with appropriate permissions for MQ objects) and use MCAUSER attribute of the channel. The OAM (Object Authority Manager) will take care of the rest.
Please explore the Info Center and the Security manual... you will get a lot of details... |
|
exerk |
Posted: Thu Oct 16, 2008 5:13 am Post subject: |
|
|
 Jedi Council
Joined: 02 Nov 2006 Posts: 6339
|
ranganathan wrote: |
...If just authentication is required, you can create a user (with appropriate permissions for MQ objects) and use MCAUSER attribute of the channel. The OAM (Object Authority Manager) will take care of the rest... |
This is NOT authentication! All this will do is limit the access to objects within the receiving queue manager, it will NOT provide any method of proving that the sending party is who they say they are!
SSL with NULL_MD5 or NULL_SHA will provide authentication without encryption, and SSLPEER will provide filtering. _________________ It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
|
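The distinction drawn in the posts above, shown as an added MQSC example that is not part of the original thread: MCAUSER alone only sets the identity used for authority checks, while SSLCIPH, SSLCAUTH and SSLPEER make the receiver verify the sender's certificate once, during the handshake. The channel name, user ID and distinguished names are constructed placeholders.

```mqsc
* Constructed placeholders: channel QM1.TO.QM2, user mqrcvr, DN values.

* --- Authorization only (receiving queue manager, QM2) ---------------
* MCAUSER fixes the user ID the OAM checks for inbound messages.
* It does not prove who started the channel: any sender that knows the
* channel name, host and listener port can still connect.
DEFINE CHANNEL('QM1.TO.QM2') CHLTYPE(RCVR) TRPTYPE(TCP) +
       MCAUSER('mqrcvr') REPLACE

* --- Authentication added (receiving queue manager, QM2) -------------
* SSLCIPH(NULL_SHA)  : SSL handshake and integrity hash, no encryption.
* SSLCAUTH(REQUIRED) : the sending side must present a certificate.
* SSLPEER            : accept only a certificate whose DN matches.
* MCAUSER            : still limits what the authenticated peer can do.
ALTER CHANNEL('QM1.TO.QM2') CHLTYPE(RCVR) +
      SSLCIPH(NULL_SHA) +
      SSLCAUTH(REQUIRED) +
      SSLPEER('CN=QM1,O=Example Corp') +
      MCAUSER('mqrcvr')

* --- Matching sender definition (sending queue manager, QM1) ---------
* Both ends must name the same CipherSpec or the channel will not start.
* SSLPEER here makes the sender check the receiver's certificate too.
ALTER CHANNEL('QM1.TO.QM2') CHLTYPE(SDR) +
      SSLCIPH(NULL_SHA) +
      SSLPEER('CN=QM2,O=Example Corp')

* Run on each queue manager after changing its key repository.
REFRESH SECURITY TYPE(SSL)

* Check on QM2 once the channel is running: shows the DN of the
* certificate the remote end actually presented.
DISPLAY CHSTATUS('QM1.TO.QM2') SSLPEER
```

Swapping NULL_SHA for an encrypting CipherSpec on both ends keeps the same once-per-handshake authentication and adds confidentiality for the message data.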
ranganathan |
Posted: Thu Oct 16, 2008 5:19 am Post subject: |
|
|
 Centurion
Joined: 03 Jul 2008 Posts: 104
|
Quote: |
This is NOT authentication! All this will do is limit the access to objects within the receiving queue manager, it will NOT provide any method of proving that the sending party is who they say they are!
SSL with NULL_MD5 or NULL_SHA will provide authentication without encryption, and SSLPEER will provide filtering. |
Sorry... I guess I used the wrong term (Authentication).
What I wanted to convey is.. if we want to restrict users who can connect to our QM and access our MQ objects (authority) we can do that using MCAUSER.. |
|
exerk |
Posted: Thu Oct 16, 2008 5:54 am Post subject: |
|
|
 Jedi Council
Joined: 02 Nov 2006 Posts: 6339
|
ranganathan wrote: |
...What i wanted to convey is.. if we want to restrict users who can connect to our QM and access our mq objects (authority) we can do that using MCAUSER... |
Again - this will NOT restrict who can connect, only limit what they can do when they do connect. _________________ It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
|
ranganathan |
Posted: Thu Oct 16, 2008 6:13 am Post subject: |
|
|
 Centurion
Joined: 03 Jul 2008 Posts: 104
|
exerk wrote: |
ranganathan wrote: |
...What i wanted to convey is.. if we want to restrict users who can connect to our QM and access our mq objects (authority) we can do that using MCAUSER... |
Again - this will NOT restrict who can connect, only limit what they can do when they do connect. |
This is how I understood this..
What if the user connects with a different username other than the one that is mentioned as MCAUSER?
Will it not restrict.. correct me if I'm wrong.. |
|