ASG
IBM
Zystems
Cressida
Icon
Netflexity
 
  MQSeries.net
Search  Search       Tech Exchange      Education      Certifications      Library      Info Center      SupportPacs      LinkedIn  Search  Search                                                                   FAQ  FAQ   Usergroups  Usergroups
 
Register  ::  Log in Log in to check your private messages
 
RSS Feed - WebSphere MQ Support RSS Feed - Message Broker Support

MQSeries.net Forum Index » General IBM MQ Support » Securing command server access (PCF commands)

Post new topic  Reply to topic
 Securing command server access (PCF commands) « View previous topic :: View next topic » 
Author Message
HenriqueS
PostPosted: Tue Oct 21, 2008 12:20 pm    Post subject: Securing command server access (PCF commands) Reply with quote

Master

Joined: 22 Sep 2006
Posts: 235
How can I make sure that only a legitimate application or at least a server will be able to send PCF messages to another server?

We have one application here that relies on some PCF commands, but it seems that any app that connects to a valid channel will be able to send commands.

Is there any authentication method for the PCF api?

Firewalling is the only way to go?
_________________
HenriqueS
Certified Websphere MQ 6.0 System Administrator
Back to top
View user's profile Send private message
bruce2359
PostPosted: Tue Oct 21, 2008 12:32 pm    Post subject: Reply with quote

Poobah

Joined: 05 Jan 2008
Posts: 9469
Location: US: west coast, almost. Otherwise, enroute.
For a start, here are several things to consider:

SYSTEM.ADMIN.COMMAND.QUEUE is the queue serviced by the command server application - the application that processes PCF and MQSC commands. Access to this queue should be authorized to MQM group only.

Channels need to have identities of their own (MCAUSER attribute) with authorities to application-related queues only.

I'm sure others will offer more ideas.
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
Back to top
View user's profile Send private message
fjb_saper
PostPosted: Wed Oct 22, 2008 12:53 am    Post subject: Reply with quote

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20756
Location: LI,NY
And to go with Roger's rant client channels should have an mcauser and SSL.
You can also allow other users to post to the pcf queue. However if they do not have the right authorization on the queue they want information on, or to manipulate, you should check what the outcome of the pcf command is. In other words test first and deploy later...

And make sure that granting put access to an xmitq in qmgr A does not give you mqm when putting pcf msgs to qmgr B's command queue.


_________________
MQ & Broker admin
Back to top
View user's profile Send private message Send e-mail
RogerLacroix
PostPosted: Thu Oct 23, 2008 7:21 pm    Post subject: Reply with quote

Jedi Knight

Joined: 15 May 2001
Posts: 3264
Location: London, ON Canada
fjb_saper wrote:
And to go with Roger's rant client channels should have an mcauser and SSL.

It usually goes "use a security solution (i.e. security exit) or use SSL".
Of course, I lean towards a security solution.


Regards,
Roger Lacroix
Capitalware Inc.
_________________
Capitalware: Transforming tomorrow into today.
Connected to MQ!
Twitter
Back to top
View user's profile Send private message Visit poster's website
Display posts from previous:   
Post new topic  Reply to topic Page 1 of 1

MQSeries.net Forum Index » General IBM MQ Support » Securing command server access (PCF commands)
Jump to:  



You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
Protected by Anti-Spam ACP
  
 


Theme by Dustin Baccetti
Powered by phpBB © 2001, 2002 phpBB Group

Copyright © MQSeries.net. All rights reserved.