rammer
Posted: Tue May 28, 2013 10:14 am Post subject: MQ / Message Broker Security
Partisan
Joined: 02 May 2002 Posts: 359 Location: England
Hi All,
First of all I have to say I know little about Message Broker. I have read and read the info centre around security with MQ and cannot make what is stated in the documentation around security work.
In the info centre it quotes what permissions are needed for Broker queues, yet they do not appear to work, and also what you see below from dspmqaut does not match.
Environment: MB 8.0.1, MQ 7.5.0.1
The Message Broker user id is part of the mqm group and they have created an instance of Message Broker.
I then wanted to lock down some of the actions that they could do.
Part 1 was to look at tying down the SYSTEM.BKR.CONFIG channel that is created at build time.
I did remove the message broker id from the mqm group and added the group mqbrkrs to the mcauser of the above channel, which also hosted the id that the broker team had put into the mqm group.
This still allows users to connect via the toolkit, deploy, and also via the Message Broker Explorer they can view queues, put messages, remove messages etc., which is what I was not wanting; this is from all queues.
Looking at the permissions of mqbrkrs this is what has been set at build time.
setmqaut -m MQBRKSYS1 -n SYSTEM.BKR.CONFIG -t channel -g mqbrkrs +chg +dlt +dsp +ctrl +ctrlx
setmqaut -m MQBRKSYS1 -n SYSTEM.BROKER.MODEL.QUEUE -t queue -g mqbrkrs +browse +get +inq +passall +passid +put +set +setall +setid +chg +clr +dlt +dsp
setmqaut -m MQBRKSYS1 -n SYSTEM.BROKER.CD.MODEL -t queue -g mqbrkrs +browse +get +inq +passall +passid +put +set +setall +setid +chg +clr +dlt +dsp
setmqaut -m MQBRKSYS1 -n SYSTEM.BROKER.FTE.MODEL -t queue -g mqbrkrs +browse +get +inq +passall +passid +put +set +setall +setid +chg +clr +dlt +dsp
setmqaut -m MQBRKSYS1 -n SYSTEM.DEFAULT.MODEL.QUEUE -t queue -g mqbrkrs +browse +get +inq +passall +passid +put +set +setall +chg +dsp
setmqaut -m MQBRKSYS1 -n SYSTEM.SELECTION.EVALUATION.QUEUE -t queue -g mqbrkrs +browse +get +inq +passall +passid +put +set +setall +chg +dsp
setmqaut -m MQBRKSYS1 -n SYSTEM.SELECTION.VALIDATION.QUEUE -t queue -g mqbrkrs +browse +get +inq +passall +passid +put +set +setall +chg +dsp
setmqaut -m MQBRKSYS1 -n SYSTEM.INTERNAL.REPLY.QUEUE -t queue -g mqbrkrs +browse +get +inq +passall +passid +put +set +setall +chg +dsp
setmqaut -m MQBRKSYS1 -n SYSTEM.BROKER.MB.TOPIC -t topic -g mqbrkrs +passall +passid +setall +setid +chg +clr +dlt +dsp +ctrl +pub +sub +resume
setmqaut -m MQBRKSYS1 -n SYSTEM.ADMIN.COMMAND.QUEUE -t queue -g mqbrkrs +browse +get +inq +passall +passid +put +set +setall +chg +dsp
setmqaut -m MQBRKSYS1 -n SYSTEM.BROKER.AUTH.TEST2 -t queue -g mqbrkrs +browse +get +inq +passall +passid +put +set +setall +setid +chg +clr +dlt +dsp
setmqaut -m MQBRKSYS1 -n SYSTEM.BROKER.AUTH.TEST4 -t queue -g mqbrkrs +browse +get +inq +passall +passid +put +set +setall +setid +chg +clr +dlt +dsp
setmqaut -m MQBRKSYS1 -t qmgr -g mqbrkrs +altusr +connect +inq +setall +chg +dsp +system
setmqaut -m MQBRKSYS1 -n SYSTEM.BROKER.ADAPTER.FAILED -t queue -g mqbrkrs +browse +get +inq +passall +passid +put +set +setall +setid +chg +clr +dlt +dsp
setmqaut -m MQBRKSYS1 -n SYSTEM.BROKER.ADAPTER.INPROGRESS -t queue -g mqbrkrs +browse +get +inq +passall +passid +put +set +setall +setid +chg +clr +dlt +dsp
setmqaut -m MQBRKSYS1 -n SYSTEM.BROKER.ADAPTER.NEW -t queue -g mqbrkrs +browse +get +inq +passall +passid +put +set +setall +setid +chg +clr +dlt +dsp
setmqaut -m MQBRKSYS1 -n SYSTEM.BROKER.ADAPTER.PROCESSED -t queue -g mqbrkrs +browse +get +inq +passall +passid +put +set +setall +setid +chg +clr +dlt +dsp
setmqaut -m MQBRKSYS1 -n SYSTEM.BROKER.ADAPTER.UNKNOWN -t queue -g mqbrkrs +browse +get +inq +passall +passid +put +set +setall +setid +chg +clr +dlt +dsp
setmqaut -m MQBRKSYS1 -n SYSTEM.BROKER.ADMIN.QUEUE -t queue -g mqbrkrs +browse +get +inq +passall +passid +put +set +setall +setid +chg +clr +dlt +dsp
setmqaut -m MQBRKSYS1 -n SYSTEM.BROKER.ADMIN.REPLYTODM -t queue -g mqbrkrs +browse +get +inq +passall +passid +put +set +setall +setid +chg +clr +dlt +dsp
setmqaut -m MQBRKSYS1 -n SYSTEM.BROKER.AGGR.CONTROL -t queue -g mqbrkrs +browse +get +inq +passall +passid +put +set +setall +setid +chg +clr +dlt +dsp
setmqaut -m MQBRKSYS1 -n SYSTEM.BROKER.AGGR.REPLY -t queue -g mqbrkrs +browse +get +inq +passall +passid +put +set +setall +setid +chg +clr +dlt +dsp
setmqaut -m MQBRKSYS1 -n SYSTEM.BROKER.AGGR.REQUEST -t queue -g mqbrkrs +browse +get +inq +passall +passid +put +set +setall +setid +chg +clr +dlt +dsp
setmqaut -m MQBRKSYS1 -n SYSTEM.BROKER.AGGR.TIMEOUT -t queue -g mqbrkrs +browse +get +inq +passall +passid +put +set +setall +setid +chg +clr +dlt +dsp
setmqaut -m MQBRKSYS1 -n SYSTEM.BROKER.AGGR.UNKNOWN -t queue -g mqbrkrs +browse +get +inq +passall +passid +put +set +setall +setid +chg +clr +dlt +dsp
setmqaut -m MQBRKSYS1 -n SYSTEM.BROKER.AUTH -t queue -g mqbrkrs +browse +get +inq +passall +passid +put +set +setall +setid +chg +clr +dlt +dsp
setmqaut -m MQBRKSYS1 -n SYSTEM.BROKER.AUTH.TEST1 -t queue -g mqbrkrs +browse +get +inq +passall +passid +put +set +setall +setid +chg +clr +dlt +dsp
setmqaut -m MQBRKSYS1 -n SYSTEM.BROKER.DC.AUTH -t queue -g mqbrkrs +browse +get +inq +passall +passid +put +set +setall +setid +chg +clr +dlt +dsp
setmqaut -m MQBRKSYS1 -n SYSTEM.BROKER.DC.BACKOUT -t queue -g mqbrkrs +browse +get +inq +passall +passid +put +set +setall +setid +chg +clr +dlt +dsp
setmqaut -m MQBRKSYS1 -n SYSTEM.BROKER.DC.RECORD -t queue -g mqbrkrs +browse +get +inq +passall +passid +put +set +setall +setid +chg +clr +dlt +dsp
setmqaut -m MQBRKSYS1 -n SYSTEM.BROKER.DEPLOY.QUEUE -t queue -g mqbrkrs +browse +get +inq +passall +passid +put +set +setall +setid +chg +clr +dlt +dsp
setmqaut -m MQBRKSYS1 -n SYSTEM.BROKER.DEPLOY.REPLY -t queue -g mqbrkrs +browse +get +inq +passall +passid +put +set +setall +setid +chg +clr +dlt +dsp
setmqaut -m MQBRKSYS1 -n SYSTEM.BROKER.EDA.COLLECTIONS -t queue -g mqbrkrs +browse +get +inq +passall +passid +put +set +setall +setid +chg +clr +dlt +dsp
setmqaut -m MQBRKSYS1 -n SYSTEM.BROKER.EDA.EVENTS -t queue -g mqbrkrs +browse +get +inq +passall +passid +put +set +setall +setid +chg +clr +dlt +dsp
setmqaut -m MQBRKSYS1 -n SYSTEM.BROKER.EXECUTIONGROUP.QUEUE -t queue -g mqbrkrs +browse +get +inq +passall +passid +put +set +setall +setid +chg +clr +dlt +dsp
setmqaut -m MQBRKSYS1 -n SYSTEM.BROKER.EXECUTIONGROUP.REPLY -t queue -g mqbrkrs +browse +get +inq +passall +passid +put +set +setall +setid +chg +clr +dlt +dsp
setmqaut -m MQBRKSYS1 -n SYSTEM.BROKER.SEQ.EXPIRY -t queue -g mqbrkrs +browse +get +inq +passall +passid +put +set +setall +setid +chg +clr +dlt +dsp
setmqaut -m MQBRKSYS1 -n SYSTEM.BROKER.SEQ.GROUP -t queue -g mqbrkrs +browse +get +inq +passall +passid +put +set +setall +setid +chg +clr +dlt +dsp
setmqaut -m MQBRKSYS1 -n SYSTEM.BROKER.SEQ.NUMBER -t queue -g mqbrkrs +browse +get +inq +passall +passid +put +set +setall +setid +chg +clr +dlt +dsp
setmqaut -m MQBRKSYS1 -n SYSTEM.BROKER.TIMEOUT.QUEUE -t queue -g mqbrkrs +browse +get +inq +passall +passid +put +set +setall +setid +chg +clr +dlt +dsp
setmqaut -m MQBRKSYS1 -n SYSTEM.BROKER.WS.ACK -t queue -g mqbrkrs +browse +get +inq +passall +passid +put +set +setall +setid +chg +clr +dlt +dsp
setmqaut -m MQBRKSYS1 -n SYSTEM.BROKER.WS.INPUT -t queue -g mqbrkrs +browse +get +inq +passall +passid +put +set +setall +setid +chg +clr +dlt +dsp
setmqaut -m MQBRKSYS1 -n SYSTEM.BROKER.WS.REPLY -t queue -g mqbrkrs +browse +get +inq +passall +passid +put +set +setall +setid +chg +clr +dlt +dsp
setmqaut -m MQBRKSYS1 -n SYSTEM.BROKER.AUTH.TEST3 -t queue -g mqbrkrs +browse +get +inq +passall +passid +put +set +setall +setid +chg +clr +dlt +dsp
I am unsure how the above allows them to view and modify non-SYSTEM.BROKER queues?
As I mentioned I have read the info centre for Broker and MQ, and also the new Redbook on MQ Security, and for some reason my head is not computing at all.
What security have you put in place to allow Message Broker people only the required access they need? My target for required access is to deny the ability to put/get and modify queues and queue manager objects. In terms of deploy and remove from Message Broker, that is acceptable (I think).
Sorry for the ramble, but I'm fed up getting nowhere at present.
Thank you in advance
Vitor
Posted: Tue May 28, 2013 10:30 am Post subject: Re: MQ / Message Broker Security
Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
rammer wrote:
I did remove the message broker id from the mqm group and added the group mqbrkrs to the mcauser of the above channel, which also hosted the id that the broker team had put into the mqm group.
So are the broker processes / ids using mqbrkrs or some other id to run the WMB processes?
rammer wrote:
This still allows users to connect via the toolkit, deploy, and also via the Message Broker Explorer they can view queues, put messages, remove messages etc., which is what I was not wanting; this is from all queues.
And you're sure there's not a generic profile somewhere allowing this? For an id other than mqbrkrs which they're actually using?
rammer wrote:
What security have you put in place to allow Message Broker people only the required access they need? My target for required access is to deny the ability to put/get and modify queues and queue manager objects. In terms of deploy and remove from Message Broker, that is acceptable (I think).
Good luck with that. The MQ team here have tried exactly the same thing and are sick of me calling them, putting in requests and generally annoying them about a) my inability to administer the broker (I can't create the SYSTEM.BROKER.AUTH.** queue associated with a new execution group) or b) the 2035s I get from either an application queue a flow is trying to use or a SYSTEM.BROKER object one of the inbuilt functions is trying to get to with a permission it's not allowed.
Noble sentiments, but kinda fiddly on the ground.
(WMBv7.0.0.3, WMQv7.0.1.7)
_________________
Honesty is the best policy.
Insanity is the best defence.
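Added example, not part of any post in this thread: a small audit script for the kind of setmqaut dump rammer pasted above and for Vitor's question about a generic profile. It reads lines in the shape amqoamd -s emits and reports wildcard profiles, queue-manager-level rights beyond +connect/+inq/+dsp, and non-SYSTEM objects that carry put/get/alter rights. Two things it cannot check for you: members of the mqm group get full authority from the OAM regardless of these records, and it only sees what you feed it, so run it on the complete amqoamd -m MQBRKSYS1 -s output rather than a partial paste. The input in mq_audit_sample is constructed: three lines copied from the dump above plus one hypothetical wildcard grant to a group called developers, added only to show what such a profile looks like in the report.

```shell
#!/bin/sh
# Added example, not from the thread: audit "setmqaut" lines of the shape
# amqoamd -s emits (the same shape as the dump above). Findings, one per line:
#   GENERIC   <entity> <type> <profile>     wildcard profile (* or **)
#   QMGR-PRIV <entity> <auths>              qmgr-level rights beyond +connect/+inq/+dsp
#   APPOBJ    <entity> <type> <name> <auths> non-SYSTEM object with put/get/alter rights
# Not covered: members of the mqm group, who get everything from the OAM
# whatever these records say.
mq_audit_auths() {
  awk -v q="'" '
  $1 == "setmqaut" {
    name = ""; type = ""; ent = ""; auths = ""
    for (i = 2; i <= NF; i++) {
      if      ($i == "-m") { i++ }                         # queue manager name: not needed
      else if ($i == "-n") { name = $(i + 1); i++ }
      else if ($i == "-t") { type = $(i + 1); i++ }
      else if ($i == "-g") { ent = "group:" $(i + 1); i++ }
      else if ($i == "-p") { ent = "user:" $(i + 1); i++ }
      else if (substr($i, 1, 1) == "+") auths = auths " " $i
    }
    # profile names may be quoted in the dump; strip one pair of single quotes
    if (substr(name, 1, 1) == q) name = substr(name, 2, length(name) - 2)

    if (type == "qmgr") {
      # rights that alter the queue manager, create objects or assert another id
      risky = ""
      n = split(auths, a, " ")
      for (j = 1; j <= n; j++)
        if (a[j] ~ /^\+(altusr|setall|setid|set|system|chg|crt|dlt|ctrl|ctrlx)$/) risky = risky " " a[j]
      if (risky != "") print "QMGR-PRIV " ent risky
    } else if (index(name, "*") > 0) {
      print "GENERIC " ent " " type " " name
    } else if (substr(name, 1, 7) != "SYSTEM." && auths ~ /\+(put|get|browse|set|setall|setid|chg|dlt|clr)( |$)/) {
      print "APPOBJ " ent " " type " " name auths
    }
  }'
}

# Constructed sample: three lines copied from the dump in the first post plus
# one hypothetical wildcard grant to a group "developers" (not in the thread).
mq_audit_sample() {
  mq_audit_auths <<'EOF'
setmqaut -m MQBRKSYS1 -n SYSTEM.BKR.CONFIG -t channel -g mqbrkrs +chg +dlt +dsp +ctrl +ctrlx
setmqaut -m MQBRKSYS1 -t qmgr -g mqbrkrs +altusr +connect +inq +setall +chg +dsp +system
setmqaut -m MQBRKSYS1 -n SYSTEM.BROKER.DEPLOY.QUEUE -t queue -g mqbrkrs +browse +get +inq +passall +passid +put +set +setall +setid +chg +clr +dlt +dsp
setmqaut -m MQBRKSYS1 -n '**' -t queue -g developers +browse +get +put +inq +dsp
EOF
}

# Real use:  amqoamd -m MQBRKSYS1 -s | mq_audit_auths
if [ "${1:-}" = "--sample" ]; then mq_audit_sample; fi
```

Run with --sample to see the two findings the sample produces. For the full dump in the first post the only queue-manager-level finding is +altusr +setall +chg +system for mqbrkrs; +altusr is the one to look at first, since it allows a connection under that group to open objects with an alternate user id, which undoes any per-user granting done elsewhere.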
rammer
Posted: Tue May 28, 2013 10:39 am Post subject: Re: MQ / Message Broker Security
Partisan
Joined: 02 May 2002 Posts: 359 Location: England
rammer wrote:
I did remove the message broker id from the mqm group and added the group mqbrkrs to the mcauser of the above channel, which also hosted the id that the broker team had put into the mqm group.
Vitor wrote:
So are the broker processes / ids using mqbrkrs or some other id to run the WMB processes?
They are using an id within the mqbrkrs group; it was also in the mqm group at the time they built the message broker.
rammer wrote:
This still allows users to connect via the toolkit, deploy, and also via the Message Broker Explorer they can view queues, put messages, remove messages etc., which is what I was not wanting; this is from all queues.
Vitor wrote:
And you're sure there's not a generic profile somewhere allowing this? For an id other than mqbrkrs which they're actually using?
Not that I am aware of. This is a queue manager I have just built using mqm; the next step was to build the message broker. Looking through the authorities for everything using amqoamd, all I can see is mqm and mqbrkrs.
rammer wrote:
What security have you put in place to allow Message Broker people only the required access they need? My target for required access is to deny the ability to put/get and modify queues and queue manager objects. In terms of deploy and remove from Message Broker, that is acceptable (I think).
Vitor wrote:
Good luck with that. The MQ team here have tried exactly the same thing and are sick of me calling them, putting in requests and generally annoying them about a) my inability to administer the broker (I can't create the SYSTEM.BROKER.AUTH.** queue associated with a new execution group) or b) the 2035s I get from either an application queue a flow is trying to use or a SYSTEM.BROKER object one of the inbuilt functions is trying to get to with a permission it's not allowed.
Sounds familiar. I was looking to add SSL and only provide a certificate to the required message broker team, but I cannot see how that is secure either, in that I am sure people can share out the certificate. This may be me, as I have not got a full grasp of security yet, but there seems to be a big gap when message broker comes into play.
Vitor
Posted: Tue May 28, 2013 12:35 pm Post subject: Re: MQ / Message Broker Security
Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
rammer wrote:
They are using an id within the mqbrkrs group; it was also in the mqm group at the time they built the message broker.
Depending on which OS you're on this can make a difference.
rammer wrote:
Not that I am aware of. This is a queue manager I have just built using mqm; the next step was to build the message broker. Looking through the authorities for everything using amqoamd, all I can see is mqm and mqbrkrs.
Again, this is OS specific.
rammer wrote:
This may be me, as I have not got a full grasp of security yet, but there seems to be a big gap when message broker comes into play.
That's not entirely unfair. WMB often runs as an extension of the queue manager and is administered by the same team. It's a bit fiddly trying to separate the two, I've found.
With luck, someone will post a brilliant idea in a moment that will help both of us.
_________________
Honesty is the best policy.
Insanity is the best defence.
rammer
Posted: Tue May 28, 2013 11:56 pm Post subject: Re: MQ / Message Broker Security
Partisan
Joined: 02 May 2002 Posts: 359 Location: England
Vitor wrote:
That's not entirely unfair. WMB often runs as an extension of the queue manager and is administered by the same team. It's a bit fiddly trying to separate the two, I've found.
With luck, someone will post a brilliant idea in a moment that will help both of us.
I agree that MB is probably supported in most cases by the MQ team. But how about from a developer's perspective? From what I can tell, they use the Toolkit for connecting to MB and also the MB Explorer installed at the same time, and if the channel is enabled then they have full rights to the queue manager? However, let me remind you I have little knowledge of MB, only what I have been trying to read through on the Info Centres.
Thank you
zpat
Posted: Wed May 29, 2013 12:25 am
Jedi Council
Joined: 19 May 2001 Posts: 5866 Location: UK
Do not set the MCAUSER of this channel (or set it to a dummy user).
Allow it to inherit the desktop userid from the toolkit (block mqm and other super users with channel auth rules or BlockIP rules).
Grant that id appropriate access based on their group membership (creating suitable groups as needed). I use generic MQ setmqaut profiles for this.
WMB is perfectly secure from the toolkit perspective, providing you do not override all controls by forcing a powerful id onto the channel.
rammer
Posted: Wed May 29, 2013 12:32 am
Partisan
Joined: 02 May 2002 Posts: 359 Location: England
zpat wrote:
Allow it to inherit the desktop userid from the toolkit (block mqm and other super users with channel auth rules or BlockIP rules).
Morning zpat, thanks for the response. I was looking to use user ids from the Windows servers that they would be connecting in from, but I read somewhere in the info centre that they cannot be over 8 characters long? Maybe I misread that? (MB is on AIX.)
I then went to look at using chlauth within 7.5 but could not see where it would allow by username, just block by username. Perhaps BlockIP2 would help.
Thank you
zpat
Posted: Wed May 29, 2013 12:47 am
Jedi Council
Joined: 19 May 2001 Posts: 5866 Location: UK
I believe that MQ on AIX will see the first 12 characters (folded to lower case). So you can define AIX local ids with these names.
Alternatively use CHLAUTH mapping or BlockIP mapping to convert to whatever AIX ids you want to use.
Putting BlockIP2 in logging mode is the first step to seeing what's going on. Use a parameter file like this one.
Code:
# SCYEXIT('BlockIP2(BlockExit)') SCYDATA('FN=/var/mqm/exits64/ALL.trc;')
#
# Just display what's coming through without changing it
#
LogPath=/var/mqm/exits64;
LogFormat=N;
LogCount=8;
BlockMqmUsers=N;
AllowBlankUserID=Y;
LogFileName=ALL_TRC-;
#
# -- END
rammer
Posted: Wed May 29, 2013 1:11 am
Partisan
Joined: 02 May 2002 Posts: 359 Location: England
Thanks for the response zpat.
The limit of 8 was from the Message Broker manual, and I believe my Unix team told me the same.
• On Windows systems, user IDs can be up to 12 characters long, but on Linux, UNIX, and z/OS® systems, they are restricted to eight characters
Although I am unsure of the Windows quote of 12, as my user name is 15 characters.
I'll have a look at the other information you posted tomorrow; as of now it's time to hit the road to the smoke to see England tonight. (I would rather be working than going to watch them tonight!)
zpat
Posted: Wed May 29, 2013 1:58 am
Jedi Council
Joined: 19 May 2001 Posts: 5866 Location: UK
OK, map to 8 character AIX ids then.
BlockIP will show what's coming through the channel.
Vitor
Posted: Wed May 29, 2013 4:22 am Post subject: Re: MQ / Message Broker Security
Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
rammer wrote:
From what I can tell, they use the Toolkit for connecting to MB and also the MB Explorer installed at the same time, and if the channel is enabled then they have full rights to the queue manager?
You wouldn't typically give MB Explorer to a developer. Everything they need to do on a day-to-day basis they can do through the Toolkit, and there's information in the InfoCenter to restrict deploy access and so forth.
Items needed by their code (configurable services and so forth) should still be done by an administrator.
_________________
Honesty is the best policy.
Insanity is the best defence.
zpat
Posted: Wed May 29, 2013 5:03 am
Jedi Council
Joined: 19 May 2001 Posts: 5866 Location: UK
MBX will be subject to the same security controls.
Set up the MQ security profiles to control it.
After all, anyone can download MBX if they want to.
rammer
Posted: Thu May 30, 2013 3:35 am
Partisan
Joined: 02 May 2002 Posts: 359 Location: England
Morning zpat,
Thank you for the constant replies.
The issue I have around MQ security for MB users is that I have tried everything that is documented in the MB Info Centre in terms of the authorities that users need, and it just does not seem to give the permissions required for deploying etc.
If you have enabled broker administration security, users require specific authority so that they can complete administration tasks.
The following table shows the list of actions that a user can perform, and the authorizations that you must set to allow them to complete these tasks when broker administrative security is enabled. The authority is required regardless of the way in which the user requests the action; from a CMP API application, the WebSphere® Message Broker Explorer, or the WebSphere Message Broker Toolkit.
Tasks Authorization Queue
Set broker properties Read and write >
http://publib.boulder.ibm.com/infocenter/wmbhelp/v8r0m0/topic/com.ibm.etools.mft.doc/bp43530_.htm
JosephGramig
Posted: Thu May 30, 2013 12:50 pm
Grand Master
Joined: 09 Feb 2006 Posts: 1244 Location: Gold Coast of Florida, USA
rammer,
The IDs coming from the Windows machines must also be exactly the same on the UNIX machine. If they don't exist, then they will be denied.
Next, if they do exist, then they must not be in the mqm group, as all IDs in that group are intentionally blocked for security reasons. In fact, it is a dang good idea that only mqm and the service ID for your brokers be in the mqm group. Use the sudo command to become mqm to do all WMQ maintenance (as in, don't do any of that as some other ID, as you will also get implicit permissions you probably aren't aware of).
Next, if they don't exist, use a channel auth rec to map the IDs to one that does exist with the correct permissions.
Last, try using the MQ client and amqsputc to verify permissions to the Qmgr and Queues. Then try to get the Toolkit or MBX to work.
An incremental approach will serve you well.
You know, I think I saw a wizard in the MQ Explorer that even did the grants for read-only access with that tool. Might start there.
rammer
Posted: Thu May 30, 2013 1:12 pm
Partisan
Joined: 02 May 2002 Posts: 359 Location: England
JosephGramig wrote:
rammer,
The IDs coming from the Windows machines must also be exactly the same on the UNIX machine. If they don't exist, then they will be denied.
The question here is that user ids from Windows machines are 15-plus characters; I believe on AIX we can only use up to 8 characters.
JosephGramig wrote:
Next, if they do exist, then they must not be in the mqm group, as all IDs in that group are intentionally blocked for security reasons. In fact, it is a dang good idea that only mqm and the service ID for your brokers be in the mqm group. Use the sudo command to become mqm to do all WMQ maintenance (as in, don't do any of that as some other ID, as you will also get implicit permissions you probably aren't aware of).
That is currently how I have it set up, although the MB id is also in there and the MB people can sudo to that and have access to runmqsc if they so wish to play.
JosephGramig wrote:
Next, if they don't exist, use a channel auth rec to map the IDs to one that does exist with the correct permissions.
I was thinking of looking into BlockIP2.
I was hoping to be able to test more today, but work has gone mad and now my electrics have gone, arghhhhh. And tomorrow I fly out early to California, so it won't be till Monday that I get time to do any more testing.
Oh, by the way, I like where you live; I also live in Derby, but Derby in the UK.