| Author |
Message
|
| AkankshA |
 Posted: Tue Apr 14, 2009 8:30 pm Post subject: Is my MQ secure ? |
 |
|
Grand Master
Joined: 12 Jan 2006
Posts: 1494
Location: Singapore
|
Hi,
Ever since i was using MQ i was told that i should not have any of the svrconn channel with MCAUSER as mqm as that will make anyone to connect to my MQ server, but recently i figured that, if i want to keep my MQ completely secure from outside world, then i shall keep all SVRCONN channel's MCAUSER as NOBODY but how will my application connect then 
Ok, giving you a brief of what i di, while adding a remote queue manager to my mq explorer, i gave user id as mqm. when it prompted for password, i gave any junk value and i got connected. Now i can do anything with that remote queue manager.... create delete.. anything
so all i need is normal information which any client application would require and which i used to give out freelly and happily...
Isn't this a huge loophole in our so called MQ security
_________________
Cheers |
|
| Back to top |
|
 |
| exerk |
| Posted: Tue Apr 14, 2009 11:13 pm Post subject: |
|
|
Jedi Council
Joined: 02 Nov 2006
Posts: 6339
|
|
| Back to top |
|
|
| PeterPotkay |
| Posted: Wed Apr 15, 2009 5:42 am Post subject: |
|
|
Poobah
Joined: 15 May 2001
Posts: 7722
|
You give AppA a SVRCONN channel called APPA_CHANNEL. You make the MCAUSER of that channel APPA_ID. You use setmqaut to grant APPA_ID the minimum rights it needs. You install SSL or a Security Exit on APPA_CHANNEL to insure only AppA can use that channel.
Repeat for AppB.
Repeat for AppC.
.
.
.
Repeat for channels used by MQ Admin tools like MO71 and MQExplorer.
Then look at the other incoming channels like CLUSRCVRs and RCVRs, and secure them as well, so that people can't admin your QM remotely.
Any channels not meant to be used, like the SYSTEM.* ones, tag with a bogus ID, set the max message size to 1.
_________________
Peter Potkay
Keep Calm and MQ On |
|
| Back to top |
|
|
| bruce2359 |
| Posted: Wed Apr 15, 2009 5:54 am Post subject: |
|
|
Poobah
Joined: 05 Jan 2008
Posts: 9469
Location: US: west coast, almost. Otherwise, enroute.
|
| Quote: |
| set the max message size to 1 |
Devious, yet simple and elegant. I like it.
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live. |
|
| Back to top |
|
|
| AkankshA |
| Posted: Wed Apr 15, 2009 6:52 am Post subject: |
|
|
Grand Master
Joined: 12 Jan 2006
Posts: 1494
Location: Singapore
|
| PeterPotkay wrote: |
You give AppA a SVRCONN channel called APPA_CHANNEL. You make the MCAUSER of that channel APPA_ID. You use setmqaut to grant APPA_ID the minimum rights it needs. You install SSL or a Security Exit on APPA_CHANNEL to insure only AppA can use that channel.
Repeat for AppB.
Repeat for AppC.
.
.
.
Repeat for channels used by MQ Admin tools like MO71 and MQExplorer.
Then look at the other incoming channels like CLUSRCVRs and RCVRs, and secure them as well, so that people can't admin your QM remotely.
Any channels not meant to be used, like the SYSTEM.* ones, tag with a bogus ID, set the max message size to 1. |
sounds good but obviously i need to maintain application's id, n gotta create so many channels...
_________________
Cheers |
|
| Back to top |
|
|
| mqjeff |
| Posted: Wed Apr 15, 2009 6:53 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008
Posts: 17447
|
| AkankshA wrote: |
| sounds good but obviously i need to maintain application's id, n gotta create so many channels... |
The other choice is to leave your queue manager wide open to all hackers (and even worse, well meaning developers) who can reach the network address of any listener port. |
|
| Back to top |
|
|
| Sam Uppu |
| Posted: Wed Apr 15, 2009 7:15 am Post subject: |
|
|
Yatiri
Joined: 11 Nov 2008
Posts: 610
|
| PeterPotkay wrote: |
You give AppA a SVRCONN channel called APPA_CHANNEL. You make the MCAUSER of that channel APPA_ID. You use setmqaut to grant APPA_ID the minimum rights it needs. You install SSL or a Security Exit on APPA_CHANNEL to insure only AppA can use that channel.
Repeat for AppB.
Repeat for AppC.
.
.
.
Repeat for channels used by MQ Admin tools like MO71 and MQExplorer.
Then look at the other incoming channels like CLUSRCVRs and RCVRs, and secure them as well, so that people can't admin your QM remotely.
Any channels not meant to be used, like the SYSTEM.* ones, tag with a bogus ID, set the max message size to 1. |
Peter,
I am also following the same thing what you mentioned above but not using SSL for the SVRCONN channels. Do we really need to use SSL when we have MQ used internal to our organization?. We are using a seperate SVRCONN channel for each app and providing the app id in MCAUSER of SVRCONN channel and granting the authorities via OAM for the MQ objects.
Thanks. |
|
| Back to top |
|
|
| PeterPotkay |
| Posted: Wed Apr 15, 2009 7:23 am Post subject: |
|
|
Poobah
Joined: 15 May 2001
Posts: 7722
|
Or you OK with AppA using AppB's channels? If yes, no need for SSL or a Security Exit for authentication.
Or you OK with the data flowing in clear text from AppA's client server to the Queue Manager? If yes, then no need for SSL.
If AppA can use AppB's channel, there is no benefit, other than extra work, in making seperate IDs for each channel. You should still have seperate SVRCONN channels regardless.
_________________
Peter Potkay
Keep Calm and MQ On |
|
| Back to top |
|
|
| Sam Uppu |
| Posted: Wed Apr 15, 2009 7:33 am Post subject: |
|
|
Yatiri
Joined: 11 Nov 2008
Posts: 610
|
| Quote: |
| Or you OK with AppA using AppB's channels? If yes, no need for SSL or a Security Exit for authentication. |
Lets say, the app id for AppA is AppA_id1
The SVRCONN channel will be AppA.SVRCONN with MCAUSER('AppA_id1')
&
the app id for AppB is AppB_id2.
The SVRCONN channel will be AppB.SVRCONN with MCAUSER('AppB_id2')
The AppA will fail to access the QMgr objects when it uses the channel AppB's channel- AppB.SVRCONN with MCAUSER('AppB_id2') as the AppA's id (AppA_id1) is not in the MCAUSER of AppB.SVRCONN, correct?.
Thanks. |
|
| Back to top |
|
|
| mqjeff |
| Posted: Wed Apr 15, 2009 7:35 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008
Posts: 17447
|
| Sam Uppu wrote: |
| The AppA will fail to access the QMgr objects when it uses the channel AppB's channel- AppB.SVRCONN with MCAUSER('AppB_id2') as the AppA's id (AppA_id1) is not in the MCAUSER of AppB.SVRCONN, correct?. |
It will fail to access any objects that are restricted to AppA_id1. It will have full access to all objects that are restricted to AppB_id2.
And there's nothing that tells you that it's AppA connecting tot AppB.SVRCONN or AppB.
Unless you use SSL. |
|
| Back to top |
|
|
| gbaddeley |
| Posted: Wed Apr 15, 2009 6:33 pm Post subject: |
|
|
Jedi Knight
Joined: 25 Mar 2003
Posts: 2538
Location: Melbourne, Australia
|
| PeterPotkay wrote: |
You give AppA a SVRCONN channel called APPA_CHANNEL. You make the MCAUSER of that channel APPA_ID. You use setmqaut to grant APPA_ID the minimum rights it needs. You install SSL or a Security Exit on APPA_CHANNEL to insure only AppA can use that channel.
Repeat for AppB.
Repeat for AppC.
.
.
.
Repeat for channels used by MQ Admin tools like MO71 and MQExplorer. |
Agree.
| Quote: |
Then look at the other incoming channels like CLUSRCVRs and RCVRs, and secure them as well, so that people can't admin your QM remotely.
Any channels not meant to be used, like the SYSTEM.* ones, tag with a bogus ID, set the max message size to 1. |
Setting MCAUSER to 'nobody' is sufficient, assuming this userid doesn't exist on the system. There is no need to set MAXMSGL.
_________________
Glenn |
|
| Back to top |
|
|
| PeterPotkay |
| Posted: Thu Apr 16, 2009 5:33 am Post subject: |
|
|
Poobah
Joined: 15 May 2001
Posts: 7722
|
| gbaddeley wrote: |
| Quote: |
Then look at the other incoming channels like CLUSRCVRs and RCVRs, and secure them as well, so that people can't admin your QM remotely.
Any channels not meant to be used, like the SYSTEM.* ones, tag with a bogus ID, set the max message size to 1. |
Setting MCAUSER to 'nobody' is sufficient, assuming this userid doesn't exist on the system. There is no need to set MAXMSGL. |
As long as you are at MQ 6.0.2.5 or better.
_________________
Peter Potkay
Keep Calm and MQ On |
|
| Back to top |
|
|
| Sam Uppu |
| Posted: Thu Apr 16, 2009 7:47 am Post subject: |
|
|
Yatiri
Joined: 11 Nov 2008
Posts: 610
|
| mqjeff wrote: |
| Sam Uppu wrote: |
| The AppA will fail to access the QMgr objects when it uses the channel AppB's channel- AppB.SVRCONN with MCAUSER('AppB_id2') as the AppA's id (AppA_id1) is not in the MCAUSER of AppB.SVRCONN, correct?. |
It will fail to access any objects that are restricted to AppA_id1. It will have full access to all objects that are restricted to AppB_id2.
And there's nothing that tells you that it's AppA connecting tot AppB.SVRCONN or AppB.
Unless you use SSL. |
It sounds like the AppA can use the application id as AppB and can access the AppB's svrconn channel - AppB.SVRCONN MCAUSER('AppB_id2)?. Correct.
Can an application override the Application id of a message with a different id whichever it wants?.
| Quote: |
** Identity Context
UserIdentifier : 'AppB_id2 ' |
Is it possible for the application - AppA to override the 'UserIdentifier' filed in MQMD to 'AppB_id2'?.
Thanks. |
|
| Back to top |
|
|
| PeterPotkay |
| Posted: Thu Apr 16, 2009 8:17 am Post subject: |
|
|
Poobah
Joined: 15 May 2001
Posts: 7722
|
It could be possible.
+altusr
An ID with +altusr means you have no MQ Security for anyone allowed to connect as that ID.
_________________
Peter Potkay
Keep Calm and MQ On |
|
| Back to top |
|
|
| exerk |
| Posted: Thu Apr 16, 2009 1:41 pm Post subject: |
|
|
Jedi Council
Joined: 02 Nov 2006
Posts: 6339
|
| Sam Uppu wrote: |
| It sounds like the AppA can use the application id as AppB and can access the AppB's svrconn channel - AppB.SVRCONN MCAUSER('AppB_id2)?. Correct. |
Which is what SSL is for...
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
|
| Back to top |
|
|
|
|
