Author |
Message
|
qwerty |
Posted: Mon Jun 22, 2009 10:30 pm Post subject: Is it possible to stop WMQ Tool from having mqm status? |
|
|
Apprentice
Joined: 22 Jun 2009 Posts: 37
|
Hi, we have a problem.
We are trying to activate the OAM as security, and some of us use the WMQ Tool.
This Tool always has mqm status and so I can't protect queues, qmgrs etc.
Is it possible to disable the mqm status for this tool?
Or is it possible to take away the rights of mqm (only the rights which aren't necessary) and make a new user with all the abilities?
The big question is: How can we take away the access of this Tool to queues, qmgrs, chls, etc. within mqs?
Thanks
qwerty |
|
|
 |
jon |
Posted: Mon Jun 22, 2009 11:01 pm Post subject: |
|
|
 Apprentice
Joined: 17 May 2009 Posts: 32
|
Hi qwerty,
I too faced the same problem; there should be some way to limit the authority level on this tool. |
|
|
 |
qwerty |
Posted: Mon Jun 22, 2009 11:15 pm Post subject: |
|
|
Apprentice
Joined: 22 Jun 2009 Posts: 37
|
Hi jon,
I hope so too.
Do you have any clues for me? |
|
|
 |
zpat |
Posted: Mon Jun 22, 2009 11:25 pm Post subject: |
|
|
 Jedi Council
Joined: 19 May 2001 Posts: 5866 Location: UK
|
It's not the WMQ tool as such, it's the fact that you allow MQ client based programs to connect without authentication as mqm.
Check out BlockIP2 or use SSL. |
|
|
 |
qwerty |
Posted: Mon Jun 22, 2009 11:30 pm Post subject: |
|
|
Apprentice
Joined: 22 Jun 2009 Posts: 37
|
Can you please describe this a bit more simply for me?
We are trying to avoid using SSL.
What can we do to avoid login as mqm without authentication? |
|
|
 |
Pavan Kumar PNV |
Posted: Mon Jun 22, 2009 11:50 pm Post subject: |
|
|
 Acolyte
Joined: 03 Feb 2007 Posts: 66
|
|
|
 |
qwerty |
Posted: Mon Jun 22, 2009 11:58 pm Post subject: |
|
|
Apprentice
Joined: 22 Jun 2009 Posts: 37
|
Is there no other possibility? |
|
|
 |
zpat |
Posted: Tue Jun 23, 2009 12:16 am Post subject: |
|
|
 Jedi Council
Joined: 19 May 2001 Posts: 5866 Location: UK
|
Don't leave the MCAUSER on SVRCONN channels blank (and don't set it to mqm).
BlockIP2 is fairly easy and doesn't just work on IP addresses - it can be used in various ways. For example it can block the use of mqm ids but allow other ids to flow through.
These other ids could be members of the mqm group - not perfect but better than nothing. |
|
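One way to audit for the condition described in the post above, as an added example that is not part of the original thread: a Python script that reads runmqsc output for `DISPLAY CHANNEL(*) MCAUSER` and flags SVRCONN channels whose MCAUSER is blank or mqm. The sample output is constructed, and every channel name in it except MQT2.TCP.MQT1 is hypothetical.

```python
import re

# Constructed sample of runmqsc output for:  DISPLAY CHANNEL(*) MCAUSER
# Channel names other than MQT2.TCP.MQT1 are hypothetical.
SAMPLE = """\
AMQ8414: Display Channel details.
   CHANNEL(MQT2.TCP.MQT1)                  CHLTYPE(SVRCONN)
   MCAUSER( )
AMQ8414: Display Channel details.
   CHANNEL(APP.ORDERS.SVRCONN)             CHLTYPE(SVRCONN)
   MCAUSER(ordersvc)
AMQ8414: Display Channel details.
   CHANNEL(ADMIN.SVRCONN)                  CHLTYPE(SVRCONN)
   MCAUSER(MQM)
AMQ8414: Display Channel details.
   CHANNEL(TO.QM2)                         CHLTYPE(SDR)
   MCAUSER( )
"""

# Matches KEYWORD(value) pairs such as CHANNEL(...), CHLTYPE(...), MCAUSER(...)
ATTR = re.compile(r"([A-Z]+)\(([^)]*)\)")

def parse_channels(text):
    """Split runmqsc output into one attribute dict per AMQ8414 record."""
    records = []
    for line in text.splitlines():
        if line.startswith("AMQ8414"):
            records.append({})
        elif records:
            for key, value in ATTR.findall(line):
                records[-1][key] = value.strip()  # "( )" becomes ""
    return records

def risky_svrconn(text, privileged=("mqm",)):
    """Return (channel, reason) for SVRCONN channels with blank or mqm MCAUSER."""
    findings = []
    for rec in parse_channels(text):
        if rec.get("CHLTYPE") != "SVRCONN":
            continue  # only client connection endpoints are of interest here
        name = rec.get("CHANNEL", "?")
        mcauser = rec.get("MCAUSER", "")
        if not mcauser:
            findings.append((name, "blank MCAUSER"))
        elif mcauser.lower() in privileged:
            findings.append((name, "MCAUSER is " + mcauser))
    return findings

if __name__ == "__main__":
    for channel, reason in risky_svrconn(SAMPLE):
        print(f"{channel}: {reason}")
```

A non-blank MCAUSER that is itself a member of the mqm group still carries full authority, which this check does not detect.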
|
 |
qwerty |
Posted: Wed Jul 01, 2009 10:24 pm Post subject: |
|
|
Apprentice
Joined: 22 Jun 2009 Posts: 37
|
At the moment I am testing BlockIP2 and I am a bit confused.
How can I create a configuration file?
I am logged in with mqm.
mqm has the ability to read and write in the exits folder.
I untar'd BlockIP2.tar.
And now?
I can do some specifications in my SVRCONN and so I tried this:
alt chl(MQT2.TCP.MQT1) chltype(SVRCONN) +
SCYDATA('FN=/var/mqm/exits/Blockspec.txt;') +
scyexit('BlockIP2(BlockExit)')
But it doesn't work.
Can somebody tell me why? |
|
|
 |
Vitor |
Posted: Wed Jul 01, 2009 10:34 pm Post subject: |
|
|
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
|
qwerty wrote: |
At the moment I am testing BlockIP2 and I am a bit confused.
How can I create a configuration file?
I am logged in with mqm.
mqm has the ability to read and write in the exits folder.
I untar'd BlockIP2.tar.
And now?
I can do some specifications in my SVRCONN and so I tried this:
alt chl(MQT2.TCP.MQT1) chltype(SVRCONN) +
SCYDATA('FN=/var/mqm/exits/Blockspec.txt;') +
scyexit('BlockIP2(BlockExit)')
But it doesn't work.
Can somebody tell me why? |
for this thread, and a double post of this!
Double posting is considered rude.
_________________
Honesty is the best policy.
Insanity is the best defence. |
|
|
 |
qwerty |
Posted: Wed Jul 01, 2009 10:43 pm Post subject: |
|
|
Apprentice
Joined: 22 Jun 2009 Posts: 37
|
omg...
 |
|
|
 |
qwerty |
Posted: Wed Jul 01, 2009 11:20 pm Post subject: |
|
|
Apprentice
Joined: 22 Jun 2009 Posts: 37
|
|
|
 |
gbaddeley |
Posted: Thu Jul 02, 2009 4:42 pm Post subject: |
|
|
 Jedi Knight
Joined: 25 Mar 2003 Posts: 2538 Location: Melbourne, Australia
|
qwerty wrote: |
plz close =) |
Threads don't close, they remain active for eternity, unless deleted by the forum administrators. Someone can read and comment on a thread that is many years old.
_________________
Glenn |
|
|
 |
Vitor |
Posted: Fri Jul 03, 2009 12:50 am Post subject: |
|
|
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
|
gbaddeley wrote: |
Someone can read and comment on a thread that is many years old. |
Though (for the record) it's probably better in that sense to start a new thread which has a link back to the previous one. It's unlikely (given the change in software levels) that an old thread is exactly relevant, but is certainly a worthwhile start.
_________________
Honesty is the best policy.
Insanity is the best defence. |
|
|
 |
|