MQM group on AIX issues |
pfarrel |
Posted: Wed Jul 29, 2009 1:47 pm Post subject: MQM group on AIX issues |
|
|
Centurion
Joined: 16 Mar 2004 Posts: 120 Location: Kansas City
|
I have WMQ on multiple different AIX lpars. I currently have different users in the mqm group on different systems. For example, I want some people to be admins on a test system, but not on a production system.
We would like to get away from this, and have the groups the same on all AIX systems. I notice that a product called MQ Authenticate User Security Exit from Capitalware says it can do this. Does anyone know if this is correct? Does anyone have experience with this product? Are there other products that might do this also? Perhaps a product that can use LDAP rather than the local files /etc/password and /etc/group. |
|
Vitor |
Posted: Wed Jul 29, 2009 5:25 pm Post subject: Re: MQM group on AIX issues |
|
|
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
|
pfarrel wrote: |
I notice that a product called MQ Authenticate User Security Exit from Capitalware says it can do this. Does anyone know if this is correct? |
I would be surprised if the author was exaggerating the capabilities of the product, but I'm sure he'll be along in a moment to discuss your requirements.
_________________
Honesty is the best policy.
Insanity is the best defence. |
|
mqjeff |
Posted: Thu Jul 30, 2009 3:36 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008 Posts: 17447
|
I don't understand the requirement.
You want one group in one location that has all people who are MQ administrators on at least one AIX machine.
And then you want each queue manager to decide whether a given user is actually allowed to administer itself?
I really doubt your security auditors will like that idea.
You can certainly configure something like PAM, but the AIX equivalent, to work with an LDAP repository.
Every professional MQ monitoring/management solution (Omegamon, contact admin, QPasa, etc. etc. etc.) that I've ever worked with provides a management console that institutes its own authentication scheme that is significantly more granular than membership in mqm provides. |
|
pfarrel |
Posted: Thu Jul 30, 2009 6:05 am Post subject: |
|
|
Centurion
Joined: 16 Mar 2004 Posts: 120 Location: Kansas City
|
The requirement is to have the same group membership on all AIX lpars. This implies that some other method, other than putting a userID in the mqm group, is needed to identify an MQ administrator on a particular lpar. |
|
bruce2359 |
Posted: Thu Jul 30, 2009 6:18 am Post subject: |
|
|
 Poobah
Joined: 05 Jan 2008 Posts: 9469 Location: US: west coast, almost. Otherwise, enroute.
|
As has been discussed here quite often, membership in the mqm group means that no security checks for mq things will be performed for all users in the group. Take userids out of mqm.
Create a testadm group for the lpar, add userids, grant authorities to test qmgrs and test objects in this lpar.
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live. |
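The steps in bruce2359's reply above, sketched as an added example that is not part of the thread and not vendor code: a dry-run script that reads a constructed /etc/group sample, finds the users in mqm other than mqm itself, and prints the AIX group commands and setmqaut grants for review. The queue manager name QMTEST, the TEST queue prefix and the chosen authorities are assumptions.

```shell
#!/bin/sh
# Added example: dry run only. Prints commands for review, executes none.

# Constructed sample of /etc/group from a test lpar (not real data).
SAMPLE_GROUP='system:!:0:root
mqm:!:205:mqm,alice,bob
staff:!:1:carol'

# Print the members of group $1 found in group-file text $2, one per line.
group_members() {
    printf '%s\n' "$2" | awk -F: -v g="$1" '
        $1 == g {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
        }'
}

# Print a plan that moves every non-mqm member of mqm into group $2 and
# grants that group scoped authorities on queue manager $1.
# $3 = group-file text, $4 = queue name prefix (hypothetical naming scheme).
plan_scoped_admin() {
    qmgr=$1; grp=$2; prefix=$4
    movers=$(group_members mqm "$3" | grep -vx mqm | paste -sd, -)
    if [ -z "$movers" ]; then
        echo "# nothing to do: mqm has no members besides the mqm user"
        return 0
    fi
    echo "mkgroup $grp"
    echo "chgroup users=$movers $grp"
    # AIX chgroup users= replaces the whole member list, so this empties
    # mqm of everyone except the mqm user itself.
    echo "chgroup users=mqm mqm"
    # Authorities below are an assumption; pick the minimum the team needs.
    echo "setmqaut -m $qmgr -t qmgr -g $grp +connect +inq +dsp"
    echo "setmqaut -m $qmgr -n '$prefix.**' -t queue -g $grp +alladm +allmqi"
}

plan_scoped_admin QMTEST testadm "$SAMPLE_GROUP" TEST
```

A user whose primary group is mqm keeps mqm privileges regardless of the member list, so primary groups need checking as well.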