jeevan
Posted: Fri Aug 14, 2009 3:07 pm Post subject: Is an ANONYMOUS connection possible in MQ?
Grand Master
Joined: 12 Nov 2005 Posts: 1432
We have an old production MQ box which is being upgraded. We do not even have a record of the user IDs authorised. The MQ amqoamd or dmpmqaut utilities do not show any user authorised for connection or for queues.
What is interesting is that the application has been running for many years. When I checked the Windows Event Viewer security log, I could see an ANONYMOUS user connecting to the box.
Could it be possible that an ANONYMOUS user can connect to MQ and access MQ components?
MQ version: 5.3.11
Platform: Windows
Last edited by jeevan on Wed Sep 23, 2009 8:08 am; edited 2 times in total

exerk
Posted: Sat Aug 15, 2009 2:45 am
Jedi Council
Joined: 02 Nov 2006 Posts: 6339
Check the members of the mqm group, as it's not unknown for application userids to be in there.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.

mqjeff
Posted: Sat Aug 15, 2009 7:50 am
Grand Master
Joined: 25 Jun 2008 Posts: 17447
Check for the much more likely possibility that the application is written in Java.

jeevan
Posted: Sat Aug 15, 2009 9:42 am
Grand Master
Joined: 12 Nov 2005 Posts: 1432
mqjeff wrote:
> Check for the much more likely possibility that the application is written in Java.
The application is written in Java. What does that do?
There isn't any ID in the mqm group nor in the Admin group. This box is in the DMZ and cannot use any domain user. Even so, they would have to be granted permission regardless of whether they are local or domain users. There is no ID in the mqm and Admin groups.
When I check Security under Event Viewer, I can see the ANONYMOUS user being logged as category 3, which means it is coming through the port.
My question is: does MQ 5.3 allow an ANONYMOUS user to connect and access the queues in any way?
Thanks

jeevan
Posted: Sat Aug 15, 2009 9:46 am
Grand Master
Joined: 12 Nov 2005 Posts: 1432
exerk wrote:
> Check the members of the mqm group, as it's not unknown for application userids to be in there.
Sorry, I missed telling this in my previous post. There are no user IDs in the mqm and Admin groups. I have already checked. Even my Windows/domain experts are puzzled.
Does an MQ trace show the logged-in user? I did one a long way back, so I do not remember.

mqjeff
Posted: Sat Aug 15, 2009 11:24 am
Grand Master
Joined: 25 Jun 2008 Posts: 17447
jeevan wrote:
> mqjeff wrote:
> > Check for the much more likely possibility that the application is written in Java.
> The application is written in Java. What does that do?
It means that it runs inside a JVM, which has no access to the OS user registry.

exerk
Posted: Sat Aug 15, 2009 12:16 pm
Jedi Council
Joined: 02 Nov 2006 Posts: 6339
jeevan wrote:
> ...Sorry, I missed telling this in my previous post. There are no user IDs in the mqm and Admin groups. I have already checked. Even my Windows/domain experts are puzzled...
So what user are all the WMQ processes running under?
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.

bruce2359
Posted: Sat Aug 15, 2009 12:28 pm
Poobah
Joined: 05 Jan 2008 Posts: 9469 Location: US: west coast, almost. Otherwise, enroute.
(oooh, oooh, I know this one...)
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.

exerk
Posted: Sat Aug 15, 2009 12:32 pm
Jedi Council
Joined: 02 Nov 2006 Posts: 6339
bruce2359 wrote:
> (oooh, oooh, I know this one...)
But do you ...
jeevan wrote:
> ...There are no user IDs in the mqm and Admin groups...
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.

jeevan
Posted: Sat Aug 15, 2009 2:10 pm
Grand Master
Joined: 12 Nov 2005 Posts: 1432
exerk wrote:
> jeevan wrote:
> > ...Sorry, I missed telling this in my previous post. There are no user IDs in the mqm and Admin groups. I have already checked. Even my Windows/domain experts are puzzled...
> So what user are all the WMQ processes running under?
WMQ is running under an ID, MUSR_MQADMIN, which is standard.
Last edited by jeevan on Sat Aug 15, 2009 3:04 pm; edited 1 time in total

exerk
Posted: Sat Aug 15, 2009 2:19 pm
Jedi Council
Joined: 02 Nov 2006 Posts: 6339
jeevan wrote:
> exerk wrote:
> > jeevan wrote:
> > > ...Sorry, I missed telling this in my previous post. There are no user IDs in the mqm and Admin groups. I have already checked. Even my Windows/domain experts are puzzled...
> > So what user are all the WMQ processes running under?
> WMQ is running under an ID, MUSR_MQADMIN, which is standard.
OK, I misinterpreted your '...There are no user IDs in the mqm and Admin groups...' statement, in which case I think you'll find mqjeff's suggestion is the most likely.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.

jeevan
Posted: Sat Aug 15, 2009 3:09 pm
Grand Master
Joined: 12 Nov 2005 Posts: 1432
mqjeff wrote:
> jeevan wrote:
> > mqjeff wrote:
> > > Check for the much more likely possibility that the application is written in Java.
> > The application is written in Java. What does that do?
> It means that it runs inside a JVM, which has no access to the OS user registry.
Aren't all Java applications running under a JVM? Could you please elaborate on this a little bit. FYI, the application is not running on the MQ server. It makes a TCP connection and gets/puts messages. It is not listening to a queue permanently, as these are request/reply messages.
Still, I am looking for an answer to: does MQ allow a blank user to connect and put/get messages?

jeevan
Posted: Sat Aug 15, 2009 3:09 pm
Grand Master
Joined: 12 Nov 2005 Posts: 1432
Could someone please delete this post.

bruce2359
Posted: Sat Aug 15, 2009 3:40 pm
Poobah
Joined: 05 Jan 2008 Posts: 9469 Location: US: west coast, almost. Otherwise, enroute.
Quote:
> Does MQ allow a blank user to connect and put/get messages?
Yes.
As delivered from IBM and installed, WMQ is completely unsecured. Unless you do something to secure WMQ, it is completely unsecured. This is well documented. WMQ relies on OAM, or whatever underlying security component your OS uses. Refer to the WMQ Security manual.
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.

jeevan
Posted: Sat Aug 15, 2009 4:27 pm
Grand Master
Joined: 12 Nov 2005 Posts: 1432
bruce2359 wrote:
> Quote:
> > Does MQ allow a blank user to connect and put/get messages?
> Yes.
> As delivered from IBM and installed, WMQ is completely unsecured. Unless you do something to secure WMQ, it is completely unsecured. This is well documented. WMQ relies on OAM, or whatever underlying security component your OS uses. Refer to the WMQ Security manual.
bruce2359,
My understanding thus far with MQ is as follows:
An Admin-equivalent privilege is required for installing MQ and creating the different objects, e.g. queues, channels etc.
Next, in order to connect to the queue manager, the user has to be authorised.
Furthermore, in order to access the queues, permission needs to be granted to the ID.
Or, if an ID is in the mqm/Admin group, it can connect to the queue manager and access the objects without explicitly being granted permission.
The other security provision is MCAUSER. If an MCAUSER is set on the incoming channel, the user (or blank user) coming from the application picks up that user and goes on to access MQ. But still, the user which is used as MCAUSER has to be granted permission.
Is my understanding wrong? If not, how can a blank user access the MQ objects?
Could you please elaborate a little bit. I will definitely look into the manual.
Thanks
Last edited by jeevan on Sat Aug 15, 2009 4:35 pm; edited 2 times in total
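The point the thread circles around is the MCAUSER attribute of the server-connection (SVRCONN) channel the Java client comes in on. With MCAUSER blank, the OAM checks the user id the client asserts, and a client that asserts none (the JVM case mqjeff describes) ends up with the identity the channel agent itself runs under, which on this Windows box is the MUSR_MQADMIN service account in mqm. The check below is an added example, not code from the thread or from IBM: a Python script that reads the output of the runmqsc command `DISPLAY CHANNEL(*) CHLTYPE(SVRCONN) MCAUSER`, flags every SVRCONN channel whose MCAUSER is blank or is a member of mqm, and prints the MQSC needed to pin each failing channel to a low-privilege id. The runmqsc output is a constructed sample in the shape I recall the command printing; the channel names, the `appsvc` and `mqadmin` ids and the mqm membership set are assumptions.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample of what `runmqsc QMGR` prints for
#   DISPLAY CHANNEL(*) CHLTYPE(SVRCONN) MCAUSER
# Channel names and MCAUSER values are assumptions, not taken from the thread.
SAMPLE_RUNMQSC_OUTPUT = """\
AMQ8414: Display Channel details.
   CHANNEL(SYSTEM.DEF.SVRCONN)             CHLTYPE(SVRCONN)
   MCAUSER( )
AMQ8414: Display Channel details.
   CHANNEL(APP.SVRCONN)                    CHLTYPE(SVRCONN)
   MCAUSER(appsvc)
AMQ8414: Display Channel details.
   CHANNEL(ADMIN.SVRCONN)                  CHLTYPE(SVRCONN)
   MCAUSER(mqadmin)
"""

# Assumed members of the local mqm group on the Windows box (what
# `net localgroup mqm` would list). MUSR_MQADMIN is the service account
# the thread says the queue manager runs under; mqadmin is a made-up admin id.
MQM_MEMBERS: Set[str] = {"MUSR_MQADMIN", "mqadmin"}

# runmqsc prints attributes as NAME(value); a blank value prints as "( )".
ATTR_RE = re.compile(r"([A-Z]+)\(([^)]*)\)")


def parse_display_channel(text: str) -> List[Dict[str, str]]:
    """Turn runmqsc DISPLAY CHANNEL output into one {attribute: value} dict per channel."""
    channels: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in text.splitlines():
        if line.startswith("AMQ8414"):          # each channel record starts with this message
            current = {}
            channels.append(current)
        elif channels:
            for name, value in ATTR_RE.findall(line):
                current[name] = value.strip()   # "( )" becomes "" for a blank MCAUSER
    return channels


def audit_svrconn(channels: List[Dict[str, str]],
                  mqm_members: Set[str]) -> List[Tuple[str, str, str]]:
    """Return (channel, verdict, reason) for every SVRCONN channel."""
    findings = []
    for ch in channels:
        if ch.get("CHLTYPE") != "SVRCONN":
            continue
        name = ch.get("CHANNEL", "?")
        mcauser = ch.get("MCAUSER", "")
        if mcauser == "":
            findings.append((name, "FAIL",
                             "blank MCAUSER: OAM checks use whatever user id the client asserts, "
                             "and a client that asserts none runs as the channel agent's own account"))
        elif mcauser in mqm_members:
            findings.append((name, "FAIL",
                             f"MCAUSER {mcauser!r} is in mqm: every client on this channel is an MQ administrator"))
        else:
            findings.append((name, "OK",
                             f"MCAUSER {mcauser!r} is a fixed non-mqm id; confirm its setmqaut grants are minimal"))
    return findings


def remediation(finding: Tuple[str, str, str], service_id: str = "appsvc") -> str:
    """MQSC to pin a failing channel to a low-privilege id (service_id is an assumed name)."""
    name, verdict, _ = finding
    if verdict != "FAIL":
        return ""
    return f"ALTER CHANNEL({name}) CHLTYPE(SVRCONN) MCAUSER('{service_id}')"


if __name__ == "__main__":
    chans = parse_display_channel(SAMPLE_RUNMQSC_OUTPUT)
    for finding in audit_svrconn(chans, MQM_MEMBERS):
        print(*finding, sep="  ")
        fix = remediation(finding)
        if fix:
            print("   fix:", fix)
```

To run it against a real queue manager, capture the command output first (runmqsc reads MQSC from stdin, so `echo "DISPLAY CHANNEL(*) CHLTYPE(SVRCONN) MCAUSER" | runmqsc QMGR > channels.txt`) and pass the file contents to `parse_display_channel`. The id you pin with ALTER CHANNEL still needs explicit connect and queue authorities from setmqaut, which is exactly the gap dmpmqaut showed as empty in the first post.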