| Author | 
		  Message
		 | 
		
		  | Gideon | 
		  
		    
			  
				 Posted: Wed Apr 21, 2010 1:39 pm    Post subject: Trusted mode | 
				     | 
			   
			 
		   | 
		
		
		   Chevalier
 
 Joined: 18 Aug 2009 Posts: 403
  
  | 
		  
		    
			  
				Out of curiosity, do most shops run MQ in trusted mode or non-trusted mode?
 
 
How large is the security risk in running trusted? | 
			   
			 
		
		  | Vitor | 
		  
		    
			  
				 Posted: Wed Apr 21, 2010 1:47 pm    Post subject:  | 
				     | 
			   
			 
		   | 
		
		
		    Grand High Poobah
 
 Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA 
  | 
		  
		    
			  
				Define "trusted" - the WMQ sense of trusted in terms of processes like channels or listeners, or trusted in the sense of how much power the mqm user has? _________________ Honesty is the best policy.
 
Insanity is the best defence. | 
			   
			 
		
		  | Gideon | 
		  
		    
			  
				 Posted: Wed Apr 21, 2010 2:00 pm    Post subject:  | 
				     | 
			   
			 
		   | 
		
		
		   Chevalier
 
 Joined: 18 Aug 2009 Posts: 403
  
  | 
		  
		    
			  
				| Do most shops use Trusted MQ applications, running a listener in trusted mode, etc | 
			   
			 
		
		  | mvic | 
		  
		    
			  
				 Posted: Wed Apr 21, 2010 2:59 pm    Post subject:  | 
				     | 
			   
			 
		   | 
		
		
		    Jedi
 
 Joined: 09 Mar 2004 Posts: 2080
  
  | 
		  
		    
			  
				
   
	| Gideon wrote: | 
   
  
	| Do most shops use Trusted MQ applications, running a listener in trusted mode, etc | 
   
 
 
You would run an app as a "trusted" app if:
 
- it is very intensive in use of MQI calls
 
- it has been coded correctly, so never suffers memory exceptions etc.
 
- it has been written in C (C++ ought to be OK too, but I'm not totally sure about that)
 
- your application design allows it to run as user mqm (NB the mqm user has full authority over every MQ object on the system).
 
- you want better performance of the MQI calls
 
 
Do all of those apply in your case? | 
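
An added example, not part of this thread and not IBM code: a defender's check that reports which queue managers have their channels and listeners switched to trusted (fastpath) binding, so the checklist above can be reviewed against them. It assumes the setting is `MQIBindType=FASTPATH` in the `Channels` stanza of each queue manager's qm.ini with `STANDARD` as the default when unset; the queue manager names and file contents below are constructed samples.

```python
"""Report queue managers whose channels/listeners use trusted (fastpath) binding."""
import re

STANZA = re.compile(r"^\s*(\w+):\s*$")           # e.g. "Channels:"
ATTR = re.compile(r"^\s*(\w+)\s*=\s*(.*?)\s*$")  # e.g. "   MQIBindType=FASTPATH"


def parse_qm_ini(text):
    """Parse qm.ini text into {stanza: {attribute: value}}, names lower-cased."""
    stanzas, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(("#", ";")):
            continue  # blank line or comment: a commented-out setting is inactive
        m = STANZA.match(line)
        if m:
            current = stanzas.setdefault(m.group(1).lower(), {})
            continue
        m = ATTR.match(line)
        if m and current is not None:
            current[m.group(1).lower()] = m.group(2)
    return stanzas


def channel_bind_type(text):
    """Effective channel binding; assumed to default to STANDARD when unset."""
    channels = parse_qm_ini(text).get("channels", {})
    return channels.get("mqibindtype", "STANDARD").upper()


def trusted_queue_managers(ini_by_qmgr):
    """Sorted names of queue managers whose channels run as trusted code."""
    return sorted(name for name, text in ini_by_qmgr.items()
                  if channel_bind_type(text) == "FASTPATH")


# Constructed sample qm.ini contents keyed by a made-up queue manager name.
SAMPLES = {
    "QM_A": "Log:\n   LogPrimaryFiles=3\nChannels:\n   MaxChannels=200\n"
            "   MQIBindType=FASTPATH\n",
    "QM_B": "Channels:\n   # MQIBindType=FASTPATH\n   MaxChannels=100\n",
    "QM_C": "Log:\n   LogPrimaryFiles=3\n",
    "QM_D": "Channels:\n   MQIBindType = fastpath\n",
}

if __name__ == "__main__":
    for qmgr in trusted_queue_managers(SAMPLES):
        print(f"{qmgr}: channels and listeners run with trusted binding")
```
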
			   
			 
		
		  | sridhsri | 
		  
		    
			  
				 Posted: Wed Apr 21, 2010 3:13 pm    Post subject:  | 
				     | 
			   
			 
		   | 
		
		
		   Master
 
 Joined: 19 Jun 2008 Posts: 297
  
  | 
		  
		    
			  
				When I asked about running message broker in a trusted mode, I was told that the risks to the qmgr outweigh any performance benefits. I don't think the risk is security  - it is to the integrity of the qmgr.
 
 
I know you didn't ask about message broker running as a trusted application - but the same applies. | 
			   
			 
		
		  | mvic | 
		  
		    
			  
				 Posted: Thu Apr 22, 2010 12:39 am    Post subject:  | 
				     | 
			   
			 
		   | 
		
		
		    Jedi
 
 Joined: 09 Mar 2004 Posts: 2080
  
  | 
		  
		    
			  
				
   
	| sridhsri wrote: | 
   
  
	I don't think the risk is security  - it is to the integrity of the qmgr.
 
 
I know you didn't ask about message broker running as a trusted application - but the same applies. | 
   
 
 
The same does not necessarily apply - see the checklist in my post.
 
 
In the case you mention I would guess the reason for the advice is that my points do not all apply.  Particularly points 1 and 4. | 
			   
			 
		
		  | JosephGramig | 
		  
		    
			  
				 Posted: Thu Apr 22, 2010 4:02 am    Post subject:  | 
				     | 
			   
			 
		   | 
		
		
		    Grand Master
 
 Joined: 09 Feb 2006 Posts: 1244 Location: Gold Coast of Florida, USA 
  | 
		  
		    
			  
				In the case of point 4
 
   
	| mvic wrote: | 
   
  
	| your application design allows it to run as user mqm | 
   
 
 
the service ID of the broker must be in both the mqm and mqbrkrs groups.
 
 
Think about it. | 
			   
			 
		
		  | mqjeff | 
		  
		    
			  
				 Posted: Thu Apr 22, 2010 4:07 am    Post subject:  | 
				     | 
			   
			 
		   | 
		
		
		   Grand Master
 
 Joined: 25 Jun 2008 Posts: 17447
  
  | 
		  
		    
			  
				| There's still a meaningful difference between being in the mqm group and being the mqm user. | 
			   
			 
		
		  | Gideon | 
		  
		    
			  
				 Posted: Thu Apr 22, 2010 6:06 am    Post subject:  | 
				     | 
			   
			 
		   | 
		
		
		   Chevalier
 
 Joined: 18 Aug 2009 Posts: 403
  
  | 
		  
		    
			  
				| How does running in trusted mode (broker or an app), risk the integrity of the qmgr | 
			   
			 
		
		  | bruce2359 | 
		  
		    
			  
				 Posted: Thu Apr 22, 2010 6:15 am    Post subject:  | 
				     | 
			   
			 
		   | 
		
		
		    Poobah
 
 Joined: 05 Jan 2008 Posts: 9486 Location: US: west coast, almost. Otherwise, enroute. 
  | 
		  
		    
			  
				
   
	| Quote: | 
   
  
	| How does running in trusted mode (broker or an app), risk the integrity of the qmgr | 
   
 
 
Did you search Mr. Google for 'mq+trusted'?  Did you look through the APG?
 
 
A quick read of the IBM-published materials should lead you to answer your own question.
 
 
Review the restrictions that WebSphere MQ places on trusted applications that apply to your environment. _________________ I like deadlines. I like to wave as they pass by.
 
ב''ה
 
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live. | 
			   
			 
		
		  | Vitor | 
		  
		    
			  
				 Posted: Thu Apr 22, 2010 6:35 am    Post subject:  | 
				     | 
			   
			 
		   | 
		
		
		    Grand High Poobah
 
 Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA 
  | 
		  
		    
			  
				
   
	| Gideon wrote: | 
   
  
	| How does running in trusted mode (broker or an app), risk the integrity of the qmgr | 
   
 
 
 
For the reasons laid out in the documentation.
 
 
For those reasons, most shops don't. The tendency is to prize uptime over performance and most apps get a bigger performance hike from a rewrite than trusted mode. 
 
 
Trusted mode is reserved for the IBM supplied components. _________________ Honesty is the best policy.
 
Insanity is the best defence. | 
			   
			 