MQ Explorer Security
balaji83it
Posted: Thu Jan 27, 2011 1:24 am    Post subject: MQ Explorer Security

Acolyte

Joined: 20 Jul 2007
Posts: 72

Hello Friends,

I am using MQ Explorer on Windows to connect to a remote queue manager running on 64-bit Linux.

If I connect directly without using any user id, it does not connect because my user id is not authorised to connect.

But the interesting thing is that if I use mqm as the user id and provide any password, it connects immediately and gets all the privileges of mqm.


I am using MQ V7.

Is this a bug in the product?

Please let me know the solution if it is a known bug.


Thanks
Balaji.
exerk
Posted: Thu Jan 27, 2011 1:37 am    Post subject: Re: MQ Explorer Security

Jedi Council

Joined: 02 Nov 2006
Posts: 6339

balaji83it wrote:
...If I connect directly without using any user id, it does not connect because my user id is not authorised to connect...


Working as advertised

balaji83it wrote:
...But the interesting thing is that if I use mqm as the user id and provide any password, it connects immediately and gets all the privileges of mqm...


Also working as advertised

balaji83it wrote:
...Is this a bug in the product?...


Why do you think that using an administrator-level userid as an MCAUSER to gain access, which is effectively what you are doing, is a bug in the product?

READ THE SECURITY MANUAL AND SEARCH ON THIS SITE (which you have obviously NOT done), THERE ARE ENDLESS THREADS ON THIS TOPIC, SOME OF WHICH ARE VERY RECENT!
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
santnmq
Posted: Thu Jan 27, 2011 1:39 am

Centurion

Joined: 11 Jan 2011
Posts: 125

This is not a bug. This is how MQ should behave if you use the mqm user id to connect.
fatherjack
Posted: Thu Jan 27, 2011 1:55 am    Post subject: Re: MQ Explorer Security

Knight

Joined: 14 Apr 2010
Posts: 522
Location: Craggy Island

I'm guessing you think

balaji83it wrote:
provide any password


is the bug.

Do as exerk suggests and read up on security. This will tell you what this password is used for.
_________________
Never let the facts get in the way of a good theory.
balaji83it
Posted: Thu Jan 27, 2011 1:58 am

Acolyte

Joined: 20 Jul 2007
Posts: 72

Sir,

Please read my post once again.

I am saying that "whatever password you give for the mqm user, it logs in".

Being an admin, I should be able to control this, as any user can log into the queue manager with mqm privileges, which we do not want.


Please let me know if I missed anything.

Thanks
Balaji.
fatherjack
Posted: Thu Jan 27, 2011 2:02 am    Post subject: Re: MQ Explorer Security

Knight

Joined: 14 Apr 2010
Posts: 522
Location: Craggy Island

balaji83it wrote:
I am saying that "whatever password you give for the mqm user, it logs in".


Where do you think it is logging in?

What bit of this did you not understand?

Quote:
Do as exerk suggests and read up on security. This will tell you what this password is used for.

_________________
Never let the facts get in the way of a good theory.
exerk
Posted: Thu Jan 27, 2011 2:05 am

Jedi Council

Joined: 02 Nov 2006
Posts: 6339

balaji83it wrote:
Sir,

Please read my post once again.

I am saying that "whatever password you give for the mqm user, it logs in".


I don't need to re-read your post, and I am telling you the same as the good fatherjack, the password is irrelevant in what you are specifically doing...

balaji83it wrote:
Being an admin, I should be able to control this, as any user can log into the queue manager with mqm privileges, which we do not want.


You can control it...

balaji83it wrote:
Please let me know if I missed anything.


You missed reading the documentation obviously...
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
zpat
Posted: Thu Jan 27, 2011 2:33 am

Jedi Council

Joined: 19 May 2001
Posts: 5849
Location: UK

If you wish to prevent such mqm access, you can set an MCAUSER on the SVRCONN channel, or do what I do, which is to install the BlockIP2 exit on the channel, configured in such a way that the Explorer user id is passed through to MQ unless it is a powerful id such as mqm.

Or use other techniques like SSL certs, or other products like the channel exits from Capitalware etc.
balaji83it
Posted: Thu Jan 27, 2011 2:47 am

Acolyte

Joined: 20 Jul 2007
Posts: 72

I read the manual but could not get the details required.

Zpat,

Thanks for your response. I tried giving a user id in the MCA user id field, but it not only blocked the mqm user but all other authorised users as well.

Please let me know how to block only the mqm user (with wrong password) and allow all authorised users.

Also, which password is this for mqm? Is it the password of the mqm user on that Unix box?


Thanks
Balaji.
mqjeff
Posted: Thu Jan 27, 2011 2:57 am

Grand Master

Joined: 25 Jun 2008
Posts: 17447

MQ has NEVER made ANY use of passwords. It does not do anything to AUTHENTICATE users. It relies on the OS to do that.

MQ merely AUTHORIZES users.

MCAUSER allows you to assert that ALL users that connect to a given channel will only be authorized as the named user.

A proper configuration of MCAUSER, SSL certificates and SSLPEER will allow you to create a SET of channels that will enforce a role-based model. Users will only be allowed to connect to the correct server-connection channel that then authorizes them into a specific role that only has the privileges needed for the task.

Or, as mentioned, you can go down the road of using a security exit.

If your only goal is to ensure that end users can not administer your queue managers, create a single id on the queue manager machine and then use setmqaut to grant that id the needed privileges for your end users, and then set that id in MCAUSER on *all* of your channels.
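An added example, not from the thread or from IBM: a small audit script that parses the output of a runmqsc DISPLAY CHANNEL listing and flags the two SVRCONN configurations the thread turns on, a blank MCAUSER with no security exit (the client-supplied id, mqm included, is used as-is) and an MCAUSER of mqm (every client becomes an administrator). The sample listing is constructed, and the channel names in it are assumptions.

```python
import re

# Constructed sample of runmqsc output for DISPLAY CHANNEL(*) CHLTYPE(SVRCONN),
# trimmed to the attributes the audit needs (not captured from a real queue manager).
SAMPLE = """\
AMQ8414: Display Channel details.
   CHANNEL(SYSTEM.ADMIN.SVRCONN)           CHLTYPE(SVRCONN)
   MCAUSER( )                              SCYEXIT( )
AMQ8414: Display Channel details.
   CHANNEL(APP.SVRCONN)                    CHLTYPE(SVRCONN)
   MCAUSER(appuser)                        SCYEXIT( )
AMQ8414: Display Channel details.
   CHANNEL(ADMIN.SVRCONN)                  CHLTYPE(SVRCONN)
   MCAUSER(mqm)                            SCYEXIT( )
AMQ8414: Display Channel details.
   CHANNEL(EXIT.SVRCONN)                   CHLTYPE(SVRCONN)
   MCAUSER(NoBody)                         SCYEXIT(BlockIP2(BlockExit))
"""

# NAME(value) pairs; a value may contain one level of nested parentheses,
# as in SCYEXIT(BlockIP2(BlockExit)).
ATTR = re.compile(r"([A-Z]+)\(((?:[^()]|\([^()]*\))*)\)")

def parse_channels(text):
    """Turn one DISPLAY CHANNEL listing into a list of {attribute: value} dicts."""
    channels, current = [], None
    for line in text.splitlines():
        if line.startswith("AMQ8414"):   # every channel starts with this message id
            current = {}
            channels.append(current)
        elif current is not None:
            for name, value in ATTR.findall(line):
                current[name] = value.strip()
    return channels

def audit(channels):
    """Flag SVRCONN channels where the client, not the administrator, decides which
    id the connection runs as, or where every client becomes mqm."""
    findings = []
    for ch in channels:
        if ch.get("CHLTYPE") != "SVRCONN":
            continue
        mcauser, scyexit = ch.get("MCAUSER", ""), ch.get("SCYEXIT", "")
        if mcauser == "mqm":
            findings.append((ch["CHANNEL"], "MCAUSER_IS_MQM"))
        elif mcauser == "" and scyexit == "":
            findings.append((ch["CHANNEL"], "CLIENT_ASSERTED_ID"))
    return findings
```

Run it against `runmqsc QMNAME` output saved to a file; a channel with a blank MCAUSER but a security exit configured is not flagged, since the exit (as in zpat's BlockIP2 setup) then decides the id.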
exerk
Posted: Thu Jan 27, 2011 2:57 am

Jedi Council

Joined: 02 Nov 2006
Posts: 6339

balaji83it wrote:
I read the manual but could not get the details required.


Read it again, it's quite explicit...

balaji83it wrote:
...I tried giving a user id in the mca user id field. But it not only blocked mqm user but all other authorised users as well...


And did you authorise that user, as per the manual? If not, what did you expect?

balaji83it wrote:
...Please let me know how to block only mqm user (with wrong password) and allow all authorised users...


You've already been told, zpat spoon-fed you the answer and you've ignored it.

balaji83it wrote:
...Also which password is this for mqm...


Stop fixating on the password, it's irrelevant in your situation unless you intend to use an exit!

EDIT: And start HERE, which should obviate most of the next set of questions I fear will be coming from you.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.


Last edited by exerk on Thu Jan 27, 2011 3:00 am; edited 1 time in total
mqjeff
Posted: Thu Jan 27, 2011 2:59 am

Grand Master

Joined: 25 Jun 2008
Posts: 17447

And no matter what else you do, your production queue managers should be behind a network firewall that blocks access to the queue manager's listener port from anywhere that is not your main operations and administrative machines.
zpat
Posted: Thu Jan 27, 2011 3:39 am

Jedi Council

Joined: 19 May 2001
Posts: 5849
Location: UK

OK, this is not a recommendation, because you are responsible for this and not me. But if you install the BlockIP2 exit and use this parameter file (BLK.ini), it will get you going.

Code:
#
# Your test svrconn channel definition should have these attributes
#
# MCAUSER('NoBody') SCYEXIT('BlockIP2(BlockExit)')  SCYDATA('FN=/var/mqm/exits64/BLK.ini;')
#
LogPath=/var/mqm/exits64;
LogFormat=N;
LogCount=8;
AllowSelfSignedCertificate=Y;
BlockMqmUsers=N;
AllowBlankUserID=Y;
LogFileName=BLK-;
#
# Add rules here, if required, to add exceptions to the following rules
#
# Block certain id patterns (and blank ids) from direct usage
#
CON=*;mq*,root,qpasa*,wmb*,mqsi*;BLOCK;
#
CON=*;BLANK_USERID;BLOCK;
#
# Other ids will authenticate as their connection id (override MCAUSER)
#
CON=*;*;MCA=*;
#
# -- END


Read the BlockIP2 manual for more information.

http://mrmq.dk/index.htm?BlockIP2.htm

Try this on a test QM and a newly defined test SVRCONN channel and fully understand how it works before any further usage.
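As an added illustration, not BlockIP2's code and not part of zpat's post, a small Python model of how the three CON= rules in the BLK.ini above decide what happens to a connecting id. It assumes rules are evaluated top to bottom with the first match winning (which is what the file's "add exceptions" comment implies) and that an id matching no rule is denied; check both against the BlockIP2 manual before relying on them.

```python
import fnmatch

# The rule lines from the BLK.ini posted above (settings such as LogPath are
# left out because the model only evaluates CON= rules).
BLK_RULES = """\
# Block certain id patterns (and blank ids) from direct usage
CON=*;mq*,root,qpasa*,wmb*,mqsi*;BLOCK;
CON=*;BLANK_USERID;BLOCK;
# Other ids will authenticate as their connection id (override MCAUSER)
CON=*;*;MCA=*;
"""

def parse_rules(text):
    """Return (conname pattern, [userid patterns], action) for each CON= line."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("CON="):       # comments and Key=Value settings
            continue
        conname, users, action = line.rstrip(";").split(";", 2)
        rules.append((conname[len("CON="):], users.split(","), action))
    return rules

def user_matches(pattern, userid):
    """BLANK_USERID is a keyword for the empty id; anything else is a wildcard."""
    if pattern == "BLANK_USERID":
        return userid == ""
    return fnmatch.fnmatchcase(userid, pattern)

def decide(rules, conname, userid):
    """Outcome for a client connecting from `conname` asserting `userid`:
    'BLOCK', or 'MCA=<id>' for the id the connection will actually run as.
    Assumption: first matching rule wins; no match means BLOCK."""
    for con_pat, user_pats, action in rules:
        if not fnmatch.fnmatchcase(conname, con_pat):
            continue
        if any(user_matches(p, userid) for p in user_pats):
            if action.startswith("MCA="):
                target = action[len("MCA="):]
                return "MCA=" + (userid if target == "*" else target)
            return action                  # BLOCK
    return "BLOCK"
```

With these rules the Explorer user in the first post, asserting mqm, is blocked by the mq* pattern, while an ordinary authorised id is passed through unchanged, which is exactly the split balaji83it asked for.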