| Author |
Message
|
| Mitra |
 Posted: Tue May 31, 2011 11:14 am Post subject: Client for QA connecting to Prod and grabbing the msgs? |
 |
|
Voyager
Joined: 21 Mar 2011
Posts: 78
|
we have one user(App/Client) from QA connecting to prod to grab messages from one of the queues , how can we recitify this Please help.
Thanks, |
|
| Back to top |
|
 |
| Vitor |
| Posted: Tue May 31, 2011 11:21 am Post subject: Re: Client for QA connecting to Prod and grabbing the msgs? |
|
|
Grand High Poobah
Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA
|
| Mitra wrote: |
| we have one user(App/Client) from QA connecting to prod to grab messages from one of the queues , how can we recitify this |
Change the client's configuration so it points to the QA queue manager rather than the prod one? Just a guess?  
_________________
Honesty is the best policy.
Insanity is the best defence. |
|
| Back to top |
|
|
| exerk |
| Posted: Tue May 31, 2011 11:23 am Post subject: Re: Client for QA connecting to Prod and grabbing the msgs? |
|
|
Jedi Council
Joined: 02 Nov 2006
Posts: 6339
|
| Mitra wrote: |
we have one user(App/Client) from QA connecting to prod to grab messages from one of the queues , how can we recitify this Please help.
Thanks, |
1. Block the channel;
2. Use SSL and filter on SSLPEER;
3. Change the client application's connection details;
4. Block the IP address from which the client originates.
Take your pick. This is what you get when you don't secure your channels.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
|
| Back to top |
|
|
| mqjeff |
| Posted: Tue May 31, 2011 11:38 am Post subject: Re: Client for QA connecting to Prod and grabbing the msgs? |
|
|
Grand Master
Joined: 25 Jun 2008
Posts: 17447
|
| exerk wrote: |
1. Block the channel;
2. Use SSL and filter on SSLPEER;
3. Change the client application's connection details;
4. Block the IP address from which the client originates.
Take your pick. |
I'd do all four. |
|
| Back to top |
|
|
| bruce2359 |
| Posted: Tue May 31, 2011 12:43 pm Post subject: |
|
|
Poobah
Joined: 05 Jan 2008
Posts: 9469
Location: US: west coast, almost. Otherwise, enroute.
|
5. Shoot the user.
6. anyone?
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live. |
|
| Back to top |
|
|
| exerk |
| Posted: Tue May 31, 2011 12:47 pm Post subject: |
|
|
Jedi Council
Joined: 02 Nov 2006
Posts: 6339
|
| bruce2359 wrote: |
| 5. Shoot the user. |
Slightly unfair. They may not realise to what they're connecting to, so maybe more appropriate to shoot whomsoever set it up?
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
|
| Back to top |
|
|
| bruce2359 |
| Posted: Tue May 31, 2011 12:49 pm Post subject: |
|
|
Poobah
Joined: 05 Jan 2008
Posts: 9469
Location: US: west coast, almost. Otherwise, enroute.
|
OK:
5. Shoot the user
6. Shoot whoever set it up
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live. |
|
| Back to top |
|
|
| Mitra |
| Posted: Tue May 31, 2011 1:01 pm Post subject: Re: Client for QA connecting to Prod and grabbing the msgs? |
|
|
Voyager
Joined: 21 Mar 2011
Posts: 78
|
| exerk wrote: |
| Mitra wrote: |
we have one user(App/Client) from QA connecting to prod to grab messages from one of the queues , how can we recitify this Please help.
Thanks, |
1. Block the channel;
2. Use SSL and filter on SSLPEER;
3. Change the client application's connection details;
4. Block the IP address from which the client originates.
Take your pick. This is what you get when you don't secure your channels. |
we have the same Client/App connecting to both the envi(QA and Prod) with same ID and Pwd and using the System.def.svrconn channel.
The client don't want to change their connection details in this case  |
|
| Back to top |
|
|
| Vitor |
| Posted: Tue May 31, 2011 1:26 pm Post subject: Re: Client for QA connecting to Prod and grabbing the msgs? |
|
|
Grand High Poobah
Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA
|
| Mitra wrote: |
we have the same Client/App connecting to both the envi(QA and Prod) with same ID and Pwd and using the System.def.svrconn channel.
The client don't want to change their connection details in this case |
Then you're a bit stuck I think. If they don't want to change their connection details (which includes the IP address & port number) it's very hard to change where they're connecting to.
Add
7 ) Shoot whoever decided it was ok for an application to use SYSTEM.DEF.SVRCONN
8 ) Shoot whovever decided it was ok to use the same user id & password in both production & non-production environments (there's secure look you)
_________________
Honesty is the best policy.
Insanity is the best defence. |
|
| Back to top |
|
|
| exerk |
| Posted: Tue May 31, 2011 1:30 pm Post subject: Re: Client for QA connecting to Prod and grabbing the msgs? |
|
|
Jedi Council
Joined: 02 Nov 2006
Posts: 6339
|
| Mitra wrote: |
| ...we have the same Client/App connecting to both the envi(QA and Prod) with same ID and Pwd and using the System.def.svrconn channel... |
Don't EVER use the SYSTEM.DEF.SVRCONN for applications to connect! Give each application its own channel and lock down that channel with an MCAUSER that has only the authorities required for the application to achieve its purpose. Further lock down that channel with SSL.
| Mitra wrote: |
| The client don't want to change their connection details in this case |
Tough on them. If you are responsible for the care and maintenance of the infrastructure, you tell them it's damn well going to be changed and their wants have no influence, bearing, or weight in the statement that it's going to be changed - note I said statement, not discussion.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
|
| Back to top |
|
|
| fjb_saper |
| Posted: Tue May 31, 2011 7:46 pm Post subject: |
|
|
Grand High Poobah
Joined: 18 Nov 2003
Posts: 20756
Location: LI,NY
|
Inform them of the changes that are going to take place. If they do not want to submit, they won't be able to connect at all anymore past the date the changes will be implemented. Their choice. If they are unhappy direct them gently to the PCI officer. 
_________________
MQ & Broker admin |
|
| Back to top |
|
|
|
|
