rammer
Posted: Sat Feb 09, 2013 11:13 am Post subject: MQ Security
Partisan, Joined: 02 May 2002, Posts: 359, Location: England

Hi All.
I am not looking at the moment for anything too extensive; I would rather phase some security in, so I am looking at what people are using from the perspective of not having to purchase external tools etc.
All servers are AIX
MQ Clustering in use
Current position
System channels that are not used have MCAUSER set to DONOTUSE
System accounts have been created and applied to the relevant channels that applications use, with relevant permissions set at queue manager / queue level
MQ Explorer / RFHUTIL system account has been set up and applied to "admin" channels / queues to allow users to connect and browse but not delete / put etc.
Servers are all behind firewalls with no incoming connections at the moment from external clients
mqm group only has mqm in it, so individual user accounts
I realise the above is just a start; I am interested in what people have done to add security to clusters etc. We do have one customer that we support that uses SSL and MQ Exits (purchased exit from Capitalware) to assist in locking down the cluster.
The version of MQ currently in use is 7.0.1.x
As mentioned, I realise the above is a small start, with more to be done if the customer pushes for it. They have not so far and have lived with it for 12+ years in the above scenario (just because they have lived with it does not make it correct). I am just interested in what others may do to lock it down a little more.
Thank you in advance for any constructive comments.
bruce2359
Posted: Sat Feb 09, 2013 12:39 pm Post subject:
Poobah, Joined: 05 Jan 2008, Posts: 9469, Location: US: west coast, almost. Otherwise, enroute.

Let's start with the security controls you do have in place.
What about your internal clients?
Do you require that users sign on with username and password?
Do you have role-based (group) rules to limit which groups can access which application programs? Or can anyone run any application program?
Can someone sign on with username DONOTUSE?
Do you have rules that prevent DONOTUSE from running applications?
_________________ I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
PeterPotkay
Posted: Sun Feb 10, 2013 3:16 pm Post subject:
Poobah, Joined: 15 May 2001, Posts: 7722

Some people force their apps in an MQ cluster to always use alias queues, to avoid having to give apps authority to put to the SYSTEM.CLUSTER.TRANSMIT.QUEUE (SCTQ). If the app has access to the SCTQ, it can send to any other queue on any other QM in the cluster - assuming the CLUSRCVR channels on the other QMs allow it, which they usually do. But it is difficult if not impossible to follow through with this 100% if you have apps that need to reply to the Reply To Queue and Reply To QM, particularly if those queues are dynamic queues with names you can't possibly predict.
The MCAUSER on the CLUSRCVR channels should be running with an ID that does not have access to the QM's command queue, to prevent remote admin via another QM in the cluster.
Yes, putting SSL certs (with SSLPEER in use) and/or using channel exits like MQAUSX from Capitalware is needed if you want to prevent a random yahoo from adding his QM to your cluster.
_________________ Peter Potkay
Keep Calm and MQ On
rammer
Posted: Mon Feb 11, 2013 8:02 am Post subject:
Partisan, Joined: 02 May 2002, Posts: 359, Location: England

Hi. Yes, all our apps use queue aliases that are local to the app's queue manager and resolve to cluster queues on other queue managers. Currently no dynamic queues etc. are used.
RogerLacroix
Posted: Tue Feb 12, 2013 6:18 pm Post subject: Re: MQ Security
Jedi Knight, Joined: 15 May 2001, Posts: 3264, Location: London, ON Canada

rammer wrote:
    and MQ Exits (purchased exit from Capitalware) to assist in locking down the cluster.
Are you saying that you are only using MQAUSX (or MQSSX) for cluster channels (and not for SVRCONN channels)? That's like buying a home security system and only wiring up the front door.
rammer wrote:
    System accounts have been created and applied to relevant channels that applications use with relevant permissions set at queue manager / queue level
So what stops Joe Blow user from connecting to the queue manager using that channel? Other than you saying do not connect to the queue manager using that channel?
rammer wrote:
    MQ Explorer / RFHUTIL system account has been set up and applied to "admin" channels / queues to allow users to connect and browse but not delete / put etc
Same comment again - what stops Joe Blow user from connecting to the queue manager using that channel?
rammer wrote:
    Servers are all behind firewalls with no incoming connections at the moment from external clients
Most rogue users are internal people (company employees) and not external users. I seriously doubt Anonymous is interested in your MQ environment. Although, some day Anonymous will discover 99% of all financial companies use MQ and, since most are insecure, we will all be in trouble.
Regards,
Roger Lacroix
Capitalware Inc.
_________________ Capitalware: Transforming tomorrow into today.
Connected to MQ!
exerk
Posted: Wed Feb 13, 2013 1:30 am Post subject: Re: MQ Security
Jedi Council, Joined: 02 Nov 2006, Posts: 6339

RogerLacroix wrote:
    ...I seriously doubt Anonymous is interested in your MQ environment. Although, some day Anonymous will discover 99% of all financial companies use MQ and since most are insecure, we will all be in trouble...
If they didn't know before, they do now!
_________________ It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
rammer
Posted: Wed Feb 13, 2013 2:56 am Post subject: Re: MQ Security
Partisan, Joined: 02 May 2002, Posts: 359, Location: England

RogerLacroix wrote:
    rammer wrote:
        and MQ Exits (purchased exit from Capitalware) to assist in locking down the cluster.
    Are you saying that you are only using MQAUSX (or MQSSX) for cluster channels (and not for SVRCONN channels)? That's like buying a home security system and only wiring up the front door.
No, they use it on SVRCONN.
mqjeff
Posted: Wed Feb 13, 2013 4:08 am Post subject: Re: MQ Security
Grand Master, Joined: 25 Jun 2008, Posts: 17447

rammer wrote:
    RogerLacroix wrote:
        rammer wrote:
            and MQ Exits (purchased exit from Capitalware) to assist in locking down the cluster.
        Are you saying that you are only using MQAUSX (or MQSSX) for cluster channels (and not for SVRCONN channels)? That's like buying a home security system and only wiring up the front door.
    No, they use it on SVRCONN.
If you have not applied security to every single channel you have, you have only locked the front door and the garage and left the windows wide open.
PeterPotkay
Posted: Wed Feb 13, 2013 3:18 pm Post subject:
Poobah, Joined: 15 May 2001, Posts: 7722

Every incoming channel...
_________________ Peter Potkay
Keep Calm and MQ On
bruce2359
Posted: Wed Feb 13, 2013 3:39 pm Post subject:
Poobah, Joined: 05 Jan 2008, Posts: 9469, Location: US: west coast, almost. Otherwise, enroute.

Think of channels like a door. If you securely lock one but leave a window open, then you do not have security.
_________________ I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
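The point made by PeterPotkay (CLUSRCVR channels should run under a non-admin MCAUSER) and by the last three replies (every inbound channel needs the same treatment, or one open "window" undoes the rest) reduces to an audit you can run with nothing but runmqsc output. The script below is an added example, not code from the thread or from any poster; it parses the output of a `DIS CHANNEL(*) CHLTYPE MCAUSER` command and flags inbound channel types (SVRCONN, RCVR, RQSTR, CLUSRCVR) whose MCAUSER is blank (the remote end then chooses its own ID) or set to an admin ID. The sample output, the channel names and the `PRIVILEGED_IDS` set are constructed assumptions; it does not check OAM authorities (the SCTQ / alias-queue point), which needs dspmqaut.

```python
"""Audit MQSC 'DIS CHANNEL' output for inbound channels whose MCAUSER is
blank or privileged.

Added example, not code from the thread.  Assumes the output of
    runmqsc QMNAME  <<< "DIS CHANNEL(*) CHLTYPE MCAUSER"
has been saved to a text file; the sample below is constructed.
"""
import re
from typing import Dict, List

# Channel types that accept inbound connections or messages (the "doors").
INBOUND_TYPES = {"SVRCONN", "RCVR", "RQSTR", "CLUSRCVR"}

# IDs that must never be the MCAUSER of an inbound channel.
# Assumption: extend with whatever admin IDs your platform uses.
PRIVILEGED_IDS = {"mqm", "root"}

# Constructed sample of runmqsc output (not captured from a real system).
SAMPLE_OUTPUT = """\
AMQ8414: Display Channel details.
   CHANNEL(SYSTEM.DEF.SVRCONN)             CHLTYPE(SVRCONN)
   MCAUSER(DONOTUSE)
AMQ8414: Display Channel details.
   CHANNEL(SYSTEM.AUTO.SVRCONN)            CHLTYPE(SVRCONN)
   MCAUSER( )
AMQ8414: Display Channel details.
   CHANNEL(APP1.SVRCONN)                   CHLTYPE(SVRCONN)
   MCAUSER(app1svc)
AMQ8414: Display Channel details.
   CHANNEL(ADMIN.SVRCONN)                  CHLTYPE(SVRCONN)
   MCAUSER(mqm)
AMQ8414: Display Channel details.
   CHANNEL(TO.QM1)                         CHLTYPE(CLUSRCVR)
   MCAUSER( )
AMQ8414: Display Channel details.
   CHANNEL(TO.QM2)                         CHLTYPE(CLUSSDR)
   MCAUSER( )
"""

# One ATTR(value) pair; runmqsc prints several per line.
ATTR_RE = re.compile(r"([A-Z]+)\(([^)]*)\)")


def parse_channels(text: str) -> List[Dict[str, str]]:
    """Split runmqsc output into one attribute dict per channel record."""
    channels: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in text.splitlines():
        if line.startswith("AMQ8414"):       # header line starts a new record
            if current:
                channels.append(current)
            current = {}
            continue
        for name, value in ATTR_RE.findall(line):
            current[name] = value.strip()    # 'MCAUSER( )' becomes ''
    if current:
        channels.append(current)
    return channels


def audit(text: str) -> List[str]:
    """Return one finding per inbound channel that has no MCAUSER or runs
    under a privileged one.  Outbound types (SDR, CLUSSDR) are skipped
    because the MCAUSER that matters is the one on the receiving side."""
    findings: List[str] = []
    for ch in parse_channels(text):
        name, chltype = ch.get("CHANNEL", "?"), ch.get("CHLTYPE", "?")
        if chltype not in INBOUND_TYPES:
            continue
        mcauser = ch.get("MCAUSER", "")
        if mcauser == "":
            findings.append(f"{name} ({chltype}): blank MCAUSER, remote end picks the ID")
        elif mcauser.lower() in PRIVILEGED_IDS:
            findings.append(f"{name} ({chltype}): MCAUSER '{mcauser}' is an admin ID")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_OUTPUT):
        print("WARN", finding)
```

On the constructed sample this reports SYSTEM.AUTO.SVRCONN and TO.QM1 (blank MCAUSER) and ADMIN.SVRCONN (MCAUSER mqm), while SYSTEM.DEF.SVRCONN (DONOTUSE) and APP1.SVRCONN pass and the outbound TO.QM2 is ignored. A DONOTUSE result only passes the check; as bruce2359 asks above, the ID itself still has to be one that cannot log on or run applications.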