fernando28 (Novice, Joined: 07 May 2013, Posts: 20)
Posted: Mon Jul 22, 2013 3:39 am Post subject: Can't block channel status using OAM
Hi everybody!!
Environment is MQ V 6.0.2.9, Linux x86-64.
Some users here use MQ Explorer, mqjexplorer and MQMon. They are not MQ administrators, so I want to grant authority just to display queues and qmgr.
I'm using OAM to grant +allmqi +dsp to qmgr and all queues,
and blocking access to all other objects (channel, process, namelist, authinfo, service, clntconn, listener):
setmqaut -m QMLI114 -n '**' -t namelist -p usrsegmq -allmqi -alladm
setmqaut -m QMLI114 -n '**' -t listener -p usrsegmq -allmqi -alladm
setmqaut -m QMLI114 -n '**' -t authinfo -p usrsegmq -allmqi -alladm
setmqaut -m QMLI114 -n '**' -t channel -p usrsegmq -allmqi -alladm
setmqaut -m QMLI114 -n '**' -t clntconn -p usrsegmq -allmqi -alladm
Everything is working fine, except channel status. I'd like to block display chstatus. Problem is: there's a SVRCONN with blank MCAUSER. All MQ admins use this channel for remote admin of qmgrs (MQ admins belong to the mqm group).
But if a normal user (not an MQ admin) knows the name of this SVRCONN channel with blank userid, they will be granted access to all of the qmgr, since mqjexplorer does not pass an md_userid, so mqm will be used by this channel.
Is it possible to block chstatus using OAM? Thanks in advance....
Regards from Brazil.....Fernando

exerk (Jedi Council, Joined: 02 Nov 2006, Posts: 6339)
Posted: Mon Jul 22, 2013 3:48 am Post subject: Re: Can't block channel status using OAM
fernando28 wrote:
> ...there's a SVRCONN with blank MCAUSER. All MQ admins use this channel for remote admin of qmgrs (MQ admins belong to the mqm group)...
This is really, really, not a good idea. Better to use an MCAUSER with the appropriate authorities and protect the channel with SSL to limit who can connect - better still, get off the unsupported version and use a version that now includes AUTHRECS.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
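A way to find the condition exerk is warning about (a SVRCONN channel whose MCAUSER is blank) before someone else does, as an added example that is not part of this thread or of any IBM tool: a POSIX shell script that reads the output of runmqsc DISPLAY CHANNEL and lists every SVRCONN channel whose MCAUSER attribute is empty. The embedded runmqsc output is constructed and the channel names in it are made up; the queue manager name QMLI114 in the comment is the one from the first post.

```shell
#!/bin/sh
# Added example, not from the thread: list SVRCONN channels with a blank MCAUSER.
# Such a channel runs the MCA under whatever identity the client asserts (or
# under mqm when, as with mqjexplorer, no userid is sent at all), so it is the
# thing worth finding and fixing rather than trying to hide its name via OAM.
#
# Feed it live output from the queue manager (QMLI114 is the name used in the
# first post of the thread):
#   echo "DISPLAY CHANNEL(*) CHLTYPE(SVRCONN) MCAUSER" | runmqsc QMLI114 | find_blank_mcauser
# or, as at the bottom of this script, the constructed sample below.

# Constructed sample of runmqsc output; the channel names are made up.
# runmqsc prints a blank MCAUSER as "MCAUSER( )".
SAMPLE_RUNMQSC_OUTPUT='
AMQ8414: Display Channel details.
   CHANNEL(ADMIN.SVRCONN)                  CHLTYPE(SVRCONN)
   MCAUSER( )
AMQ8414: Display Channel details.
   CHANNEL(APP.SVRCONN)                    CHLTYPE(SVRCONN)
   MCAUSER(usrsegmq)
AMQ8414: Display Channel details.
   CHANNEL(SYSTEM.DEF.SVRCONN)             CHLTYPE(SVRCONN)
   MCAUSER( )
'

# Reads runmqsc output on stdin and prints one channel name per line for every
# channel whose MCAUSER attribute is empty or consists only of spaces.
find_blank_mcauser() {
    awk '
        # Remember the channel name from the CHANNEL(...) attribute.
        /CHANNEL\(/ {
            match($0, /CHANNEL\([^)]*\)/)
            name = substr($0, RSTART + 8, RLENGTH - 9)
        }
        # When the MCAUSER(...) attribute follows, report the channel if it is blank.
        /MCAUSER\(/ {
            match($0, /MCAUSER\([^)]*\)/)
            user = substr($0, RSTART + 8, RLENGTH - 9)
            gsub(/ /, "", user)
            if (user == "") print name
        }
    '
}

# Gate form: succeeds only when no SVRCONN channel has a blank MCAUSER, so the
# check can fail a change window or alert from a nightly cron job.
assert_no_blank_mcauser() {
    found=$(find_blank_mcauser)
    if [ -n "$found" ]; then
        printf 'SVRCONN channels with blank MCAUSER:\n%s\n' "$found" >&2
        return 1
    fi
    return 0
}

# Demonstration on the constructed sample: prints ADMIN.SVRCONN and SYSTEM.DEF.SVRCONN.
printf '%s\n' "$SAMPLE_RUNMQSC_OUTPUT" | find_blank_mcauser
```

The awk script relies only on the CHANNEL(...) and MCAUSER(...) attribute pairs that runmqsc prints per channel, so it works the same whether the display was restricted to SVRCONN channels with CHLTYPE(SVRCONN) or run over all channel types; in the latter case it also flags sender or receiver channels whose MCAUSER is blank, which is the same class of finding.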

fernando28 (Novice, Joined: 07 May 2013, Posts: 20)
Posted: Mon Jul 22, 2013 4:41 am Post subject: Re: Can't block channel status using OAM
exerk wrote:
> fernando28 wrote:
> > ...there's a SVRCONN with blank MCAUSER. All MQ admins use this channel for remote admin of qmgrs (MQ admins belong to the mqm group)...
> This is really, really, not a good idea. Better to use an MCAUSER with the appropriate authorities and protect the channel with SSL to limit who can connect - better still, get off the unsupported version and use a version that now includes AUTHRECS.
Thanks Exerk.
Yes, I know it. But I think migration to 7.5 will occur only next year.
They do not want to use SSL here. Today (and since MQ started being used here - about 11 years) MQ is completely unsecured....
So I'm trying to use a single security scheme based on mcauser.

exerk (Jedi Council, Joined: 02 Nov 2006, Posts: 6339)
Posted: Mon Jul 22, 2013 4:45 am Post subject: Re: Can't block channel status using OAM
fernando28 wrote:
> Today (and since MQ started being used here - about 11 years) MQ is completely unsecured....
> So I'm trying to use a single security scheme based on mcauser.
Explain to your management that it's not worth the effort or time in light of the unsecured SVRCONN...

bruce2359 (Poobah, Joined: 05 Jan 2008, Posts: 9469, Location: US: west coast, almost. Otherwise, enroute.)
Posted: Mon Jul 22, 2013 5:00 am Post subject:
Is CHAD (channel auto-definition) enabled on your qmgrs?
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.

fernando28 (Novice, Joined: 07 May 2013, Posts: 20)
Posted: Mon Jul 22, 2013 5:22 am Post subject:
Exerk, it will not work here (don't ask me why, it will be hard to explain how things work here).
Bruce, CHAD is disabled. I think it's not possible to block display chstatus. I've tried everything with setmqaut. I can block define / delete / start, but even after blocking channel (-allmqi -alladm) it's possible to see channel status using mqexplorer, mqjexplorer and mqmon.
Thanks again, guys!!! Fernando

bruce2359 (Poobah, Joined: 05 Jan 2008, Posts: 9469)
Posted: Mon Jul 22, 2013 5:28 am Post subject:
Why exactly do you want to block channel status? What risk do you perceive?

fernando28 (Novice, Joined: 07 May 2013, Posts: 20)
Posted: Mon Jul 22, 2013 5:43 am Post subject:
bruce2359 wrote:
> Why exactly do you want to block channel status? What risk do you perceive?
Bruce, I don't have SYSTEM.ADMIN.SVRCONN, but I have one svrconn channel with blank mcauser (we MQ admins use this channel, we belong to the mqm group).
All other svrconn channels use the usrsegmq mcauser (this user does not belong to the mqm group), so applications can run (+allmqi for qmgr and queues), and non-admin users can use mqexplorer, mqjexplorer or mqmon to display queues only. But if these non-admin users try to see channel status, they will learn the name of the svrconn channel with blank mcauser, so they can use this channel to reach the qmgr with mqjexplorer (mqjexplorer does not pass a userid, so the qmgr is unsecured to them).
Sorry about my poor English. I'm from Brazil, hope you understand my explanation..... Fernando

bruce2359 (Poobah, Joined: 05 Jan 2008, Posts: 9469)
Posted: Mon Jul 22, 2013 6:12 am Post subject:
I want to know WHY you want to grant permission to display channel status? Porque? Not how you are trying to do so.

fernando28 (Novice, Joined: 07 May 2013, Posts: 20)
Posted: Mon Jul 22, 2013 6:16 am Post subject:
bruce2359 wrote:
> I want to know WHY you want to grant permission to display channel status? Porque? Not how you are trying to do so.
I want to REVOKE permission to display channel status.
My first post:
> Everything is working fine, except channel status. I'd like to block display chstatus.
Thanks again....

bruce2359 (Poobah, Joined: 05 Jan 2008, Posts: 9469)
Posted: Mon Jul 22, 2013 6:19 am Post subject:
Again, why? What secret information are you attempting to protect by blocking channel status? From whom?

fernando28 (Novice, Joined: 07 May 2013, Posts: 20)
Posted: Mon Jul 22, 2013 6:41 am Post subject:
bruce2359 wrote:
> Again, why? What secret information are you attempting to protect by blocking channel status? From whom?
One of the svrconn channels displayed with channel status is an administration svrconn channel with blank mcauser. If non-admin users see the name of this channel, they will try to connect mqJexplorer with it, and will have admin access to the whole qmgr, since this channel has blank mcauser.
I don't want to let non-admin users see svrconn channel names.

bruce2359 (Poobah, Joined: 05 Jan 2008, Posts: 9469)
Posted: Mon Jul 22, 2013 6:55 am Post subject:
You will need to prevent display channel(*), too, and not just channel status.

fernando28 (Novice, Joined: 07 May 2013, Posts: 20)
Posted: Mon Jul 22, 2013 6:59 am Post subject:
bruce2359 wrote:
> You will need to prevent display channel(*), too, and not just channel status.
Yes, but dis channel(*) is OK, blocked.

fernando28 (Novice, Joined: 07 May 2013, Posts: 20)
Posted: Wed Jul 24, 2013 11:17 am Post subject:
Problem solved! It was not possible to block display channel status, but with the BlockIP2 channel exit I've blocked mqm, MUSR_MQADMIN and blank userids.