kun.leeing (Disciple; Joined: 27 Sep 2008; Posts: 171)
Posted: Mon Sep 23, 2013 5:10 am
Post subject: How to limit or block the remote conn to qmgr by explorer
Hi masters,
How can I limit or block remote connections to qmgrs from MQ Explorer through SYSTEM.ADMIN.SVRCONN? And could I use MCA to do this?
PaulClarke (Grand Master; Joined: 17 Nov 2005; Posts: 1002; Location: New Zealand)
Posted: Mon Sep 23, 2013 6:17 am
Could you try to re-phrase the question, please? I'm not sure what you are asking.
Are you asking how you can stop MQ Explorer from connecting remotely into your Queue Manager, or something else?
_________________
Paul Clarke
MQGem Software
www.mqgem.com
kun.leeing (Disciple; Joined: 27 Sep 2008; Posts: 171)
Posted: Mon Sep 23, 2013 6:27 am
Yes, that's exactly what I would like to ask.
And instead of STOPPING it, I would actually prefer to limit or control remote connections to the qmgr.
PaulClarke (Grand Master; Joined: 17 Nov 2005; Posts: 1002; Location: New Zealand)
Posted: Mon Sep 23, 2013 7:38 am
Well, I don't think it is really any different from any other MQ client, is it? If you want to prevent ANY user from connecting to the channel, disable it in some way: delete the channel, stop it, or disable it in some other way such as setting an invalid MCAUSER, etc. Of course, in the latest MQ you can configure CHLAUTH to add finer granularity to the restriction.
Cheers,
P.
_________________
Paul Clarke
MQGem Software
www.mqgem.com
kun.leeing (Disciple; Joined: 27 Sep 2008; Posts: 171)
Posted: Mon Sep 23, 2013 7:51 am
Well, thanks.
I could set the MCA user to control access to a certain channel, like blocking a few operations by authorizing the user with different rights, but what I really want is to make the channel available to some clients and unavailable to the others.
Also, the Explorers all use SYSTEM.ADMIN.SVRCONN as their default channel for connecting to a remote qmgr. I don't want to change this default setting.
All in all, how can I configure things to make MQ Explorer connections controllable?
JosephGramig (Grand Master; Joined: 09 Feb 2006; Posts: 1244; Location: Gold Coast of Florida, USA)
Posted: Mon Sep 23, 2013 10:38 am
By using CHLAUTH rules. You can only know an entity is who they say they are by using SSL. CHLAUTH rules were added at WMQ 7.1/7.5.
You can also use exits, but the issue still remains of determining whether the entity is who they say they are, so SSL is the answer again.
It is very easy to create a self-signed CA and implement this at all Qmgrs and clients. You have GSKit installed as part of WMQ.
kun.leeing (Disciple; Joined: 27 Sep 2008; Posts: 171)
Posted: Tue Sep 24, 2013 1:30 am
JosephGramig wrote:
    By using CHLAUTH rules. You can only know an entity is who they say they are by using SSL. CHLAUTH rules were added at WMQ 7.1/7.5.
    You can also use exits, but the issue still remains of determining whether the entity is who they say they are, so SSL is the answer again.
    It is very easy to create a self-signed CA and implement this at all Qmgrs and clients. You have GSKit installed as part of WMQ.

Thx.
I think CHLAUTH may solve my problem.
And if I may follow up with a question here, I still don't fully understand why I really need SSL for the channel to figure out who is who.
If I use

    SET CHLAUTH('channel-name') TYPE(ADDRESSMAP) ADDRESS('client-machine-IP-address') +
        MCAUSER('non-privileged-user-id')

and the channel can see the IP addresses of the clients connecting through it, then it already knows where the connection comes from and can decide whether the connection is proper to let in or not, right? So how is SSL used in this scenario?
Thanks in advance.
PeterPotkay (Poobah; Joined: 15 May 2001; Posts: 7722)
Posted: Tue Sep 24, 2013 3:00 am
Someone else could be logged onto that machine whose IP address you trusted. Less likely, but still plausible, the IP address could be spoofed. So an IP address alone doesn't prove who or what is on the other end, but it's not a bad start.
The CHLAUTH rule could also check the User ID being presented by the client, in addition to the IP address, for an added layer of determining what's on the other end of the connection.
The SSL cert was presumably created specifically for one person, and presumably the only copy in existence is held by that one person, so there is a higher level of trust that the person is who they say they are if they present the certificate you expect. But certificates can be copied.
A Security Exit that prompts for a unique ID and password combination that presumably only one person knows is another way of identifying a particular entity. But passwords can be shared.
You can use CHLAUTH, SSL and/or Exits together to get to the level of trust you need, but I don't think it can ever be 100%.
_________________
Peter Potkay
Keep Calm and MQ On
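As an added example (not commands posted by anyone in the thread), here is the MQSC an administrator would feed to runmqsc to implement the two approaches discussed above: the blunt shut-off that Paul Clarke describes (stop the channel or give it an MCAUSER with no authority) and the layered CHLAUTH rules that PeterPotkay describes (IP address, then the client-asserted user ID, then a certificate). The queue manager name QM1, the 10.1.2.* admin subnet, the user IDs mqexplorer and alice, and the certificate DN CN=alice,O=Example are assumptions for illustration. CHLAUTH needs WMQ 7.1 or later, and the cipher spec named must be one your version actually supports.

```mqsc
* Added example, not from the thread. Run with:  runmqsc QM1 < this_file
* QM1, 10.1.2.*, mqexplorer, alice and CN=alice,O=Example are assumptions.

* --- Option 1 (Paul Clarke's post): nobody gets in over this channel -------
* Stop the channel so current Explorer sessions drop and it stays stopped
* until an administrator issues START CHANNEL.
STOP CHANNEL('SYSTEM.ADMIN.SVRCONN') MODE(FORCE) STATUS(STOPPED)
* Alternatively leave it running but make every connection run as an ID that
* holds no MQ authorities; clients then fail with MQRC_NOT_AUTHORIZED (2035).
ALTER CHANNEL('SYSTEM.ADMIN.SVRCONN') CHLTYPE(SVRCONN) MCAUSER('nobody')

* --- Option 2 (CHLAUTH): some clients in, the rest out ----------------------
* Pick one option; Option 2 assumes the channel is started.
ALTER QMGR CHLAUTH(ENABLED)
* Least specific rule: deny everyone unless a more specific rule below maps
* the connection to a user ID.
SET CHLAUTH('SYSTEM.ADMIN.SVRCONN') TYPE(ADDRESSMAP) ADDRESS('*') +
    USERSRC(NOACCESS) DESCR('Deny by default')
* Layer 1, the IP address: the admin subnet may connect and runs as mqexplorer.
SET CHLAUTH('SYSTEM.ADMIN.SVRCONN') TYPE(ADDRESSMAP) ADDRESS('10.1.2.*') +
    USERSRC(MAP) MCAUSER('mqexplorer') DESCR('Admin subnet')
* Layer 2, the user ID the client asserts: alice from that subnet runs as
* alice. The client chooses what ID to send, which is PeterPotkay's caveat.
SET CHLAUTH('SYSTEM.ADMIN.SVRCONN') TYPE(USERMAP) CLNTUSER('alice') +
    ADDRESS('10.1.2.*') USERSRC(MAP) MCAUSER('alice') +
    DESCR('Alice by asserted ID')
* Layer 3, the certificate: require TLS with a client certificate, then map
* the certificate's distinguished name to an MQ user ID.
ALTER CHANNEL('SYSTEM.ADMIN.SVRCONN') CHLTYPE(SVRCONN) +
    SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA256) SSLCAUTH(REQUIRED)
SET CHLAUTH('SYSTEM.ADMIN.SVRCONN') TYPE(SSLPEERMAP) +
    SSLPEER('CN=alice,O=Example') ADDRESS('10.1.2.*') +
    USERSRC(MAP) MCAUSER('alice') DESCR('Alice by certificate')
* Whatever the mapping rules decide, never let a connection on this channel
* run as an MQ administrator.
SET CHLAUTH('SYSTEM.ADMIN.SVRCONN') TYPE(BLOCKUSER) USERLIST('mqm','*MQADMIN')

* --- Check the rules with a constructed connection before relying on them ---
* RUNCHECK evaluates the rules as the listener would and shows the one rule
* that wins for the given address, asserted ID and certificate DN.
DISPLAY CHLAUTH('SYSTEM.ADMIN.SVRCONN') MATCH(RUNCHECK) +
    ADDRESS('10.1.2.15') CLNTUSER('alice') SSLPEER('CN=alice,O=Example')
DISPLAY CHLAUTH('SYSTEM.ADMIN.SVRCONN') MATCH(RUNCHECK) +
    ADDRESS('192.168.7.9') CLNTUSER('alice')
* Expected: the first shows the SSLPEERMAP rule (MCAUSER alice); the second,
* from outside the subnet and without a certificate, shows the ADDRESS('*')
* NOACCESS rule, so that client would be refused.
```

The layering works because of CHLAUTH precedence: when several rules match one connection, an SSLPEERMAP rule wins over a USERMAP rule, which wins over an ADDRESSMAP rule, and among rules of the same type the more specific address wins. That is what lets the deny-all ADDRESSMAP rule sit alongside the allow rules without swallowing them. The two RUNCHECK commands answer the question in the thread without waiting for a real connection to fail: the same asserted ID is accepted from one address and refused from another, and only the certificate rule ties the connection to a credential that the client machine's other users do not hold.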