Viewing accounting and statistics data in MBX
PeterPotkay
Posted: Fri Sep 27, 2013 10:36 am Post subject: Viewing accounting and statistics data in MBX

Poobah

Joined: 15 May 2001
Posts: 7722

So, thought I'd give this a whirl.
http://publib.boulder.ibm.com/infocenter/wmbhelp/v8r0m0/topic/com.ibm.etools.mft.doc/bj10420_.htm

First problem, even though I have a secure connection to the broker's Queue Manager in MBX already, viewing the Statistics window seems to feel the need to want to open up ANOTHER channel connection to the QM, over SYSTEM.DEF.SVRCONN no less.

Fine, I find the place where I can choose to put the channel name for this 'statistics' connection. And the only input field is the name of the channel. There is no place to specify SSL or Security Exit info. So of course the connection is properly rejected by the exit on the Queue Manager.

If I temporarily configure a wide open channel for this secondary connection it works.

So, as annoying as it is that I have to open a second channel even though I already have a perfectly good, properly authenticated and properly authorized connection already, I can deal with specifying another channel name.

Can someone tell me how to make this secondary connection work over a SVRCONN channel that has SSL and/or an Exit?
_________________
Peter Potkay
Keep Calm and MQ On
mqjeff
Posted: Fri Sep 27, 2013 10:45 am

Grand Master

Joined: 25 Jun 2008
Posts: 17447

You could create a subscription to the remote broker's stats that ended up on a local qmgr, and then talk to that.

Or look at the functions in IS03 instead of MBX.
PeterPotkay
Posted: Fri Sep 27, 2013 11:18 am

Poobah

Joined: 15 May 2001
Posts: 7722

mqjeff wrote:
You could create a subscription to the remote broker's stats that ended up on a local qmgr, and then talk to that.

Create a Queue Manager on my PC just to look at these messages? Pass.


mqjeff wrote:
Or look at the functions in IS03 instead of MBX.

I was not aware of IS03. Looking at its doc, it also ignores SSL and Security Exits for the connection parameters. Sigh. Although I'm guessing it should be possible to use a CCDT under the covers and reference SSL or an Exit that way. So, this could be an option if it turns out I can't use MBX for this. I wonder if IS03 gives me more, less or the same quality and quantity of data as MBX.

So before we give up on MBX, anyone else have thoughts on this connection in MBX and how to make it secure?
_________________
Peter Potkay
Keep Calm and MQ On
PeterPotkay
Posted: Wed Nov 20, 2013 3:14 pm

Poobah

Joined: 15 May 2001
Posts: 7722

My PMR finally got closed as “working as designed”. Dang – I’m 0 for 2 on my last 2 PMRs where I think something is wrong but they say it’s working as designed and just open up an RFE. (My other one was where dmpmqcfg didn’t get 100% of the records a QM had for MQ AUTHs).


So here is my RFE for WebSphere Message Broker Explorer to be enhanced so that it doesn’t require the MQ Admin to configure a SVRCONN channel that is wide open to the world so that MBX can show Accounting and Statistics data. Please vote if you think it's worthwhile.

http://www.ibm.com/developerworks/rfe/execute?use_case=viewRfe&CR_ID=41900

Quote:

Headline:
Allow your existing secure channel connection in MBX to view Accounting and Statistics data

RFE ID:
41900

PMR ID:
66477,L6Q,000

Submitter:
PPotkay

Company:
Hartford Fire Insurance Compan

Submitter's ranking of priority:
Medium - Lack of the RFE functionality is a minor road block to deployment/adoption

Brand:
WebSphere

Product family:
Connectivity and Integration

Product:
IBM Integration Bus (WebSphere Message Broker)




Description:
Please enhance Message Broker Explorer to use one SVRCONN channel for all communications with the Broker, including Accounting and Statistics. Currently we have to use a secondary channel for Accounting and Statistics in MBX. And there is no way to specify any details for that channel other than the name, so we can't use SSL or an Exit. So while we are already connected in MBX to the Broker over a properly authenticated and authorized channel, to use Accounting and Statistics via MBX we have to configure an unsecure channel on the queue manager and start up another connection. I opened a PMR but it concluded that requiring a second channel that is wide open from an MQ security perspective is "working as designed".



Use case:
Broker is WMB 8.0.0.3 on a Linux server with MQ 7.5.0.2
MBX 8.0.0.2 is running on a Windows 7 PC with MQ 7.5.0.2

I connect to the Broker in MBX 8.0 over a SVRCONN channel that has a Security Exit configured on it. This ensures that only authenticated users can connect to the queue manager over this channel. The queue manager is otherwise secure with no other way for an unauthenticated user to connect.

I am attempting Accounting and Statistics thru MBX as described here.
http://publib.boulder.ibm.com/infocenter/wmbhelp/v8r0m0/topic/com.ibm.etools.mft.doc/bj10420_.htm


Even though I have a secure connection to the broker's Queue Manager in MBX already, viewing the Statistics window wants to open up ANOTHER channel connection to the QM, over SYSTEM.DEF.SVRCONN no less.

I could not find a way around this, so I found the place where I can choose to put the channel name for the 'statistics' connection. And the only input field is the name of the channel. There is no place to specify SSL or Security Exit info. In my case that means the connection attempt for this secondary channel is properly rejected by the Security Exit on the Queue Manager.

If I temporarily configure a secondary SVRCONN channel with no security for this secondary connection it works.

To get MBX to work with Accounting and Statistics requires opening up an unsecure channel to the Queue Manager. Please enhance MBX so that it allows us to specify all the connection details we need to make secure connections to the queue manager, even for the Accounting and Statistics channel. But ideally, remove the requirement to make a second connection at all - MBX already has a proper connection to the queue manager, why not use that connection for Accounting and Statistics as well?

_________________
Peter Potkay
Keep Calm and MQ On


Last edited by PeterPotkay on Thu Nov 21, 2013 12:55 pm; edited 1 time in total
smdavies99
Posted: Wed Nov 20, 2013 11:37 pm

Jedi Council

Joined: 10 Feb 2003
Posts: 6076
Location: Somewhere over the Rainbow this side of Never-never land.

I've been on sites where the SYSTEM.DEF.SVRCONN channel is locked down so tight that it is impossible to use. This is simply for security reasons. In many respects, I concur with that as well.

For the Explorer to use this channel by default is simply silly. Add to that the impossibility of securing it as well then there is a huge gaping hole in security (IMHO).

I'm trying to get my systems made a lot more secure but this allows a Steamroller (Aveling Barford preferred) to drive through your security implementation. I've supported your RFE.
_________________
WMQ User since 1999
MQSI/WBI/WMB/'Thingy' User since 2002
Linux user since 1995

Every time you reinvent the wheel the more square it gets (anon). If in doubt think and investigate before you ask silly questions.
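
A defender-side check for the condition discussed in this thread, a SVRCONN channel with neither TLS nor a security exit, follows as an added example; it is not code from any poster or from IBM. The runmqsc output is a constructed sample, the MBX.* channel names, the exit path and the MCAUSER values are invented, and CHLAUTH rules are not evaluated.

```python
import re
# Constructed sample of runmqsc output for DISPLAY CHANNEL(*) CHLTYPE(SVRCONN)
# MCAUSER SCYEXIT SSLCIPH. MBX.* channel names and the exit path are invented.
SAMPLE = """\
AMQ8414: Display Channel details.
   CHANNEL(MBX.ADMIN.SVRCONN)              CHLTYPE(SVRCONN)
   MCAUSER( )                              SCYEXIT(/var/mqm/exits64/authexit(ChlExit))
   SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA256)
AMQ8414: Display Channel details.
   CHANNEL(MBX.STATS.SVRCONN)              CHLTYPE(SVRCONN)
   MCAUSER( )                              SCYEXIT( )
   SSLCIPH( )
AMQ8414: Display Channel details.
   CHANNEL(SYSTEM.DEF.SVRCONN)             CHLTYPE(SVRCONN)
   MCAUSER(nobody)                         SCYEXIT( )
   SSLCIPH( )
"""

# NAME(value); the value may hold one nested pair, as in SCYEXIT(lib(func)).
ATTR = re.compile(r"([A-Z]+)\(((?:[^()]|\([^()]*\))*)\)")

def parse_channels(text):
    """Return one attribute dict per channel; CHANNEL(...) starts a record."""
    channels = []
    for key, value in ATTR.findall(text):
        if key == "CHANNEL":
            channels.append({})
        if channels:
            channels[-1][key] = value.strip()
    return channels

def audit(text):
    """Map each SVRCONN channel to its findings. CHLAUTH rules are not evaluated."""
    report = {}
    for ch in parse_channels(text):
        if ch.get("CHLTYPE") != "SVRCONN":
            continue
        found = []
        if not ch.get("SSLCIPH"):
            found.append("no SSLCIPH: traffic is not TLS protected")
        if not ch.get("SCYEXIT"):
            found.append("no SCYEXIT: no exit authenticates the client")
            if not ch.get("MCAUSER"):
                found.append("blank MCAUSER: client-asserted user ID is used")
        report[ch["CHANNEL"]] = found
    return report

def wide_open(text):  # channels with no TLS, no exit and no fixed MCAUSER
    return [name for name, found in audit(text).items() if len(found) == 3]
```

Feeding it the real output of the DISPLAY CHANNEL command named in the comment lists every client channel that would accept a connection like the one MBX makes for statistics.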
dogorsy
Posted: Thu Nov 21, 2013 3:44 am

Knight

Joined: 13 Mar 2013
Posts: 553
Location: Home Office

yes from me.
mqjeff
Posted: Thu Nov 21, 2013 3:59 am

Grand Master

Joined: 25 Jun 2008
Posts: 17447

Of course, the web admin console in v9 shows you lots of stuff without needing a svrconn.

And it can be secured.

But I'm still voting for the RFE.
dstorey
Posted: Thu Nov 21, 2013 5:50 am

Novice

Joined: 25 Mar 2002
Posts: 15
Location: UK

Hello Peter
You can change the Statistics SVRCONN channel underneath the broker properties under the Statistics. This is for remote broker connections only though.
PeterPotkay
Posted: Thu Nov 21, 2013 7:10 am

Poobah

Joined: 15 May 2001
Posts: 7722

dstorey wrote:
Hello Peter
You can change the Statistics SVRCONN channel underneath the broker properties under the Statistics. This is for remote broker connections only though.

You can change the name of the channel you use, but you cannot specify any other client side details for that channel, like SSL or Security Exit details.

Reading my RFE again maybe I wasn't clear enough that you can at least change the channel name. But if the new channel has to be wide open anyway it doesn't really help.

I think it's a less than ideal design to require a second channel for Accounting and Statistics, that the channel name defaults to a name that widely accepted best practices say should be disabled, and that there is no way to secure the second channel regardless of the channel name being used. But if that's really the design, I guess it's working as designed!


Let's hope my RFE gets enough votes to make the design better.
_________________
Peter Potkay
Keep Calm and MQ On
Michael Dag
Posted: Thu Nov 21, 2013 10:18 am

Jedi Knight

Joined: 13 Jun 2002
Posts: 2607
Location: The Netherlands (Amsterdam)

Haven't worked with Broker for a while. Wasn't it supposed to be a 'plug-in' to MQ Explorer and re-use its connection ability including SSL and exits, or did I misunderstand...
_________________
Michael



MQSystems Facebook page
mqjeff
Posted: Thu Nov 21, 2013 10:19 am

Grand Master

Joined: 25 Jun 2008
Posts: 17447

Michael Dag wrote:
Haven't worked with Broker for a while. Wasn't it supposed to be a 'plug-in' to MQ Explorer and re-use its connection ability including SSL and exits, or did I misunderstand...


It's a plugin to MQExplorer.

It doesn't reuse the MQ Explorer connections. I'll leave it to dstorey to explain why.
PeterPotkay
Posted: Thu Nov 21, 2013 11:07 am

Poobah

Joined: 15 May 2001
Posts: 7722

It doesn't even reuse its own connection. When you first connect with MBX you can specify all the connection details you need, which are a separate set of connection parameters than what your MQ Explorer connection has for that QM. It's when you go to use MBX's Accounting and Statistics feature that it wants to make yet another connection to the queue manager, but this time with no way to specify details of that last connection other than a channel name, which relegates you to using an insecure connection for that piece. It does inherit the host name and port number from the primary connection already established.
_________________
Peter Potkay
Keep Calm and MQ On
dstorey
Posted: Thu Nov 21, 2013 12:39 pm

Novice

Joined: 25 Mar 2002
Posts: 15
Location: UK

Hello Peter,
Having 2 channels allows you to set up 2 access lists but I agree using the same SVRCONN as the broker admin would be a better default here and potentially using the same security settings as this channel initially would also be a good idea.

We need the RFE to investigate further...

Dom
Michael Dag
Posted: Fri Nov 22, 2013 1:00 am

Jedi Knight

Joined: 13 Jun 2002
Posts: 2607
Location: The Netherlands (Amsterdam)

dstorey wrote:
Hello Peter,
Having 2 channels allows you to set up 2 access lists but I agree using the same SVRCONN as the broker admin would be a better default here and potentially using the same security settings as this channel initially would also be a good idea.

We need the RFE to investigate further...

Dom


Kinda defeats the working as designed statement, at least the design was missing some essential parts... I understand the need for RFE from a resourcing perspective... but now the option is unusable due to security reasons which have become more visible the past few years (I say visible as needed was always the case... days of obscurity are over!)

RFEs tend to end up in future releases some day... this needs to be in one of the earliest fixpacks to be addressed IMHO
_________________
Michael



MQSystems Facebook page
longnguk
Posted: Thu Feb 27, 2014 2:02 pm

Novice

Joined: 16 Aug 2006
Posts: 19
Location: Phoenix

Just stumbled on this one and I totally agree that it's not acceptable to have to leave the system wide open just to be able to use its statistics capability.

On the other hand, I tried the capability and although I get the error about SYSTEM.DEF.SVRCONN, I am still able to see the statistics results! Have no idea where the data would be coming in from.