Receiver & requestor channels - unprivileged mca user |
ChristianH (Novice, joined 27 Sep 2007, 19 posts, London, UK)
Posted: Fri Jun 06, 2014 7:48 am  Post subject: Receiver & requestor channels - unprivileged mca user
Hi,
I have a question regarding receiver and requestor channels configured with a low-privileged mca user. We are trying to run our channels with the minimum authorisations the user requires for the channel to run without issues, following a least access model as recommended in the Redbook "Secure Messaging Scenarios with WebSphere MQ". So we are trying to give that mca user only put access to the queues it needs to write to, plus the limited access it needs to run the channel without issues.
But what exactly is the minimum required access for that mca user to run the channel?
The background to my question is that we were having some issues with a few channels that frequently encountered "out of sequence" issues after having network interruptions.
Following some investigation and some tests, I found out that these channels were missing:
1) put on SYSTEM.CHANNEL.SYNCQ
2) dsp on the channel object
3) ctrlx on the channel object
And, after adding these authorisations, the "out of sequence" issues have disappeared and I was not able to reproduce the issue anymore, although I could reliably reproduce it prior to adding those authorisations.
I found some evidence on the IBM MQ infocentre that these authorisations are indeed required to run the channel with a low-privileged user, but not exactly what these authorisations do and why they are needed.
( http://www-01.ibm.com/support/knowledgecenter/?lang=zh#!/SSFKSJ_8.0.0/com.ibm.mq.sec.doc/q010710_.htm )
My concern is adding those rights without exactly knowing whether they could be exploited somehow. Is it totally safe to add them?
I'm specifically wondering about the ctrlx authority, as we are running many channels without that authority and they don't "suffer" from the "out of sequence" problems described above.
The MQ version we are using is 7.0.1.10.
Does anyone have any insight into the internals of the receiver and requestor channels who could shed some light on this (maybe an IBM employee)?
Looking forward to any comments, especially regarding the security aspect.
fjb_saper (Grand High Poobah, joined 18 Nov 2003, 20756 posts, LI, NY)
Posted: Fri Jun 06, 2014 1:34 pm  Post subject:
The put authority to SYSTEM.CHANNEL.SYNC.QUEUE is to allow you to persist the current / latest state (seqnum).
The ctrlx authority on the channel is to allow you to stop / start the channel (triggered channel?).
Note that you should also have authority to put to the DLQ (+put +dsp +inq)
Have fun
_________________
MQ & Broker admin
ChristianH (Novice, joined 27 Sep 2007, 19 posts, London, UK)
Posted: Mon Jun 09, 2014 4:39 am  Post subject:
Thanks for your answer, fjb_saper!
That was my understanding as well, but my testing seemed to indicate that ctrlx is required for some other things as well.
So I'm still not sure I fully understand what ctrlx is used for.
The channels I tested with are receiver channels and also requestor channels. The requestors are checked regularly by our monitoring infrastructure and started via a script, if required. The receivers are being started by the sender on the other end starting up.
The actual startup was working without the ctrlx authority and the channels were running fine, except that they were encountering the odd "out-of-sequence" issue every now and then.
I noticed that the missing ctrlx authority is being logged to the MQ error log when a channel is starting up after a channel reset was done.
So it seemed to have been related to something like resynching the sequence number...?
On the security aspect of adding these authorities: it sounds like it would be OK to add them. Or does anyone know whether they could be used in any harmful way?
PeterPotkay (Poobah, joined 15 May 2001, 7722 posts)
Posted: Mon Jun 09, 2014 5:23 am  Post subject:
ChristianH (Novice, joined 27 Sep 2007, 19 posts, London, UK)
Posted: Mon Jun 09, 2014 5:41 am  Post subject:
Quote:
    As of MQ 6, channels are objects in MQ like queues; the user ID that the channel runs under needs +ctrlx and +dsp on the channel objects to be able to RESET and RESOLVE the channel.
Thanks, Peter!
That explains it!
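The authority list the thread arrives at, turned into setmqaut commands. This is an added example and not the poster's script or an IBM-supplied tool; the queue manager, channel, user and queue names (QM1, TO.QM1, mcauser, APP.IN) are placeholders. The +setall on the destination queues and the DLQ goes beyond what the thread lists and is an assumption to confirm against the Knowledge Center page linked in the first post for your release.

```shell
#!/bin/sh
# Added example (not from the thread): generate, and separately verify, the
# setmqaut commands that give a receiver/requestor channel's MCA user the
# minimum authorities identified in the discussion above.
#
# Usage: gen_mca_auths <qmgr> <channel> <mcauser> <dlq> <target-queue>...

gen_mca_auths() {
    qm=$1; ch=$2; user=$3; dlq=$4
    shift 4

    # 1) The MCA persists the channel's message sequence number on the sync
    #    queue; without +put here a restart after a network break cannot
    #    resynchronise, which is the "out of sequence" symptom in the thread.
    echo "setmqaut -m $qm -t queue -n SYSTEM.CHANNEL.SYNCQ -p $user +put"

    # 2) Since MQ 6 channels are objects: RESET/RESOLVE CHANNEL after a resync
    #    needs +dsp and +ctrlx. Grant them on the explicit channel name only;
    #    a generic profile such as ** would let this user reset every channel.
    echo "setmqaut -m $qm -t channel -n $ch -p $user +dsp +ctrlx"

    # 3) Undeliverable messages go to the dead-letter queue (+put +dsp +inq
    #    per the thread). +setall is an assumption beyond the thread: the
    #    receiving MCA puts with full message context.
    echo "setmqaut -m $qm -t queue -n $dlq -p $user +put +dsp +inq +setall"

    # 4) Only put on the application queues the channel delivers to
    #    (+setall again an assumption, for the same reason as the DLQ).
    for q in "$@"; do
        echo "setmqaut -m $qm -t queue -n $q -p $user +put +setall"
    done
}

# Show what the MCA user actually holds; run before and after applying so the
# change is limited to the objects above and nothing else.
verify_mca_auths() {
    qm=$1; ch=$2; user=$3; dlq=$4
    shift 4
    echo "dspmqaut -m $qm -t queue -n SYSTEM.CHANNEL.SYNCQ -p $user"
    echo "dspmqaut -m $qm -t channel -n $ch -p $user"
    echo "dspmqaut -m $qm -t queue -n $dlq -p $user"
    for q in "$@"; do
        echo "dspmqaut -m $qm -t queue -n $q -p $user"
    done
}

# Constructed sample invocation (placeholder names): print the commands for
# review. Pipe the output to sh on the queue manager host to apply them.
gen_mca_auths QM1 TO.QM1 mcauser SYSTEM.DEAD.LETTER.QUEUE APP.IN
```

Two caveats when applying this: on UNIX, setmqaut -p grants to the user's primary group unless the queue manager is configured for user-based authorization, so check which group mcauser belongs to; and +ctrlx on a channel object is exactly the right to RESET and RESOLVE that channel, so its blast radius is bounded by the object name you grant it on, not by anything in the channel definition.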