ARI126 (Newbie; Joined: 05 Aug 2014; Posts: 6)
Posted: Tue Aug 05, 2014 10:53 am
Post subject: How to restrict MQ Channels
Environment: MQ v7.1, WMB v7.0.0.5, RHEL v5
Hello,
I'm trying to create a security setup that would allow the MQ Explorer to be used as a View Only interface for my queue managers and brokers. I'm having trouble blocking access to the channels. Could anyone point out what needs to be added/removed to prevent the channels from being accessible via the MQ Explorer?
Here is the script I've put together.
Code:
#!/bin/bash
#This script provides view only access to the Broker and Queue Manager through the mqexpusr Unix id.
# Establish Variables
QMGR=$(mqsilist|grep "BIP1285I\|BIP1284I"| awk '{print $7}'| sed "s/'//g")
BRKR=$(mqsilist|grep "BIP1285I\|BIP1284I"| awk '{print $3}'| sed "s/'//g")
Group=mqexpusr
EGArray=`mqsilist $BRKR| egrep "BIP1287I|BIP1286I"| awk '{print $4}'| sed "s/'//g"`
#Apply Permissions
for EG in ${EGArray};do
echo
echo "Setting permissions for the \"$EG\" Execution Group."
#To connect to the Queue Manager
setmqaut -m $QMGR -t qmgr -g $Group -all +connect +inq +dsp
#Queues needed by the MQ Explorer
setmqaut -m $QMGR -n SYSTEM.DEFAULT.MODEL.QUEUE -t q -g $Group -all +inq +browse +get
setmqaut -m $QMGR -n SYSTEM.ADMIN.COMMAND.QUEUE -t q -g $Group -all +inq +browse +get +put
setmqaut -m $QMGR -n SYSTEM.MQEXPLORER.REPLY.MODEL -t q -g $Group -all +inq +browse +get +dsp
#To view or restrict Queue Manager components relevant to the application
setmqaut -m $QMGR -n '**' -t topic -g $Group +dsp
setmqaut -m $QMGR -n 'EDI.**' -t q -g $Group -all +inq +browse +dsp
setmqaut -m $QMGR -n '**' -t channel -g $Group -all
#To connect to the Broker.
setmqaut -m $QMGR -n SYSTEM.BROKER.DEPLOY.QUEUE -t q -g $Group -all +put
setmqaut -m $QMGR -n SYSTEM.BROKER.DEPLOY.REPLY -t q -g $Group -all +get +put
setmqaut -m $QMGR -n SYSTEM.BROKER.AUTH -t q -g $Group -all +inq
#To connect to the Execution Group
setmqaut -m $QMGR -n SYSTEM.BROKER.AUTH.$EG -t q -g $Group -all +inq
done
#Refresh the security cache
echo 'REFRESH SECURITY' | runmqsc $QMGR
exit

exerk (Jedi Council; Joined: 02 Nov 2006; Posts: 6339)
Posted: Tue Aug 05, 2014 12:16 pm
Take a look at THIS.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.

ARI126 (Newbie; Joined: 05 Aug 2014; Posts: 6)
Posted: Tue Aug 05, 2014 1:26 pm
Hey Exerk,
Thanks for the response. That was the blog based on which I built most of my script. Here's what T-Rob has to say about giving view access to channels.
Code:
setmqaut -m YOUR_QUEUE_MANAGER -t channel -n '**' -p YOUR_USER_NAME +dsp
So, I used the same line in my script, but replaced +dsp with -all because my goal is to prevent users from being able to view the channels on the Queue Manager.
Code:
setmqaut -m $QMGR -n '**' -t channel -g $Group -all
Yet, the channels show up. My guess is something else in the script is overriding this exclusion. Or am I missing something obvious?

mqjeff (Grand Master; Joined: 25 Jun 2008; Posts: 17447)
Posted: Tue Aug 05, 2014 1:31 pm
There's a big difference between "allowing MQExplorer to view the status and properties of a channel" and "allowing someone to connect to a channel".
All your script currently does is control what permissions someone has *after they connect*.
There was a somewhat confused thread the last couple of months asking basically exactly the same question.

ARI126 (Newbie; Joined: 05 Aug 2014; Posts: 6)
Posted: Tue Aug 05, 2014 1:42 pm
MQJeff,
I agree. I am trying to control what permissions someone has after they connect. I am trying to prevent them from viewing the list of channels on the queue manager, after they connect using a SVRCONN channel, specified by me.
And this is not able to achieve that.
Code:
setmqaut -m $QMGR -n '**' -t channel -g $Group -all

mqjeff (Grand Master; Joined: 25 Jun 2008; Posts: 17447)
Posted: Tue Aug 05, 2014 1:52 pm
The user coming in might belong to more than just the one group.
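The point mqjeff raises is easiest to check with data rather than by re-reading the script: dump every channel profile the queue manager holds (dmpmqaut -m QMGR -t channel), list the groups the MCAUSER id really belongs to (id -Gn mqexpusr), and work out which profile the OAM would apply for each group. The following is an added example, not code from this thread or from IBM. It parses constructed dmpmqaut-style records (the group name mqadmins and the leftover specific profile for SYSTEM.BKR.CONFIG are invented for the illustration) and evaluates which channels would still be displayable. Two rules are modelled and should be treated as assumptions to confirm with dspmqaut on a real queue manager: for each group the most specific matching profile applies, and a user's effective authority is the union over all of the user's groups. It also shows the two ways a "-all" on the '**' profile gets bypassed: a more specific profile for the same group, and a second group that still holds +dsp.

```python
import re
from dataclasses import dataclass

# Constructed dmpmqaut-style output (not captured from the thread's system).
# Record layout follows the dmpmqaut format; the group "mqadmins" and the
# stray specific profile on SYSTEM.BKR.CONFIG are invented for illustration.
SAMPLE_DUMP = """\
profile:     **
object type: channel
entity:      mqexpusr
entity type: group
authority:   none

profile:     SYSTEM.BKR.CONFIG
object type: channel
entity:      mqexpusr
entity type: group
authority:   dsp

profile:     SYSTEM.**
object type: channel
entity:      mqadmins
entity type: group
authority:   dsp, ctrl

profile:     EDI.**
object type: queue
entity:      mqexpusr
entity type: group
authority:   inq, browse, dsp
"""


@dataclass(frozen=True)
class Profile:
    name: str
    obj_type: str
    entity: str
    entity_type: str
    authorities: frozenset


def parse_dmpmqaut(text):
    """Parse blank-line separated dmpmqaut records into Profile objects."""
    profiles = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        auth = fields.get("authority", "none")
        auths = frozenset() if auth == "none" else frozenset(a.strip() for a in auth.split(","))
        profiles.append(Profile(fields["profile"], fields["object type"],
                                fields["entity"], fields["entity type"], auths))
    return profiles


def profile_regex(profile_name):
    """Compile an OAM generic profile: '?' is one character, '*' matches within
    one qualifier (never a '.'), '**' matches zero or more whole qualifiers.
    Whether 'ABC.**' also matches the bare name 'ABC' is not modelled here."""
    parts, i = [], 0
    while i < len(profile_name):
        if profile_name.startswith("**", i):
            parts.append(".*")
            i += 2
        elif profile_name[i] == "*":
            parts.append("[^.]*")
            i += 1
        elif profile_name[i] == "?":
            parts.append("[^.]")
            i += 1
        else:
            parts.append(re.escape(profile_name[i]))
            i += 1
    return re.compile("^" + "".join(parts) + "$")


def specificity(profile_name):
    """Ordering key (assumption): exact names beat generics; among generics,
    fewer '**', then fewer '*', then fewer '?', then the longer name wins."""
    return (-profile_name.count("**"), -profile_name.count("*"),
            -profile_name.count("?"), len(profile_name))


def effective_authorities(profiles, obj_name, obj_type, groups):
    """Per group, apply the most specific matching profile (modelled rule).
    Returns {group: (profile_name, authorities)} for the groups that matched."""
    applied = {}
    for group in groups:
        matches = [p for p in profiles
                   if p.obj_type == obj_type and p.entity_type == "group"
                   and p.entity == group and profile_regex(p.name).match(obj_name)]
        if matches:
            best = max(matches, key=lambda p: specificity(p.name))
            applied[group] = (best.name, best.authorities)
    return applied


def channels_still_visible(dump_text, groups, channels):
    """For each channel, list the (group, profile) pairs that still grant +dsp,
    the authority MQ Explorer needs to list the channel at all."""
    profiles = parse_dmpmqaut(dump_text)
    return {ch: sorted((g, name)
                       for g, (name, auths) in effective_authorities(profiles, ch, "channel", groups).items()
                       if "dsp" in auths)
            for ch in channels}


if __name__ == "__main__":
    for groups in (["mqexpusr"], ["mqexpusr", "mqadmins"]):
        print(groups, channels_still_visible(SAMPLE_DUMP, groups,
                                             ["SYSTEM.BKR.CONFIG", "EDI.TO.PARTNER"]))
```

With only the mqexpusr group, the '**' profile carrying no authority is overridden on SYSTEM.BKR.CONFIG by the more specific profile; adding a second group surfaces its SYSTEM.** grant as well, while EDI.TO.PARTNER stays hidden in both cases. To run it against real data, save the output of dmpmqaut -m $QMGR -t channel to a file and pass the groups reported by id -Gn for the MCAUSER id; whatever this model predicts, dspmqaut -m $QMGR -t channel -n CHANNEL -g GROUP is the queue manager's own verdict and is the one to trust.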

ARI126 (Newbie; Joined: 05 Aug 2014; Posts: 6)
Posted: Tue Aug 05, 2014 5:31 pm
The user, "mqexpusr", has been entered as the value of the MCAUSER field for the channel being used to connect to the Queue Manager (SYSTEM.BKR.CONFIG).
This id is a member of only one group, which is also called mqexpusr. So, irrespective of who tries to access the queue manager, the authorities of the mqexpusr id will be applied. As this id is a member of the mqexpusr group, the permissions being set in this script should get applied.
I was able to alter access for the other components of the queue manager using this script. So, I believe it is the mqexpusr group's authorities that are getting applied during Queue Manager access.

bruce2359 (Poobah; Joined: 05 Jan 2008; Posts: 9469; Location: US: west coast, almost. Otherwise, enroute.)
Posted: Tue Aug 05, 2014 6:42 pm
ARI126 wrote:
    I am trying to prevent them from viewing the list of channels on the queue manager, after they connect using a SVRCONN channel, specified by me.
How exactly do you force the user to connect to a SVRCONN channel that you specify - the channel that has MCAUSER mqexpusr?
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.

ARI126 (Newbie; Joined: 05 Aug 2014; Posts: 6)
Posted: Wed Aug 06, 2014 5:09 am
I tell the user to use the SYSTEM.BKR.CONFIG channel (the one with mqexpusr). The rest of the SVRCONN channels have been set to 'nobody'.

mqjeff (Grand Master; Joined: 25 Jun 2008; Posts: 17447)
Posted: Wed Aug 06, 2014 5:16 am
-all might somehow not be sufficient...
My memory on this is not good, but I remember some mumblings about needing to be explicit about dsp or inq or something....
Other than that, turn on authority events and see what pops up when MQExplorer shows a list of channels.

JosephGramig (Grand Master; Joined: 09 Feb 2006; Posts: 1244; Location: Gold Coast of Florida, USA)
Posted: Wed Aug 06, 2014 7:30 am
I did the following which works for me:
Code:
setmqaut -m $QMGR -g $GROUP -n 'WMQ.**' -t channel -all +none

ARI126 (Newbie; Joined: 05 Aug 2014; Posts: 6)
Posted: Wed Aug 06, 2014 9:03 am
Joseph,
I was really hoping -all +none would work. But unfortunately, the channels still show up. I delete and recreate the connection on the MQ Explorer every time, just to be thorough.
I'll open a PMR and see what IBM has to say about this.