ASG
IBM
Zystems
Cressida
Icon
Netflexity
 
  MQSeries.net
Search  Search       Tech Exchange      Education      Certifications      Library      Info Center      SupportPacs      LinkedIn  Search  Search                                                                   FAQ  FAQ   Usergroups  Usergroups
 
Register  ::  Log in Log in to check your private messages
 
RSS Feed - WebSphere MQ Support RSS Feed - Message Broker Support

MQSeries.net Forum IndexGeneral IBM MQ SupportRestrict MQ client app from doing destructive get operation

Post new topicReply to topic
Restrict MQ client app from doing destructive get operation View previous topic :: View next topic
Author Message
sijtom0703
PostPosted: Wed Feb 08, 2017 8:10 am Post subject: Restrict MQ client app from doing destructive get operation Reply with quote

Voyager

Joined: 28 May 2011
Posts: 84
Location: USA

I have a client app which like to do a non-destructive read of messages from a queue and write to a DB or file using a java program. To ensure that client App is doing a browse of messages and uses MQOO_BROWSE in MQ Get message options. Everything is fine till now. From an MQ administrator perspective I would like to ensure that there is additional layer of protection and I have removed Get access from the permissions for MCA user group which the client channel uses to access queue. I have only added the Browse permission. But then client is receiving MQRC_NOT_AUTHORIZED on the client side when trying to access the queue.

So my question is is there a way I can set permissions on the queue such that client App cannot do a destructive read on queue but can browse messages and copy them to a file or DB? Appreciate your guidance here.
Back to top
View user's profile Send private message
PaulClarke
PostPosted: Wed Feb 08, 2017 8:59 am Post subject: Reply with quote

Shaman

Joined: 17 Nov 2005
Posts: 777
Location: New Zealand

I would say that restricting the permissions sounds like the right way to go to me. Are you sure the Java application isn't trying to access the queue for input access as well? Remember that it is the queue open which matters from a security point of view, not the MQGET call. Check that you are not using MQC.MQOO_INPUT_SHARED on the open.

Cheers,

Paul.
_________________
Paul Clarke
MQGem Software
www.mqgem.com
Back to top
View user's profile Send private message Visit poster's website
sijtom0703
PostPosted: Wed Feb 08, 2017 9:21 am Post subject: Reply with quote

Voyager

Joined: 28 May 2011
Posts: 84
Location: USA

Thanks for the response!
The following are the open options used in the client code.

Code:
int openOptions =  CMQC.MQOO_FAIL_IF_QUIESCING + CMQC.MQOO_INPUT_AS_Q_DEF +
            CMQC.MQOO_INQUIRE + CMQC.MQOO_OUTPUT;
Back to top
View user's profile Send private message
PaulClarke
PostPosted: Wed Feb 08, 2017 9:26 am Post subject: Reply with quote

Shaman

Joined: 17 Nov 2005
Posts: 777
Location: New Zealand

Well, what happens if you change it to.....
Code:
MQC.MQOO_FAIL_IF_QUIESCING + MQC.MQOO_BROWSE;


Since I assume you don't want to inquire or write to the queue either.

Cheers,
Paul.
_________________
Paul Clarke
MQGem Software
www.mqgem.com
Back to top
View user's profile Send private message Visit poster's website
RogerLacroix
PostPosted: Wed Feb 08, 2017 11:19 am Post subject: Reply with quote

Jedi Knight

Joined: 15 May 2001
Posts: 2983
Location: London, ON Canada

For a Java application to browse the queue, the Open Options should be:

Code:
int openOptions  = CMQC.MQOO_INQUIRE + CMQC.MQOO_BROWSE + CMQC.MQOO_FAIL_IF_QUIESCING;


Regards,
Roger Lacroix
Capitalware Inc.
_________________
Capitalware: Transforming tomorrow into today.
Connected to MQ!
Twitter
Back to top
View user's profile Send private message Visit poster's website
fjb_saper
PostPosted: Wed Feb 08, 2017 12:22 pm Post subject: Reply with quote

Grand Poobah

Joined: 18 Nov 2003
Posts: 18987
Location: LI,NY

RogerLacroix wrote:
For a Java application to browse the queue, the Open Options should be:

Code:
int openOptions  = CMQC.MQOO_INQUIRE + CMQC.MQOO_BROWSE + CMQC.MQOO_FAIL_IF_QUIESCING;


Regards,
Roger Lacroix
Capitalware Inc.

Don't know if you need the Inquire with Java base... I do know that it should always be part of the permissions when using JMS...
Anyways adding/keeping Inquire should be a breeze.

I am always careful when creating the options and favor the | for the bit-wise OR operator. More secure when you do it twice and you're not risking an overflow...
_________________
MQ & Broker admin
Back to top
View user's profile Send private message Send e-mail
sijtom0703
PostPosted: Thu Feb 09, 2017 6:47 am Post subject: Reply with quote

Voyager

Joined: 28 May 2011
Posts: 84
Location: USA

Thanks All!

If I remove CMQC.MQOO_INPUT*** from open options then I can remove get permissions from queue which will ensure Application cannot do a destructive get even by mistake.
Back to top
View user's profile Send private message
mqjeff
PostPosted: Thu Feb 09, 2017 6:50 am Post subject: Reply with quote

Grand Master

Joined: 25 Jun 2008
Posts: 17088

You should be careful of having applications that can only browse queues.

That is, you need to make sure that something else will clean the queue at some point.

If you are trying to write something that logs messages, you will need to be careful of the appllication that processes the message doesn't get a message before the browse/logger... which honestly you can't really prevent.
_________________
Read, Think, Try, Repeat
Back to top
View user's profile Send private message
sijtom0703
PostPosted: Thu Feb 09, 2017 7:28 am Post subject: Reply with quote

Voyager

Joined: 28 May 2011
Posts: 84
Location: USA

Thanks for the input! The queues which we are dealing here are not Application write queues and also we have a separate Application process taking care of cleaning up the queue.
Back to top
View user's profile Send private message
Display posts from previous:
Post new topicReply to topic Page 1 of 1

MQSeries.net Forum IndexGeneral IBM MQ SupportRestrict MQ client app from doing destructive get operation
Jump to:



You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
Protected by Anti-Spam ACP


Theme by Dustin Baccetti
Powered by phpBB 2001, 2002 phpBB Group

Copyright MQSeries.net. All rights reserved.