How to limit access to QMgr or Queues to some clients?

cdube
Posted: Mon Jan 13, 2003 8:28 am
Newbie
Joined: 13 Jan 2003 Posts: 1

I have a QMgr that holds 10 queues. I would like to make sure that some clients (MQSeries Client) can access queues 'A' and 'B', but not 'C', 'D', etc.
I looked at the documentation and it seems that it is possible using certificates.
I would like to know if there is any other way because we cannot use certificates for now (politics). There must be, but I did not find it.
Clients and server are running on Win2K. I'm using Neil Kolban's .Net Library. MQSeries 5.3.
Thank you for your help.
Chris

emileke
Posted: Wed Jan 22, 2003 1:44 am
Centurion
Joined: 19 Aug 2001 Posts: 110 Location: South Africa

Hi
There is also an animal called OAM (Object Authority Manager) as a part of MQSeries Software which allows you to specify authority by entity.
The OAM works with the entity of a group or a principal.
Look at the System Administration guide.
_________________
Emile M Kearns

pgorak
Posted: Wed Jan 22, 2003 4:07 am
Disciple
Joined: 15 Jul 2002 Posts: 158 Location: Cracow, Poland

Chris,
It is fairly easy to achieve what you are asking about. Client operations are authorized in the following way: your client process runs on behalf of a user (i.e. W2K user or UNIX user). The username is visible to the Queue Manager on the server side when the client performs operations such as MQCONN, MQPUT, MQGET etc. Now, the permission to perform any of these operations can be set on the server side with the setmqaut command. There are various permission settings possible; you have to search in the documentation for what you actually need.
Piotr
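
The setmqaut approach described in the post above, applied to the queues in the original question, as an added example that is not part of the thread. The queue manager name QM1 and the Windows group mqclients are assumed placeholders; queues A, B and C come from the question.

```bat
REM Added example; QM1 and mqclients are assumed placeholder names.
REM Run on the queue manager host as an MQ administrator (mqm group member).

REM 1. Let the group connect to the queue manager (required for MQCONN).
setmqaut -m QM1 -t qmgr -g mqclients +connect +inq

REM 2. Grant put/get/browse/inquire on queues A and B only.
setmqaut -m QM1 -n A -t queue -g mqclients +put +get +browse +inq
setmqaut -m QM1 -n B -t queue -g mqclients +put +get +browse +inq

REM 3. Remove any authority the group may already hold on C
REM    (repeat for D and the remaining queues).
setmqaut -m QM1 -n C -t queue -g mqclients -all

REM 4. Verify: A should list the granted authorities, C should list none.
dspmqaut -m QM1 -n A -t queue -g mqclients
dspmqaut -m QM1 -n C -t queue -g mqclients
```

The OAM checks these grants against the user ID the client presents, and any user ID that is a member of the mqm group keeps full access regardless of them.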

leongor
Posted: Wed Jan 22, 2003 5:06 am
Master
Joined: 13 May 2002 Posts: 264 Location: Israel

The question is: are you concerned about illegal access from irrelevant MQ clients (from outside and from inside)?
If your network is closed and each MQ client user can log on only with its own userid then you can use the OAM MQ Server solution.
(Remember, if a user is a local administrator on his workstation then he can always create a local user 'mqm' or 'MUSR_MQADMIN' and log on with it, or use the service 'run as'.)
In that case you need to use certificates or channel security exits.
Security products like Kerberos or DCE can also be used.
_________________
Regards.
Leonid.
IBM Certified MQSeries Specialist.

gwlfng
Posted: Wed Jan 29, 2003 8:45 pm
Newbie
Joined: 13 Nov 2002 Posts: 8 Location: Boston

To tighten up OAM on Win2k, you can prevent people from using local IDs to masquerade as administrators by setting the queue manager to NTSIDsRequired. It's selected from the MQSeries Services snap-in/queue manager properties/services tab/security policy. Might not be bullet-proof: I'm not sure if someone could still masquerade from, say, a UNIX client.