Migrating to the MQ Appliance - User ID authority/config
muralihegde
Posted: Thu Apr 20, 2017 6:47 am

Centurion

Joined: 30 Apr 2002
Posts: 108

We are migrating the Q-mgrs from Unix to MQ Appliance. (MQ V9.0x)

On the MQ Appliance, we are not using local users/groups, but LDAP is being used. However on the current Unix systems, LDAP is not used, but local users (local to all of the Unix Servers) are used.

We are doing a test to connect from our existing MQ client 8.0x using perl scripts to the MQ Appliance.
The perl script runs on the Unix Server and is invoked by a user ID aixuserid1.
On the MQ Appliance, however, this user ID does not exist. There is another ID, appluserid1, on the MQ Appliance which has appropriate permissions on the Q-mgrs on the MQ Appliance.
Is there any way that this user ID appluserid1 can be configured in the perl scripts or the MQ client configuration so that even when the perl script is invoked by aixuserid1, it can still use appluserid1 to connect to the Q-mgrs on the MQ Appliance?
mqjeff
Posted: Thu Apr 20, 2017 6:59 am

Grand Master

Joined: 25 Jun 2008
Posts: 17250

You could use PAM to change your unix boxes to use LDAP instead of local users/groups.

But it's much easier to use a robust set of CHLAUTH rules to ensure that only the right users on the right machines can connect to a channel that has the right MCAUSER.
_________________
Read, Think, Try, Repeat
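
Added example, not part of either poster's replies: one way the CHLAUTH approach suggested above could look for this scenario, so that the channel maps to appluserid1 only for aixuserid1 connecting from a known client host. The channel name APP1.SVRCONN and the address 192.0.2.10 are assumed placeholders; the user IDs are the ones named in the thread.

```mqsc
* Added example: APP1.SVRCONN and 192.0.2.10 are assumed placeholders.

* Turn channel authentication records back on for the queue manager.
ALTER QMGR CHLAUTH(ENABLED)

* Blank the hard-coded MCAUSER so the channel definition itself no
* longer hands appluserid1 to every caller.
ALTER CHANNEL('APP1.SVRCONN') CHLTYPE(SVRCONN) MCAUSER(' ')

* Backstop: refuse any connection to this channel that no more
* specific rule matches.
SET CHLAUTH('APP1.SVRCONN') TYPE(ADDRESSMAP) ADDRESS('*') +
    USERSRC(NOACCESS) +
    DESCR('Backstop: block by default')

* Map only aixuserid1, and only from the known client host, to the
* appliance-side identity that holds the queue manager permissions.
SET CHLAUTH('APP1.SVRCONN') TYPE(USERMAP) CLNTUSER('aixuserid1') +
    ADDRESS('192.0.2.10') USERSRC(MAP) MCAUSER('appluserid1') +
    DESCR('Perl client on Unix host')

* Check which rule an inbound connection would hit.
* Expected: the USERMAP rule for the intended caller ...
DISPLAY CHLAUTH('APP1.SVRCONN') MATCH(RUNCHECK) +
    ADDRESS('192.0.2.10') CLNTUSER('aixuserid1')
* ... and the NOACCESS backstop for any other user ID or address.
DISPLAY CHLAUTH('APP1.SVRCONN') MATCH(RUNCHECK) +
    ADDRESS('192.0.2.10') CLNTUSER('otheruser')
```

The client user ID is asserted by the client rather than authenticated, so the address restriction is carrying part of the weight here. Adding TLS on the channel with an SSLPEERMAP rule, or connection authentication against the appliance's LDAP, ties the mapping to something the client has to prove.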
muralihegde
Posted: Thu Apr 20, 2017 10:28 pm

Centurion

Joined: 30 Apr 2002
Posts: 108

Thanks. We will explore using CHLAUTH in more detail. However, as of now we just added appluserid1 in the MCAUSER() of the channel and the perl script was able to connect from Unix even though it is invoked by aixuserid1. Of course the QMGR CHLAUTH was disabled in this case. Even though we made it work this way, I am sure this is not the best way to implement security.
mqjeff
Posted: Fri Apr 21, 2017 4:25 am

Grand Master

Joined: 25 Jun 2008
Posts: 17250

muralihegde wrote:
Even though we made it work this way, I am sure this is not the best way to implement security.


It's not the best way to implement security.

In fact, it doesn't even implement security.

It merely makes it possible for anyone to use this channel to do anything they want that appluserid1 is able to do.
_________________
Read, Think, Try, Repeat