ASG
IBM
Zystems
Cressida
Icon
Netflexity
 
  MQSeries.net
Search  Search       Tech Exchange      Education      Certifications      Library      Info Center      SupportPacs      LinkedIn  Search  Search                                                                   FAQ  FAQ   Usergroups  Usergroups
 
Register  ::  Log in Log in to check your private messages
 
RSS Feed - WebSphere MQ Support RSS Feed - Message Broker Support

MQSeries.net Forum Index » IBM MQ Security » MQ client connection to the Queue manager

Post new topic  Reply to topic
 MQ client connection to the Queue manager « View previous topic :: View next topic » 
Author Message
velocity
PostPosted: Fri Jul 14, 2017 10:06 am    Post subject: MQ client connection to the Queue manager Reply with quote

Centurion

Joined: 30 Nov 2007
Posts: 126
How to prevent a developer from using an MQ client on a test server to connect to a production queue manager via an SSL secured client connection? Let's assume the developer has acquired a SSL key repository with valid certs to make a successful handshake.

TIA.
Back to top
View user's profile Send private message
Vitor
PostPosted: Fri Jul 14, 2017 10:54 am    Post subject: Re: MQ client connection to the Queue manager Reply with quote

Grand High Poobah

Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA
velocity wrote:
How to prevent a developer from using an MQ client on a test server to connect to a production queue manager via an SSL secured client connection? Let's assume the developer has acquired a SSL key repository with valid certs to make a successful handshake.


You prevent him by preventing him getting access to the repository.

Seriously - you're asking how to stop someone breaking into your house when they've got a key to your front door.
_________________
Honesty is the best policy.
Insanity is the best defence.
Back to top
View user's profile Send private message
velocity
PostPosted: Fri Jul 14, 2017 11:41 am    Post subject: Reply with quote

Centurion

Joined: 30 Nov 2007
Posts: 126
Well, a lot of times the dev folks do prod support too, or they may be having access to production environments to look into app specific issues.

Rephrasing my question-- Can a MQ client connection from a specific server be prevented, even if it's coming in with a valid SSL certificate? Maybe somehow filter the IP?
Back to top
View user's profile Send private message
Vitor
PostPosted: Fri Jul 14, 2017 12:15 pm    Post subject: Reply with quote

Grand High Poobah

Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA
velocity wrote:
Well, a lot of times the dev folks do prod support too, or they may be having access to production environments to look into app specific issues.


During those times the operational risk management and audit people should be hitting you over the head with a copy of the mitigation regulations while chanting "Separation of duties! Separation of duties!"

velocity wrote:
Rephrasing my question-- Can a MQ client connection from a specific server be prevented, even if it's coming in with a valid SSL certificate? Maybe somehow filter the IP?


You can set a CHLAUTH record but how's that going to help with the dev guy who does prod support? He needs access to both system so he can't be blocked.
_________________
Honesty is the best policy.
Insanity is the best defence.
Back to top
View user's profile Send private message
Display posts from previous:   
Post new topic  Reply to topic Page 1 of 1

MQSeries.net Forum Index » IBM MQ Security » MQ client connection to the Queue manager
Jump to:  



You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
Protected by Anti-Spam ACP
  
 


Theme by Dustin Baccetti
Powered by phpBB © 2001, 2002 phpBB Group

Copyright © MQSeries.net. All rights reserved.