MQSeries.net Forum Index » IBM MQ File Transfer Edition » Different users execute fteCreateTransfer with TLS?
toshi78
PostPosted: Wed Dec 13, 2017 2:13 am    Post subject: Different users execute fteCreateTransfer with TLS?
Hi all,

I have a question regarding MFT and security. Yes, of course I checked the internet for a solution, but wasn't successful. That's why I decided to ask you.

First I would like to describe our setup. We have a hub-and-spoke topology. At the hub the coordination qmgr is running, and at several nodes we are running command and agent qmgrs.

Agents are running under user "mqm" in Linux environments. They connect to the agent and command qmgrs via SVRCONN channels secured with TLS. We have also defined CHLAUTH records to map SSLPEERNAME "CN=mqm,..." to the local user "mft" at the agent qmgr and set limited OAM rights for this user, or rather its primary group.

We only use MFT for message-to-file and file-to-message transfers. Usually we use resource monitors to trigger the transfers, and we have never had any problems.

Now we have a new requirement that an application wants to execute fteCreateTransfer commands by itself. The application is running under user "admrun". How does this work?

My thoughts:
I don't think that it's possible to execute fteCreateTransfer as "admrun", as the SVRCONN channels are secured with TLS and we only have a Java keystore for user "mqm". Is it possible to use a separate JKS for "admrun" and add the credentials to the property files and MQMFTCredentials.xml?

In other words: is it possible to run an MFT agent as user "mqm" but submit transfers as another user while using client connections with TLS?

Cheers,
Toshi
fjb_saper
PostPosted: Wed Dec 13, 2017 5:06 am
Have you tried having the application use a different channel for its file transfers? i.e. different channel authentication records...
zpat
PostPosted: Wed Dec 13, 2017 6:08 am
Easy enough to copy the JKS and rename the certificate label.
toshi78
PostPosted: Thu Dec 14, 2017 4:01 am

Thanks for the responses, but with both I don't know what to do. I think I need to be more precise.

This is our setup. I've obfuscated the internal qmgr names, agent names and IP addresses.

Definitions at Agent Qmgr / Command Qmgr:
-----------------------------------------
DEF CHL(MFT.QMGR) CHLTYPE(SVRCONN) MCAUSER('%%%') SSLCIPH(TLS_RSA_WITH_AES_256_CBC_SHA)
SET CHLAUTH(MFT.QMGR) TYPE(BLOCKUSER) DESCR('enable MQ Admin') USERLIST('nobody') WARN(NO)
SET CHLAUTH(MFT.QMGR) TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(NOACCESS)
SET CHLAUTH(MFT.QMGR) TYPE(SSLPEERMAP) ADDRESS(187.187.187.187) SSLPEER('CN=mqm,...') MCAUSER('mft')

SET AUTHREC OBJTYPE(QMGR) GROUP('gmft') AUTHADD(CONNECT, INQ, SETID)
SET AUTHREC PROFILE('SYSTEM.ADMIN.TRACE.ACTIVITY.QUEUE') OBJTYPE(QUEUE) GROUP('gmft') AUTHADD(PUT, SETALL)
SET AUTHREC PROFILE('SYSTEM.DEFAULT.MODEL.QUEUE') OBJTYPE(QUEUE) GROUP('gmft') AUTHADD(PUT, GET, DSP, BROWSE)
SET AUTHREC PROFILE('COORD') OBJTYPE(QUEUE) GROUP('gmft') AUTHADD(PUT) ### XMITQ to Coordination Qmgr ###

The agent's SYSTEM.FTE* queues and their OAM rights are defined as well.
User "mft" is the one and only user in its primary group "gmft". User and group are defined locally at the Agent Qmgr / Command Qmgr.

Definitions at AGENT
--------------------
command.properties:
#
#Tue Mar 15 16:40:24 CET 2016
connectionQMgrChannel=MFT.QMGR
connectionQMgrPort=1414
connectionQMgrHost=agentqmgr
connectionQMgr=QMGR
connectionSslCipherSpec=TLS_RSA_WITH_AES_256_CBC_SHA
connectionSslPeerName=CN=QMGR,...
connectionSslTrustStore=/var/mqm/config/ssl/mqm_mft/key.jks
connectionSslTrustStoreType=jks
connectionSslTrustStoreCredentialsFile=/var/mqm/mqft/config/COORD/agents/AGENT/MQMFTCredentials.xml
connectionSslKeyStore=/var/mqm/config/ssl/mqm_mft/key.jks
connectionSslKeyStoreType=jks
connectionSslKeyStoreCredentialsFile=/var/mqm/mqft/config/COORD/agents/AGENT/MQMFTCredentials.xml

agent.properties:
#
#Tue Mar 15 16:40:36 CET 2016
agentQMgr=QMGR
agentQMgrPort=1414
agentDesc=
agentQMgrHost=agentqmgr
agentQMgrChannel=MFT.QMGR
agentName=AGENT
agentSslCipherSpec=TLS_RSA_WITH_AES_256_CBC_SHA
agentSslPeerName=CN=QMGR,...
agentSslTrustStore=/var/mqm/config/ssl/mqm_mft/key.jks
agentSslTrustStoreType=jks
agentSslTrustStoreCredentialsFile=/var/mqm/mqft/config/COORD/agents/AGENT/MQMFTCredentials.xml
agentSslKeyStore=/var/mqm/config/ssl/mqm_mft/key.jks
agentSslKeyStoreType=jks
agentSslKeyStoreCredentialsFile=/var/mqm/mqft/config/COORD/agents/AGENT/MQMFTCredentials.xml
enableQueueInputOutput=true

MQMFTCredentials.xml (obfuscated and file permissions set to 600):
<?xml version="1.0" encoding="UTF-8"?>
<tns:mqmftCredentials xmlns:tns="http://wmqfte.ibm.com/MQMFTCredentials" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://wmqfte.ibm.com/MQMFTCredentials MQMFTCredentials.xsd">
<tns:file passwordCipher="08154711" path="/var/mqm/config/ssl/mqm_mft/key.jks"/>
</tns:mqmftCredentials>

@fjb_saper: How do you think to use a different channel for the application? Channels are defined in command.properties and agent.properties, and you can only configure one channel.
When the application submits the fteCreateTransfer, how should it use a different channel? The only connection parameters of fteCreateTransfer are source and destination agent, which are both the same
as we are doing message-to-file and file-to-message.
The only thing I've read about using different channels is "Configuring an MFT agent for multiple channels: non-clustered", but this is just for channels between two agent qmgrs.
https://www.ibm.com/support/knowledgecenter/en/SSFKSJ_9.0.0/com.ibm.wmqfte.doc/configuring_channels_noncluster.htm

@zpat: What is the benefit of copying the JKS and renaming the certificate label? It's just a hack. I can also get a certificate, or rather a JKS, of its own for user "admrun". It's also not a problem to add a second SSLPEERMAP CHLAUTH record to map CN=admrun,... to user "mft" as well. But is it possible to add a second TrustStore/KeyStore & CredentialsFile in command.properties and agent.properties?
fjb_saper
PostPosted: Fri Dec 15, 2017 7:26 am

toshi78 wrote:

@fjb_saper: How do you think to use a different channel for the application? Channels are defined in command.properties and agent.properties, and you can only configure one channel.
When the application submits the fteCreateTransfer, how should it use a different channel? The only connection parameters of fteCreateTransfer are source and destination agent, which are both the same
as we are doing message-to-file and file-to-message.
The only thing I've read about using different channels is "Configuring an MFT agent for multiple channels: non-clustered", but this is just for channels between two agent qmgrs.
https://www.ibm.com/support/knowledgecenter/en/SSFKSJ_9.0.0/com.ibm.wmqfte.doc/configuring_channels_noncluster.htm

Forget entirely about the FTE Agent.
For the app, creating a File transfer is nothing different than putting the corresponding xml message onto the agent's command queue....

For a WAS app to have 2 different profiles on the qmgr, all it takes is to have 2 different queue connection factories, each with their own channel, own mca and different authorizations....

Have fun
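The approach fjb_saper describes, worked through as an added example (this is not code from the thread, from IBM, or from any MFT sample): the application never touches the agent's key.jks or its property files. Instead the admin gives it a second SVRCONN channel with the thread's own CHLAUTH pattern (default-deny ADDRESSMAP plus one SSLPEERMAP) mapped to its own MCAUSER, grants that user's group PUT on SYSTEM.FTE.COMMAND.<agent> only, and the app builds the same transfer-request XML that fteCreateTransfer would have built and puts it on that queue over its own TLS identity. Everything named here is an assumption: channel APP.ADMRUN, local user admrun in group gadmrun, DN CN=admrun,O=example, address 10.0.0.5, request schema version 6.00, and a CMS key database for the C client (pymqi drives the IBM MQ C client, which cannot read the agent's JKS; the app needs its own key.kdb/key.sth).

```python
"""
Added example: let application user 'admrun' submit a message-to-file transfer
without sharing the agent's keystore. Assumed names: channel APP.ADMRUN, group
'gadmrun', DN 'CN=admrun,O=example', request schema version 6.00, and a CMS key
database (key.kdb/key.sth) for the C client instead of the agent's key.jks.
"""
import xml.etree.ElementTree as ET


def mqsc_for_app_channel(channel, agent, peer_dn, address, mcauser, group,
                         cipher="TLS_RSA_WITH_AES_256_CBC_SHA"):
    """runmqsc input for the agent/command qmgr: the thread's own pattern
    (default-deny ADDRESSMAP, one SSLPEERMAP) on a second channel, plus
    least-privilege AUTHRECs for the app's group. No BLOCKUSER override is
    needed because the mapped user is not an MQ administrator."""
    cmd_q = f"SYSTEM.FTE.COMMAND.{agent}"
    lines = [
        f"DEFINE CHANNEL({channel}) CHLTYPE(SVRCONN) MCAUSER('nobody') "
        f"SSLCIPH({cipher}) SSLCAUTH(REQUIRED) REPLACE",
        f"SET CHLAUTH({channel}) TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(NOACCESS)",
        f"SET CHLAUTH({channel}) TYPE(SSLPEERMAP) SSLPEER('{peer_dn}') "
        f"ADDRESS('{address}') USERSRC(MAP) MCAUSER('{mcauser}')",
        f"SET AUTHREC OBJTYPE(QMGR) GROUP('{group}') AUTHADD(CONNECT, INQ)",
        f"SET AUTHREC PROFILE('{cmd_q}') OBJTYPE(QUEUE) GROUP('{group}') AUTHADD(PUT)",
        # only needed if the app wants the agent's reply on a temporary dynamic queue
        f"SET AUTHREC PROFILE('SYSTEM.DEFAULT.MODEL.QUEUE') OBJTYPE(QUEUE) "
        f"GROUP('{group}') AUTHADD(GET, DSP)",
    ]
    return "\n".join(lines) + "\n"


def build_transfer_request(agent, qmgr, source_queue, dest_file, requester,
                           host="app-host", exist="overwrite"):
    """The message-to-file request (FileTransfer.xsd layout) that
    fteCreateTransfer would otherwise have built and put for us."""
    req = ET.Element("request", {
        "version": "6.00",  # assumption: check the FileTransfer.xsd of your MFT level
        "xmlns:xsi": "http://www.w3.org/2001/XMLSchema-instance",
        "xsi:noNamespaceSchemaLocation": "FileTransfer.xsd",
    })
    mt = ET.SubElement(req, "managedTransfer")
    orig = ET.SubElement(mt, "originator")
    ET.SubElement(orig, "hostName").text = host
    ET.SubElement(orig, "userID").text = requester
    ET.SubElement(mt, "sourceAgent", {"agent": agent, "QMgr": qmgr})
    ET.SubElement(mt, "destinationAgent", {"agent": agent, "QMgr": qmgr})
    item = ET.SubElement(ET.SubElement(mt, "transferSet"), "item",
                         {"mode": "binary", "checksumMethod": "MD5"})
    ET.SubElement(ET.SubElement(item, "source"), "queue").text = source_queue
    dst = ET.SubElement(item, "destination", {"type": "file", "exist": exist})
    ET.SubElement(dst, "file").text = dest_file
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + ET.tostring(req, encoding="unicode")


def request_summary(xml_text):
    """Parse a request back: who asked for what. Handy for auditing messages
    browsed from SYSTEM.FTE.COMMAND.<agent>."""
    mt = ET.fromstring(xml_text.encode("utf-8")).find("managedTransfer")
    return {
        "requester": mt.findtext("originator/userID"),
        "source_agent": mt.find("sourceAgent").get("agent"),
        "source_queue": mt.findtext("transferSet/item/source/queue"),
        "dest_file": mt.findtext("transferSet/item/destination/file"),
    }


def put_transfer_request(xml_text, agent, qmgr, host, port, channel, key_repository,
                         cipher="TLS_RSA_WITH_AES_256_CBC_SHA"):
    """Connect over the app's own channel with the app's own key database and put
    the request on SYSTEM.FTE.COMMAND.<agent>. Needs the MQ C client and pymqi;
    imported lazily so the helpers above stay usable offline."""
    import pymqi
    from pymqi import CMQC

    cd = pymqi.CD()
    cd.ChannelName = channel.encode()
    cd.ConnectionName = f"{host}({port})".encode()
    cd.ChannelType = CMQC.MQCHT_CLNTCONN
    cd.TransportType = CMQC.MQXPT_TCP
    cd.SSLCipherSpec = cipher.encode()
    sco = pymqi.SCO()
    sco.KeyRepository = key_repository.encode()  # stem of key.kdb/key.sth, not key.jks

    qm = pymqi.QueueManager(None)
    qm.connect_with_options(qmgr.encode(), cd=cd, sco=sco)
    try:
        md = pymqi.MD()
        md.Format = CMQC.MQFMT_STRING
        q = pymqi.Queue(qm, f"SYSTEM.FTE.COMMAND.{agent}".encode(), CMQC.MQOO_OUTPUT)
        try:
            q.put(xml_text.encode("utf-8"), md)
        finally:
            q.close()
    finally:
        qm.disconnect()


if __name__ == "__main__":
    print(mqsc_for_app_channel("APP.ADMRUN", "AGENT", "CN=admrun,O=example",
                               "10.0.0.5", "admrun", "gadmrun"))
    xml_text = build_transfer_request("AGENT", "QMGR", "APP.OUT", "/data/out.dat", "admrun")
    print(xml_text)
    print(request_summary(xml_text))
    # put_transfer_request(xml_text, "AGENT", "QMGR", "agentqmgr", 1414,
    #                      "APP.ADMRUN", "/home/admrun/ssl/key")
```

Two checks before relying on this in production. First, the mapped MCAUSER must exist as a local user in the group you grant (as "mft"/"gmft" does in the thread), and if the agent runs with authorityChecking=true it will additionally check the MQMD user ID of the request against SYSTEM.FTE.AUTHTRN1.<agent>, so that group needs the corresponding authority there as well. Second, the example does not pin the queue manager's certificate DN the way the agent's connectionSslPeerName does; restrict the app's truststore to the one CA that issued the queue manager certificate, or set the peer name in the client channel definition, before treating the connection as authenticated in both directions.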