MQSeries.net » IBM MQ Security
Authentication Records Displaying on Read Only Group

myip (Newbie; joined 14 Feb 2018, 6 posts)
Posted: Mon Feb 19, 2018 7:33 am, subject: Authentication Records Displaying on Read Only Group

Hi team,

The MQ version is 7.5.0.0.3

I want to setup a Read Only group ('it-read') that can only display QUEUES and TOPICS using MQ Explorer.

This is the script:

SET AUTHREC OBJTYPE(QMGR) GROUP('it-read') AUTHADD(CONNECT,INQ,DSP)
SET AUTHREC PROFILE(**) OBJTYPE(QUEUE) GROUP('it-read') AUTHADD(DSP,BROWSE)
SET AUTHREC PROFILE(**) OBJTYPE(TOPIC) GROUP('it-read') AUTHADD(DSP)

The problem is that I have some Channel Authentication Records that map users and channels to allow or block access on channels by remote user ID. Some of these records are admin users mapped to certain channels.

When I connect using a user from the Read Only group, I can display the Channel Authentication Records, and therefore I can see which admin user ID is mapped to which channel and then connect as an admin.

Is there a way to prevent this?

Thanks in advance!


Last edited by myip on Mon Feb 19, 2018 8:55 am; edited 1 time in total
zpat (Jedi Council, UK; joined 19 May 2001, 5849 posts)
Posted: Mon Feb 19, 2018 8:14 am

Guess where MQ stores the chlauth mapping info?

SYSTEM.CHLAUTH.DATA.QUEUE

Don't grant read access to this queue if you want to hide it.

However hiding it is not really a substitute for proper security.
_________________
Well, I don't think there is any question about it. It can only be attributable to human error. This sort of thing has cropped up before, and it has always been due to human error.
myip (Newbie; joined 14 Feb 2018, 6 posts)
Posted: Mon Feb 19, 2018 8:53 am

zpat wrote:
Guess where MQ stores the chlauth mapping info?

SYSTEM.CHLAUTH.DATA.QUEUE

Don't grant read access to this queue if you want to hide it.

However hiding it is not really a substitute for proper security.


I have taken the read access and it is still showing :/
bruce2359 (Poobah; joined 05 Jan 2008, 9394 posts; location: US: west coast, almost. Otherwise, enroute.)
Posted: Mon Feb 19, 2018 9:34 am

Did you refresh security?
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
myip (Newbie; joined 14 Feb 2018, 6 posts)
Posted: Mon Feb 19, 2018 11:11 am

bruce2359 wrote:
Did you refresh security?


yes, I even restarted the QM
zpat (Jedi Council, UK; joined 19 May 2001, 5849 posts)
Posted: Mon Feb 19, 2018 11:27 am

Then you have not taken away access to that queue.

Start again and don't grant access to all queues (**).
_________________
Well, I don't think there is any question about it. It can only be attributable to human error. This sort of thing has cropped up before, and it has always been due to human error.
myip (Newbie; joined 14 Feb 2018, 6 posts)
Posted: Mon Feb 19, 2018 12:11 pm

zpat wrote:
Then you have not taken away access to that queue.

Start again and don't grant access to all queues (**).


I have again deleted the QMGR and created a new one, then I only granted the read-only group access to connect, then I connected with that group's user in MQ Explorer and I can still see the Channel Authentication Records.

SET AUTHREC OBJTYPE(QMGR) GROUP('it-read') AUTHADD(CONNECT,INQ,DSP)
zpat (Jedi Council, UK; joined 19 May 2001, 5849 posts)
Posted: Tue Feb 20, 2018 12:21 am

What groups is the user a member of?
_________________
Well, I don't think there is any question about it. It can only be attributable to human error. This sort of thing has cropped up before, and it has always been due to human error.
myip (Newbie; joined 14 Feb 2018, 6 posts)
Posted: Wed Feb 21, 2018 7:03 am

zpat wrote:
What groups is the user a member of?


only it-read
PeterPotkay (Poobah; joined 15 May 2001, 7717 posts)
Posted: Wed Feb 21, 2018 3:22 pm

Look at Table 2 here:
https://www.ibm.com/support/knowledgecenter/SSFKSJ_8.0.0/com.ibm.mq.ref.adm.doc/q083500_.htm

Notice CHLAUTH records don't have their own column.
Guess which column IBM uses to control access to CHLAUTH records.

Right below that table is the following:
Quote:
chg
A user needs chg authority to make any authorization changes on the queue manager. The authorization changes include:
Changing the authorizations to a profile, object, or class of objects
Creating and modifying channel authentication records, and so on


Access to CHLAUTH records is controlled by access to the QM object.


_________________
Peter Potkay
Keep Calm and MQ On
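Added example, not from the thread, IBM or MQ itself: a small Python checker for SET AUTHREC scripts like the one in the opening post. It implements the generic-profile matching rules as I read them from the setmqaut reference (`*` within one qualifier, `?` one character, `**` zero or more qualifiers, allowed once), flags any QUEUE profile that would also cover SYSTEM.CHLAUTH.DATA.QUEUE (zpat's point about the `**` grant), and flags DSP on the QMGR object, which PeterPotkay's IBM reference ties to CHLAUTH access. The function names and the sample script are constructed for this example.

```python
import re
# Constructed sample input: the SET AUTHREC commands from the opening post
SAMPLE_MQSC = """SET AUTHREC OBJTYPE(QMGR) GROUP('it-read') AUTHADD(CONNECT,INQ,DSP)
SET AUTHREC PROFILE(**) OBJTYPE(QUEUE) GROUP('it-read') AUTHADD(DSP,BROWSE)
SET AUTHREC PROFILE(**) OBJTYPE(TOPIC) GROUP('it-read') AUTHADD(DSP)
"""
CHLAUTH_QUEUE = "SYSTEM.CHLAUTH.DATA.QUEUE"  # the queue named in zpat's reply

def qualifier_regex(q):
    # within one qualifier: '*' is zero or more characters, '?' exactly one, never a dot
    return "".join(r"[^.]*" if c == "*" else r"[^.]" if c == "?" else re.escape(c) for c in q)

def profile_regex(profile):
    """Assumed setmqaut rules: dot-separated qualifiers; '**' matches zero or more whole qualifiers, once."""
    quals = profile.split(".")
    if quals.count("**") > 1:
        raise ValueError("'**' may appear only once: " + profile)
    if "**" not in quals:
        return re.compile("^" + r"\.".join(map(qualifier_regex, quals)) + "$")
    k = quals.index("**")
    before = r"\.".join(map(qualifier_regex, quals[:k]))
    after = r"\.".join(map(qualifier_regex, quals[k + 1:]))
    if before and after:  # ABC.**.JKL matches ABC.JKL and ABC.X.Y.JKL
        body = before + r"(?:\.[^.]*)*\." + after
    elif before:  # ABC.** matches ABC and everything below it
        body = before + r"(?:\.[^.]*)*"
    elif after:  # **.JKL matches JKL and anything ending in .JKL
        body = r"(?:[^.]*\.)*" + after
    else:  # a bare ** matches every object name
        body = ".*"
    return re.compile("^" + body + "$")
def profile_matches(profile, name):
    return profile_regex(profile).match(name) is not None
def parse_authrec(line):
    kw = dict(re.findall(r"(\w+)\(([^)]*)\)", line))  # KEYWORD(value) pairs of one line
    return {"profile": kw.get("PROFILE", ""), "objtype": kw.get("OBJTYPE", ""),
            "group": kw.get("GROUP", "").strip("'"),
            "auths": set(kw.get("AUTHADD", "").split(","))}

def audit(mqsc):
    """Return one warning per grant that reaches CHLAUTH data (hypothetical helper, not an MQ tool)."""
    warnings = []
    for line in mqsc.splitlines():
        if not line.strip().upper().startswith("SET AUTHREC"): continue
        r = parse_authrec(line)
        if r["objtype"] == "QUEUE" and profile_matches(r["profile"], CHLAUTH_QUEUE):
            warnings.append(f"{r['group']}: QUEUE profile {r['profile']} also covers {CHLAUTH_QUEUE}")
        if r["objtype"] == "QMGR" and "DSP" in r["auths"]:
            warnings.append(f"{r['group']}: DSP on the QMGR object, which governs access to CHLAUTH records")
    return warnings
```

Running `audit(SAMPLE_MQSC)` on the opening post's script yields two warnings: the `**` QUEUE profile reaching SYSTEM.CHLAUTH.DATA.QUEUE, and DSP on the QMGR object; a script that scopes queue access to an application prefix such as `APP.**` clears the first one.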
myip (Newbie; joined 14 Feb 2018, 6 posts)
Posted: Thu Mar 01, 2018 2:49 pm

PeterPotkay wrote:
Look at Table 2 here:
https://www.ibm.com/support/knowledgecenter/SSFKSJ_8.0.0/com.ibm.mq.ref.adm.doc/q083500_.htm

Notice CHLAUTH records don't have their own column.
Guess which column IBM uses to control access to CHLAUTH records.

Right below that table is the following:
Quote:
chg
A user needs chg authority to make any authorization changes on the queue manager. The authorization changes include:
Changing the authorizations to a profile, object, or class of objects
Creating and modifying channel authentication records, and so on


Access to CHLAUTH records is controlled by access to the QM object.



hi, sorry for the late response.

So basically there is no way to hide, or not display, the Channel Authentication Records from other users?

My goal is that a Queue reader user can only read Queues from the MQ Explorer and can't display anything else.
fjb_saper (Grand High Poobah, LI,NY; joined 18 Nov 2003, 20696 posts)
Posted: Fri Mar 02, 2018 2:12 am

Have you tried removing display from the QMGR object?
_________________
MQ & Broker admin