MQ explorer and mqm user access to QM v8
zrux
Posted: Mon Oct 12, 2020 5:05 am    Post subject: MQ explorer and mqm user access to QM v8
Hi,
I am in the process of tightening the security on the new v8 QM in terms of SVRCONN channel access. I have enabled CHLAUTH(ENABLED) and set CONNAUTH(SYSTEM.DEFAULT.AUTHINFO.IDPWOS).
Question is: how do I now set up the rules for allowing MQ Explorer for any desktop user from any IP on a specific channel (EXPLORER.SVRCONN) on all MQ objects?
Also, how do I allow access for the mqm user using a specific channel (MQM.SVRCONN) on all MQ objects?
Code:
DEFINE CHANNEL(AA_CHL) +
  CHLTYPE(SVRCONN) +
  MCAUSER(NOACCESS) REPLACE
DEF QL(SOME_QUEUE)
SET CHLAUTH(AA_CHL) TYPE(USERMAP) +
  CLNTUSER('aa_usr') +
  USERSRC(MAP) +
  MCAUSER('aa_usr') +
  ACTION(ADD)
SET AUTHREC +
  GROUP('aa_usr') +
  OBJTYPE(QMGR) +
  AUTHADD(CONNECT,INQ,DSP,ALTUSR)
SET AUTHREC PROFILE(SOME_QUEUE) +
  GROUP('aa_usr') +
  OBJTYPE(QUEUE) +
  AUTHADD(GET,PUT,DSP,INQ)
SET AUTHREC PROFILE(**) +
  GROUP('aa_usr') +
  OBJTYPE(QUEUE) +
  AUTHADD(DSP)
hughson
Posted: Tue Oct 13, 2020 8:09 pm    Post subject: Re: MQ explorer and mqm user access to QM v8
zrux wrote:
    I am in the process of tightening the security on the new v8 QM in terms of SVRCONN channel access
I am happy to hear that you want to tighten the security on your queue manager.
zrux wrote:
    I have enabled CHLAUTH(ENABLED) and set CONNAUTH(SYSTEM.DEFAULT.AUTHINFO.IDPWOS)
Are you leaving the SYSTEM.DEFAULT.AUTHINFO.IDPWOS with all its default values? I would suggest using the ADOPTCTX(YES) value (which is the default at newer versions of MQ than V8). By the way, V8 is now out of service; I suggest you might want to get a more modern version.
zrux wrote:
    Question is - How do I now setup the rules for allowing MQ explorer for any desktop user from any IP on specific channel (EXPLORER.SVRCONN) on all MQ Objects
You can set up a CHLAUTH rule as follows:
Code:
SET CHLAUTH(EXPLORER.SVRCONN) TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(CHANNEL) CHCKCLNT(REQUIRED)
Since you mentioned using CONNAUTH at the start of your post, I have assumed that you want some actual security on this (rather than just an IP filter as your question suggests, since that could literally allow in ANYONE). I have therefore concluded that, as a minimum, you want to check user IDs and passwords (that's what CHCKCLNT(REQUIRED) instructs). Since you are authenticating the provided user ID with its password, I have, in this rule, decided to take the user ID provided by the MQ Explorer user for authorisation checks (that's what USERSRC(CHANNEL) instructs).
So let's assume that each MQ Explorer user is given a user ID (and password) for a user in the group 'explorer' which will be used for authorisation checks. I assume that this group will be a read only Explorer group. If you need more operations you can add more authorities as required. Having created these user IDs, and added them to the group 'explorer', you would need to also set the following AUTHREC profiles in place.
Code:
* First the rules to allow interaction with the command server *
SET AUTHREC GROUP('explorer') OBJTYPE(QUEUE) PROFILE(SYSTEM.ADMIN.COMMAND.QUEUE) AUTHADD(PUT,INQ,DSP)
SET AUTHREC GROUP('explorer') OBJTYPE(QUEUE) PROFILE(SYSTEM.MQEXPLORER.REPLY.MODEL) AUTHADD(GET,DSP)
* Now the rules to grant read-only access to all objects *
SET AUTHREC GROUP('explorer') OBJTYPE(QMGR) AUTHADD(DSP,INQ,CONNECT)
SET AUTHREC GROUP('explorer') OBJTYPE(QUEUE) PROFILE('**') AUTHADD(DSP)
SET AUTHREC GROUP('explorer') OBJTYPE(TOPIC) PROFILE('**') AUTHADD(DSP)
SET AUTHREC GROUP('explorer') OBJTYPE(AUTHINFO) PROFILE('**') AUTHADD(DSP)
SET AUTHREC GROUP('explorer') OBJTYPE(CHANNEL) PROFILE('**') AUTHADD(DSP)
SET AUTHREC GROUP('explorer') OBJTYPE(CLNTCONN) PROFILE('**') AUTHADD(DSP)
SET AUTHREC GROUP('explorer') OBJTYPE(COMMINFO) PROFILE('**') AUTHADD(DSP)
SET AUTHREC GROUP('explorer') OBJTYPE(LISTENER) PROFILE('**') AUTHADD(DSP)
SET AUTHREC GROUP('explorer') OBJTYPE(NAMELIST) PROFILE('**') AUTHADD(DSP)
SET AUTHREC GROUP('explorer') OBJTYPE(PROCESS) PROFILE('**') AUTHADD(DSP)
SET AUTHREC GROUP('explorer') OBJTYPE(SERVICE) PROFILE('**') AUTHADD(DSP)
zrux wrote:
    Also, how do I allow access for mqm user using specific channel (MQM.SVRCONN) on all MQ Objects
You can have administrative users that are not members of the mqm group. How to do this is described in this blog post: A non-privileged MQ administrator
Should you actually NEED remote mqm access, this blog post covers how to do that: CHLAUTH - Allow some privileged admins
I also recommend you set a CHLAUTH back-stop rule; read "CHLAUTH - the back-stop rule" for more details.
Remember that tightening security means actually adding some authorisation and some authentication. One without the other is not enough.
Cheers,
Morag
_________________
Morag Hughson @MoragHughson, IBM MQ Technical Education Specialist, MQGem Software
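A small audit script, added here as an example and not part of the thread or of any IBM tooling, that reads the `DISPLAY CHLAUTH(*)` output of a queue manager and flags the gaps the answer above warns about: a SVRCONN channel with no rule of its own, a USERSRC(CHANNEL) rule that does not force CHCKCLNT(REQUIRED), and a missing back-stop rule. The sample output, the channel list and the function names are constructed for the example.

```python
import re

# Constructed sample of `DISPLAY CHLAUTH(*)` output from runmqsc; not from a real queue manager.
SAMPLE_CHLAUTH = """\
AMQ8878I: Display channel authentication record details.
   CHLAUTH(EXPLORER.SVRCONN)               TYPE(ADDRESSMAP)
   ADDRESS(*)                              USERSRC(CHANNEL)
   CHCKCLNT(REQUIRED)
AMQ8878I: Display channel authentication record details.
   CHLAUTH(AA_CHL)                         TYPE(USERMAP)
   CLNTUSER(aa_usr)                        USERSRC(MAP)
   MCAUSER(aa_usr)                         CHCKCLNT(ASQMGR)
AMQ8878I: Display channel authentication record details.
   CHLAUTH(MQM.SVRCONN)                    TYPE(ADDRESSMAP)
   ADDRESS(*)                              USERSRC(CHANNEL)
   CHCKCLNT(ASQMGR)
"""
# Constructed list of SVRCONN names, as `DISPLAY CHANNEL(*) CHLTYPE(SVRCONN)` would list them.
SAMPLE_SVRCONNS = ["EXPLORER.SVRCONN", "MQM.SVRCONN", "AA_CHL", "SYSTEM.ADMIN.SVRCONN"]

def parse_chlauth(text):
    """Turn each AMQ8878I record into a dict of KEYWORD -> value."""
    records = []
    for chunk in re.split(r"^AMQ8878I:.*$", text, flags=re.M)[1:]:
        records.append(dict(re.findall(r"(\w+)\(([^)]*)\)", chunk)))
    return records

def audit_chlauth(text, svrconn_channels):
    """Return a list of findings; an empty list means every check passed."""
    rules = parse_chlauth(text)
    findings = []
    # The back-stop rule denies any channel that no more specific rule has allowed.
    if not any(r.get("CHLAUTH") == "*" and r.get("USERSRC") == "NOACCESS" for r in rules):
        findings.append("no back-stop rule (CHLAUTH('*') ... USERSRC(NOACCESS))")
    for chl in svrconn_channels:
        mine = [r for r in rules if r.get("CHLAUTH") == chl]
        if not mine:
            findings.append(f"{chl}: no CHLAUTH rule of its own")
        for r in mine:
            # USERSRC(CHANNEL) authorises as the client-asserted user ID, so the
            # rule itself should insist that the ID is proven with a password.
            if r.get("USERSRC") == "CHANNEL" and r.get("CHCKCLNT") != "REQUIRED":
                findings.append(f"{chl}: USERSRC(CHANNEL) but CHCKCLNT({r.get('CHCKCLNT')}) "
                                "leaves password checking to the queue manager default")
    return findings

if __name__ == "__main__":
    for line in audit_chlauth(SAMPLE_CHLAUTH, SAMPLE_SVRCONNS):
        print("FINDING:", line)
```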
fjb_saper
Posted: Wed Oct 14, 2020 4:43 am
You say you're on V8. Make sure your MQ Explorer and MQ Server are at least on 8.0.0.4 or higher, as there are inconsistencies at the lower level. Best go to 9.2.0.1. V8 is already out of support.