MQSeries.net Forum Index > General IBM MQ Support

Security: Passing Userid and password from QCF WAS6.0
sanjoo (Acolyte, joined 26 Oct 2005)
Posted: Fri Jul 13, 2007 12:58 pm    Subject: Security: Passing Userid and password from QCF WAS6.0

Greetings!!!!!

We are working on securing MQ. The issue is: all Java applications that connect to the MQ server connect through WAS, and they all use the same user ID to connect, which is a very, very bad design.

Now we know that, using a QCF, an application can provide a user ID and password when it tries to acquire a connection from the connection pool, and get a connection that way. But this requires a code change. I am looking for an option through which I can pass this user ID and password at the configuration level (the QCF).

If yes, how will this user ID map to the MQMD user ID?

I got some info from the IBM site:


"Container-managed Authentication Alias for QCF
This alias specifies a user ID and password to be used to authenticate connection to a JMS provider for container-managed authentication.
This property provides a list of the J2C authentication data entry aliases that have been defined to WebSphere Application Server. You can select a data entry alias to be used to authenticate the creation of a new connection to the JMS provider.

If you have enabled global security for WebSphere Application Server, select the alias that specifies the user ID and password used to authenticate the creation of a new connection to the JMS provider. The use of this alias depends on the resource authentication (res-auth) setting declared in the connection factory resource reference of an application component's deployment descriptors."
_________________
Sanjoo

Keep smiling
fjb_saper (Grand Poobah, joined 18 Nov 2003, LI,NY)
Posted: Fri Jul 13, 2007 2:50 pm    Subject: Re: Security: Passing Userid and password from QCF WAS6.0

sanjoo wrote:
    Greetings!!!!!

    We are working on securing MQ. The issue is: all Java applications that connect to the MQ server connect through WAS, and they all use the same user ID to connect, which is a very, very bad design.

Can you elaborate on why this looks like a bad design? Are all your applications on WAS using the same QCF? Wouldn't the bad design be not having a QCF per WAS app?
I'm a little confused here, because using a JAAS alias to authenticate will not allow multiple users... To get multiple users you need multiple QCFs.
_________________
MQ & Broker admin
sanjoo (Acolyte)
Posted: Fri Jul 13, 2007 6:13 pm

Saper,
There is one QCF defined for each application. But right now we don't have any authentication info on those QCFs. And since all JVMs run under the same user ID for administrative simplicity, at the MQ server we receive the same ID as the user, and it becomes difficult to authenticate and authorize apps on a per-ID, per-role basis.

Is it possible to pass a different ID per QCF?
Well, we tried doing that by providing JAAS alias authentication info, but somehow it's not passing that ID and we are receiving messages with the "mqm" user ID.

I hope this clears up the picture.

Thanks in advance.
_________________
Sanjoo

Keep smiling
jefflowrey (Grand Poobah, joined 16 Oct 2002)
Posted: Fri Jul 13, 2007 9:00 pm

If your QCFs are binding to a local qmgr as a server connection, then the ID passed will always be the ID that is running the WAS instance.

This means that if you need application-level authentication granularity, then you need one server instance per application, and each instance needs to run under its own user ID.

If your QCFs are binding to the qmgr as a client connection, then you can either use JAAS aliasing on the QCF, or you can give each QCF its own SVRCONN and set an MCAUSER on the SVRCONN.
_________________
I am *not* the model of the modern major general.
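The second client-connection option Jeff describes (one SVRCONN per QCF with MCAUSER set), written out as an added example that is not code from the thread or from IBM: a shell script that emits, for each application, the MQSC to define its own SVRCONN with MCAUSER pinned to a dedicated service ID, and the setmqaut grants that confine that ID to its own queues. The queue manager name GW.QM, the applications BILLING and ORDERS, the service IDs wasbill/wasord, the groups mqbill/mqord and the queue names are all assumptions. Once MCAUSER is set on a SVRCONN, the channel runs as that ID no matter which user ID the client flows, so it decides both OAM authorization and the MQMD UserIdentifier stamped on puts, regardless of which JAAS alias (or WAS JVM user) sits behind the QCF.

```shell
#!/bin/sh
# Added example (not from the thread): per-application SVRCONN channels with a
# pinned MCAUSER, plus the OAM grants that scope each ID to its own queues.
# Assumed names: queue manager GW.QM, applications BILLING and ORDERS, service
# IDs wasbill/wasord in groups mqbill/mqord, queues <APP>.REQUEST/<APP>.REPLY.

QMGR="${QMGR:-GW.QM}"

# app_channel_mqsc APP USER
# Emits the MQSC that defines APP.SVRCONN with MCAUSER fixed to USER. Once
# MCAUSER is set, the channel runs as USER regardless of the ID the client
# asserts, so every QCF pointing at this channel is authorized as USER.
app_channel_mqsc() {
  printf "DEFINE CHANNEL('%s.SVRCONN') CHLTYPE(SVRCONN) TRPTYPE(TCP) MCAUSER('%s') REPLACE\n" "$1" "$2"
}

# app_authorities GROUP QUEUE...
# Emits setmqaut commands: connect/inquire on the queue manager and put/get on
# the named queues only. Grants go to a group (-g) rather than a principal (-p)
# because on Unix the MQ 6/7 OAM resolves a principal to its primary group
# anyway; one dedicated group per application keeps the grant honest.
app_authorities() {
  grp=$1; shift
  printf "setmqaut -m %s -t qmgr -g %s +connect +inq\n" "$QMGR" "$grp"
  for q in "$@"; do
    printf "setmqaut -m %s -t queue -n %s -g %s +put +get +inq\n" "$QMGR" "$q" "$grp"
  done
}

# provision_app APP USER GROUP
# Full command set for one application: one DEFINE CHANNEL line (for runmqsc)
# followed by the setmqaut grants (run from a shell as an MQ administrator).
provision_app() {
  app=$1; user=$2; grp=$3
  app_channel_mqsc "$app" "$user"
  app_authorities "$grp" "$app.REQUEST" "$app.REPLY"
}

# Applying it (not run here): MQSC lines go to runmqsc, setmqaut lines to sh.
#   provision_app BILLING wasbill mqbill | grep '^DEFINE'   | runmqsc "$QMGR"
#   provision_app BILLING wasbill mqbill | grep '^setmqaut' | sh
if [ "${1:-}" = "show" ]; then
  provision_app BILLING wasbill mqbill
  provision_app ORDERS  wasord  mqord
fi
```

Each application's QCF then names its own channel (BILLING.SVRCONN, ORDERS.SVRCONN) and nothing else changes on the WAS side. One caveat on the JAAS-alias route: the queue manager at this level (MQ 6) does not verify the password from the alias, only the user ID is flowed, and any client that can reach a SVRCONN with a blank MCAUSER can assert any ID it likes, so the alias selects an identity rather than authenticating one; the pinned MCAUSER is what actually enforces it.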
fjb_saper (Grand Poobah)
Posted: Sat Jul 14, 2007 4:52 am

Well, I guess you're never connecting to more than one qmgr per JVM... otherwise you would already have switched to a client connection.

As Jeff pointed out, the client connection gives you more flexibility as to specifying the user for the QCF, either by MCAUSER on the channel or by JAAS alias.

Enjoy
_________________
MQ & Broker admin
sanjoo (Acolyte)
Posted: Sat Jul 14, 2007 12:05 pm

Saper,
It's true that all apps on the app server always connect to the same gateway queue manager, and all other queue managers are clustered. But the queue manager is on a different server than the app server, so we must be using a client connection and not bindings mode.

We tried using a JAAS alias, but on the queue we are still receiving messages with the mqm ID, which means the app is passing a blank user ID instead of the JAAS user ID and password.

One quick question... only this user ID will be validated on the MQ server side, right? For password validation we have to go for some 3rd-party tool?
Well, that's what my understanding is... please correct me if I am wrong.

Also, I am wondering how this JAAS user ID and password are sent to MQ? I mean, how are they mapped?

Thanks a lot for all the help.
_________________
Sanjoo

Keep smiling
fjb_saper (Grand Poobah)
Posted: Sat Jul 14, 2007 10:55 pm

You map the JAAS alias in the JNDI setup of the QCF.
See JAAS authentication for container-managed components.
Hope this helps some.

Enjoy
_________________
MQ & Broker admin
sanjoo (Acolyte)
Posted: Wed Jul 18, 2007 6:03 am

Thanks, Saper.
We tried that, but somehow we are getting messages with the "mqm" user ID, which means a blank user ID is passed.
Do I need to enable global security to enable the JAAS alias?

If you have any document or link for the JAAS alias, can you please post it here?

Appreciate your help.
_________________
Sanjoo

Keep smiling
sanjoo (Acolyte)
Posted: Wed Jul 18, 2007 7:11 am

We tried all of the following combos:

1. Specify a method of providing the user ID and password that you want the application server. To use a JAAS authentication alias to provide the user ID and password that you can use for EIS sign-on, complete the following steps:
   - In the Servers view, right-click the server and select Run administrative console.
   - Expand Resources and select Resource Adapters.
   - Select the resource adapter you want to modify.
   - Under Additional Properties, click J2C connection factories.
   - Under Related Items, click J2EE Connector Architecture (J2C) authentication data entries.
   - Above the list of aliases, click New.
   - Enter an alias name, your user ID, password, and optional description. Select OK.

2. Select the JAAS authentication alias for the Container-managed authentication alias property of the J2C connection factory used by your application. You can do this when you first create the connection factory or later by editing the connection factory. To edit the connection factory:
   - In the Administrative Console for the server you selected, navigate to the connection factory that you wish to modify. For example, Resource adapters > server_name > J2C connection factories > connection_factory_name.
   - In the Container-managed authentication alias drop-down list, select the JAAS authentication alias to be used for container-managed authentication by applications using that connection factory.
   - Select OK.

I am wondering... are we missing any stupid setting here?
_________________
Sanjoo

Keep smiling
fjb_saper (Grand Poobah)
Posted: Wed Jul 18, 2007 3:47 pm

Did you check that the channel used does not have mqm in the MCAUSER?
_________________
MQ & Broker admin
sanjoo (Acolyte)
Posted: Wed Jul 18, 2007 8:00 pm

Yeah... the MCA user ID is blank.
_________________
Sanjoo

Keep smiling
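The check Saper asked for, turned into something repeatable, as an added example that is not code from the thread: a shell function that reads what runmqsc prints for `DISPLAY CHANNEL(*) CHLTYPE(SVRCONN) MCAUSER` and lists every SVRCONN whose MCAUSER is blank or is mqm. The sample runmqsc output embedded below is constructed and the channel names in it are assumptions. A blank MCAUSER is the state the thread ends on, and it is the worst option for this setup: the channel runs under whatever user ID the client flows, and when nothing usable is flowed it runs under the ID the listener was started with, mqm on a default install, which is exactly why the messages arrive stamped mqm. A JAAS alias on the QCF only changes which ID the client asserts; a SVRCONN that WAS can reach should never be left with MCAUSER blank or set to an administrative ID.

```shell
#!/bin/sh
# Added example (not from the thread): flag SVRCONN channels whose MCAUSER is
# blank or the administrative ID mqm. Input is the text runmqsc prints for
#   DISPLAY CHANNEL(*) CHLTYPE(SVRCONN) MCAUSER
# Channel names below are assumptions; the sample output is constructed.

# audit_svrconn_mcauser < runmqsc-output
# Prints "CHANNEL MCAUSER" for each offending channel (BLANK for an empty
# MCAUSER) and returns 1 if any were found, 0 if every SVRCONN is pinned to a
# non-administrative ID.
audit_svrconn_mcauser() {
  awk '
    # runmqsc prints attributes as NAME(value); CHANNEL(...) opens each entry
    match($0, /CHANNEL\([^)]*\)/) { ch = substr($0, RSTART + 8, RLENGTH - 9) }
    match($0, /MCAUSER\([^)]*\)/) {
      u = substr($0, RSTART + 8, RLENGTH - 9)
      gsub(/ /, "", u)                      # MCAUSER( ) is how a blank shows up
      if (u == "" || u == "mqm") {
        print ch, (u == "" ? "BLANK" : u)
        bad++
      }
    }
    END { exit bad ? 1 : 0 }
  '
}

# Constructed sample of what runmqsc prints: one pinned channel, the default
# SVRCONN with a blank MCAUSER, and a channel someone pinned to mqm.
SAMPLE_DISPLAY='AMQ8414: Display Channel details.
   CHANNEL(BILLING.SVRCONN)                CHLTYPE(SVRCONN)
   MCAUSER(wasbill)
AMQ8414: Display Channel details.
   CHANNEL(SYSTEM.DEF.SVRCONN)             CHLTYPE(SVRCONN)
   MCAUSER( )
AMQ8414: Display Channel details.
   CHANNEL(LEGACY.SVRCONN)                 CHLTYPE(SVRCONN)
   MCAUSER(mqm)'

# Against a live queue manager (not run here), feed runmqsc output straight in:
#   echo "DISPLAY CHANNEL(*) CHLTYPE(SVRCONN) MCAUSER" | runmqsc GW.QM | audit_svrconn_mcauser
if [ "${1:-}" = "demo" ]; then
  printf '%s\n' "$SAMPLE_DISPLAY" | audit_svrconn_mcauser \
    || echo "the SVRCONNs above accept whatever user ID the client asserts; set MCAUSER on each"
fi
```

Run with `demo` it prints `SYSTEM.DEF.SVRCONN BLANK` and `LEGACY.SVRCONN mqm`; the pinned BILLING.SVRCONN is silent. SYSTEM.DEF.SVRCONN is worth special attention, since it exists on every queue manager and is reachable by any client that knows the name unless it is pinned to a non-existent ID or disabled.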