MQAUSX
shashivarungupta
Posted: Wed Mar 24, 2010 11:06 am

Grand Master

Joined: 24 Feb 2009
Posts: 1343
Location: Floating in space on a round rock.

RocknRambo wrote:
...Let's say QM1 has 5 sndr/rcvr channels which are used by 5 different applications (one each), can we secure only 2 sndr/rcvr channels such that the other 3 applications have NO impact.




BTW, why do you want the partial security within the system? Is it that the Security Team doesn't allow you to secure MQ from being accessed by the applications (trusted and non-trusted)? Why don't you go for MCAUserID for selective users to access the conn. over the qmgr using server conn?
_________________
*Life will beat you down, you need to decide to fight back or leave it.


Last edited by shashivarungupta on Wed Mar 24, 2010 11:13 am; edited 1 time in total
RogerLacroix
Posted: Wed Mar 24, 2010 11:12 am

Jedi Knight

Joined: 15 May 2001
Posts: 3253
Location: London, ON Canada

shashivarungupta wrote:
Most importantly, take care of the PERMISSIONS over the FILES (some of 'em do require ROOT-level access).

shashi, I realize you are trying to be helpful, but you are misleading people.

If the MQAdmin wants LDAP or FBA authentication then ZERO files require any sort of special permission.

If the MQAdmin wants Local OS authentication then ONE file (mqausxvfy) requires special permission as documented in the manual.

RocknRambo wrote:
Will there be an impact on the applications interacting with QM1?

No, as you have not implemented MQAUSX on QM1.

RocknRambo wrote:
Can we just secure the inter queue manager connectivity b/w QM1 and QM2 and NOT disturb the applications interacting with QM1?

Yes. Simply follow the instructions in the MQAUSX Queue Manager to Queue Manager Configuration manual.

Please note: If you secure the client channels on QM2 but not on QM1 but QM1 and QM2 can talk to each other then the hackers will simply use QM1 to get to QM2!!

RocknRambo wrote:
is it possible or do we have options for the same ?

I'm not sure what you mean.

Regards,
Roger Lacroix
_________________
Capitalware: Transforming tomorrow into today.
Connected to MQ!
Twitter
RogerLacroix
Posted: Wed Mar 24, 2010 11:18 am

Jedi Knight

Joined: 15 May 2001
Posts: 3253
Location: London, ON Canada

RocknRambo wrote:
Can we configure a queue manager such that only selected channels are secured. Let's say QM1 has 5 sndr/rcvr channels which are used by 5 different applications (one each), can we secure only 2 sndr/rcvr channels such that the other 3 applications have NO impact.

Yes, but it is not a good idea. For the "other 3 applications" (i.e. channels), you should set up MQAUSX to be in "at least" NoAuth mode.

In case you did not know, you can have as many MQAUSX IniFiles as you wish - one per channel if you want. Each IniFile can have its own set of keywords and certain features enabled.

i.e. Some IniFile can have the NoAuth keywords, some can use the MCC (Max Channel Connection), some can authenticate against an LDAP server, etc...


Please let me know if you have any questions or comments.

Regards,
Roger Lacroix
Capitalware Inc.
RogerLacroix
Posted: Wed Mar 24, 2010 11:19 am

Jedi Knight

Joined: 15 May 2001
Posts: 3253
Location: London, ON Canada

shashivarungupta wrote:
Why don't you go for MCAUserID for selective users to access the conn. over the qmgr using server conn?

Shashi, that is NOT securing a queue manager.

Regards,
Roger Lacroix
Capitalware Inc.
RocknRambo
Posted: Wed Mar 24, 2010 11:36 am

Partisan

Joined: 24 Sep 2003
Posts: 355

Point well taken, and we do have a roadmap to secure all channels. But, to start off, we want specific channels to be secured which are identified.

It is a bit complex to outline why we cannot secure all the channels and make the changes in the applications at once.

In the below scenario: if MQAUSX is implemented on QM2, which includes inter queue manager comm b/w QM2 & QM1, do we have to install & configure MQAUSX on QM2 as well?


--
RR
RocknRambo
Posted: Wed Mar 24, 2010 11:38 am

Partisan

Joined: 24 Sep 2003
Posts: 355

Thanks Roger, this is much clearer now.


Pls. ignore my comments -
Quote:
In the below scenario: if MQAUSX is implemented on QM2, which includes inter queue manager comm b/w QM2 & QM1, do we have to install & configure MQAUSX on QM2 as well?



--
RR
bruce2359
Posted: Wed Mar 24, 2010 12:29 pm

Poobah

Joined: 05 Jan 2008
Posts: 9400
Location: US: west coast, almost. Otherwise, enroute.

More accurately: securing some channels, but not all channels, is like locking your front door, but leaving the other doors unlocked, and some windows open.
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
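
Added example, not part of the thread and not Capitalware code: a small audit that makes the "use QM1 to get to QM2" point from the posts above concrete by finding every queue manager reachable from a client channel that has no security exit. The inventory, channel names and link list are constructed sample data, and treating any queue-manager-to-queue-manager link as a path is an assumption of this sketch.

```python
from collections import deque

# Constructed inventory, not taken from the thread. "exit" marks whether a
# security exit such as MQAUSX is configured on that inbound client channel.
CLIENT_CHANNELS = [
    {"qmgr": "QM1", "channel": "APP1.SVRCONN", "exit": True},
    {"qmgr": "QM1", "channel": "APP2.SVRCONN", "exit": True},
    {"qmgr": "QM1", "channel": "APP3.SVRCONN", "exit": False},
    {"qmgr": "QM2", "channel": "APP4.SVRCONN", "exit": True},
    {"qmgr": "QM3", "channel": "APP5.SVRCONN", "exit": True},
]
# Directed queue-manager-to-queue-manager links (sender side, receiver side).
QMGR_LINKS = [("QM1", "QM2"), ("QM3", "QM2")]


def open_entry_points(channels):
    """Map each queue manager to its client channels that have no security exit."""
    result = {}
    for ch in channels:
        if not ch["exit"]:
            result.setdefault(ch["qmgr"], []).append(ch["channel"])
    return result


def exposure_paths(channels, links):
    """Return {qmgr: [path of qmgrs]} for every queue manager reachable from
    an unprotected client channel, directly or through inter-qmgr links."""
    graph = {}
    for src, dst in links:
        graph.setdefault(src, []).append(dst)
    paths = {qm: [qm] for qm in open_entry_points(channels)}
    queue = deque(paths)
    while queue:
        qm = queue.popleft()
        for nxt in graph.get(qm, []):
            if nxt not in paths:  # first (shortest) path wins
                paths[nxt] = paths[qm] + [nxt]
                queue.append(nxt)
    return paths


if __name__ == "__main__":
    for qm, path in sorted(exposure_paths(CLIENT_CHANNELS, QMGR_LINKS).items()):
        kind = "direct" if len(path) == 1 else "via " + " -> ".join(path[:-1])
        print(f"{qm}: exposed ({kind})")
```

With this sample data QM2 is flagged even though its own client channel has an exit, because QM1 still has one open channel and a link into QM2.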