ramires
Posted: Wed Nov 24, 2010 1:54 am
Knight
Joined: 24 Jun 2001 Posts: 523 Location: Portugal - Lisboa

zpat wrote:
    I don't understand the fuss here, just keep the definitions in source form and use MO72 as a "compiler".

I agree. This is no rocket science, it's just a table/file thing. Reading all this I've one doubt: is it possible to digitally sign a CCDT file and "say" to the qmgr this is the CCDT file you have to use? To avoid an unauthorized change in the CCDT, outside qmgr control.
Regards
joao
fjb_saper
Posted: Wed Nov 24, 2010 4:02 am
Grand High Poobah
Joined: 18 Nov 2003 Posts: 20763 Location: LI,NY

ramires wrote:
    zpat wrote:
        I don't understand the fuss here, just keep the definitions in source form and use MO72 as a "compiler".
    I agree. This is no rocket science, it's just a table/file thing. Reading all this I've one doubt: is it possible to digitally sign a CCDT file and "say" to the qmgr this is the CCDT file you have to use? To avoid an unauthorized change in the CCDT, outside qmgr control.
    Regards
    joao

It is possible to digitally sign the file, keeping the signature apart... but the qmgr would not know about it. If you want to make sure that the file does not get tampered with, just place it into a location that is read-only access for everybody else.
_________________
MQ & Broker admin
zpat
Posted: Wed Nov 24, 2010 5:29 am
Jedi Council
Joined: 19 May 2001 Posts: 5867 Location: UK

ramires wrote:
    zpat wrote:
        I don't understand the fuss here, just keep the definitions in source form and use MO72 as a "compiler".
    I agree. This is no rocket science, it's just a table/file thing. Reading all this I've one doubt: is it possible to digitally sign a CCDT file and "say" to the qmgr this is the CCDT file you have to use? To avoid an unauthorized change in the CCDT, outside qmgr control.
    Regards
    joao

Why is this different to any other program? Use source management for the source if you like. Anyone can create a CCDT; you should protect the system that it is used on from modification. But in any case a CCDT is not a security control.
ramires
Posted: Wed Nov 24, 2010 5:54 am
Knight
Joined: 24 Jun 2001 Posts: 523 Location: Portugal - Lisboa

It was just a thought. If CCDT file placing is under MQ admin team control, we can use O.S. authorities to protect it. But there are cases where an external entity uses a client connection and a CCDT file.
zpat
Posted: Wed Nov 24, 2010 6:00 am
Jedi Council
Joined: 19 May 2001 Posts: 5867 Location: UK

Anyone can install an MQ client, anyone can create or modify a CCDT.
If you want to authenticate a client, use SSL certificates (or a channel exit to check IP address or password).
I repeat - a CCDT is not a security control.
mqjeff
Posted: Wed Nov 24, 2010 6:13 am
Grand Master
Joined: 25 Jun 2008 Posts: 17447

Anyone can write an app that uses MQCONNX.
exerk
Posted: Wed Nov 24, 2010 6:14 am
Jedi Council
Joined: 02 Nov 2006 Posts: 6339

mqjeff wrote:
    Anyone can write an app that uses MQCONNX.

But they have to know the connection details.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
mqjeff
Posted: Wed Nov 24, 2010 6:17 am
Grand Master
Joined: 25 Jun 2008 Posts: 17447

exerk wrote:
    mqjeff wrote:
        Anyone can write an app that uses MQCONNX.
    But they have to know the connection details.

Right, but they can't build a CCDT without that either.
Security through obscurity is not security.
exerk
Posted: Wed Nov 24, 2010 6:24 am
Jedi Council
Joined: 02 Nov 2006 Posts: 6339

mqjeff wrote:
    Right, but they can't build a CCDT without that either.
    Security through obscurity is not security.

But 'they' shouldn't get to build the CCDTs, it should be WMQ Admins only. Admittedly 'they' might be able to clone/reverse engineer the information from the CCDT, but then I'm a great believer in service IDs that are locked up tighter than my wallet when the kids come calling...
bruce2359
Posted: Wed Nov 24, 2010 6:38 am
Poobah
Joined: 05 Jan 2008 Posts: 9475 Location: US: west coast, almost. Otherwise, enroute.

With a free WMQ download and a laptop, I can create a qmgr and CCDT quite easily; and I have mqm privilege. Now, can I export it somehow to a 'real' qmgr filesystem?
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
mqjeff
Posted: Wed Nov 24, 2010 6:40 am
Grand Master
Joined: 25 Jun 2008 Posts: 17447

I have said before, and I'll say it again...
MQ security starts at the network. Block every machine that is not known to be allowed to connect to the queue manager at the network level.
Then put SSL and MCAUSERS on *every* channel into the qmgr.
Then *tightly* control your certificates, and change and expire them routinely.
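Added example, not from anyone in this thread: the MQSC behind zpat's "use SSL certificates" and mqjeff's "SSL and MCAUSERS on every channel", a weak SVRCONN definition beside a hardened one, plus the DISPLAY commands to confirm which one is actually in effect. The channel name, queue manager, certificate DN and user ID are placeholders.

```mqsc
* Weak: no CipherSpec and MCAUSER left at its default (blank). The queue
* manager trusts whatever user ID the client asserts, so any CCDT or
* MQCONNX call built with this channel name connects under the caller's
* own ID, and an ID in the mqm group is a full administrator. Nothing in
* the CCDT itself constrains this; it is just a table of these settings.
DEFINE CHANNEL(APP.SVRCONN) CHLTYPE(SVRCONN) TRPTYPE(TCP) REPLACE

* Hardened: mutual TLS (SSLCAUTH(REQUIRED) makes the client present a
* certificate), the expected client DN pinned with SSLPEER, and every
* connection over the channel forced to a low-privilege ID. A copy of the
* CCDT is then useless without the private key matching the pinned DN, and
* even with it the caller gets only what 'appuser' has been authorised for.
DEFINE CHANNEL(APP.SVRCONN) CHLTYPE(SVRCONN) TRPTYPE(TCP) +
       SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA) +
       SSLCAUTH(REQUIRED) +
       SSLPEER('CN=app-client,OU=Payments,O=Example Corp') +
       MCAUSER('appuser') +
       DESCR('Identity from the certificate, not the CCDT') +
       REPLACE

* Check: first the stored definition, then what live connections actually
* negotiated. A running instance with SSLPEER blank or MCAUSER(mqm) means
* the hardened definition is not the one in force.
DISPLAY CHANNEL(APP.SVRCONN) SSLCIPH SSLCAUTH SSLPEER MCAUSER
DISPLAY CHSTATUS(APP.SVRCONN) CONNAME SSLPEER MCAUSER
```

Feed this to runmqsc for the queue manager; the object authorities for appuser (for example +connect +inq on the queue manager and only +put on the application queue) are granted separately with setmqaut, which is where the real access control lives.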
exerk
Posted: Wed Nov 24, 2010 6:45 am
Jedi Council
Joined: 02 Nov 2006 Posts: 6339

bruce2359 wrote:
    With a free WMQ download and a laptop, I can create a qmgr and CCDT quite easily; and I have mqm privilege. Now, can I export it somehow to a 'real' qmgr filesystem?

That's always a possibility, but then I have always believed the most perfect WMQ solution is the one where you do not allow anyone to use it.
zpat
Posted: Wed Nov 24, 2010 8:23 am
Jedi Council
Joined: 19 May 2001 Posts: 5867 Location: UK

exerk wrote:
    mqjeff wrote:
        Anyone can write an app that uses MQCONNX.
    But they have to know the connection details.

MQ port scanner (like the one that Capitalware gives away).
exerk
Posted: Wed Nov 24, 2010 8:25 am
Jedi Council
Joined: 02 Nov 2006 Posts: 6339

zpat wrote:
    exerk wrote:
        mqjeff wrote:
            Anyone can write an app that uses MQCONNX.
        But they have to know the connection details.
    MQ port scanner (like the one that Capitalware gives away).

May give them the port, but not the channel name etc.
mqjeff
Posted: Wed Nov 24, 2010 8:30 am
Grand Master
Joined: 25 Jun 2008 Posts: 17447

exerk wrote:
    bruce2359 wrote:
        With a free WMQ download and a laptop, I can create a qmgr and CCDT quite easily; and I have mqm privilege. Now, can I export it somehow to a 'real' qmgr filesystem?
    That's always a possibility, but then I have always believed the most perfect WMQ solution is the one where you do not allow anyone to use it.

The only secure computer is one that is turned off, unplugged, sealed in six inches of concrete, and dropped to the bottom of the contact admin trench...
and guarded by attack sharks...