qwerty |
Posted: Wed Jun 24, 2009 3:06 am Post subject: |
|
|
Apprentice
Joined: 22 Jun 2009 Posts: 37
|
I read really a lot about mq
sry...i have to say more details...
ok..
i use the Putty Tool
when I run "runmqsc" for my QMGR
and I type
alter chl(CHL NAME) chltype(svrconn) MCAUser( )
what do I have to write in the brackets after MCAUser
When I write nothing like MCAUser() or MCAUser("") it's a syntax error
what's the command for blank? |
|
Pavan Kumar PNV |
Posted: Wed Jun 24, 2009 3:11 am Post subject: |
|
|
 Acolyte
Joined: 03 Feb 2007 Posts: 66
|
alter chl(CHANNEL_NAME) CHLTYPE(SVRCONN) MCAUSER('')
.. not double quotes
_________________ _____________
Pavan Pendyala
http://pavanz.blogspot.com |
|
shashivarungupta |
Posted: Wed Jun 24, 2009 3:11 am Post subject: |
|
|
 Grand Master
Joined: 24 Feb 2009 Posts: 1343 Location: Floating in space on a round rock.
|
qwerty wrote: |
I read really a lot about mq
sry...i have to say more details...
ok..
i use the Putty Tool
when I run "runmqsc" for my QMGR
and I type
alter chl(CHL NAME) chltype(svrconn) MCAUser( )
what do I have to write in the brackets after MCAUser
When I write nothing like MCAUser() or MCAUser("") it's a syntax error
what's the command for blank? |
alter channel(EXPERIMENTSVRCONN) CHLTYPE(SVRCONN) MCAUSER('')
7 : alter channel(EXPERIMENTSVRCONN) CHLTYPE(SVRCONN) MCAUSER('')
AMQ8016: WebSphere MQ channel changed.
Single Quotes will do !! _________________ *Life will beat you down, you need to decide to fight back or leave it. |
|
qwerty |
Posted: Wed Jun 24, 2009 3:13 am Post subject: |
|
|
Apprentice
Joined: 22 Jun 2009 Posts: 37
|
OAM:
I have activated the OAM, and added users and groups.
With setmqaut I can give authorizations to users and/or groups.
That's not the problem
I'm able to give authorization and to take it away.
My question was....when I use OAM, are there basic underlying things that I have to change in the system, which block the OAM in doing its work.
Or things that can't cooperate with the OAM
sry for all the questions without any details for you...
qwerty |
|
qwerty |
Posted: Wed Jun 24, 2009 3:14 am Post subject: |
|
|
Apprentice
Joined: 22 Jun 2009 Posts: 37
|
thanks for the first  |
|
Pavan Kumar PNV |
Posted: Wed Jun 24, 2009 3:15 am Post subject: |
|
|
 Acolyte
Joined: 03 Feb 2007 Posts: 66
|
MQ takes care of what needs to be done behind the curtains. All you need to do is use setmqauth. _________________ _____________
Pavan Pendyala
http://pavanz.blogspot.com |
|
shashivarungupta |
Posted: Wed Jun 24, 2009 3:17 am Post subject: |
|
|
 Grand Master
Joined: 24 Feb 2009 Posts: 1343 Location: Floating in space on a round rock.
|
qwerty wrote: |
OAM:
My question was....when I use OAM, are there basic underlying things that I have to change in the system, which block the OAM in doing its work.
Or things that can't cooperate with the OAM
|
If you are not manually/explicitly disturbing the MQ internal processes (such as amqzfuma for OAM) then I don't think there would be any.
Another thing, if you are not modifying/deleting the queue/its contents SYSTEM.AUTH.DATA.QUEUE then I don't think there would be any. _________________ *Life will beat you down, you need to decide to fight back or leave it. |
|
shashivarungupta |
Posted: Wed Jun 24, 2009 3:22 am Post subject: |
|
|
 Grand Master
Joined: 24 Feb 2009 Posts: 1343 Location: Floating in space on a round rock.
|
Pavan Kumar PNV wrote: |
MQ takes care of what needs to be done behind the curtains. All you need to do is use setmqauth. |
There is no 'h' in setmqaut
C:\>setmqaut
AMQ7093: An object type is required but you did not specify one.
Usage: setmqaut [-m QMgrName] [-n ObjName] -t ObjType (-p Principal | -g Group)
[-s ServiceComponent] Authorizations _________________ *Life will beat you down, you need to decide to fight back or leave it. |
|
qwerty |
Posted: Wed Jun 24, 2009 3:23 am Post subject: |
|
|
Apprentice
Joined: 22 Jun 2009 Posts: 37
|
ok...thanks =)
only for my understanding
I make an amqsputc command
I'd like to put a message on a local Q (LOCALQ)
amqsputc LOCALQ
The user who wants to put the message connects to the server, and he always has the authorizations of the MCAUser.
am I right? |
|
qwerty |
Posted: Wed Jun 24, 2009 3:25 am Post subject: |
|
|
Apprentice
Joined: 22 Jun 2009 Posts: 37
|
sry that was a typing mistake  |
|
exerk |
Posted: Wed Jun 24, 2009 3:28 am Post subject: |
|
|
 Jedi Council
Joined: 02 Nov 2006 Posts: 6339
|
READ, and if you don't understand, READ AGAIN! It's all there in the manuals, and the questions you are asking display either a lack of understanding of those manuals, or indicate that you are only skimming them, not actually reading them. _________________ It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
|
qwerty |
Posted: Thu Jun 25, 2009 12:04 am Post subject: |
|
|
Apprentice
Joined: 22 Jun 2009 Posts: 37
|
qwerty wrote: |
ok...thanks =)
only for my understanding
I make an amqsputc command
I'd like to put a message on a local Q (LOCALQ)
amqsputc LOCALQ
The user who wants to put the message connects to the server, and he always has the authorizations of the MCAUser.
am I right? |
----------
If the MCA user identifier is nonblank, it specifies the user identifier to be used by the message channel agent for authorization to access WebSphere® MQ resources.
----------
so it is right? |
|
shashivarungupta |
Posted: Thu Jun 25, 2009 12:36 am Post subject: |
|
|
 Grand Master
Joined: 24 Feb 2009 Posts: 1343 Location: Floating in space on a round rock.
|
Quote: |
If the MCA user identifier is nonblank, it specifies the user identifier to be used by the message channel agent for authorization to access WebSphere® MQ resources. |
If you had read the link ("MQVB and MQVE Exploiting an MQ Security Hole?" and the Comments by Roger) given (in the above posts) then you wouldn't have asked this question.
The answer to this question is there itself.
 _________________ *Life will beat you down, you need to decide to fight back or leave it. |
|
RogerLacroix |
Posted: Thu Jun 25, 2009 1:25 pm Post subject: |
|
|
 Jedi Knight
Joined: 15 May 2001 Posts: 3264 Location: London, ON Canada
|
Hi,
MQ has huge, HUGE, HUGE security holes when a user does a basic setup/install of WMQ Server. A basic setup/install of WMQ Server potentially allows any user to freely access any message in any queue. Under this scenario, any user can browse, insert, update or delete messages in any queue and there would be no record of this activity.
If the user specifies "blank" then MQEnvironment.userID variable is not set. (Hence, it has a default of blank.) This is a well known security hole in WMQ. See my comments here:
http://www.mqseries.net/phpBB2/viewtopic.php?t=17842
For any and EVERY Java (and Java/JMS) application that does not explicitly set a UserID, a blank UserID will be used by the WMQ client code.
It is a little more difficult to exploit MQ in MO71 (MQMon), RFHUtil, etc.. but it can be done with a dummy client-side security exit like the one I posted here. When you use any client-side security exit, MQ automatically blanks out the UserId!!! Weird, but true.
http://www.mqseries.net/phpBB2/viewtopic.php?t=21782
Bottom line, use either SSL or a security exit to secure your queue managers.
Commercial MQ security solutions are:
For end-to-end authentication security solution for MQ:
1. Capitalware's MQ Authenticate User Security Exit
2. IBM's WebSphere MQ Extended Security Edition V6
3. Primeur's Data Secure for WebSphere MQ
A server-side (verification) only MQ security solution:
1. Capitalware's MQ Standard Security Exit
Regards,
Roger Lacroix
Capitalware Inc. _________________ Capitalware: Transforming tomorrow into today.
Connected to MQ!
Twitter |
|
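An audit check for the blank-identity exposure discussed in the post above, as an added example that is not part of the original thread: it parses the output of the MQSC command `DISPLAY CHANNEL(*) CHLTYPE(SVRCONN) MCAUSER` and lists the SVRCONN channels whose MCAUSER is blank. The sample output is constructed (APP1.SVRCONN and app1svc are made-up names), and the function names are illustrative.

```python
import re

# Constructed sample of runmqsc output; not captured from a real queue manager.
SAMPLE = """\
     1 : DISPLAY CHANNEL(*) CHLTYPE(SVRCONN) MCAUSER
AMQ8414: Display Channel details.
   CHANNEL(EXPERIMENTSVRCONN)              CHLTYPE(SVRCONN)
   MCAUSER( )
AMQ8414: Display Channel details.
   CHANNEL(APP1.SVRCONN)                   CHLTYPE(SVRCONN)
   MCAUSER(app1svc)
AMQ8414: Display Channel details.
   CHANNEL(SYSTEM.DEF.SVRCONN)             CHLTYPE(SVRCONN)
   MCAUSER( )
"""

ATTR = re.compile(r"([A-Z]+)\(([^)]*)\)")    # KEYWORD(value) pairs
ECHO = re.compile(r"\s*\d+ : ")              # runmqsc echo of the command typed


def parse_channels(mqsc_output):
    """Return one attribute dict per AMQ8414 record in the output."""
    channels, current = [], None
    for line in mqsc_output.splitlines():
        if line.startswith("AMQ8414"):
            current = {}
            channels.append(current)
        elif ECHO.match(line):
            current = None                   # command echo, not channel data
        elif current is not None and line[:1].isspace():
            for key, value in ATTR.findall(line):
                current[key] = value.strip()
    return channels


def blank_mcauser_svrconns(mqsc_output):
    """Names of SVRCONN channels that were displayed with a blank MCAUSER."""
    flagged = []
    for ch in parse_channels(mqsc_output):
        # A record without MCAUSER is unknown, not blank, so it is not flagged.
        if ch.get("CHLTYPE") == "SVRCONN" and ch.get("MCAUSER") == "":
            flagged.append(ch.get("CHANNEL", "<unnamed>"))
    return sorted(flagged)


if __name__ == "__main__":
    for name in blank_mcauser_svrconns(SAMPLE):
        print("blank MCAUSER on SVRCONN channel:", name)
```
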
bruce2359 |
Posted: Thu Jun 25, 2009 2:01 pm Post subject: |
|
|
 Poobah
Joined: 05 Jan 2008 Posts: 9482 Location: US: west coast, almost. Otherwise, enroute.
|
Quote: |
MQ has huge, HUGE, HUGE security holes when a user does a basic setup/install of WMQ Server. |
I'd have said that WMQ arrives in the box with no security enabled. It's the responsibility of system admins to enable security to meet business requirements.
Quote: |
Bottom line, use either SSL or a security exit to secure your queue managers. |
SSL and security exits secure channel ends, not the qmgr. But you knew that. _________________ I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live. |
|