mquser01
Acolyte, Joined: 06 Mar 2008, Posts: 52
Posted: Thu May 21, 2009 2:11 am    Post subject: Access control in IBM MQ

Hi,

We have been using IBM MQ in our application. My query is whether it is possible to limit access control (access to read/delete/purge etc. messages) to a particular application.

For e.g. we have:

application x running on machine x
application y running on machine y
application z running on machine z

There is a queue Q1.

Suppose application 'x' sends messages to Q1 which only application 'y' should be able to access; application 'z' should have absolutely no access (delete/read etc.) to messages sent by application 'x' for application 'y'.

I want to know if there is any means to impose such access restriction in IBM MQ?

WMBDEV1
Sentinel, Joined: 05 Mar 2009, Posts: 888, Location: UK
Posted: Thu May 21, 2009 2:12 am

Vitor
Grand High Poobah, Joined: 11 Nov 2005, Posts: 26093, Location: Texas, USA
Posted: Thu May 21, 2009 2:16 am    Post subject: Re: Access control in IBM MQ

mquser01 wrote:
    I want to know if there is any means to impose such access restriction in IBM MQ?

Yes. There's one entire manual devoted to the subject of security, along with a number of informative discussions in here on the subject (the search facility will assist here).

There are also a number of potential strategies depending on how secure you want / need to get. For instance, do you need to prevent application z accessing the messages intended for y, do you need to prevent z spoofing an identity as y, do you need to prevent rogue copies of y being used to obtain unauthorised access to the messages, do you need to prevent the messages being intercepted in transit, etc., etc., etc.

Happy Reading!
_________________
Honesty is the best policy.
Insanity is the best defence.

zpat
Jedi Council, Joined: 19 May 2001, Posts: 5867, Location: UK
Posted: Thu May 21, 2009 2:28 am

Using a mainframe queue manager makes security a lot easier to manage (with RACF)!

Vitor
Grand High Poobah, Joined: 11 Nov 2005, Posts: 26093, Location: Texas, USA
Posted: Thu May 21, 2009 2:29 am

zpat wrote:
    Using a mainframe queue manager makes security a lot easier to manage (with RACF)!

Everything's easier to manage on a mainframe....
_________________
Honesty is the best policy.
Insanity is the best defence.

Monk
Master, Joined: 21 Apr 2007, Posts: 282
Posted: Thu May 21, 2009 2:31 am

Search for OAM in the IBM documentation...

Like poobah said.... Happy reading..
_________________
Thimk

sumit
Partisan, Joined: 19 Jan 2006, Posts: 398
Posted: Thu May 21, 2009 6:49 am

And maybe you can use aliasq. Create aliasqs dedicated to application x, y and z and make them get, put disabled where required.

But this is not a scalable solution and will only be helpful if you have a handful of applications.

Setting the required level of authority is always better.
_________________
Regards
Sumit

exerk
Jedi Council, Joined: 02 Nov 2006, Posts: 6339
Posted: Thu May 21, 2009 2:42 pm

sumit wrote:
    And maybe you can use aliasq. Create aliasqs dedicated to application x, y and z and make them get, put disabled where required.

    But this is not a scalable solution and will only be helpful if you have a handful of applications.

    Setting the required level of authority is always better.

You still need to set authorities on the QA's... and why isn't it scalable?
_________________
It's puzzling, I don't think I've ever seen anything quite like this before... and it's hard to soar like an eagle when you're surrounded by turkeys.

AkankshA
Grand Master, Joined: 12 Jan 2006, Posts: 1494, Location: Singapore
Posted: Thu May 21, 2009 8:16 pm    Post subject: Re: Access control in IBM MQ

mquser01 wrote:
    Hi,

    We have been using IBM MQ in our application. My query is whether it is possible to limit access control (access to read/delete/purge etc. messages) to a particular application.

    For e.g. we have:

    application x running on machine x
    application y running on machine y
    application z running on machine z

    There is a queue Q1.

    Suppose application 'x' sends messages to Q1 which only application 'y' should be able to access; application 'z' should have absolutely no access (delete/read etc.) to messages sent by application 'x' for application 'y'.

    I want to know if there is any means to impose such access restriction in IBM MQ?

Do all the applications send messages to the same queue and currently pick from the same queue as well??

I fear in this case, implementing access control won't be easy....

Maybe you can give a little more information...
_________________
Cheers

sumit
Partisan, Joined: 19 Jan 2006, Posts: 398
Posted: Thu May 21, 2009 10:08 pm

exerk wrote:
    sumit wrote:
        And maybe you can use aliasq. Create aliasqs dedicated to application x, y and z and make them get, put disabled where required.

        But this is not a scalable solution and will only be helpful if you have a handful of applications.

        Setting the required level of authority is always better.

    You still need to set authorities on the QA's... and why isn't it scalable?

The point I presented is not scalable when we are not setting authorities.

Let's say app. A only wants to put messages, so it will interact with QA X with put(enabled) and get(disabled). App. B wants to read messages, so QA Y will have get(enabled) and put(disabled).

Now, because of some business reason, app. C just wants to browse the messages. Here, it can't use an existing QA without setting authority.

And that's where it's independently not scalable. Also, that's where I suppose you suggested setting authorities on the QA.
_________________
Regards
Sumit

vol
Acolyte, Joined: 01 Feb 2009, Posts: 69
Posted: Thu May 21, 2009 10:44 pm

Auth is set by group ID, not app, so your apps would all have to run under a different ID for different permissions to be picked up.

Set the auth for the different groups in setmqaut, and assign different groups to the users running the apps.
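The group-based setmqaut approach vol describes, with sumit's alias-queue variant beside it, as an added example that is not part of the thread: the queue manager QM1, queue Q1 and the groups appx, appy and appz are assumed names, and DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not from the thread: OAM authority records for the scenario
# mquser01 describes, done the way vol suggests (authority is granted to OS
# groups, so each application runs under its own user and group).
# Assumed names (constructed): queue manager QM1, queue Q1, groups appx,
# appy, appz. With DRY_RUN=1 the commands are printed rather than executed,
# so the policy can be reviewed before it is applied.
QMGR=${QMGR:-QM1}
QUEUE=${QUEUE:-Q1}

run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Connect authority on the queue manager plus the listed queue authorities
# (for example "+put" or "+get +browse"); anything not granted stays denied.
grant_queue_access() {
  grp=$1; shift
  run setmqaut -m "$QMGR" -t qmgr -g "$grp" +connect +inq
  run setmqaut -m "$QMGR" -t queue -n "$QUEUE" -g "$grp" "$@"
}

# Remove every authority the group holds on the queue.
deny_queue_access() {
  run setmqaut -m "$QMGR" -t queue -n "$QUEUE" -g "$1" -all
}

# x produces, y consumes, z gets nothing on Q1.
apply_policy() {
  grant_queue_access appx +put
  grant_queue_access appy +get +browse
  deny_queue_access  appz
}

# Show the effective authorities per group after the policy is applied.
show_policy() {
  for grp in appx appy appz; do
    run dspmqaut -m "$QMGR" -t queue -n "$QUEUE" -g "$grp"
  done
}

# The alias-queue variant sumit mentions, emitted as MQSC for runmqsc.
# As exerk notes, the aliases still need setmqaut records of their own:
# PUT/GET attributes shape what an alias permits, not who may open it.
alias_queue_mqsc() {
  printf 'DEFINE QALIAS(%s.X) TARGET(%s) PUT(ENABLED) GET(DISABLED)\n' "$QUEUE" "$QUEUE"
  printf 'DEFINE QALIAS(%s.Y) TARGET(%s) PUT(DISABLED) GET(ENABLED)\n' "$QUEUE" "$QUEUE"
}
```

Run `DRY_RUN=1 sh -c '. ./mq_acl.sh; apply_policy; show_policy'` to review the command list; without DRY_RUN the same functions apply it on the queue manager host.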
shashivarungupta
Grand Master, Joined: 24 Feb 2009, Posts: 1343, Location: Floating in space on a round rock.
Posted: Thu May 21, 2009 10:47 pm    Post subject: Re: Access control in IBM MQ

AkankshA wrote:
    mquser01 wrote:
        Hi,

        We have been using IBM MQ in our application. My query is whether it is possible to limit access control (access to read/delete/purge etc. messages) to a particular application.

        For e.g. we have:

        application x running on machine x
        application y running on machine y
        application z running on machine z

        There is a queue Q1.

        Suppose application 'x' sends messages to Q1 which only application 'y' should be able to access; application 'z' should have absolutely no access (delete/read etc.) to messages sent by application 'x' for application 'y'.

        I want to know if there is any means to impose such access restriction in IBM MQ?

    Do all the applications send messages to the same queue and currently pick from the same queue as well??

    I fear in this case, implementing access control won't be easy....

    Maybe you can give a little more information...

As it's being said..

If there is an appli. x (suppose as a client) putting a message on Q1 and another appli. y (suppose as a target) gets the message from Q1, and another appli. z which is not being given those levels of access, then the OAM would be different for all of them (x, y, z).

I don't think there would be much difficulty while assigning OAM on the Queue Manager and the respective Queues.

Ya, as far as more information is concerned, mquser01 can provide that.
_________________
*Life will beat you down, you need to decide to fight back or leave it.

AkankshA
Grand Master, Joined: 12 Jan 2006, Posts: 1494, Location: Singapore
Posted: Thu May 21, 2009 11:10 pm

Oops...

I actually imagined it to be a lil more than this..

My context was if applications a and b are putting messages on queue Q1 and y and z are picking... I assumed implementing a mechanism here that y should only get the messages picked by a and not by b...

Well, seems like Friday has already hit my brain...
_________________
Cheers

shashivarungupta
Grand Master, Joined: 24 Feb 2009, Posts: 1343, Location: Floating in space on a round rock.
Posted: Thu May 21, 2009 11:20 pm

AkankshA wrote:
    Oops...

    I actually imagined it to be a lil more than this..

    My context was if applications a and b are putting messages on queue Q1 and y and z are picking... I assumed implementing a mechanism here that y should only get the messages picked by a and not by b...

    Well, seems like Friday has already hit my brain...

I am thankful to your imagination, which would give another dimension to think/work upon THE Scenario. (If it's being faced by any of us in future.)

But yes, I agree with

Quote:
    here that y should only get the messages picked by a and not by b...

It would be a little difficult and particular about the things while implementing such a concept.
_________________
*Life will beat you down, you need to decide to fight back or leave it.

mquser01
Acolyte, Joined: 06 Mar 2008, Posts: 52
Posted: Thu Jun 18, 2009 11:17 pm

I have used setmqaut commands to give access control, but how to do the same using WebSphere MQ Explorer?

I will give an idea regarding whatever I did..

In MQ Explorer, on right click of the QM:

>Object Authorities -> Manage Create Authorities -> Users

In the above window I created 1 user and gave him the rights available, i.e. clicked the check box of Queues/Namelists/Process Definition/Channels/Client-connection channels/Authentication info/Listeners/Services/Topics, and in

>Object Authorities -> Manage Authority Records -> Users

In this window again I created the same user as in Manage Create Authorities and clicked the following checkboxes:

Alternate user authority/Change/Connect/Delete/Display/Inquire/Set/Set all context/Set identity context.

But this Explorer approach does not allow me to set access at get/put/browse etc. level as we can do in setmqaut?

Please let me know how to do the same?

Thanks