Anybody can change the MQ_USER_ID environment variable, so it provides
no measure of true authentication, anyway. If client security is very
important, then you've got a significant challenge on your hands that
will need considerable architectural attention--you're looking at some
combination of security exits, an upgrade to get SSL support,
third-party software, etc. On the other hand, you can get a moderate
level of security without too much effort. Some observations:

1. You may find that restricting the NT userid length (as a standard)
provides other benefits and that, relative to other solutions, is not so
ominous after all.

2. If you have only a few clients, then you can provide a separate
server channel for each and supply the userid in MCAUSER.

3. From MQ's perspective it is not necessary for the NT account to have
a matching UNIX account. You only need to authorize the 10-character NT
userids in MQ's security namespace. In other words, you can authorize
'NT USER 01' to the Unix MQ server even though it's longer than 8
characters.

It is important to note that MQ security and the Unix OS security are
separate beasts. Your MQ USERID and UNIX USERID are not necessarily the
same. The MQ_USER_ID which MQ passes in the client connection only
pertains to MQ SECURITY and does not mean the UNIX server process runs
under that account (unless you have done an 'SU' or something to that
effect in the server process).

    
Regards,
Dennis
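
Observation 2 above, written out as MQSC; this is an added example, not part of the original e-mail. The queue manager QM1, the channel names, the 8-character-or-shorter ids appcl01/appcl02, the groups and the queue names are all constructed assumptions.

```mqsc
* Constructed example. Load with:  runmqsc QM1 < client-channels.mqsc
*
* One server-connection channel per client. When MCAUSER is non-blank,
* MQ uses it for authorization checks on that channel instead of the
* userid the client sends, so the 10-character NT userid never has to
* fit the Unix 8-character limit.
DEFINE CHANNEL(APP1.SVRCONN) CHLTYPE(SVRCONN) TRPTYPE(TCP) +
       MCAUSER('appcl01') +
       DESCR('Client 1 - authorized as appcl01')

DEFINE CHANNEL(APP2.SVRCONN) CHLTYPE(SVRCONN) TRPTYPE(TCP) +
       MCAUSER('appcl02') +
       DESCR('Client 2 - authorized as appcl02')

* Confirm which id each channel will run as.
DISPLAY CHANNEL(APP1.SVRCONN) MCAUSER
DISPLAY CHANNEL(APP2.SVRCONN) MCAUSER

* Authorization is granted separately, from the Unix shell, and only
* for what each client needs (groups mqapp1/mqapp2 are assumed to be
* the groups of appcl01/appcl02):
*   setmqaut -m QM1 -t qmgr -g mqapp1 +connect
*   setmqaut -m QM1 -n APP1.REQUEST -t queue -g mqapp1 +put
*   setmqaut -m QM1 -n APP1.REPLY   -t queue -g mqapp1 +get
*   setmqaut -m QM1 -t qmgr -g mqapp2 +connect
*   setmqaut -m QM1 -n APP2.REQUEST -t queue -g mqapp2 +put
*   setmqaut -m QM1 -n APP2.REPLY   -t queue -g mqapp2 +get
```

MCAUSER fixes the identity used for authorization on a channel; it does not authenticate whoever connects to that channel, which is the job of the security exits or SSL mentioned in the message.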

   

-----Original Message-----
From: Richard Bellis [mailto:[EMAIL PROTECTED] 
Sent: Thursday, March 11, 2004 12:21 AM
To: [EMAIL PROTECTED]
Subject: Windows/Unix Authentication


I wonder if someone could help.

Currently when a Windows MQ series client connects to the MQ server on
Unix we require that the account exists on both machines.

We now have a problem where a Unix restriction prevents user names from
being more than 8 characters. However our NT account is 10 characters
long.

The documentation that I have stumbled across mentions something about
environment Variables MQ_USER_ID, but states that this is not for
Windows NT.

Is there any way that we can set this up? The client is NT4 and the
server is on Solaris 8 using MQ 5.2.1

I know I could change the Windows NT account, but this is a hassle and
may involve a lot of work.

Many Thanks,

Richard Bellis
M&G IS Technical Strategy
020 7548 3346

Instructions for managing your mailing list subscription are provided in
the Listserv General Users Guide available at http://www.lsoft.com
Archive: http://vm.akh-wien.ac.at/MQSeries.archive