You could use BlockIP2 to help you there. BlockIP2 can filter on your connection name together with the userid. And if you have a match it can even change/set MCAUSER depending on your choice.
Another thing is when leaving a SVRCONN open you can let everybody inside. If somebody can write a JMS/JAVA program they can connect to your queuemanager and set the userid to whatever they want: mqm, root, db2admin. All they need is a known userid with the right auth. (and of course the connectionname/channel of your qmgr, typically: 'SYSTEM.DEF.SVRCONN/TCP/conname(1414)')
BlockIP2 was designed to help MQ-administrators to keep the mqnetwork more secure.
http://www.mrmq.dk/BlockIP.htm#BlockIP2
Just my $0.02 ;o)
Kind regards
Jørgen
www.mrmq.dk the author of BlockIP
From: "Ward, Mike S" <[EMAIL PROTECTED]>
Reply-To: MQSeries List <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Re: MO71
Date: Mon, 22 Mar 2004 07:15:17 -0600
I'm not sure I understand. If my NT userid is db2admin why would it work if I change the MCAUSER on the SVRCONN to mqm? How can I secure it so that only users I designate can use it?
-----Original Message-----
From: Paul Clarke [mailto:[EMAIL PROTECTED]
Sent: Monday, March 22, 2004 4:04 AM
To: [EMAIL PROTECTED]
Subject: Re: MO71
Mike,
I'm not sure what your security policy is; whether you're using SSL, security exits or whatever, but to get things working you could change the MCAUSER of the SVRCONN to something which has the required authority. If your MCAUSER is blank then you are even less secure since you'll effectively believe any userid the client cares to throw at you. On most platforms you can switch authority events on in the Queue Manager and then you'll get a message whenever a security check fails. This message details the userid and the object being checked. Personally I find this quite useful when tracking down security violations.
Cheers, P.
Paul G Clarke WebSphere MQ Development IBM Hursley
"Ward, Mike S" <[EMAIL PROTECTED]>
Sent by: MQSeries List <[EMAIL PROTECTED]>
19/03/2004 22:20
Please respond to MQSeries List
To: [EMAIL PROTECTED]
cc:
Subject: Re: MO71
Thanks, I got it to work. I am also trying to connect to a SCO Unix qmanager and I keep getting an Error connecting via client to 'VRUQMGR3' RC(2035) Not authorized. I tried defining the userid of the NT box that has mqmon running on it and then modifying that user so that it has mqm as a group, but I still get the same message. Any thoughts?
-----Original Message-----
From: Paul Clarke [mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 17, 2004 3:50 AM
To: [EMAIL PROTECTED]
Subject: Re: MO71
Mike,
MO71 supports two types of monitoring.
1/ Normal monitoring relies on a program at the remote Queue Manager to receive the messages and send them back to the reply fields. This does therefore require a client (program) running on the remote system.
2/ Loopback monitoring allows you to define a remote queue on the remote system which just 'points' back to the originating queue. This does not therefore require a client (program) running on the remote system.
Cheers, P.
Paul G Clarke WebSphere MQ Development IBM Hursley
"Ward, Mike S" <[EMAIL PROTECTED]>
Sent by: MQSeries List <[EMAIL PROTECTED]>
16/03/2004 14:32
Please respond to MQSeries List
To: [EMAIL PROTECTED]
cc:
Subject: MO71
Hi, is a client required at both ends in order for the monitoring to work?
Instructions for managing your mailing list subscription are provided in the Listserv General Users Guide available at http://www.lsoft.com Archive: http://vm.akh-wien.ac.at/MQSeries.archive
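An added example, not part of the original thread and not code from MO71 or BlockIP: a small audit of SVRCONN channel definitions for the two conditions discussed in the thread, a blank MCAUSER (the client-asserted userid is believed) and an MCAUSER set to an administrative id. The sample text is constructed in the style of runmqsc `DISPLAY CHANNEL(*) CHLTYPE(SVRCONN) MCAUSER` output; the channel names MO71.ADMIN and APP1.CLIENT, the user app1usr and the `ADMIN_IDS` set are assumptions.

```python
import re

# Constructed sample, laid out like runmqsc DISPLAY CHANNEL output.
# MO71.ADMIN, APP1.CLIENT and app1usr are hypothetical names.
SAMPLE = """\
AMQ8414: Display Channel details.
   CHANNEL(SYSTEM.DEF.SVRCONN)             CHLTYPE(SVRCONN)
   MCAUSER( )
AMQ8414: Display Channel details.
   CHANNEL(MO71.ADMIN)                     CHLTYPE(SVRCONN)
   MCAUSER(mqm)
AMQ8414: Display Channel details.
   CHANNEL(APP1.CLIENT)                    CHLTYPE(SVRCONN)
   MCAUSER(app1usr)
"""

ATTR = re.compile(r"([A-Z]+)\(([^)]*)\)")   # NAME(value) pairs
ADMIN_IDS = {"mqm"}  # assumption: extend with other ids holding MQ admin authority


def parse_channels(text):
    """Split the listing into one attribute dict per channel."""
    channels, current = [], None
    for line in text.splitlines():
        if line.startswith("AMQ8414"):      # header line starts a new channel
            current = {}
            channels.append(current)
        elif current is not None:
            for name, value in ATTR.findall(line):
                current[name] = value.strip()
    return channels


def audit(text):
    """Return (channel, reason) for every SVRCONN that needs attention."""
    findings = []
    for ch in parse_channels(text):
        if ch.get("CHLTYPE") != "SVRCONN":
            continue
        name, user = ch.get("CHANNEL", "?"), ch.get("MCAUSER", "")
        if not user:
            findings.append((name, "blank MCAUSER: the userid sent by the client is believed"))
        elif user.lower() in ADMIN_IDS:
            findings.append((name, f"MCAUSER({user}): every client on this channel runs as an admin id"))
    return findings


if __name__ == "__main__":
    for channel, reason in audit(SAMPLE):
        print(f"{channel}: {reason}")
```
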