Kulbir,
I
second Peter's suggestion but wanted to comment directly on your query about
adding their accounts to your groups. The only way to do this is through a
trust relationship between the domains. (This may be called something else in
Active directory but in NT it was domain trusts.) This is a LOT bigger
deal than securing a QMgr with SSL and an MCAUSER.
As a
second alternative, why not get the offshore team their own accounts? In
our shop we put up a dedicated Windows server that the users sign onto for
a Windows desktop and access to a configuration manager. The gateway
server allows you to keep all of the domain authentication, security, server and
MQ administration in-house. When you control all the pieces, your risk is
reduced. We factored the cost of the gateway into the cost savings of
using an offshore team.
Incidentally, the advice about securing your SVRCONN applies whether your
users are authenticated in your domain or not. Even if you didn't have the
offshore team to worry about, an unsecured SVRCONN channel gives full MQ admin
authority to anyone who connects to it. Tie it down if you have not
already.
--
T.Rob
-----Original Message-----
From: MQSeries List [mailto:[EMAIL PROTECTED]On Behalf Of Potkay, Peter M (ISD, IT)
Sent: Tuesday, August 03, 2004 12:32 PM
To: [EMAIL PROTECTED]
Subject: Re: Domain users requiring access to WBI MB Config ManagerHard code a value in the MCAUSER of the SVRCONN channel used by the Toolkit, and then use SSL to insure only the users you want can use it. Then you only have to give that 1 ID access.If you don't have that channel protected by SSL and its MCAUSER is blank, it is a wide open hole for anyone to connect to with mqm authority.-----Original Message-----
From: Kulbir S. Thind [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 03, 2004 12:30 PM
To: [EMAIL PROTECTED]
Subject: Domain users requiring access to WBI MB Config Manager
Hi,
We have a W2K Configuration Manager (v5, CSD 3) installed that we need to provide access to. This is normally a straight forward step which involves adding domain accounts to the local groups used by WMQ (mqm) and WBIMB (5 groups).
However, the users we're trying to add do not belong to one of our company domains, they belong to a domain in their own company. We're trying to provide our off shore company with enough access to our configuration manager to allow them to be able to establish a domain connection, however we can't find a way of adding their domain accounts to our local groups. Has anyone done this or know of a way of being able to do this?
Thanks,
Kulbir.
This communication, including attachments, is for the exclusive use of
addressee and may contain proprietary, confidential or privileged
information. If you are not the intended recipient, any use, copying,
disclosure, dissemination or distribution is strictly prohibited. If
you are not the intended recipient, please notify the sender
immediately by return email and delete this communication and destroy all copies.
