Title: Message
In step g, if you plan on restricting groups on what MQ objects they have access to, you cannot put those groups in the mqm group. Anyone in the mqm group has 100% full authority, and you cannot take away any of it with setmqaut.
 
Put these types of groups and/or IDs not in the mqm group but somewhere else, and then add the rights they need, since they will have none to begin with, assuming you didn't put them in a group that already had some MQ authorities set.
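Putting the advice above (and step g of the quoted message) into commands, as an added example that is not from the thread: a POSIX shell dry-run that grants the non-mqm group devMQUsers only connect, GET and PUT authorities with setmqaut, plus an awk filter that flags administrative authorities in dspmqaut output. The queue manager name DEV.QM, the queue names and the shell wrapper are assumptions (the setmqaut syntax is the same at a Windows prompt).

```shell
#!/bin/sh
# Added example (not from the thread): keep an application group out of mqm and
# grant it only the authorities it needs. Queue manager and queue names are
# constructed; devMQUsers is the group named in step g.
QMGR="DEV.QM"
GROUP="devMQUsers"

# Least-privilege policy, one entry per line: <type> <name> <authorities>.
# The application connects, GETs from one queue and PUTs to another, nothing else.
policy() {
  cat <<'EOF'
qmgr DEV.QM +connect +inq
queue APP.REQUEST.IN +get +browse +inq
queue APP.REPLY.OUT +put +inq
EOF
}

# Print one setmqaut command per policy line (dry run; pipe through sh to apply).
# The queue manager object takes no -n; every other object type needs one.
emit_setmqaut() {
  policy | while read -r type name auths; do
    if [ "$type" = "qmgr" ]; then
      printf 'setmqaut -m %s -t qmgr -g %s %s\n' "$QMGR" "$GROUP" "$auths"
    else
      printf 'setmqaut -m %s -t %s -n %s -g %s %s\n' \
        "$QMGR" "$type" "$name" "$GROUP" "$auths"
    fi
  done
}

# Audit helper: read dspmqaut output on stdin and print any administrative
# authority an application group should not hold (change, delete, clear, set,
# and the context/identity pass-through rights). Only the mqm group should
# have these, which is exactly why the group must stay out of mqm.
audit_queue_auth() {
  awk '$1 ~ /^(chg|dlt|clr|set|setall|setid|passall|passid)$/ { print $1 }'
}

# Stand-alone run: show the commands, then audit a constructed dspmqaut listing
# that wrongly includes set and dlt.
emit_setmqaut
printf 'Entity devMQUsers has the following authorizations for object APP.REQUEST.IN:\n        get\n        browse\n        set\n        dlt\n' | audit_queue_auth
```

Run `dspmqaut -m DEV.QM -t queue -n APP.REQUEST.IN -g devMQUsers | audit_queue_auth` after granting; any output means the group holds more than the policy intended.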
 
-----Original Message-----
From: Urvesh Bipin Shah [mailto:[EMAIL PROTECTED]]
Sent: Thursday, September 16, 2004 8:20 AM
To: [EMAIL PROTECTED]
Subject: Re: MQIPT remote client

Hi Navin,
 
I am copying part of the email that I had sent to someone a while ago pertaining to MQ security on Windows. This is what I had understood from MQ manuals and some postings on the internet. I couldn't try this myself though. I hope this helps.
 
===========
Let's consider set-up for only the development box to start with. This development box that will host the MQ Development server will be a windows server and will be part of some domain. The domain will also have some boxes (machines) which will act as the primary domain controller (PDC) and secondary domain controller (SDC).
 
On Windows - to administer MQ, the user must be a member of a group named 'mqm' or should be a member of the 'Administrators' group. 'mqm' group is created, if one does not exist, automatically at the time of installation. Now the user who needs to administer can either log on to the dev. box locally or via the network. This user can get the administration rights if he is a member of the mqm or Administrators group of the local machine. But he also needs to be granted the administration rights if he logs on via some other machine on the network. The following steps should enable this user (or more users, as needed) to administer MQ on the dev. box irrespective of where he logs on from. Let's name this user USER1
 
a. delete any local groups named 'mqm' (without the quotes) on the dev. box
 
b. on the PDC, create a global group named 'MQAdmGrp' (group that will have the administration rights to the dev. MQ server)
 
c. add USER1 (from the domain, USER1 may be qualified with the domain name, e.g. [EMAIL PROTECTED]) to this group. You can also add more users who need the administration rights
 
d. on the dev. box, create a local group named 'mqm'
 
e. add the global group 'MQAdmGrp' to this local group 'mqm' created on the dev. box (this should grant access to all users in MQAdmGrp to administer the dev. MQ server)
 
f. if you want to add a local user of the dev. box then you can add that user either to the local group 'mqm' created in step 'd' above or the 'Administrators' group of the dev. box
 
g. for access control to various MQ objects, you can use the 'setmqaut' command. You can create user groups on the PDC for different access levels. One such group, say for application developers, could be 'devMQUsers', and then use the 'setmqaut' command on the dev. MQ server to grant access to this group on the queue manager, queues, processes, etc.
===========
 
Thanks and best regards,
 
Urvesh.
-----Original Message-----
From: MQSeries List [mailto:[EMAIL PROTECTED]] On Behalf Of Navin Vali
Sent: Thursday, September 16, 2004 3:46 PM
To: [EMAIL PROTECTED]
Subject: MQIPT remote client

Hi All,

Have implemented MQIPT so can filter IPs and at the same time implemented Security Exit in MQIPT which makes it possible for user to connect to certain CHANNELS only.

Implemented CHANNEL level Security Exits in MQ server which work in tandem with the Security Exits at client side. HandShake, UserName transfer and then Password transfer and then UserName and Password authentication based on the NT security mechanism i.e. user has to exist in Windows. And then the user can place the message in the desired queue.

But the problem is the user coming from the remote client has to be there in the MQM group. And as soon as you add the user in MQM group he gets all the MQI rights and MQAdmin rights like create, drop, change etc. which is wrong.

I want to give the user only rights for GET on certain queue and PUT in another queue. Queue level rights. Trying to use SETMQAUT and DSPMQAUT but of no use, as the user can't place the message if he is not in the MQM group, and as soon as you enter him in the MQM group he has all the rights, which cannot be altered using the above said commands.

Any thoughts !!!

Thanks in Advance

Navin