Pete
 
   That is disappointing at best.  It looks like a security hole. 
 
    Do you have the RESLEVEL set to NONE for the Chinit?   I thought if you set PUTAUT to ONLYMCA with RESLEVEL set to NONE, then it should enforce the validation of the Userid.  Did you try this on QMGR to QMGR connection as well?  I am very interested in how this turns out.  If you prefer, I can go off list.
 
Thanks
    Frank
-----Original Message-----
From: MQSeries List [mailto:[EMAIL PROTECTED] On Behalf Of Peter Gersak
Sent: Tuesday, November 23, 2004 5:17 AM
To: [EMAIL PROTECTED]
Subject: MQ on z/OS security (SSL) question.


Hello,
I noticed strange MQ SVRCONN channel behavior. The channel is enabled for SSL encryption and an SSL client certificate is enforced.
The client certificate's public keys are stored in RACF. The channel parameters are:
DEFINE CHANNEL ('CHLA') +
       CHLTYPE(SVRCONN) +
       TRPTYPE(TCP) +
       DESCR('MQ SVRCONN chl for users') +
       QSGDISP(QMGR) +
       PUTAUT(DEF) +
       MAXMSGL(104857600) +
       MCAUSER(' ') +
       RCVDATA(' ') +
       RCVEXIT(' ') +
       SCYDATA(' ') +
       SCYEXIT(' ') +
       SENDDATA(' ') +
       SENDEXIT(' ') +
       SSLCAUTH(REQUIRED) +
       SSLCIPH('TRIPLE_DES_SHA_US') +
       SSLPEER(' ') +
       KAINT(AUTO) +
       REPLACE

From RACF I have removed a public certificate user and got the following message:

+CSQX632I +MQ1 CSQXRESP SSL certificate has no associated user ID, 315
 remote channel ????
 - channel initiator user ID used
+CSQX500I +MQ1 CSQXRESP Channel MQCHANN1 started

So, the certificate could not be located, so the CHINIT user id was used. But my understanding is that this connection should fail (because of the parameter
SSLCAUTH(REQUIRED)). The PUTAUT(DEF) parameter is left blank intentionally because many users with different userIDs are using the same channel.

Any suggestions? Is this normal behavior? What should I do in order to enforce SSL authentication?

Best Regards, Peter

Peter Geršak
3Gen d.o.o., Tržaška 21, 1000 Ljubljana
M: +386 31 332 787
T: +386 1 42 10 475
E: [EMAIL PROTECTED]
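The CSQX632I / CSQX500I pair quoted above is the only visible trace that a channel started under the channel initiator's user ID instead of a RACF-mapped certificate user. The following is an added example (not from the list thread or from IBM) of a small detector that scans CHINIT job log text for that pattern. It assumes the multi-line message layout shown in the post (a line beginning with "+CSQX..." starts a message, indented lines continue it) and uses a deliberately simple heuristic: a CSQX632I is attributed to the next CSQX500I "Channel ... started" that follows it. The log sample is constructed from the messages in the post plus one clean start.

```python
import re
from dataclasses import dataclass

# Constructed sample: the CSQX632I/CSQX500I pair from the post, plus one clean channel start.
SAMPLE_LOG = """\
+CSQX632I +MQ1 CSQXRESP SSL certificate has no associated user ID, 315
 remote channel ????
 - channel initiator user ID used
+CSQX500I +MQ1 CSQXRESP Channel MQCHANN1 started
+CSQX500I +MQ1 CSQXRESP Channel CHLB started
"""


@dataclass
class Record:
    msg_id: str   # e.g. "CSQX632I"
    text: str     # message text with continuation lines joined


# Assumed layout: a message starts with "+CSQXnnnX " and continuation lines are indented.
RECORD_START = re.compile(r"^\+(CSQX\d{3}[A-Z])\s+(.*)$")
CHANNEL_STARTED = re.compile(r"Channel (\S+) started")


def parse_chinit_log(log: str) -> list[Record]:
    """Group the CHINIT log into one Record per CSQX message, folding continuation lines."""
    records: list[Record] = []
    for line in log.splitlines():
        m = RECORD_START.match(line)
        if m:
            records.append(Record(m.group(1), m.group(2).strip()))
        elif records and line[:1].isspace():
            # indented line: continuation of the previous message
            records[-1].text += " " + line.strip()
    return records


def find_fallback_starts(log: str) -> list[dict]:
    """Report every channel start and whether it was preceded by a CSQX632I
    (certificate with no associated RACF user ID, so the CHINIT user ID was used).

    Heuristic (assumption): the CSQX632I belongs to the next CSQX500I after it.
    """
    findings: list[dict] = []
    pending: Record | None = None
    for rec in parse_chinit_log(log):
        if rec.msg_id == "CSQX632I":
            pending = rec
        elif rec.msg_id == "CSQX500I":
            m = CHANNEL_STARTED.search(rec.text)
            channel = m.group(1) if m else "?"
            if pending is not None:
                findings.append({"channel": channel, "fallback": True, "detail": pending.text})
                pending = None
            else:
                findings.append({"channel": channel, "fallback": False, "detail": rec.text})
    return findings


if __name__ == "__main__":
    for f in find_fallback_starts(SAMPLE_LOG):
        flag = "ALERT: started under CHINIT user ID" if f["fallback"] else "ok"
        print(f"{f['channel']:<10} {flag}")
```

Run against a real job log, every "ALERT" line is a channel whose client presented a certificate that RACF could not map to a user, which is exactly the case the post describes as an unexpected success rather than a connection failure.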


