With all the recent events concerning WMQ security lately, I've been staying busy doing assessments and remediations. But I've been to only a very small sample of WMQ shops and I know that many of you out there are actively addressing these issues or looking seriously into it.
Not setting MCAUSER at all leaves the channel running with admin authority and there is nothing in WMQ that strongly authenticates a remote user ID at the OAM level. The best authentication we have of remote identities is the SSL certificate but that starts and ends on the link and does not extend down into the API calls where OAM can act on it. Generally you can hard-code an MCAUSER for a channel but you get more granularity if you can set the MCAUSER dynamically.

The recommendation I make in my security presentation is to use BlockIP2 or MS0R to map that SSL certificate down to the MCAUSER to expose a strongly authenticated ID to the OAM. This has raised issues for some shops in that:

- The shop may not have the skillset to compile and/or maintain BlockIP2 if there are Production problems.
- MS0R is Cat2 and you cannot raise a PMR against it.

If your shop is struggling with either or both of these issues, please let me know. Especially if it is preventing you from moving ahead with security remediation. Off-list response is fine if you wish to remain confidential. My IBM email address is in the signature below. All I can tell you is that I am not planning to use the information to market to you unless you specifically request information on security assessment and remediation services.

Thanks!

-- T.Rob
T.Robert Wyatt, Consulting IT Specialist
IBM Software Services for WebSphere
WebSphere MQ Security Focused Practice
email: [EMAIL PROTECTED]
http://www.linkedin.com/in/tdotrob
704-719-2107 Access Line

Archive: http://listserv.meduniwien.ac.at/archives/mqser-l.html
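The post recommends mapping the SSL certificate presented on the channel down to an MCAUSER so that OAM sees a strongly authenticated ID. The following is an added example, written for this page and not taken from BlockIP2, MS0R or the post's author; it runs outside WMQ and only models the decision a channel security exit makes. The rule table, the distinguished names, the case-insensitive value matching and the function names are all assumptions made for illustration. It goes slightly beyond the post by showing the fail-closed behaviour a practitioner wants: a peer with no certificate, a DN that matches no rule, or a rule that would leave MCAUSER blank is rejected rather than allowed to run with the MCA's own (administrative) authority.

```python
"""Model of the SSL-DN-to-MCAUSER mapping a WMQ channel security exit performs.

Added example for illustration only: not BlockIP2 or MS0R code, and not
part of the original post. Rule syntax, DNs and function names are assumed.
"""
import fnmatch

# Constructed rule table: (DN pattern, MCAUSER). First match wins, so the
# most specific pattern comes first. A '*' matches within a single attribute
# value only, so 'CN=*' cannot swallow the rest of the DN.
MAPPING_RULES = [
    ("CN=payments-*,OU=Apps,O=Example Corp,C=US", "payapp"),
    ("CN=*,OU=Apps,O=Example Corp,C=US", "appuser"),
    ("CN=*,OU=Monitoring,O=Example Corp,C=US", "mqmon"),
]


def parse_dn(dn):
    """Split 'CN=a,OU=b' into [('CN', 'a'), ('OU', 'b')].

    Attribute types are upper-cased; values keep their case. This toy parser
    does not handle escaped commas or quoted values (assumption).
    """
    if not dn or not dn.strip():
        return []
    pairs = []
    for rdn in dn.split(","):
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError("malformed RDN: %r" % rdn)
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def dn_matches(pattern, dn):
    """True when every RDN of the pattern matches the corresponding RDN of dn.

    Both DNs must have the same number of RDNs in the same order; attribute
    types compare exactly, values compare case-insensitively (assumption) with
    shell-style wildcards allowed in the pattern.
    """
    p = parse_dn(pattern)
    d = parse_dn(dn)
    if len(p) != len(d):
        return False
    for (pa, pv), (da, dv) in zip(p, d):
        if pa != da:
            return False
        if not fnmatch.fnmatchcase(dv.lower(), pv.lower()):
            return False
    return True


def map_dn_to_mcauser(peer_dn, rules=MAPPING_RULES):
    """Return ('ACCEPT', mcauser) or ('REJECT', reason).

    Fails closed: a peer that presents no certificate DN, a DN that matches
    no rule, or a rule mapping to a blank MCAUSER is refused. A blank MCAUSER
    would run the channel under the MCA's own ID, which is the admin-authority
    situation the mapping exists to prevent.
    """
    try:
        if not parse_dn(peer_dn):
            return ("REJECT", "no peer certificate DN presented")
    except ValueError as exc:
        return ("REJECT", "unparseable DN: %s" % exc)
    for pattern, mcauser in rules:
        if dn_matches(pattern, peer_dn):
            if not mcauser or not mcauser.strip():
                return ("REJECT", "rule %r maps to a blank MCAUSER" % pattern)
            return ("ACCEPT", mcauser)
    return ("REJECT", "DN %r matches no mapping rule" % peer_dn)


if __name__ == "__main__":
    # Constructed sample peer DNs as an SSL channel would present them.
    samples = [
        "CN=payments-01,OU=Apps,O=Example Corp,C=US",
        "CN=hr-batch,OU=Apps,O=Example Corp,C=US",
        "cn=probe,ou=monitoring,o=example corp,c=us",
        "CN=intruder,OU=Apps,O=Other Corp,C=US",
        "",
    ]
    for dn in samples:
        print("%-48s -> %s" % (dn or "<no certificate>", map_dn_to_mcauser(dn)))
```

In a real exit the REJECT branch corresponds to closing the channel, and the ACCEPT branch sets the channel's MCAUSER for the life of the connection; the mapped ID still needs its own setmqaut grants, which is the point of exposing it to the OAM in the first place.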
