Title: Message
'mqm' group for MQ administrators only and creation of separate groups for different levels of access to MQ objects is what I had meant. Please excuse me if it was confusing.
-Original Message-
From: MQSeries List [mailto:[EMAIL PROTECTED] On Behalf Of Potkay, Peter M (ISD, IT)
Sent: Thursday, September 16, 2004 6:10 PM
To: [EMAIL PROTECTED]
Subject: Re: MQIPT remote client
In step g, if you plan on restricting groups on what MQ objects they have access to, you cannot put those groups in the mqm group. Anyone in the mqm group has 100% full authority, and you cannot take away any of it with setmqaut.
Put these types of groups and/or IDs not in the mqm group but somewhere else, and then add the rights they need, since they will have none to begin with, assuming you didn't put them in a group that already had some MQ authorities set.
-Original Message-
From: Urvesh Bipin Shah [mailto:[EMAIL PROTECTED]
Sent: Thursday, September 16, 2004 8:20 AM
To: [EMAIL PROTECTED]
Subject: Re: MQIPT remote client
Hi Navin,
I am copying part of the email that I had sent to someone a while ago pertaining to MQ security on Windows. This is what I had understood from MQ manuals and some postings on the internet. I couldn't try this myself though. I hope this helps.
===
Let's consider set-up for only the development box to start with. This development box that will host the MQ Development server will be a Windows server and will be part of some domain. The domain will also have some boxes (machines) which will act as the primary domain controller (PDC) and secondary domain controller (SDC).
On Windows - to administer MQ, the user must be a member of a group named 'mqm' or should be a member of the 'Administrators' group. The 'mqm' group is created, if one does not exist, automatically at the time of installation. Now the user who needs to administer can either log on to the dev. box locally or via the network. This user can get the administration rights if he is a member of the mqm or Administrators group of the local machine. But he also needs to be granted the administration rights if he logs on via some other machine on the network. The following steps should enable this user (or more users, as needed) to administer MQ on the dev. box irrespective of where he logs on from. Let's name this user USER1.
a. delete any local groups named 'mqm' (without the quotes) on the dev. box
b. on the PDC, create a global group named 'MQAdmGrp' (group that will have the administration rights to the dev. MQ server)
c. add USER1 (from the domain, USER1 may be qualified with the domain name, e.g. [EMAIL PROTECTED]) to this group. You can also add more users who need the administration rights
d. on the dev. box, create a local group named 'mqm'
e. add the global group 'MQAdmGrp' to this local group 'mqm' created on the dev. box (this should grant access to all users in MQAdmGrp to administer the dev. MQ server)
f. if you want to add a local user of the dev. box then you can add that user either to the local group 'mqm' created in step 'd' above or the 'Administrators' group of the dev. box
g. for access control to various MQ objects, you can use the 'setmqaut' command. You can create user groups on the PDC for different access levels. One such group, say for application developers, could be 'devMQUsers', and then use the 'setmqaut' command on the dev. MQ server to grant access to this group on the queue manager, queues, processes, etc.
===
Thanks and best regards,
Urvesh.
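As an added example (not code from any message in this thread), the POSIX shell script below does what Peter's reply and step g describe: the application group stays out of 'mqm' and is given only the MQI authorities it needs with setmqaut, then dspmqaut shows the result for review. The queue manager name DEV.QM1, the queues APP.REQUEST and APP.REPLY, and the MQ_DRY_RUN switch are assumptions of this example; 'devMQUsers' is the group named in step g, and the setmqaut/dspmqaut syntax is the same on the Windows MQ server command line.

```shell
#!/bin/sh
# Added example, not from the thread: grant a non-mqm group only the MQI
# authorities it needs instead of adding its users to 'mqm'. Assumed names:
# queue manager DEV.QM1, queues APP.REQUEST/APP.REPLY; 'devMQUsers' is the
# group from step g. MQ_DRY_RUN=1 prints the commands instead of running them.
QMGR="${QMGR:-DEV.QM1}"
GROUP="${GROUP:-devMQUsers}"
run() {
    if [ "${MQ_DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Queue manager: connect, inquire, display only. No +alladm, +set or +altusr,
# so the group cannot administer objects or put messages under other user IDs.
grant_qmgr_connect() {
    run setmqaut -m "$QMGR" -t qmgr -g "$GROUP" +connect +inq +dsp
}

# One queue; $2 selects the direction the application actually uses.
grant_queue() {
    queue="$1"; mode="$2"
    case "$mode" in
        put)  auths="+put +inq +dsp" ;;
        get)  auths="+get +browse +inq +dsp" ;;
        both) auths="+put +get +browse +inq +dsp" ;;
        *)    echo "grant_queue: unknown mode '$mode'" >&2; return 1 ;;
    esac
    # $auths is unquoted on purpose: each +auth must be a separate argument.
    run setmqaut -m "$QMGR" -t queue -n "$queue" -g "$GROUP" $auths
}

# Review the result rather than trusting the grants.
show_queue_auths() {
    run dspmqaut -m "$QMGR" -t queue -n "$1" -g "$GROUP"
}

grant_dev_group() {
    grant_qmgr_connect &&
    grant_queue APP.REQUEST put &&
    grant_queue APP.REPLY get &&
    show_queue_auths APP.REQUEST &&
    show_queue_auths APP.REPLY
}

main() {
    case "${1:-dry-run}" in
        apply)   grant_dev_group ;;
        dry-run) MQ_DRY_RUN=1 grant_dev_group ;;
        *)       echo "usage: $0 [dry-run|apply]" >&2; return 2 ;;
    esac
}
main "$@"
```

Run it with no argument to print the commands first, and with `apply` on the MQ server once the list looks right.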
-Original Message-
From: MQSeries List [mailto:[EMAIL PROTECTED] On Behalf Of Navin Vali
Sent: Thursday, September 16, 2004 3:46 PM
To: [EMAIL PROTECTED]
Subject: MQIPT remote client
Hi All,
Have implemented MQIPT so can filter IPs and at the same time implemented Security Exit in MQIPT which makes it possible for user to connect to certain CHANNELS only.
Implemented CHANNEL level Security Exits in MQ server which work in tandem with the Security Exits at client side. HandShake, UserName transfer and then Password transfer and then UserName and Password authentication based on the NT security mechanism i.e. user has to exist in Windows. And then the user can place the message in the desired queue.
But the problem is the user coming from the remote client has to be there in the MQM group. And as soon as you add the user in MQM group he gets all the MQI rights and MQAdmin rights like create, drop, change