Re: MQIPT remote client

2004-09-16 Thread Urvesh Bipin Shah



Hi Navin,

I am copying part of the email that I had sent to someone a while ago pertaining to MQ security on Windows. This is what I had understood from MQ manuals and some postings on the internet. I couldn't try this myself though. I hope this helps.

===

Let's consider the set-up for only the development box to start with. This development box, which will host the MQ development server, will be a Windows server and will be part of some domain. The domain will also have some boxes (machines) which will act as the primary domain controller (PDC) and secondary domain controller (SDC).

On Windows, to administer MQ, the user must be a member of a group named 'mqm' or should be a member of the 'Administrators' group. The 'mqm' group is created automatically at the time of installation, if one does not exist. Now the user who needs to administer can either log on to the dev. box locally or via the network. This user can get the administration rights if he is a member of the mqm or Administrators group of the local machine. But he also needs to be granted the administration rights if he logs on via some other machine on the network. The following steps should enable this user (or more users, as needed) to administer MQ on the dev. box irrespective of where he logs on from. Let's name this user USER1.

a. delete any local groups named 'mqm' (without the quotes) on the dev. box

b. on the PDC, create a global group named 'MQAdmGrp' (the group that will have the administration rights to the dev. MQ server)

c. add USER1 (from the domain; USER1 may be qualified with the domain name, e.g. [EMAIL PROTECTED]) to this group. You can also add more users who need the administration rights

d. on the dev. box, create a local group named 'mqm'

e. add the global group 'MQAdmGrp' to this local group 'mqm' created on the dev. box (this should grant access to all users in MQAdmGrp to administer the dev. MQ server)

f. if you want to add a local user of the dev. box, then you can add that user either to the local group 'mqm' created in step 'd' above or to the 'Administrators' group of the dev. box

g. for access control to various MQ objects, you can use the 'setmqaut' command. You can create user groups on the PDC for different access levels. One such group, say for application developers, could be 'devMQUsers'; then use the 'setmqaut' command on the dev. MQ server to grant access to this group on the queue manager, queues, processes, etc.
===

Thanks and best regards,

Urvesh.

  
  -Original Message-
  From: MQSeries List [mailto:[EMAIL PROTECTED]] On Behalf Of Navin Vali
  Sent: Thursday, September 16, 2004 3:46 PM
  To: [EMAIL PROTECTED]
  Subject: MQIPT remote client
  
  Hi All,

  Have implemented MQIPT so can filter IPs and at the same time implemented a Security Exit in MQIPT which makes it possible for a user to connect to certain CHANNELS only.

  Implemented CHANNEL level Security Exits in the MQ server which work in tandem with the Security Exits at the client side. Handshake, username transfer and then password transfer, and then username and password authentication based on the NT security mechanism, i.e. the user has to exist in Windows. And then the user can place the message in the desired queue.

  But the problem is the user coming from the remote client has to be there in the MQM group. And as soon as you add the user to the MQM group he gets all the MQI rights and MQAdmin rights like create, drop, change etc., which is wrong.

  I want to give the user only rights for GET on a certain queue and PUT on another queue. Queue level rights. Trying to use SETMQAUT and DSPMQAUT but of no use, as the user can't place the message if he is not in the MQM group, and as soon as you enter him in the MQM group he has all the rights, which cannot be altered using the above said commands.

  Any thoughts!!!

  Thanks in Advance
  Navin
  
  
  
  
  ALL-NEW Yahoo! Messenger - all new features - even more fun!



Re: MQIPT remote client

2004-09-16 Thread Potkay, Peter M (ISD, IT)



In step g, if you plan on restricting groups on what MQ objects they have access to, you cannot put those groups in the mqm group. Anyone in the mqm group has 100% full authority, and you cannot take away any of it with setmqaut.

Put these types of groups and/or IDs not in the mqm group but somewhere else, and then add the rights they need, since they will have none to begin with, assuming you didn't put them in a group that already had some MQ authorities set.


  -Original Message-
  From: Urvesh Bipin Shah [mailto:[EMAIL PROTECTED]]
  Sent: Thursday, September 16, 2004 8:20 AM
  To: [EMAIL PROTECTED]
  Subject: Re: MQIPT remote client
  

-Original Message-
From: MQSeries List [mailto:[EMAIL PROTECTED]] On Behalf Of Navin Vali
Sent: Thursday, September 16, 2004 3:46 PM
To: [EMAIL PROTECTED]
Subject: MQIPT remote client


This communication, including attachments, is for the exclusive use of addressee and may contain proprietary, confidential or privileged information
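Added example, not code from the thread: the group layout Urvesh's steps d and e describe for administrators, combined with Peter's rule that application identities stay out of mqm and receive their rights through setmqaut, written as the commands typed on the Windows MQ server. The queue manager name QM1, the queues APP.REQUEST and APP.REPLY, the domain group DOMAIN\MQAdmGrp, the local group devMQUsers and the user DOMAIN\appuser are assumed names for illustration; setmqaut, dspmqaut and net localgroup are the real commands.

```powershell
# Added example, not code from the thread. Assumed names: queue manager QM1,
# queues APP.REQUEST and APP.REPLY, domain admin group DOMAIN\MQAdmGrp,
# local application group devMQUsers, domain application user DOMAIN\appuser.
# Run on the MQ server from an elevated prompt by a member of mqm.

$qm       = "QM1"
$adminGrp = "DOMAIN\MQAdmGrp"   # people who may administer the queue manager
$appGrp   = "devMQUsers"        # application identities, never members of mqm
$appUser  = "DOMAIN\appuser"

# Urvesh's steps d/e: administrators get in through a domain group nested in the
# local mqm group. Anyone in mqm has full authority, so only admins belong here.
net localgroup mqm $adminGrp /add

# Peter's point: an application ID placed in mqm is a full MQ administrator and
# setmqaut cannot take any of that away. Make sure the application user is not there.
$mqmMembers = net localgroup mqm
if ($mqmMembers -match [regex]::Escape($appUser)) {
    Write-Warning "$appUser is a member of mqm; removing it so setmqaut governs its rights"
    net localgroup mqm $appUser /delete
}

# Corrected setting: a dedicated local group that starts with no MQ authority at all.
net localgroup $appGrp /add
net localgroup $appGrp $appUser /add

# Grant only what the thread asks for. MQCONN requires +connect on the queue
# manager; +inq lets the application inquire object attributes and nothing more.
setmqaut -m $qm -t qmgr -g $appGrp +connect +inq
# GET (and browse) on one queue, PUT on the other, nothing else.
setmqaut -m $qm -t queue -n APP.REQUEST -g $appGrp +get +browse +inq
setmqaut -m $qm -t queue -n APP.REPLY   -g $appGrp +put +inq

# Verify: dspmqaut lists the authorities the entity actually holds on each object.
dspmqaut -m $qm -t qmgr  -g $appGrp
dspmqaut -m $qm -t queue -n APP.REQUEST -g $appGrp
dspmqaut -m $qm -t queue -n APP.REPLY   -g $appGrp
```

The authorities are checked against the user ID the server-connection channel runs under, which is the ID the client asserts unless the channel's MCAUSER or a security exit replaces it, so the group to populate is the one that ID belongs to. With this layout the application user gets MQRC_NOT_AUTHORIZED (2035) on anything beyond connect, get on APP.REQUEST and put on APP.REPLY, and dspmqaut shows exactly that set; membership in mqm or Administrators would override all of it, which is why the block checks mqm first.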

Re: MQIPT remote client

2004-09-16 Thread Urvesh Bipin Shah



The 'mqm' group for MQ administrators only, and creation of separate groups for different levels of access to MQ objects, is what I had meant. Please excuse me if it was confusing.

  
  -Original Message-
  From: MQSeries List [mailto:[EMAIL PROTECTED]] On Behalf Of Potkay, Peter M (ISD, IT)
  Sent: Thursday, September 16, 2004 6:10 PM
  To: [EMAIL PROTECTED]
  Subject: Re: MQIPT remote client
  
  
-Original Message-
From: Urvesh Bipin Shah [mailto:[EMAIL PROTECTED]]
Sent: Thursday, September 16, 2004 8:20 AM
To: [EMAIL PROTECTED]
Subject: Re: MQIPT remote client

  
  -Original Message-
  From: MQSeries List [mailto:[EMAIL PROTECTED]] On Behalf Of Navin Vali
  Sent: Thursday, September 16, 2004 3:46 PM
  To: [EMAIL PROTECTED]
  Subject: MQIPT remote client
  