WebSphere MQ Channel Access Security Considerations

Consider the following queue definitions:

SET AUTHREC OBJTYPE(QMGR) GROUP('mq-user') AUTHADD(INQ, DSP, CONNECT)

SET AUTHREC PROFILE(SYSTEM.MQEXPLORER.REPLY.MODEL) OBJTYPE(QUEUE) GROUP('mq-user') AUTHADD(INQ, DSP, GET)

SET AUTHREC PROFILE(SYSTEM.ADMIN.COMMAND.QUEUE) OBJTYPE(QUEUE) GROUP('mq-user') AUTHADD(INQ, DSP, PUT)

DEFINE CHANNEL($cname) CHLTYPE(SVRCONN) TRPTYPE(TCP) MCAUSER('tcs-mq-user') REPLACE

SET CHLAUTH($cname) TYPE(ADDRESSMAP) ADDRESS(*) MCAUSER('tcs-mq-user')

  • What is the meaning of MCAUSER in both DEFINE CHANNEL and SET CHLAUTH?
  • If tcs-mq-user belongs to the mq-user group?
  • Does this mean that only tcs-mq-user has access to the queue manager in binding mode? Now, if I want to grant access to another user in bind mode, should I create a couple more DEFINE CHANNEL and SET CHLAUTH commands for this user?
  • Can a channel be granted access to the mcs-user group?
+5
1 answer

OK, answers are on sale, buy one get three free today! :-) Let's take them in order...

1.A. MCAUSER - , . DEFINE CHL() CHLTYPE(SVRCONN) MCAUSER , , . , WMQ , , , . MCAUSER .

1.B. MCAUSER ADDRESSMAP MCAUSER . : " IF IP- | | SSL THEN MCAUSER , .

, CHLAUTH, , MCAUSER , , . , , CHLAUTH MCAUSER , . MCAUSER nobody , , WMQ Strategist Hursley, , no#body. WMQ V7.1 *NOACCESS , .

2. . WMQ . , "admin", "app1", "app2", "", "" .. , , .

, , . , MCAUSER , . , .

UNIX, . ( WMQ) . . . , .

3.. QMgr V7.1 . , AUTHREC, . CHLAUTH.

$cname tcs-mq-user. , , mq-user, . , - , IP- , , .

4. . № 2 , , . CHLAUTH, MCAUSER - , . MCAUSER - ID, , .

, T-Rob.net. , "" WMQ , .

+8
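An added example, not part of the original answer and not IBM's own sample: one way to narrow the question's ADDRESS(*) mapping on WMQ V7.1 or later, using the no#body and NOACCESS values the answer mentions. The channel name APP1.SVRCONN and the 192.0.2.* address range are constructed placeholders.

```mqsc
* Added example. APP1.SVRCONN and 192.0.2.* are constructed placeholders.

* Channel-level MCAUSER is set to a value that cannot be a real user ID,
* so a connection that is not remapped by a CHLAUTH rule has no authority.
DEFINE CHANNEL('APP1.SVRCONN') CHLTYPE(SVRCONN) TRPTYPE(TCP) +
       MCAUSER('no#body') REPLACE

* Default deny: every address is refused on this channel ...
SET CHLAUTH('APP1.SVRCONN') TYPE(ADDRESSMAP) ADDRESS('*') +
    USERSRC(NOACCESS) ACTION(REPLACE)

* ... except the application servers' range, which runs as tcs-mq-user.
* The more specific address pattern takes precedence over ADDRESS('*').
SET CHLAUTH('APP1.SVRCONN') TYPE(ADDRESSMAP) ADDRESS('192.0.2.*') +
    USERSRC(MAP) MCAUSER('tcs-mq-user') ACTION(REPLACE)

* What tcs-mq-user may do still comes from the AUTHREC entries of its
* group (mq-user in the question), not from the channel rules.
DISPLAY CHLAUTH('APP1.SVRCONN') ALL
```

With the question's original rule, ADDRESS(*) combined with MCAUSER('tcs-mq-user') lets a client at any address run with that ID's authority; here only the listed range is mapped and everything else is refused.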
