{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 迷人小祖宗 的问题《WebSphere MQ v7.1 Security User Credentials》','https://www.manongdao.com/q-1251357.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
Linux Server Box running WebSphere MQ Server v7.1:
I have created a user 'mq-user' that belongs to 'mq-users' group in Linux. Then I created a queue manager QM_TEST, and used MQSC to issue the following commands to create a queue and set up the security:
SET AUTHREC OBJTYPE(QMGR) PRINCIPAL('mq-user') AUTHADD(ALL)
SET AUTHREC PROFILE(SYSTEM.MQEXPLORER.REPLY.MODEL) OBJTYPE(QUEUE) PRINCIPAL('mq-user') AUTHADD(INQ,DSP,GET)
SET SET AUTHREC PROFILE(SYSTEM.ADMIN.COMMAND.QUEUE) OBJTYPE(QUEUE) PRINCIPAL('mq-user') AUTHADD(INQ,DSP,PUT)
DEFINE CHANNEL (TEST_CHANNEL) CHLTYPE (SVRCONN) TRPTYPE (TCP) MCAUSER('mq-user')
SET CHLAUTH(TEST_CHANNEL) TYPE(ADDRESSMAP) ADDRESS(*) MCAUSER('mq-user')
DEFINE QLOCAL (TEST_QUEUE)
SET AUTHREC PROFILE(TEST_QUEUE) OBJTYPE(QUEUE) PRINCIPAL('mq-user') AUTHADD(ALL)
DEFINE LISTENER (TEST_LISTENER) TRPTYPE (TCP) CONTROL (QMGR) PORT (1414)
START LISTENER (TEST_LISTENER)
Linux Client Box running WebSphere MQ Client v7.1 and WebSphere MQ Explorer:
I am logged in as my username (arrehman) which is not part of mq-users group. However I am able to access the queue I created above both via a Java Application and via MQ Explorer client without passing any user credentials. Why is it this way if security is in effect?
Any further details needed, please let me know. Thanks.
This line:
SET CHLAUTH(TEST_CHANNEL) TYPE(ADDRESSMAP) ADDRESS(*) MCAUSER('mq-user')Says the following:
TEST_CHANNEL...mq-userIn other words, enable the channel such that any connections inherit the privileges of
mq-userregardless of where they originate and what identity they present. So the behavior you are seeing is the expected behavior based on theCHLAUTHrule above.There are a few other problems with the rules as listed:
PRINCIPALrather thanGROUP. On non-windows servers if you specifyPRINCIPALwhat happens is that the QMgr looks up that ID, queries its primary group and then sets authorizations based on that. So ifmq-usershas a primary group ofstafforusersthat that is what gets authorized instead ofmq-usersand is probably not what you intended. Always usegroupso that you get the result you intend withsetmqautorAUTHREC.ALLon the QMgr makes the ID/group administrative. One of the privileges at the QMgr level isSETand any user in a group withSETrights can set, among other things, authorization control lists. So even though you only grantedAUTHADD(INQ,DSP,PUT)themq-usersID can submit PCF commands to grant all access to all objects. Only grantCONNECTandINQUIREon the QMgr if that's all you need.USERSRC(CHANNEL)on the mapping, then your ID would have been used and most likely rejected. But the rejection would have been either because it is in themqmgroup (which is blocked by a defaultCHLAUTHrule) or because there are noAUTHRECrecords for the group it is in.For more about hardening WMQ, there are a number of resources collected here. The Hardening WebSphere MQ presentation is from v7.0. Although v7.1 has new controls, the principals remain the same:
MCAUSERvalue by hard-coding it in the channel or by using an exit orCHLAUTHrule to dynamically set it