Discussion:
Queue manager default security Unix script
Tim Zielke
2014-09-23 20:29:46 UTC
Permalink
Hello,

I was just curious if anyone was aware of a published script for applying "default" security to a distributed Unix queue manager. We do have one in-house, but was just curious if there was anything published or recommended that someone was aware of, that I could compare against.

Thanks,
Tim

To unsubscribe, write to LISTSERV-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org and,
in the message body (not the subject), write: SIGNOFF MQSERIES
Instructions for managing your mailing list subscription are provided in
the Listserv General Users Guide available at http://www.lsoft.com
Archive: http://listserv.meduniwien.ac.at/archives/mqser-l.html
Roger Lacroix
2014-09-23 22:43:46 UTC
Permalink
Hi Tim,

Security script for what? file permission or user access to queue
managers or user access to queues or CHLAUTH or ??

Regards,
Roger Lacroix
Capitalware Inc.


Neil Casey
2014-09-23 23:20:39 UTC
Permalink
Hi Tim,

The IBM RedBook publication “Secure Message Scenarios with WebSphere MQ” has a chapter (chapter 9), including scripts, which covers this for MQ 7.5.
http://www.redbooks.ibm.com/abstracts/sg248069.html?Open

You will need to think about OS or LDAP considerations if you want to take advantage of the new authentication options in v8.

The additional materials include the scripts for both unix/linux and Windows.

Regards,


Neil


--
Neil Casey
Senior Consultant | Syntegrity Solutions

+61 414 615 334 neil.casey-VLLIzlmz+***@public.gmane.org
Syntegrity Solutions Pty Ltd | Level 23 | 40 City Road | Southgate | VIC 3006
Analyse >> Integrate >> Secure >> Educate

Tim Zielke
2014-09-24 01:29:59 UTC
Permalink
Thanks, Neil! That is what I was looking for.

Sid Young
2014-09-24 01:32:11 UTC
Permalink
Just a cursory flip through the publication... it looks quite good! - well
done!

Sid




--
Sid Young

Tim Zielke
2014-09-24 03:17:54 UTC
Permalink
One thing that I didn't see mentioned in the RedBook or the scripts (maybe I missed it) was the need to have CTRLX on channel objects that run under a non-mqm MCAUSER, so that the internal queue manager code can do commands like a RESET CHANNEL, if needed.

I recently came across some documentation that mentioned the need for this -> http://www-01.ibm.com/support/docview.wss?uid=swg27039002

"The fix for APAR IV31952 changed the authority checks that WebSphere MQ makes on channel objects when you run the RESET CHANNEL command. Applying this fix can give changed behavior and you might need to alter some authorities.

Your systems are affected only if your channels run with an MCAUSER userID resolving to a non-mqm user. The Reset Channel command can run internally within WebSphere MQ code, so, even though you have not run the Reset Channel command manually, your system might still be affected.

Ensure that, at a minimum, your channel's MCAUSER userID has both +DSP and +CTRLX authority on the channel object, so that the userID can run Reset Channel commands. Before the fix for IV31952, WebSphere MQ checked that the userID had +ALTUSR authority which you might previously have granted to make your channel work."


This requirement is mentioned in the MQ manual -> http://www-01.ibm.com/support/knowledgecenter/SSFKSJ_7.5.0/com.ibm.mq.sec.doc/q010710_.htm?lang=en

"If you use a user ID that is not a part of the mqm group in the MCAUSER field of a receiver channel, then you must specify the +dsp +ctrlx authority to the user ID for the channel to work, by using the setmqaut command. The MCAUSER attribute is unused for the SDR channel type."


but I thought this was somewhat easy to miss, so I thought I would mention it.

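An added worked example for the +dsp +ctrlx requirement discussed above; it is not part of the thread, the Redbook scripts, or IBM's documentation. The queue manager QM1, receiver channel TO.QM1 and OS group mqapp are hypothetical, and the dspmqaut report text is a constructed sample in the shape the real tool prints. The grant uses -g rather than -p because, on Unix with the default OAM behaviour, an authority granted with -p is stored against the user's primary group anyway; -g makes that explicit. As the Knowledge Center text quoted above notes, MCAUSER is unused on SDR channels, so this applies to the receiving side of the channel pair.

```shell
#!/bin/sh
# Added example (not from the Redbook or the list post). Hypothetical names:
# queue manager QM1, receiver channel TO.QM1, OS group mqapp that the channel's
# non-mqm MCAUSER belongs to.

# Print the setmqaut command that grants the minimum the thread describes:
# +dsp +ctrlx on the channel object, so RESET CHANNEL (which MQ may run
# internally) succeeds under a non-mqm MCAUSER. Printed rather than executed
# so it can be reviewed first, then piped to sh on the MQ host.
grant_channel_auth() {
  printf 'setmqaut -m %s -t channel -n %s -g %s +dsp +ctrlx\n' "$1" "$2" "$3"
}

# Check a dspmqaut report (read from stdin) for both authorities, e.g.
#   dspmqaut -m QM1 -t channel -n TO.QM1 -g mqapp | check_channel_auth
# dspmqaut lists each authority on its own indented line, so match whole
# lines to avoid "dsp" matching inside another word.
# Returns 0 when dsp and ctrlx are both listed, 1 otherwise (naming the gaps).
check_channel_auth() {
  report=$(cat)
  missing=""
  for auth in dsp ctrlx; do
    if ! printf '%s\n' "$report" | grep -qx "[[:space:]]*$auth"; then
      missing="$missing $auth"
    fi
  done
  if [ -n "$missing" ]; then
    printf 'channel authority missing:%s\n' "$missing" >&2
    return 1
  fi
  return 0
}

# Constructed sample reports in the shape dspmqaut prints (not real output).
SAMPLE_OK='Entity mqapp has the following authorizations for object TO.QM1 :
        dsp
        ctrlx'
SAMPLE_BAD='Entity mqapp has the following authorizations for object TO.QM1 :
        dsp'

# Stand-alone run: show the grant, then flag the report that lacks ctrlx.
grant_channel_auth QM1 TO.QM1 mqapp
printf '%s\n' "$SAMPLE_OK" | check_channel_auth && echo "TO.QM1: ok"
printf '%s\n' "$SAMPLE_BAD" | check_channel_auth || echo "TO.QM1: grant needed"
```

On a real host, replace the constructed samples with a pipeline from dspmqaut for each receiver-type channel whose MCAUSER is not in mqm; a non-zero return from check_channel_auth is the signal that the channel will fail when MQ issues an internal RESET CHANNEL.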
Neil Casey
2014-09-24 03:24:09 UTC
Permalink
Hi Tim,

thanks for pointing that out. The APAR was included in 7.5.0.1, which wasn't yet available when the RedBook was written, which probably explains why it isn't included.

I’ll try to get in touch with ITSO to work out whether it is feasible to issue an errata for the RedBook, or to issue an update including minor updates like this. I suspect it might not be a simple process, and changes will have to wait until a new edition for v8 (or v9 or v10 or …).


Regards,


Neil
T.Rob
2014-09-24 03:38:16 UTC
Permalink
I structured the book as scenarios specifically to give us the option of
modular updates. If, for example, someone did a chapter or two on V8 (the
MQ software, not the beverage) it could be added onto the end, the TOC and
to the index. During such an update, minor updates to the other text could
be incorporated. This was something of a strategy to allow the book to be
updated without a full residency. Now we get to see if that strategy works.
I may write a chapter or two but not until the new year. If someone wants
to write one, please coordinate with me as I've already talked with ITSO
about the terms under which we could crank that up.



Neil, if you want to pursue getting minor updates in without adding new
content, please feel free to contact Carla or I can work with you on that.



Finally, if we wanted to go for a full residency funds are allocated in the
fall. If they don't already have one in plan, it can't happen until 2016 at
the earliest. I seriously doubt there's funding to update the book so soon
after the last one but then again there was funding for major security work
in the product so it's feasible. I'll ask around.



Kind regards,

-- T.Rob
