Discussion:
MQ eclipse plug in for developers and access into development qmgrs.
Costa, D. (Damian)
2014-10-01 07:37:21 UTC
Hi all,
I got a request to grant a user access to view certain queues. The user is using the MQ Explorer on Eclipse. So we're getting through it slowly, but I'm starting to see access requirements into queues I feel might be a security risk.
As I'm not entirely sure how the MQ admin view works on the Explorer, is it safe to grant put auth to the SYSTEM.ADMIN.COMMAND.QUEUE so the user can view his queues?

Ta.

********************
Nedbank Limited Reg No 1951/000009/06. The following link displays
the names of the Nedbank Board of Directors and Company Secretary.
[ http://www.nedbank.co.za/terms/DirectorsNedbank.htm ]
This email is confidential and is intended for the addressee only.
The following link will take you to Nedbank's legal notice.
[ http://www.nedbank.co.za/terms/EmailDisclaimer.htm ]
********************

To unsubscribe, write to LISTSERV-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org and,
in the message body (not the subject), write: SIGNOFF MQSERIES
Neil Casey
2014-10-01 11:48:28 UTC
Hi Damian,

If they are to have the ability to query queue definitions and such, you have no choice but to grant that.

There is a tech note or DeveloperWorks (or maybe Hursley blog article) about enabling read only capability in MQ Explorer, and it is also covered in the Security Messaging Scenarios with WebSphere MQ redbook.
http://hursleyonwmq.wordpress.com/2007/02/08/using-websphere-mq-explorer-as-a-read-only-viewer/
https://t-rob.net/Downloads/20120501_1577-WebSphere_MQ_Securing_Your_Queue_Manager.pdf
http://www.redbooks.ibm.com/abstracts/sg248069.html?Open

Regards,

Neil Casey.
Costa, D. (Damian)
2014-10-01 14:03:35 UTC
I have done so bit by bit. So they can actually only see the queue I've granted the display auth on.
I feel like I'm being pulled in a million direction today. Too many masters to answer to.
Andrew Hunt
2014-10-02 07:12:54 UTC
Damian,

Here's what I use to allow GUI access for MQExplorer and MQMon:
setmqaut -m $QMGR -t qmgr -g $IDGROUP +connect +inq +set +setall +setid +dsp
setmqaut -m $QMGR -n SYSTEM.DEFAULT.MODEL.QUEUE -t queue -g $IDGROUP +browse +get +inq +put +dsp
setmqaut -m $QMGR -n 'SYSTEM.MQEXPLORER.**' -t queue -g $IDGROUP +browse +get +inq +dsp
setmqaut -m $QMGR -n SYSTEM.ADMIN.COMMAND.QUEUE -t queue -g $IDGROUP +browse +get +inq +put

You will have to then grant permissions on the queues they want to see, based on how much you trust them and which environment they are in...and how much you trust them.

hunty

David Awerbuch (BLOOMBERG/ 120 PARK)
2014-10-02 13:08:36 UTC
Hi hunty,

Why are you granting +get and +inq to the SYSTEM.ADMIN.COMMAND.QUEUE?

Applications should only +put to the queue, the responses will be returned by the command server to the queue (generally TEMPDYN) that is specified in the ReplyToQ attribute of the MQMD.

Dave

Andrew Hunt
2014-10-02 14:47:02 UTC
Dave,

I have just tested it with SYSTEM.ADMIN.COMMAND.QUEUE only having +put, and MQ Explorer does not connect to the QMGR (AMQ4036). Adding +inq allows it, so I think you can safely get away without the +get, leaving this as the suite of setmqauts to allow GUI access:

setmqaut -m $QMGR -t qmgr -g $IDGROUP +connect +inq +set +setall +setid +dsp
setmqaut -m $QMGR -n SYSTEM.DEFAULT.MODEL.QUEUE -t queue -g $IDGROUP +browse +get +inq +put +dsp
setmqaut -m $QMGR -n 'SYSTEM.MQEXPLORER.**' -t queue -g $IDGROUP +browse +get +inq +dsp
setmqaut -m $QMGR -n SYSTEM.ADMIN.COMMAND.QUEUE -t queue -g $IDGROUP +browse +inq +put

Works with MQMon also.

hunty

Dominique Courtois
2014-10-02 15:05:48 UTC
I think I remember +inq is mandatory for Java apps (MQExplorer), whatever the app is actually doing.
Regards
Dominique

Jefferson Lowrey
2014-10-02 15:16:17 UTC
It's also not entirely clear that +get on SYSTEM.ADMIN.COMMAND.QUEUE is
that harmful.

The only thing you could really do is prevent someone else from executing
a command. And even then, if the command server is running, then it's
going to be hard to catch a message before it does.

I suppose it would be possible to build some kind of malicious
intercepter, that modified reply-to-queues or stole usernames or etc. But
again, the distribution of messages across two active MQGETS is not
guaranteed. So it'd be really hit-or-miss, or you'd have to know a lot
about msgids/correlids that you're trying to steal.

Denying +get except where it is known to be needed is obviously a good
idea.

I'm sure T.Rob has some thoughts on the matter, but these are mine.

Thank you,

Jeff Lowrey

Tim Zielke
2014-10-02 16:36:25 UTC
FYI,

When I run an application activity trace on an MQExplorer at 7.5, I see MQExplorer opening the SYSTEM.ADMIN.COMMAND.QUEUE with the open options of 8240.

The open options decimal value 8240 converts to:
MQOO_OUTPUT
MQOO_INQUIRE
MQOO_FAIL_IF_QUIESCING

Thanks,
Tim

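The thread converges on two inputs that together tell you the least-privilege grant: the setmqaut lines Andrew Hunt posted (what was granted) and the MQOPEN options Tim Zielke read out of an application activity trace (what the client actually asks for). The script below, an added example that is not code from any poster in this thread, decodes an open-options value into MQOO_* names, maps each option to the setmqaut authority that MQ checks for it, parses the posted setmqaut lines, and reports surplus and missing authorities per queue. The MQOO_* bit values and the option-to-authority mapping are taken from the IBM MQ MQI reference; the sample setmqaut lines and the value 8240 are copied from the posts above. The function and variable names are this example's own.

```python
"""Reconcile setmqaut grants with the MQOPEN options an application really
uses, to find authorities that can be removed (or that are still missing).

Added example for the MQSERIES thread above; not code from the thread.
MQOO_* values and the MQOO->setmqaut mapping follow the IBM MQ MQI reference.
"""
import re

# MQOO_* open-option bit values (from cmqc.h).
MQOO = {
    "MQOO_INPUT_AS_Q_DEF": 0x0001,
    "MQOO_INPUT_SHARED": 0x0002,
    "MQOO_INPUT_EXCLUSIVE": 0x0004,
    "MQOO_BROWSE": 0x0008,
    "MQOO_OUTPUT": 0x0010,
    "MQOO_INQUIRE": 0x0020,
    "MQOO_SET": 0x0040,
    "MQOO_SAVE_ALL_CONTEXT": 0x0080,
    "MQOO_PASS_IDENTITY_CONTEXT": 0x0100,
    "MQOO_PASS_ALL_CONTEXT": 0x0200,
    "MQOO_SET_IDENTITY_CONTEXT": 0x0400,
    "MQOO_SET_ALL_CONTEXT": 0x0800,
    "MQOO_ALTERNATE_USER_AUTHORITY": 0x1000,
    "MQOO_FAIL_IF_QUIESCING": 0x2000,
    "MQOO_BIND_ON_OPEN": 0x4000,
    "MQOO_BIND_NOT_FIXED": 0x8000,
}

# Queue authority (setmqaut keyword) that the OAM checks for each option.
# Options absent here (e.g. MQOO_FAIL_IF_QUIESCING) carry no authority check.
MQOO_TO_AUTH = {
    "MQOO_INPUT_AS_Q_DEF": "get",
    "MQOO_INPUT_SHARED": "get",
    "MQOO_INPUT_EXCLUSIVE": "get",
    "MQOO_BROWSE": "browse",
    "MQOO_OUTPUT": "put",
    "MQOO_INQUIRE": "inq",
    "MQOO_SET": "set",
    "MQOO_PASS_IDENTITY_CONTEXT": "passid",
    "MQOO_PASS_ALL_CONTEXT": "passall",
    "MQOO_SET_IDENTITY_CONTEXT": "setid",
    "MQOO_SET_ALL_CONTEXT": "setall",
}

# Constructed sample input: Andrew Hunt's revised grants, copied from the thread.
SAMPLE_SETMQAUT = [
    "setmqaut -m $QMGR -t qmgr -g $IDGROUP +connect +inq +set +setall +setid +dsp",
    "setmqaut -m $QMGR -n SYSTEM.DEFAULT.MODEL.QUEUE -t queue -g $IDGROUP +browse +get +inq +put +dsp",
    "setmqaut -m $QMGR -n 'SYSTEM.MQEXPLORER.**' -t queue -g $IDGROUP +browse +get +inq +dsp",
    "setmqaut -m $QMGR -n SYSTEM.ADMIN.COMMAND.QUEUE -t queue -g $IDGROUP +browse +inq +put",
]
# Constructed sample input: the MQOPEN options Tim Zielke saw in the activity trace.
OBSERVED_OPEN_OPTIONS = {"SYSTEM.ADMIN.COMMAND.QUEUE": 8240}


def decode_open_options(value):
    """Return the MQOO_* names whose bits are set in a numeric Options value."""
    names = [name for name, bit in MQOO.items() if value & bit]
    leftover = value & ~sum(MQOO.values())
    if leftover:  # bits this table does not know; surface them rather than hide them
        names.append("UNKNOWN_0x%X" % leftover)
    return names


def required_auths(value):
    """Minimum setmqaut queue authorities for an MQOPEN with these options."""
    return {MQOO_TO_AUTH[n] for n in decode_open_options(value) if n in MQOO_TO_AUTH}


def parse_setmqaut(line):
    """Parse one setmqaut command into (object name, object type, granted set).
    Only -n, -t and +auth tokens are interpreted; -m/-g/-p values are skipped."""
    m = re.search(r"setmqaut\s+(.*)", line)
    if not m:
        raise ValueError("not a setmqaut line: %r" % line)
    tokens = m.group(1).split()
    name, otype, granted = None, None, set()
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "-n":
            name = tokens[i + 1].strip("'\"")
            i += 2
        elif tok == "-t":
            otype = tokens[i + 1]
            i += 2
        else:
            if tok.startswith("+"):
                granted.add(tok[1:])
            i += 1
    return name, otype, granted


def reconcile(granted, open_options):
    """Compare a granted authority set with what the observed MQOPEN needs."""
    needed = required_auths(open_options)
    return {"missing": sorted(needed - granted), "surplus": sorted(granted - needed)}


def audit(setmqaut_lines, observed):
    """Per queue with an observed MQOPEN, report surplus and missing authorities."""
    report = {}
    for line in setmqaut_lines:
        name, otype, granted = parse_setmqaut(line)
        if otype == "queue" and name in observed:
            report[name] = reconcile(granted, observed[name])
    return report


if __name__ == "__main__":
    print(decode_open_options(8240))
    for queue, result in audit(SAMPLE_SETMQAUT, OBSERVED_OPEN_OPTIONS).items():
        print(queue, result)
```

Run against the thread's own numbers, the command queue comes out with nothing missing and +browse as surplus: the trace shows only MQOO_OUTPUT and MQOO_INQUIRE, which is exactly the +put and +inq that Hunt's AMQ4036 test found necessary. A single trace record covers one code path, so treat a surplus entry as a candidate to remove and retest, not as proof; and this only covers queue-level MQOPEN checks, not the qmgr-level +connect/+inq or the reply queues created from SYSTEM.DEFAULT.MODEL.QUEUE. On a live queue manager, the granted set is better read with dmpmqaut than scraped from a script.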
