<p>No, WAS is treated like any other connection.</p>
<p>In version 6 and earlier of WAS it will send a blank ID if the user ID on the WMQ connection is not specified. You can tell if this is the case by looking at the channel status while WAS is connected. The MCAUSER of the running channel will contain the ID that was used to connect. If the running channel status shows no MCAUSER value then WAS did not present an ID.</p>
<p>The other possibility is that the SVRCONN channel <em>definition</em> (not status) has a value such as <code>mqm</code> in the MCAUSER. In this case, the ID presented during the connection request is ignored. Again, check the channel status to see what ID is being used at run time or just check the SVRCONN channel definition to look for an MCAUSER value.</p>
<p>Now here's the kicker - if the channel's MCAUSER is blank then WMQ will accept whatever ID is presented. If no ID is presented, then the connected app or user runs as an administrator. If an app or user can be a WMQ administrator then they can do anything on the QMgr and can also remotely execute arbitrary OS commands on the server under the QMgr. Not good.</p>
<p>The correct answer is to set the MCAUSER on the channel to whatever value the app is supposed to connect as. At this point, the app cannot use any other ID because the channel will override it. However, anyone can connect to that channel so the next step is to authenticate the connection request. You can use an exit like <a href="http://mrmq.dk" rel="nofollow noreferrer">BlockIP2</a> which is free or <a href="http://capitalware.biz" rel="nofollow noreferrer">MQAUSX</a> which is a commercial vendor product. BlockIP2 will filter incoming requests by IP address which may be sufficient for connections arriving from a static IP in a locked datacenter. MQAUSX will actually check the UserID and password sent during the connection request from WAS (or any client, for that matter). You can also use SSL and the channel's SSLPEER attribute to authenticate requests using X.509 certs. Note that if you use MQAUSX to validate a user ID and password either use SSL encryption with it or use both the client-side and server-side versions of the exit. Otherwise your credentials are flowed in cleartext over the wire which defeats the purpose.</p>
<p>Of course, if you secure the app's channel it's necessary to secure the other channels on the host such as SYSTEM.DEF.* and SYSTEM.AUTO.* or else an attacker will simply bypass the app channel.</p>
<p>Note that if the RCVR, RQSTR and CLUSRCVR channels do not authenticate requests or contain an MCAUSER value they also expose admin access. For example, if I want to control your QMgr and you locked the SVRCONN channels, I'd create a QMgr on my desktop, delete my SYSTEM.DEF.RECEIVER, create a new <em>SDR</em> channel called SYSTEM.DEF.RCVR and point it at your QMgr. If your SYSTEM.DEF.RCVR (or S.D.RQSTR or S.D.CLUSRCVR) or any other of these channel types that you have defined lack SSL or an exit then I can connect and if they lack an MCAUSER then I can administer the QMgr anonymously and execute OS commands.</p>
<p><strong><em>Any channel definition without an MCAUSER value allows administrative access.</em><br> <em>Any channel without SSL/SSLPEER and/or an exit allows anonymous connections.</em></strong></p>
<p>For more on this, please see the WMQ Hardening presentation and WMQ Security Lab documents at <a href="https://t-rob.net/links" rel="nofollow noreferrer">https://t-rob.net/links</a>. Also, please see the articles on SSL and other WMQ security topics in the <a href="http://bit.ly/MisMesIDX" rel="nofollow noreferrer">Mission:Messaging</a> column on IBM developerWorks Tech Journal.</p>
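As an added example, not part of the answer above and not IBM tooling, the following Python script turns the two boldface rules into an audit: it parses constructed runmqsc DISPLAY CHANNEL output (the channel names, cipher and SSLPEER values are made up; the attribute names are real MQSC attributes) and flags inbound channel definitions that have a blank MCAUSER or neither SSLCIPH/SSLPEER nor a security exit (SCYEXIT).

```python
import re
# Constructed sample shaped like runmqsc "DISPLAY CHANNEL(*) ALL" output: the
# attribute names are real MQSC attributes, channel names and values are made up.
SAMPLE_MQSC_OUTPUT = """\
AMQ8414: Display Channel details.
   CHANNEL(APP1.SVRCONN)                   CHLTYPE(SVRCONN)
   MCAUSER(appuser)                        SCYEXIT( )
   SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA256) SSLPEER(CN=app1,O=Example)
AMQ8414: Display Channel details.
   CHANNEL(SYSTEM.DEF.SVRCONN)             CHLTYPE(SVRCONN)
   MCAUSER( )                              SCYEXIT( )
   SSLCIPH( )                              SSLPEER( )
AMQ8414: Display Channel details.
   CHANNEL(SYSTEM.DEF.RECEIVER)            CHLTYPE(RCVR)
   MCAUSER( )                              SCYEXIT( )
   SSLCIPH( )                              SSLPEER( )
AMQ8414: Display Channel details.
   CHANNEL(QM1.TO.QM2)                     CHLTYPE(SDR)
   MCAUSER( )                              SCYEXIT( )
   SSLCIPH( )                              SSLPEER( )
"""
ATTR_RE = re.compile(r"([A-Z]+)\(([^)]*)\)")
INBOUND_TYPES = {"SVRCONN", "RCVR", "RQSTR", "CLUSRCVR"}  # outbound SDR is skipped

def parse_channels(text):
    """Return one {ATTR: value} dict per channel; a blank 'MCAUSER( )' becomes ''."""
    channels, current = [], None
    for line in text.splitlines():
        if line.startswith("AMQ8414"):  # each channel block starts with this message
            current = {}
            channels.append(current)
        elif current is not None:
            for name, value in ATTR_RE.findall(line):
                current[name] = value.strip()
    return channels

def audit(channels):
    """Apply the two rules from the answer; returns {channel name: [issue, ...]}."""
    findings = {}
    for ch in channels:
        if ch.get("CHLTYPE") not in INBOUND_TYPES:
            continue
        issues = []
        if not ch.get("MCAUSER"):
            issues.append("blank MCAUSER: presented ID is trusted and a blank ID is admin")
        if not ((ch.get("SSLCIPH") and ch.get("SSLPEER")) or ch.get("SCYEXIT")):
            issues.append("no SSLCIPH+SSLPEER and no SCYEXIT: anyone can connect")
        if issues:
            findings[ch["CHANNEL"]] = issues
    return findings
```

On a real queue manager, feed the script the saved output of `DISPLAY CHANNEL(*) ALL` from runmqsc instead of the constructed sample.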