Checking MQ authorities and MCAUSER in Linux

Tags: linux, ibm-mq, mq

I want to check all the authorities and access levels of queues and channels in my MQ-manager and check if there is a client queue or channel with administrative access. In order to do that I used ./dmpmqaut command and I successfully dumped all the objects' authorities. However, I have two problems here:

1- There are a lot of objects in my Q-manager which have the entity mqm, and their authority is set to: almqi dlt chg dsp clr. So is this normal? I mean, all I know is that the clients should not have the mqm entity name, and the authorities are not restricted at all here. Am I right?

2- I want to check the MCAUSER of all the channels and queues, like what I can see in MQ Explorer on Windows. Is there any way I can check it on a Linux machine?

A23149577 asked Mar 12 '26 21:03


1 Answer

Whenever an MQ object is created, the user who created it (or that user's primary group on non-Windows Distributed platforms) is granted all rights to the object. In practice, this usually means that the mqm group is visible on every object when you do an auths dump. On Windows, this is often adminID@domain in addition to mqm.

On Linux you can do...
echo "dis chl(*) mcauser" | runmqsc [qmgrname]
...from the command line to see what the MCAUSER is on the channels. You can also see this using MQ Explorer.

The defined MCAUSER for all inbound channels should be one that blocks all access. I used to recommend nobody but since this is potentially a valid ID on some systems, I now recommend *nobody. Note that by "inbound channels" I mean those of type RCVR, RQSTR, CLUSRCVR, and SVRCONN. By "all" I mean channels named SYSTEM.AUTO.*, SYSTEM.DEF.*, and any that you define yourself.

Make sure that an exit or a CHLAUTH rule maps the MCAUSER to the expected value when the connection request is authenticated. The CHLAUTH rules are available on any version of MQ from 7.1 on up. This mapping ensures that only an authenticated user or partner QMgr can connect.

If authorizations (setmqaut or SET AUTHREC commands) are defined without also defining the CHLAUTH rules or setting up a security exit, the effect is worse security, not better. The reason being that legitimate users will appear to have restrictions placed on their connection but malicious users will be able to easily spoof an administrative user ID.

Please see the basic MQ Security Hardening slides at http://t-rob./net/links for more on this topic.

T.Rob answered Mar 16 '26 07:03
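The runmqsc pipe in the answer prints one multi-line record per channel, which is awkward to eyeball on a queue manager with many channels. The script below is an added example (not part of T.Rob's answer or of IBM MQ) that flattens that output and flags the inbound channel types the answer names (RCVR, RQSTR, CLUSRCVR, SVRCONN) whose MCAUSER is blank, set to mqm, or set to the plain "nobody" the answer advises against. It assumes the usual runmqsc record layout (an AMQ8414I line followed by CHANNEL(...) CHLTYPE(...) and MCAUSER(...) attribute lines); the sample output embedded in SAMPLE is constructed so the script runs without a queue manager. On a real system, replace the sample pipe with `echo "DISPLAY CHANNEL(*) CHLTYPE MCAUSER" | runmqsc QMGR | audit_mcauser`.

```shell
#!/bin/sh
# Added example: audit MCAUSER on inbound MQ channels from runmqsc output.
# The output below is CONSTRUCTED to mimic "DISPLAY CHANNEL(*) CHLTYPE MCAUSER".
SAMPLE='AMQ8414I: Display Channel details.
   CHANNEL(SYSTEM.DEF.SVRCONN)             CHLTYPE(SVRCONN)
   MCAUSER( )
AMQ8414I: Display Channel details.
   CHANNEL(SYSTEM.DEF.RECEIVER)            CHLTYPE(RCVR)
   MCAUSER(*nobody)
AMQ8414I: Display Channel details.
   CHANNEL(APP.SVRCONN)                    CHLTYPE(SVRCONN)
   MCAUSER(mqm)
AMQ8414I: Display Channel details.
   CHANNEL(TO.OTHER.QM)                    CHLTYPE(SDR)
   MCAUSER( )'

# flatten_channels: read runmqsc output on stdin, emit one line per channel:
#   <channel name> <channel type> <mcauser or "<blank>">
flatten_channels() {
    awk '
      /^AMQ8414I/ { if (ch != "") print ch, ty, mu; ch = ""; ty = ""; mu = "" }
      {
        # Pull the value out of NAME(value); 8 = length of "CHANNEL(" etc.
        if (match($0, /CHANNEL\([^)]*\)/)) ch = substr($0, RSTART + 8, RLENGTH - 9)
        if (match($0, /CHLTYPE\([^)]*\)/)) ty = substr($0, RSTART + 8, RLENGTH - 9)
        if (match($0, /MCAUSER\([^)]*\)/)) {
          mu = substr($0, RSTART + 8, RLENGTH - 9)
          gsub(/ /, "", mu)            # "MCAUSER( )" means no MCAUSER is set
          if (mu == "") mu = "<blank>"
        }
      }
      END { if (ch != "") print ch, ty, mu }
    '
}

# audit_mcauser: read runmqsc output on stdin, print one finding per risky
# inbound channel, exit 1 if any finding was printed and 0 otherwise.
audit_mcauser() {
    flatten_channels | awk '
      BEGIN { inbound["RCVR"] = 1; inbound["RQSTR"] = 1
              inbound["CLUSRCVR"] = 1; inbound["SVRCONN"] = 1; n = 0 }
      !($2 in inbound) { next }      # outbound channel types are not in scope
      $3 == "<blank>" { print "BLANK  " $1 " (" $2 "): MCAUSER empty, the ID asserted by the connecting side is used"; n++; next }
      $3 == "mqm"     { print "ADMIN  " $1 " (" $2 "): MCAUSER is the mqm administrative group"; n++; next }
      $3 == "nobody"  { print "WEAK   " $1 " (" $2 "): nobody may be a real ID on this system; prefer *nobody"; n++; next }
      END { exit (n > 0) ? 1 : 0 }
    '
}

# Run against the constructed sample. On a live system, feed real runmqsc output instead.
printf '%s\n' "$SAMPLE" | audit_mcauser
rc=$?
echo "audit exit status: $rc (0 = no findings)"
```

Two of the four sample channels are flagged: SYSTEM.DEF.SVRCONN (blank MCAUSER) and APP.SVRCONN (MCAUSER mqm). The sender channel TO.OTHER.QM is skipped even though its MCAUSER is blank, because only inbound types accept a connecting partner's identity. A passing audit still says nothing about CHLAUTH rules or a security exit, which the answer describes as the other half of the mapping.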


