I am using IBM WebSphere MQ 8.x and would like to secure it.
How can I secure my WebSphere Queue Messaging with username/password, so that only valid user can perform operations.
this is how I am accessing Queue right now
Context jndiContext = getInitialContext();
String qcf= getJMSDetailsBean().getQueueConnectionFactory();
QueueConnectionFactory qconFactory = (QueueConnectionFactory) jndiContext.lookup(qcf);
qcon = qconFactory.createQueueConnection();
Could you please guide me on below:
How can I secure my MQ first?
After #1, How can I access MQ using QueueConnectionFactory ?
Thanks
Like many other things in technology there are multiple ways to accomplish the task you are asking about, below describes one method using the IBM MQ provided functionality.
To answer the simpler question first, if you want to pass a username and password to MQ you can call createQueueConnection with the arguments of username and password
createQueueConnection("username", "password")
On the MQ side if you can upgrade I would suggest you move to 9.0.0.5 LTS, if you cannot upgrade to v9.0 then I suggest you upgrade to 8.0.0.10 + IFIX IT25591, you can download the IFIX for this right from the APAR page at the top.
You do not mention which Operating system the queue manager is running on. For most operating system versions you can configure the queue manager to validate credentials against either the Operating System (IDPWOS) or LDAP (IDPWLDAP). You will point the QMGR CONNAUTH property to an AUTHINFO object with AUTHTYPE of either of the above options.
On Unix Operating Systems such as Linux you can configure IDPWOS authentication method (AUTHENMD) as either OS (uses crypt and compare against shadow password entries) or PAM (uses Pluggable Authentication Module). If you go with IDPWOS I recommend PAM because it can provided crypt and compare support (same as the OS method) but also supports anything you can do with PAM, for example authenticate against Windows Active Directory.
For security you want to tell MQ to adopt the user that is authenticated, this is the ADOPTCTX(YES) setting on the AUTHINFO object. You should configure the queue manager for ChlauthEarlyAdopt=Y in the qm.ini file (Note these are both now the default behavior in MQ v9.0.4 CD and higher and on 9.1.0.0 LTS (also 9.1.1 CD) and higher.
If you are sure you want every SVRCONN channel on the queue manager to require a valid username/password to be sent you can set CHCKCLNT(REQUIRED) on the AUTHINFO object. If you need to be more granular you can set this to CHCKCLNT(OPTIONAL) which means if a username and password is present, the password needs to be valid for the username, but it also means if a password is not provided MQ will not attempt authentication. You may want this if you for example have some existing channels where you use a different authentication method such as TLS certificates, or a security exit. If it is set to OPTIONAL at the QMGR level, you can setup CHLAUTH rules to uplift the setting to CHCKCLNT(REQUIRED) for specific channels.
Remember that if you make any changes to the queue manager CONNAUTH settings you need to run REFRESH SECURITY TYPE(CONNAUTH) for those to take effect.
If the MQ client is at MQ v8 or higher, the password if sent on a non-TLS channel will be protected by default with a 3DES encryption, the exception here is for Java and JMS clients you must enabled MQCSP mode (compatibility is the default).
The setting PasswordProtection=always can be set in the qm.ini to ensure that MQ enforces that the password must either be protected by the password protection feature or use a TLS channel with a non-NULL cipherspec. This also means that on non-TLS channels any client that is less than v8 will be rejected.
I'll update this answer provide some example commands to implement the settings above, please let me know if this answer is going in the direction you are looking for?
I scanned the Fix list for IBM MQ Version 8.0 and found the following of interest either related to CONNAUTH or security in general that are fixed in versions later than 8.0.0.3, this is not a complete list there are many more:
8.0.0.5:
IT12825: IBM MQV8: A CLIENT APPLICATION FAILS TO CONNECT TO A QUEUE MANAGER WITH ERROR AMQ9777: CHANNEL WAS BLOCKED.
IT11645: AN IBM MQ V8 CLIENT CONNECTION IS INCORRECTLY ALLOWED WHEN PASSWORDPROTECTION=ALWAYS AND USER_AUTHENTICATION_MQCSP=FALSE
CVE-2015-7473: IBM WebSphere MQ Improper access control for some local MQSC commands
CVE-2016-0259: IBM WebSphere MQ Improper access control for some display commands in local runmqsc
8.0.0.6:
CVE-2016-3052: IBM MQ Java clients might send a password in clear text
8.0.0.7:
IT18052: ChlauthEarlyAdopt modifications
8.0.0.8:
IT22419: All username/password authentication requests hang. Queue manager is configured to request via PAM
IT21306: Ensure consistency among mechanisms for enabling MQCSP authentication mode in Java
IT21384: Setting COM.IBM.MQ.CFG.JMQI.USEMQCSPAUTHENTICATION=Y does not enable the MQCSP authentication mode after IT15833
8.0.0.10:
IT20275: USERMAP CHLAUTH rules and ChlauthEarlyAdopt do not map to the correct user
8.0.0.11 (not release yet):
IT25591: Connection to queue manager fails after upgrade to MQ 8.0.0.10, error log reports user missing CTRL authority on qmgr (AMQ8077)
Related
I have a local MQ which my IIB connects to in client mode (i.e. not as a trusted application). I've set check client connection security on in the QM and now the IIB can't connect because it doesn't send a password and it's sending the wrong username (by default it uses the user that the process starts with). I've seen lots of documentation around setting dbparms mq::*. I could be wrong that but that only seems to affect the MQ Input and Output nodes ? Not the actual broker and it's config manager connections to MQ?
However, I've tried setting those values so that all client connection to my QMGR get a user/passwd but it still comes across as failing and I can see in the MQ logs that it's trying to connect using the userid that the IIB process was started with (and presumably without a password).
So, how do I get IIB to ALWAYS send a user/passwd to MQ when connecting the node/config mgr to the QM using client connections??
Clarification:
I have set mq::MQ -u -p and still the node attempts to connect to the QMGR using the ID that the MQSI process is started with and not the -u param. I have no execution groups and (of course) no flows in my broker so this can only be a core IIB component that's attempting the connection.
According to the IBM Integration Bus v10.0.0.10 Knowledge Center page "Connecting to a secured WebSphere MQ queue manager" you can set this in three ways:
On each MQ Node by specifying a Security identity property.
For all MQ connections to a named queue manager
For all MQ connections.
The order of which ID will be used is the same as above, so if you have a ID setup for all queue managers, you can override it for a specific queue manager or a specific MQ Node.
If you have a queue manager you are already connecting to called for example IIBQM, you could specify the following command so that all connections to that queue manager would use the specified username and password.
mqsisetdbparms integrationNodeName -n mq::QMGR::IIBQM -u username -p password
The KC page tells how to set it all three ways. If you have any specific questions please update your question by clicking edit and add more details and I can update my answer.
Hurrah - I've worked this out !
Although, I had not enabled chcklocal or chckclnt MQ, the fact that I had a idpwldap authinfo set meant that MQ was going to LDAP to find out who the user was that I was logging in with (presumably so that it could check what group permissions it had). So, I had to put my local user into LDAP and set its group.
This got my broker working (with no execution groups or flows). Once I deployed my simple mqinput and MQ output node flow it failed due to authorisations using the same ID. I could then see that it was binding locally and not as a client (which i had first considered). Phew - all done. So, to review: the answer was to put the user id that the mqsi bip/bipbroker process runs under into LDAP. Then give various MQ permissions so that the broker NODE and it's MQ flow NODES could connect to MQ correctly and put/get etc.
thanks for your help - and maybe this will help someone else in the future when someone puts on MQ security and they have a local QM with IIB.
Access not permitted. You are not authorized to perform this operation. (AMQ4036)
Severity: 10 (Warning)
Explanation: The queue manager security mechanism has indicated that the userid associated with this request is not authorized to access the object.
I am using same version of MQ in both machines and when I try to connect the above error occurs using Windows machines for connection.
1st, make sure you are NOT using a SYSTEM.* channel. Create a channel for your application.
2nd, add the appropriate permissions (via setmqaut) to allow the UserId to connect to the queue manager and access the queues.
IBM Support Technote "WMQ 7.1 / 7.5 / 8.0 / 9.0 queue manager RC 2035 MQRC_NOT_AUTHORIZED or AMQ4036 or JMSWMQ2013 when using client connection as an MQ Administrator" has a good write up on diagnosing and resolving this issue.
If you want more specific help, to start with please provide the following details by editing and adding them to your question. Adding them as comments does not help much since the number of characters are limited and you have no way to format them in a comment.
Version of IBM MQ installed on client and queue manager
Errors in the queue manager's AMQERR01.LOG that happen at the same time as the error you receive.
SVRCONN channel name that you are connecting too.
(First of all, sorry for my poor English)
I've got MQ client (v6.0 or higher). I use mqic32.dll to connect to MQ server. I call MQCONNX to connect to the Queue Manager. MCAUser is not specified for this manager. So, I authenticated at server as a current Windows user.
Well, my program option's window has a 'Test' button and 'Login' Edit. When 'Test' pressed, I call MQCONNX - MQOPEN - MQCLOSE - MQDISQ functions sequence to test the connection/queue opening. There are 2 types of users who starts my application - admin & operator. Admin sets options and performs connection tests, simple users sends and recieves MQ messages. They shoul log in Windows as different Windows users.
And my question is:
I call MQCONNX() being logged as Admin. What parameters (among MQCD struct [sub]fields) should i set for MQ server authenticate me as Operator.
Yes, I can start new process (CreateProcessWithLogonW) as an Operator. But is there a decision keeping me in single process?
I know, using client java- libs I can specify user. So, I think, there should be equivalent ability for mqic32.dll, am I right?
I authenticated at server as a current Windows user.
The queue manager does not authenticate an incoming connection. It will use the UserID to check if the user can do those particular actions i.e. MQCONN, MQOPEN, MQPUT, etc.. But that is not authentication.
If you have not implemented an MQ security solution then anyone can connect with any UserID they want.
I call MQCONNX() being logged as Admin. What parameters (among MQCD struct [sub]fields) should i set for MQ server authenticate me as Operator.
You need to create a client-side security exit and use MQCSP structure but it will not do you any good if you do not have a server-side security exit to read it.
Note: You cannot protect your queue manager from a client-side point of view because anyone can simply download one of the free MQ SupportPacs or one of the many free MQ applications and use it to connect to your queue manager. You need an MQ security solution that is implemented at the queue manager.
I'm a beginner on WebSphere MQ, I was working on MQ 6 and it was working fine, but now I've installed MQ 7.1 and when I try to create a new Queue Manager I can do it But it can't connect and it gives me the following error :
Do you have any idea about that? Thank you :)
You can look up any WebSphere MQ error code if either the WebSphere MQ Client or Server are installed using the mqrc command. In this case:
C:\Users\MUSR_MQADMIN>mqrc 2059
2059 0x0000080b MQRC_Q_MGR_NOT_AVAILABLE
The 2059 usually indicates that the listener is not running or the queue manager is down. There's a different error code if the listener is running and the QMgr name is wrong and another one if the connection is made to the right QMgr but the channel name is wrong. Sometimes you can get a 2059 if the channel was closed at the server side by an exit but since you didn't mention any exits, I'm assuming in this case that its listener problem.
Hopefully by now you are defining a listener object rather than using inetd or the runmqlsr command. Defining an object and setting it to start and stop under QMgr control is the most reliable way to configure it.
Once you get past the 2059, you should be aware that as of WMQ V7.1, the queue managers are secure by default and won't accept any remote client connections unless you explicitly authorize them. This is the opposite of the behavior of V6 where on a newly defined queue manager running a listener, anyone with a TCP route to it could administer it and remotely execute OS code as the mqm user. So I expect that the next problem you run into will be 2035 errors.
I've been told this means more work for the WMQ administrator. The only case in which that's true is if the V6 or earlier queue manager had been configured without security. If the tasks to secure a V7.0 QMgr are compared to the tasks to provision access on a v7.1 and higher QMgr are compared, provisioning access turnds out to be easier. However if you liked the V7.0 behavior, you can always alter the QMgr to disable CHLAUTH rules. Needless to say, leaving security enabled is highly encouraged.
To debug security errors, alter the QMgr to enable authorization events using the runmqsc command ALTER QMGR AUTHOREV(ENABLED). Next, download and install SupportPac MS0P into WebSphere MQ Explorer. Then when you do get a security error, use WebSphere MQ Explorer to look at the queue. Right-click on the queue and select the option to parse the event messages. This will tell you in excruciating detail all the information you need to debug the authorization error.
Finally, if you wish to read up on the new security features, go to t-rob.net/links and look at the conference presentations there. There are also some articles indexed if you scroll down.
In the screen-shot, I see hostname "127.0.0.1" and port # 1414. If it is a local queue manager then connect directly to it.
Also, each queue manager MUST use a unique port number. If you had it working with WMQ v6 queue manager, is this the same queue manager? If not, then make sure each queue manager uses a different port number (i.e. 1415, 1416, etc...)
I got same problem. but i resolved this by :
1. created a listener manually (define lstr(lstr1) port(xxxx) control(qmgr)
2. setmqaut mcauser('mqm').
Now I use the websphere MQ client connect to remote MQ Server(7.0 version) using c#, and occurs a problem of authority,Which is the user running the MQ client application have insufficient authority to access qmgr.Then I use the 'setmqaut' command to grand the user sufficient authority and it works.
I think it's not very convenient and must be a better way.May via adding user's IP in MQ Server? But I have no idea how to do it.
Any suggestions would be greatly appreciated.
Thanks
WebSphere MQ does not perform any authentication. Local applications are authenticated by the operating system and so their ID can be trusted. (By definition, if you cannot trust the local OS authentication then the entire server is compromised.) Just as with local connections, WMQ trusts that the ID connecting remotely is genuine. It is up to the WMQ administrator to determine what level of authentication to employ. In WMQ v7 there are two choices - authenticate with SSL/TLS channels, or use a channel exit to authenticate.
In either case, it is the channel's MCAUSER value that decides what ID is used for authorization. If the MCAUSER is left blank then the channel will use the user ID that the client sends. In your case you received a 2035 error because the client sent an ID that was not in the administrative (mqm) group. Had your client sent the ID 'mqm' (or on Windows 'MUSR_MQADMIN'), the connection would have succeeded. If your program is Java or JMS, the ability to select the ID presented is part of the API. Just tell the QMgr who you want to be.
If you are willing to allow remote connections to execute OS commands on the server, then just put the administrative ID in the channel's MCAUSER. (For example, MCAUSER('mqm') on UNIX/Linux or typically MCAUSER('MUSR_MQADMIN') for Windows.) However, be aware that remote users with admin rights can remotely execute arbitrary OS command-line code using the QMgr. This is a feature of WMQ and not a bug, hence we NEVER recommend this in Production. In fact, I personally recommend that development environments enable security. Waiting until Production to figure out how to authenticate connections and what authorizations are needed often leads to unnecessary deployment delays.
If you want to use IP filtering to mitigate that threat, you can either move to WMQ v7.1 which includes this feature natively, or use an exit such as BlockIP2. Either of these solutions will allow you to create rules that filter incoming connection requests by IP address, user ID, etc.
Note that on a v7.0 QMgr all the channels are unprotected by default. So even if you filter incoming requests on one channel, if the others are left in their default state, anyone can still connect and execute commands as the administrator. For a comprehensive review of all this, please take a look at the Hardening WebSphere MQ presentation at t-rob.net. Scroll down to the v7.0 presentations.