Security administration

Upload: simbu-selvarasu

Post on 18-Jul-2015


IBM Software Group

WebSphere Message Broker 7 Security Administration
Erik Kirk ([email protected])
WebSphere Message Broker Software Engineer
March 23, 2010

WebSphere Support Technical Exchange


Agenda
- Highlights of WMB 7.0 security
- WMB 7.0 and earlier components
- Broker administration security
  - Activating
  - Authorization queues
  - Authorization levels
  - Examples
  - Deactivating
- Command changes
- Migration - Configmgr ACLs and WMB v7 support
- General debugging techniques
- Summary


Highlights of WMB 7.0 security
- Configuration Manager (Configmgr) removed
- WMQ security model used
  - Replacing Configmgr ACLs
  - Using userid in MQMD
- Security disabled by default
- WMB 7.0 broker administration security
- Pub/Sub function and security moved to WMQ
- Administrative duties simplified


WMB 7.0 and earlier components - WMB 6.1 Components
[Diagram labels: Toolkit, CMP API Apps, IS02, deploy commands; MQ; Configuration Manager; MQ; Brokers; MQ; Broker commands]


WMB 7.0 and earlier components - WMB 7.0 Components
[Diagram labels: Toolkit, CMP API Apps, WMB Explorer, deploy commands; MQ; Brokers; MQ; Broker commands]


Broker administration security
- Broker administrator authorizations
  - mqbrkrs group membership required
  - mqm group membership required for commands resulting in new queues


Broker administration security - Activating
- During broker creation:
    mqsicreatebroker MB7BROKER -q MB7QMGR -s active (default = inactive)
- After broker creation:
    mqsichangebroker MB7BROKER -s active
- mqm group membership required
- Security queues created
    SYSTEM.BROKER.AUTH.


Broker administration security - Authorizations

Basic connectivity authorizations

Object        | Name                                                                   | Permissions
Queue manager | The queue manager associated with the broker; for example, MB7QMGR | Connect, Inquire
Queue         | SYSTEM.BROKER.DEPLOY.QUEUE                                             | Put
Queue         | SYSTEM.BROKER.DEPLOY.REPLY                                             | Get, Put
Queue         | SYSTEM.BROKER.AUTH                                                     | Inquire


Broker administration security - Tasks and Authorizations


Broker administration security - Authorizations

WMB authority | WMQ permission
Read          | +inq
Write         | +put
Execute       | +set


Broker administration security - Authorizations

Examples:
- Grant read authority to group dev on all execution groups
    setmqaut -m MB7QMGR -n SYSTEM.BROKER.AUTH.** -t queue -g dev +inq
- Grant write authority to group admin for the broker
    setmqaut -m MB7QMGR -n SYSTEM.BROKER.AUTH -t queue -g admin +put
- Grant execute authority to group dev for an execution group EGNAME
    setmqaut -m MB7QMGR -n SYSTEM.BROKER.AUTH.EGNAME -t queue -g dev +set


Managing security - Deactivating
- Security is disabled by default
- Disable security
    mqsichangebroker MB7BROKER -s inactive
- Disabling security does not delete any security queues.


Command changes
- -s option added to mqsicreatebroker
  - Security is disabled by default
- mqsichangebroker -s values = active, inactive
- mqsideletebroker -s option optionally deletes SYSTEM.BROKER.AUTH.* queues


General debugging techniques
- Command or task fails and security configuration is suspect
- Narrow the scope: temporarily add user to mqm and mqbrkrs
- Check permissions of user
    dspmqaut -m MB7QMGR -n SYSTEM.BROKER.AUTH -t q -p tester
- Check permissions of group
    dspmqaut -m MB7QMGR -n SYSTEM.BROKER.AUTH -t q -g dev
- Refresh the queue manager security cache:
    runmqsc qmgrname
    REFRESH SECURITY


Migration - Configmgr ACLs and WMB v7 support
- Configmgr ACLs are not automatically migrated
- Use configmgr ACLs as a basis for WMB v7 security implementation
    mqsilistaclentry
- mqsilistaclentry sample output:
    - - - wrkgrp\ali - USER - F - EXE - BROKER\default


Migration - Configmgr ACLs and WMB v7 support

Principals

WMB ACLs (prior to v7) | WMB v7 support
Username               | Yes
Group name             | Yes
Machine/domain name    | SSL/exits
All machines           | Yes


Migration - Configmgr ACLs and WMB v7 support

Principal type

WMB ACLs (prior to v7) | WMB v7 support
User                   | Yes
Group                  | Yes


Migration - Configmgr ACLs and WMB v7 support

Object type

WMB ACLs (prior to v7) | WMB v7 support
ConfigManagerProxy     | NA
PubSubTopology         | NA
Broker                 | Yes
ExecutionGroup         | Yes
Subscription           | NA
TopicRoot              | NA


Migration - Configmgr ACLs and WMB v7 support

Permissions

WMB ACLs (prior to v7) | WMB v7 support
V - View access        | Read
F - Full control       | Read, write, execute
D - Deploy access      | Read, write
E - Editor access      | Read, write
NA                     | Execute
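
The migration tables above and the WMB authority to WMQ permission mapping (+inq, +put, +set) can be applied mechanically when reviewing old ACLs. The shell function below is an added example, not part of the original presentation or of IBM's tooling: it prints, without running, one setmqaut command per mqsilistaclentry-style line. The field layout, the object-type tokens Broker, EXE and ExecutionGroup, and the broker\executiongroup object-name form are assumptions based on the sample line on the slide, and the input lines are constructed.

```shell
#!/bin/sh
# Added example: print (not run) setmqaut commands for mqsilistaclentry-style
# lines, using the slides' permission and object-type mapping tables.
# Assumed layout: principal - TYPE - permission - object type - object name
acl_to_setmqaut() (
  qmgr=$1
  while IFS= read -r line; do
    [ -n "$line" ] || continue
    rest=$line
    principal=${rest%% - *}; rest=${rest#* - }
    ptype=${rest%% - *};     rest=${rest#* - }
    perm=${rest%% - *};      rest=${rest#* - }
    otype=${rest%% - *};     oname=${rest#* - }
    case $ptype in
      USER)  flag=-p ;;
      GROUP) flag=-g ;;
      *) printf '%s\n' "# skipped, unknown principal type: $line"; continue ;;
    esac
    case $perm in              # V/F/D/E -> read/write/execute -> +inq/+put/+set
      V)   auths="+inq" ;;
      F)   auths="+inq +put +set" ;;
      D|E) auths="+inq +put" ;;
      *) printf '%s\n' "# skipped, unknown permission: $line"; continue ;;
    esac
    case $otype in             # object-type tokens here are assumptions
      Broker)             queue=SYSTEM.BROKER.AUTH ;;
      EXE|ExecutionGroup) queue=SYSTEM.BROKER.AUTH.${oname##*\\} ;;
      *) printf '%s\n' "# skipped, no WMB v7 equivalent: $line"; continue ;;
    esac
    case $principal in         # machine/domain qualifiers need SSL/exits in v7
      *\\*) printf '%s\n' "# note: qualifier dropped from $principal"
            principal=${principal##*\\} ;;
    esac
    printf '%s\n' "setmqaut -m $qmgr -n $queue -t queue $flag $principal $auths"
  done
)

# Constructed sample input (not real command output).
acl_to_setmqaut MB7QMGR <<'EOF'
wrkgrp\ali - USER - F - EXE - BROKER\default
dev - GROUP - V - Broker - MB7BROKER
ops - GROUP - D - TopicRoot - root
EOF
```

Review the printed commands before running them; each Full control entry becomes +inq +put +set, so it is worth checking whether the principal still needs all three.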


Summary
- WMB 7.0 security
  - Simplified
  - Relies on WMQ security model
- Configmgr and user name server removed in WMB 7.0
- WMB 7.0 broker administration security can be activated/deactivated
- mqsicreatebroker, mqsichangebroker, and mqsideletebroker commands changed to include -s option
- Migration of Configmgr ACLs is manual
  - Use mqsilistaclentry output and tables to migrate ACLs


Additional WebSphere Product Resources
- Learn about upcoming WebSphere Support Technical Exchange webcasts, and access previously recorded presentations at: http://www.ibm.com/software/websphere/support/supp_tech.html
- Discover the latest trends in WebSphere Technology and implementation, participate in technically-focused briefings, webcasts and podcasts at: http://www.ibm.com/developerworks/websphere/community/
- Join the Global WebSphere User Group Community: http://www.websphere.org
- Access key product show-me demos and tutorials by visiting IBM Education Assistant: http://www.ibm.com/software/info/education/assistant
- View a webcast replay with step-by-step instructions for using the Service Request (SR) tool for submitting problems electronically: http://www.ibm.com/software/websphere/support/d2w.html
- Sign up to receive weekly technical My Notifications emails: http://www.ibm.com/software/support/einfo.html


We Want to Hear From You!
Tell us about what you want to learn
- Suggestions for future topics
- Improvements and comments about our webcasts
- We want to hear everything you have to say!
Please send your suggestions and comments to: [email protected]


Questions and Answers
