WebSphere Application Server - Security concerns with WAS Embedded and WMQ under AIX NIS


2005-04-14, 6:06 pm

We have recognized a large security hole in our AIX environment and we are seeking a recommendation to fix this issue.

In our environment user authentication under AIX is managed by NIS. We have a mix of servers that use WebSphere App Server v5.0 & 5.1. These servers utilize JMS by way of WebSphere Embedded Messaging. According to the WAS documentation, the userid starting the JMS server must be a member of the mqm group. As it so happens, these userids and passwords are known to many people who support these applications. These are users outside of our WMQ Administration team.

On other servers, where Embedded messaging is not installed, we have full WMQ running. Sharing the 'mqm' group between these related but very different products poses a gigantic security hole to our WMQ servers since anyone knowing the JMS userid/password can log in to our WMQ servers with full WMQ administrative privileges.

IBM WebSphere App Server support has provided us a quick answer that the user starting the jms server MUST be in the mqm group. Our PMR has been transferred to WMQ Support.

This doesn't seem like a new problem. Does anyone have experience with this issue?

Is there a way to remove the WAS JMS userids from the 'mqm' group? Is it possible to write setmqaut scripts for these WAS servers so they'll be operational, but limit the scope of authority?
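The setmqaut question above asks for a least-privilege alternative to mqm membership on the full WMQ servers. The script below is an added illustration, not part of the original post or of any IBM documentation: it generates the setmqaut commands that grant a dedicated group (assumed here to hold only the WAS JMS service ids) connect and inquire rights on the queue manager plus put/get/browse/inquire on named application queues, and a dspmqaut call to verify the result. The queue manager name QM1, group name wasjms and the queue names are constructed placeholders; the commands are printed rather than executed so the script runs anywhere and can be reviewed before being piped into sh on the MQ host.

```shell
#!/bin/sh
# Added example (not from the thread): emit least-privilege WMQ authority
# commands for a dedicated group holding the WAS JMS service ids, so those
# ids do not need to be members of 'mqm' on the WMQ servers.
#
# Usage: mq_grant_app_auth QMGR GROUP QUEUE...
# Prints setmqaut/dspmqaut command lines; review them, then apply with:
#   mq_grant_app_auth QM1 wasjms APP.REQ APP.REPLY | sh
mq_grant_app_auth() {
    qmgr="$1"
    grp="$2"
    shift 2

    # Queue-manager object: only connect and inquire, no administrative
    # rights (no +setall, no +altusr, no +ctrl).
    echo "setmqaut -m $qmgr -t qmgr -g $grp +connect +inq"

    # Application-level rights, scoped to the named queues only.
    for q in "$@"; do
        echo "setmqaut -m $qmgr -n $q -t queue -g $grp +put +get +browse +inq"
    done

    # Show what the group actually ends up with on the queue manager.
    echo "dspmqaut -m $qmgr -t qmgr -g $grp"
}

# Count how many grant (setmqaut) lines a generated script contains;
# handy as a sanity check that every requested queue was covered.
mq_count_grants() {
    printf '%s\n' "$1" | grep -c '^setmqaut '
}

# Constructed sample run (placeholder names, not a real environment).
if [ "${1:-}" = "--demo" ]; then
    mq_grant_app_auth QM1 wasjms APP.REQ APP.REPLY
fi
```

The group named here must exist in NIS (or locally) on the WMQ host and must not be mqm; membership in mqm bypasses object authority checks entirely, which is the exposure the original post describes. Run dspmqaut with -n and -t queue as well if you want to confirm the per-queue rights after applying.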
Paul Ilechko

2005-04-14, 6:06 pm

jantonitis@yahoo.com wrote:

> We have recognized a large security hole in our AIX environment and
> we are seeking a recommendation to fix this issue.
>
> In our environment user authentication under AIX is managed by NIS.
> We have a mix of servers that use WebSphere App Server v5.0 & 5.1.
> These servers utilize JMS by way of WebSphere Embedded Messaging.
> According to the WAS documentation, the userid starting the JMS
> server must be a member of the mqm group. As it so happens, these
> userids and passwords are known to many people who support these
> applications. These are users outside of our WMQ Administration team.
>
>
> On other servers, where Embedded messaging is not installed, we have
> full WMQ running. Sharing the 'mqm' group between these related but
> very different products poses a gigantic security hole to our WMQ
> servers since anyone knowing the JMS userid/password can log in to
> our WMQ servers with full WMQ administrative privileges.
>
> IBM WebSphere App Server support has provided us a quick answer that
> the user starting the jms server MUST be in the mqm group. Our PMR
> has been transferred to WMQ Support.
>
> This doesn't seem like a new problem. Does anyone have experience
> with this issue?
>
> Is there a way to remove the WAS JMS userids from the 'mqm' group?
> Is it possible to write setmqaut scripts for these WAS servers so
> they'll be operational, but limit the scope of authority?



Don't use Embedded Messaging in production.

Sunit Patke

2005-04-14, 6:06 pm

The id which runs the WAS process has to be in mqm group only if you use
Transport Type of BINDINGS.

Instead use Transport Type of CLIENT.

Sunit

<jantonitis@yahoo.com> wrote in message
news:1291275234.1113495637824.JavaMail.wassrvr@ltsgwas007.sby.ibm.com...
> We have recognized a large security hole in our AIX environment and we are
> seeking a recommendation to fix this issue.
>
> In our environment user authentication under AIX is managed by NIS. We
> have a mix of servers that use WebSphere App Server v5.0 & 5.1. These
> servers utilize JMS by way of WebSphere Embedded Messaging. According to
> the WAS documentation, the userid starting the JMS server must be a member
> of the mqm group. As it so happens, these userids and passwords are known
> to many people who support these applications. These are users outside of
> our WMQ Administration team.
>
> On other servers, where Embedded messaging is not installed, we have full
> WMQ running. Sharing the 'mqm' group between these related but very
> different products poses a gigantic security hole to our WMQ servers since
> anyone knowing the JMS userid/password can log in to our WMQ servers with
> full WMQ administrative privileges.
>
> IBM WebSphere App Server support has provided us a quick answer that the
> user starting the jms server MUST be in the mqm group. Our PMR has been
> transferred to WMQ Support.
>
> This doesn't seem like a new problem. Does anyone have experience with
> this issue?
>
> Is there a way to remove the WAS JMS userids from the 'mqm' group? Is it
> possible to write setmqaut scripts for these WAS servers so they'll be
> operational, but limit the scope of authority?




Copyright 2003 - 2008 webservertalk.com