Anda di halaman 1dari 23

®

IBM Software Group

WebSphere Message Broker 7


Security Administration

Erik Kirk (eakirk@us.ibm.com)


WebSphere Message Broker Software Engineer
March 23, 2010

WebSphere® Support Technical Exchange


IBM Software Group

Agenda
 Highlights of WMB 7.0 security
 WMB 7.0 and earlier components
 Broker administration security
 Activating
 Authorization queues
 Authorization levels
 Examples
 Deactivating
 Command changes
 Migration – Configmgr ACLs and WMB v7 support
 General debugging techniques
 Summary

WebSphere ® Support Technical Exchange 2 of 23


IBM Software Group

Highlights of WMB 7.0 security

 Configuration Manager (Configmgr) removed


 WMQ security model used
Replacing Configmgr ACLs
Using userid in MQMD
 Security disabled by default
 WMB 7.0 broker administration security
 Pub/Sub function and security moved to WMQ
 Administrative duties simplified

WebSphere ® Support Technical Exchange 3 of 23


IBM Software Group

WMB 7.0 and earlier components


WMB 6.1 Components

MQ MQ
Configuration
Manager
Toolkit, CMP API
Apps, IS02, Brokers
deploy commands

MQ

Broker commands

WebSphere ® Support Technical Exchange 4 of 23


IBM Software Group

WMB 7.0 and earlier components


WMB 7.0 Components

MQ

Toolkit, CMP API


Apps, WMB
Explorer, deploy
commands
Brokers

MQ
Broker commands

WebSphere ® Support Technical Exchange 5 of 23


IBM Software Group

Broker administration security – Broker administrator authorizations

 mqbrkrs group membership required

 mqm group membership required for commands


resulting in new queues

WebSphere ® Support Technical Exchange 6 of 23


IBM Software Group

Broker administration security - Activating

 During broker creation:


mqsicreatebroker MB7BROKER -q MB7QMGR
-s active (default =inactive)
 After broker creation:
mqsichangebroker MB7BROKER -s active
 mqm group membership required
 Security queues created
SYSTEM.BROKER.AUTH.<EGName>

WebSphere ® Support Technical Exchange 7 of 23


IBM Software Group

Broker administration security – Authorizations

Basic connectivity authorizations


Object Name Permissions
Queue manager The queue manager associated with Connect
the broker; for example, MB7QMGR Inquire
Queue SYSTEM.BROKER.DEPLOY.QUEUE Put
Queue SYSTEM.BROKER.DEPLOY.REPLY Get
Put
Queue SYSTEM.BROKER.AUTH Inquire

WebSphere ® Support Technical Exchange 8 of 23


IBM Software Group

Broker administration security – Tasks and Authorizations

WebSphere ® Support Technical Exchange 9 of 23


IBM Software Group

Broker administration security - Authorizations

WMB authority WMQ permission


Read +inq
Write +put
Execute +set

WebSphere ® Support Technical Exchange 10 of 23


IBM Software Group

Broker administration security – Authorizations

Examples:

 Grant read authority to group dev on all execution groups


 setmqaut -m MB7QMGR -n SYSTEM.BROKER.AUTH.** -t queue -g
dev +inq
 Grant write authority to group admin for the broker
 setmqaut -m MB7QMGR -n SYSTEM.BROKER.AUTH -t queue –g
admin +put
 Grant execute authority to group dev for an execution group EGNAME
 setmqaut -m MB7QMGR -n SYSTEM.BROKER.AUTH.EGNAME -t
queue –g dev +set

WebSphere ® Support Technical Exchange 11 of 23


IBM Software Group

Managing security - Deactivating

 Security is disabled by default


 Disable security
 mqsichangebroker MB7BROKER -s inactive
 Disabling security does not delete any security
queues.

WebSphere ® Support Technical Exchange 12 of 23


IBM Software Group

Command changes
 -s option added to
mqsicreatebroker
• Security is disabled by default
mqsichangebroker
• -s values = active, inactive
mqsideletebroker
• -s option optionally deletes
SYSTEM.BROKER.AUTH.* queues

WebSphere ® Support Technical Exchange 13 of 23


IBM Software Group

General debugging techniques


 Command or task fails and security configuration is suspect
 Narrow the scope - temporarily add user to mqm and mqbrkrs
 Check permissions of user
• dspmqaut -m MB7QMGR -n SYSTEM.BROKER.AUTH -t q
–p tester
 Check permissions of group
• dspmqaut -m MB7QMGR -n SYSTEM.BROKER.AUTH -t q
–g dev
 Refresh the queue manager security cache:
• runmqsc qmgrname
• REFRESH SECURITY

WebSphere ® Support Technical Exchange 14 of 23


IBM Software Group

Migration – Configmgr ACLs and WMB v7 support

 Configmgr ACLs are not automatically migrated


 Use configmgr ACLs as a basis for WMB v7 security implementation
 mqsilistaclentry
 mqsilistaclentry sample output:
<principal> - <principaltype> - <accesstype> - <objecttype> -
<objectname>
wrkgrp\ali - USER - F - EXE - BROKER\default

WebSphere ® Support Technical Exchange 15 of 23


IBM Software Group

Migration – Configmgr ACLs and WMB v7 support

Principals
WMB ACLs (prior to v7) WMB v7 support
Username Yes
Group name yes
Machine/domain name SSL/exits
All machines Yes

WebSphere ® Support Technical Exchange 16 of 23


IBM Software Group

Migration – Configmgr ACLs and WMB v7 support

Principal type
WMB ACLs (prior to v7) WMB v7 support
User Yes
Group Yes

WebSphere ® Support Technical Exchange 17 of 23


IBM Software Group

Migration – Configmgr ACLs and WMB v7 support

Object type
WMB ACLs (prior to v7) WMB v7 support
ConfigManagerProxy NA
PubSubTopology NA

Broker Yes
ExecutionGroup Yes

Subscription NA
TopicRoot NA

WebSphere ® Support Technical Exchange 18 of 23


IBM Software Group

Migration – Configmgr ACLs and WMB v7 support

Permissions
WMB ACLs (prior to v7) WMB v7 support
V - View access read
F – Full control Read,write,execute

D – Deploy access Read,write


E – Editor access Read,write

NA Execute

WebSphere ® Support Technical Exchange 19 of 23


IBM Software Group

Summary
 W MB 7.0 security
 Simplified
 Relies on W MQ security model
 Configmgr and user name server removed in W MB 7.0
 W MB 7.0 broker administration security can be activated/
deactivated
 mqsicreatebroker, mqsichangebroker, and
mqsideletebroker command changed to include –s option
 Migration of Configmgr ACLs is manual
 Use mqsilistaclentry output and tables to migrate ACLs

WebSphere ® Support Technical Exchange 20 of 23


IBM Software Group

Additional WebSphere Product Resources


 Learn about upcoming WebSphere Support Technical Exchange webcasts, and access
previously recorded presentations at:
http://www.ibm.com/software/websphere/support/supp_tech.html

 Discover the latest trends in WebSphere Technology and implementation, participate in


technically-focused briefings, webcasts and podcasts at:
http://www.ibm.com/developerworks/websphere/community/
 Join the Global WebSphere User Group Community:
http://www.websphere.org
 Access key product show-me demos and tutorials by visiting IBM® Education Assistant:
http://www.ibm.com/software/info/education/assistant

 View a webcast replay with step-by-step instructions for using the Service Request (SR)
tool for submitting problems electronically:
http://www.ibm.com/software/websphere/support/d2w.html
 Sign up to receive weekly technical My Notifications emails:
http://www.ibm.com/software/support/einfo.html

WebSphere ® Support Technical Exchange 21 of 23


IBM Software Group

We Want to Hear From You!


Tell us about what you want to learn

Suggestions for future topics


Improvements and comments about our webcasts
We want to hear everything you have to say!

Please send your suggestions and comments to:


wsehelp@us.ibm.com

WebSphere ® Support Technical Exchange 22 of 23


IBM Software Group

Questions and Answers

WebSphere ® Support Technical Exchange 23 of 23