Re: IBM MQ security

[John McBrearty <johnm () mcbrearty com>]

I worked with MQ security a little over the past couple of years.  I went
through some MQ training materials from IBM and was amused at their
somewhat disingenuous discussion of security issues.  The materials said
something to the effect that, "since MQ is complex and since all our
customers prefer to handle security in their own way, we don't impose any
security recommendations on MQ but let our customers secure it however they
want."

There are several big issues with MQ.  First is to actually turn on
security checking within the messaging system, which may break a lot of
applications if you haven't done it before.  Second, you may be using
"generic" accounts (say in a multi-tiered application) acting to send
messages on behalf of users; you should try instead to capture the
initiating user id information and use it throughout the entire messaging
transaction.  Here, also, you will need to make sure that user accounts are
set up with the proper privileges or things may break.  

Also, you need to look at privileges for running the overall MQ management
and setup tools and make sure that those privileges are granted only to
system administrators with the proper actual authority to control such
things.  Lastly, make sure that you have control over all the user accounts
from any machine capable of initiating MQ transactions.  If someone has
admin control over a machine, they may be able to fake some other userid in
order to initiate a bogus MQ message, inspect MQ traffic, etc.

Hope this helps,

John McBrearty
johnm () mcbrearty com


David Lang wrote:
> > can anyone give me any pointers on the security of the IBM MQ protocol?


_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr net
http://www.nfr.net/mailman/listinfo/firewall-wizards