TRANSCRIPT
IBM Software Group
WebSphere® Support Technical Exchange
WebSphere Message Broker 7 Security Administration
Erik Kirk ([email protected]), WebSphere Message Broker Software Engineer, March 23, 2010
Agenda
• Highlights of WMB 7.0 security
• WMB 7.0 and earlier components
• Broker administration security
  • Activating
  • Authorization queues
  • Authorization levels
  • Examples
  • Deactivating
• Command changes
• Migration – Configmgr ACLs and WMB v7 support
• General debugging techniques
• Summary
Highlights of WMB 7.0 security
• Configuration Manager (Configmgr) removed
• WMQ security model used
  • Replacing Configmgr ACLs
  • Using userid in MQMD
• Security disabled by default
• WMB 7.0 broker administration security
• Pub/Sub function and security moved to WMQ
• Administrative duties simplified
WMB 7.0 and earlier components
[Diagram] WMB 6.1 components: Toolkit, CMP API apps, IS02 and deploy commands; Configuration Manager; broker commands; brokers; MQ.
WMB 7.0 and earlier components
[Diagram] WMB 7.0 components: Toolkit, CMP API apps, WMB Explorer and deploy commands; broker commands; brokers; MQ.
Broker administration security – Broker administrator authorizations
• mqbrkrs group membership required
• mqm group membership required for commands resulting in new queues
Broker administration security – Activating
• During broker creation: mqsicreatebroker MB7BROKER -q MB7QMGR -s active (default = inactive)
• After broker creation: mqsichangebroker MB7BROKER -s active
• mqm group membership required
• Security queues created: SYSTEM.BROKER.AUTH.<EGName>
Broker administration security – Authorizations
Basic connectivity authorizations:

Object        | Name                                                               | Permissions
Queue manager | The queue manager associated with the broker; for example, MB7QMGR | Connect, Inquire
Queue         | SYSTEM.BROKER.DEPLOY.QUEUE                                         | Put
Queue         | SYSTEM.BROKER.DEPLOY.REPLY                                         | Get, Put
Queue         | SYSTEM.BROKER.AUTH                                                 | Inquire
Broker administration security – Tasks and Authorizations
Broker administration security – Authorizations

WMB authority | WMQ permission
Read          | +inq
Write         | +put
Execute       | +set
Broker administration security – Authorizations
Examples:
• Grant read authority to group dev on all execution groups:
  setmqaut -m MB7QMGR -n SYSTEM.BROKER.AUTH.** -t queue -g dev +inq
• Grant write authority to group admin for the broker:
  setmqaut -m MB7QMGR -n SYSTEM.BROKER.AUTH -t queue -g admin +put
• Grant execute authority to group dev for an execution group EGNAME:
  setmqaut -m MB7QMGR -n SYSTEM.BROKER.AUTH.EGNAME -t queue -g dev +set
Managing security – Deactivating
• Security is disabled by default
• Disable security: mqsichangebroker MB7BROKER -s inactive
• Disabling security does not delete any security queues.
Command changes
• mqsicreatebroker
  • -s option added
  • Security is disabled by default
• mqsichangebroker
  • -s values = active, inactive
• mqsideletebroker
  • -s option optionally deletes SYSTEM.BROKER.AUTH.* queues
General debugging techniques
Command or task fails and the security configuration is suspect:
• Narrow the scope: temporarily add the user to mqm and mqbrkrs
• Check permissions of the user
  • dspmqaut -m MB7QMGR -n SYSTEM.BROKER.AUTH -t q -p tester
• Check permissions of the group
  • dspmqaut -m MB7QMGR -n SYSTEM.BROKER.AUTH -t q -g dev
• Refresh the queue manager security cache:
  • runmqsc qmgrname
  • REFRESH SECURITY
Migration – Configmgr ACLs and WMB v7 support
• Configmgr ACLs are not automatically migrated
• Use Configmgr ACLs as a basis for the WMB v7 security implementation
• mqsilistaclentry
  • Sample output format: <principal> - <principaltype> - <accesstype> - <objecttype> - <objectname>
  • Sample output: wrkgrp\ali - USER - F - EXE - BROKER\default
Migration – Configmgr ACLs and WMB v7 support
Principals

WMB ACLs (prior to v7) | WMB v7 support
Username               | Yes
Group name             | Yes
Machine/domain name    | SSL/exits
All machines           | Yes
Migration – Configmgr ACLs and WMB v7 support
Principal type

WMB ACLs (prior to v7) | WMB v7 support
User                   | Yes
Group                  | Yes
Migration – Configmgr ACLs and WMB v7 support
Object type

WMB ACLs (prior to v7) | WMB v7 support
ConfigManagerProxy     | NA
PubSubTopology         | NA
Broker                 | Yes
ExecutionGroup         | Yes
Subscription           | NA
TopicRoot              | NA
Migration – Configmgr ACLs and WMB v7 support
Permissions

WMB ACLs (prior to v7) | WMB v7 support
V – View access        | Read
F – Full control       | Read, write, execute
D – Deploy access      | Read, write
E – Editor access      | Read, write
NA                     | Execute
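The migration tables above turned into a small helper script. This is an added example, not material from the presentation: it reads mqsilistaclentry output lines and emits the setmqaut commands that grant the equivalent WMB v7 authorities on the SYSTEM.BROKER.AUTH queues. It assumes the execution group name is the part of <objectname> after the backslash, that the domain prefix of a principal (wrkgrp\ali) is dropped because v7 authorizes OS users and groups, and it runs on constructed sample lines.

```shell
#!/bin/sh
# Added example (not IBM's code): Configmgr ACL entries -> WMB v7 setmqaut commands.
# Mapping follows the presentation's tables: V -> read (+inq), F -> read/write/
# execute (+inq +put +set), D/E -> read/write (+inq +put); BROKER -> SYSTEM.BROKER.AUTH,
# EXE -> SYSTEM.BROKER.AUTH.<EGName>; other object types are NA in v7 and are skipped.

# Configmgr access type -> WMQ permissions on the SYSTEM.BROKER.AUTH queues.
acl_perms() {
    case "$1" in
        V)   echo "+inq" ;;              # View access   -> read
        F)   echo "+inq +put +set" ;;    # Full control  -> read, write, execute
        D|E) echo "+inq +put" ;;         # Deploy/Editor -> read, write
        *)   return 1 ;;
    esac
}

# Translate one "<principal> - <type> - <access> - <objtype> - <objname>" line
# into a setmqaut command, or a comment for entries WMB v7 cannot express.
acl_to_setmqaut() {
    qmgr=$1 line=$2
    principal=${line%% - *}; rest=${line#* - }
    ptype=${rest%% - *};     rest=${rest#* - }
    access=${rest%% - *};    rest=${rest#* - }
    otype=${rest%% - *};     oname=${rest#* - }
    principal=${principal##*\\}    # assumption: wrkgrp\ali -> ali (OS principal)
    case "$ptype" in
        USER)  pflag="-p $principal" ;;
        GROUP) pflag="-g $principal" ;;
        *)     echo "# skipped: principal type $ptype not supported in v7"; return 0 ;;
    esac
    case "$otype" in
        BROKER) queue="SYSTEM.BROKER.AUTH" ;;
        EXE)    queue="SYSTEM.BROKER.AUTH.${oname##*\\}" ;;   # assumption: broker\EGName
        *)      echo "# skipped: object type $otype is NA in WMB v7"; return 0 ;;
    esac
    perms=$(acl_perms "$access") || { echo "# skipped: unknown access type $access"; return 0; }
    echo "setmqaut -m $qmgr -n $queue -t queue $pflag $perms"
}

# Constructed sample of mqsilistaclentry output, one entry per line.
SAMPLE_ACLS='wrkgrp\ali - USER - F - EXE - BROKER\default
dev - GROUP - V - BROKER - MB7BROKER
ops - GROUP - F - TopicRoot - Root'

printf '%s\n' "$SAMPLE_ACLS" | while IFS= read -r entry; do
    acl_to_setmqaut MB7QMGR "$entry"
done
```

Review the emitted commands before running them; the skipped lines mark ACLs (machine principals, pub/sub objects) that need a different mechanism in v7, such as SSL/exits or WMQ topic security.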
Summary
• WMB 7.0 security simplified
• Relies on the WMQ security model
• Configmgr and User Name Server removed in WMB 7.0
• WMB 7.0 broker administration security can be activated/deactivated
• mqsicreatebroker, mqsichangebroker, and mqsideletebroker commands changed to include the -s option
• Migration of Configmgr ACLs is manual
  • Use mqsilistaclentry output and the tables to migrate ACLs
Additional WebSphere Product Resources
• Learn about upcoming WebSphere Support Technical Exchange webcasts, and access previously recorded presentations at: http://www.ibm.com/software/websphere/support/supp_tech.html
• Discover the latest trends in WebSphere technology and implementation, participate in technically focused briefings, webcasts and podcasts at: http://www.ibm.com/developerworks/websphere/community/
• Join the Global WebSphere User Group Community: http://www.websphere.org
• Access key product show-me demos and tutorials by visiting IBM® Education Assistant: http://www.ibm.com/software/info/education/assistant
• View a webcast replay with step-by-step instructions for using the Service Request (SR) tool for submitting problems electronically: http://www.ibm.com/software/websphere/support/d2w.html
• Sign up to receive weekly technical My Notifications emails: http://www.ibm.com/software/support/einfo.html
We Want to Hear From You!
Tell us about what you want to learn:
• Suggestions for future topics
• Improvements and comments about our webcasts
We want to hear everything you have to say!
Please send your suggestions and comments to: [email protected]
Questions and Answers