Reputation: 527
I need to share a QM and its listener between multiple clients in order to utilize system resources.
My concern is security: access control. As all clients will have access to the listener port, I can't use a firewall to manage access rights.
How can I make sure a client can only access his specific queues under the shared QM? I know I can assign MCAUSER to client-level channels, but still, what makes a client able to connect only to a specific channel?
I have assigned an MCAUSER to a channel and set permissions. Now, from the client Java JMS API, how do I connect to that specific channel, and what forbids other clients from connecting to this specific channel?
Upvotes: 2
Views: 1180
Reputation: 31852
You are on the right track. I would recommend reading the security presentations from the IBM conference as background. Go to this page and scroll down a bit.
Remember that the client can specify any channel name other than the one you provisioned for them, so in addition to setting MCAUSER on the one channel, you need to have set it on all channels. Channels named `SYSTEM.DEF.*` and `SYSTEM.AUTO.*` should be disabled with an MCAUSER that cannot be used as a valid user ID. We are currently recommending `MCAUSER('*NOACCESS')` since `*NOACCESS` is a reserved word in WMQ V7.1 and later.
Now that you've blocked the unused channels, you need to arrange to map the client connections to their respective user IDs. The way you do this is different depending on which version of WMQ QMgr that you have. In V7.0 and earlier it requires an exit. The BlockIP2 exit at MrMQ.dk is one that the community has contributed to over the years and is owned and maintained by an IBMer. In V7.1 and later the functions in BlockIP2 have been implemented natively in WMQ as CHLAUTH rules.
Specifically, the exit or in V7.1 the CHLAUTH rules allow you to map the connecting client's asserted ID, IP address or SSL Distinguished Name to a user ID to place into MCAUSER when the channel connection is made.
If you need to validate user ID and password, then you would need to write or purchase an exit to do that. Neither WMQ nor BlockIP2 validates ID and password at this time. However, business partners such as Capitalware sell exits which do just that. If you wished to write such an exit, the BlockIP2 source code is a good place to start.
Upvotes: 2
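The answer above describes the V7.1+ approach in words: close the default channels with `MCAUSER('*NOACCESS')`, give each client its own SVRCONN channel with its own MCAUSER, use CHLAUTH rules to map the client's SSL Distinguished Name and source address onto that MCAUSER, and then grant that ID object authorities on only its own queues. The script below is an added example (not part of the answer, not IBM's or BlockIP2's code) that generates the `runmqsc` and `setmqaut` commands for such a setup from a small client table. The queue manager name `SHARED.QM`, the client IDs, channel names, DNs, address ranges, queue names and the cipher spec are all constructed placeholders; replace them with your own values.

```shell
#!/bin/sh
# Added example: generate the lock-down commands for a queue manager shared by
# several clients. All names below are constructed placeholders, not real values.
set -eu

QMGR="${QMGR:-SHARED.QM}"   # assumed queue manager name

# Client table (constructed sample data), one client per line:
#   <mcauser> <svrconn channel> <client cert DN, no spaces> <source address> <queue>
CLIENTS='
app1 APP1.SVRCONN CN=app1,O=Example 10.0.1.* APP1.REQUEST
app2 APP2.SVRCONN CN=app2,O=Example 10.0.2.* APP2.REQUEST
'

# Step 1: the channels any client could name must not be usable. *NOACCESS is
# reserved in WMQ 7.1+ and can never resolve to a real user ID.
block_default_channels_mqsc() {
  for ch in SYSTEM.DEF.SVRCONN SYSTEM.AUTO.SVRCONN; do
    printf "ALTER CHANNEL('%s') CHLTYPE(SVRCONN) MCAUSER('*NOACCESS')\n" "$ch"
  done
  # CHLAUTH (7.1+): additionally refuse every connection on any SYSTEM.* channel.
  printf "SET CHLAUTH('SYSTEM.*') TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(NOACCESS) ACTION(REPLACE)\n"
}

# Step 2: one SVRCONN per client. The channel's own MCAUSER is the fallback; the
# CHLAUTH pair below first denies everyone on the channel and then maps exactly
# one certificate DN, arriving from the expected address range, onto the ID.
# A matching SSLPEERMAP rule takes precedence over the ADDRESSMAP deny rule.
per_client_mqsc() {
  echo "$CLIENTS" | while read -r id chl dn addr queue; do
    [ -n "$id" ] || continue
    # Cipher spec is an example choice; SSLCAUTH(REQUIRED) forces a client certificate
    # so that the DN exists to be mapped.
    printf "DEFINE CHANNEL('%s') CHLTYPE(SVRCONN) TRPTYPE(TCP) MCAUSER('%s') SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA256) SSLCAUTH(REQUIRED) REPLACE\n" "$chl" "$id"
    printf "SET CHLAUTH('%s') TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(NOACCESS) ACTION(REPLACE)\n" "$chl"
    printf "SET CHLAUTH('%s') TYPE(SSLPEERMAP) SSLPEER('%s') ADDRESS('%s') USERSRC(MAP) MCAUSER('%s') ACTION(REPLACE)\n" "$chl" "$dn" "$addr" "$id"
    printf "DEFINE QLOCAL('%s') REPLACE\n" "$queue"
  done
}

# Step 3: object authorities. The mapped ID may connect to the queue manager and
# touch only its own queue; it gets nothing on the other clients' queues.
# (-p names a principal; on Unix WMQ resolves authorities through the primary
# group, which is assumed to be dedicated to that ID here.)
per_client_setmqaut() {
  echo "$CLIENTS" | while read -r id chl dn addr queue; do
    [ -n "$id" ] || continue
    printf "setmqaut -m %s -t qmgr -p %s +connect +inq\n" "$QMGR" "$id"
    printf "setmqaut -m %s -t queue -n %s -p %s +put +get +browse +inq\n" "$QMGR" "$queue" "$id"
  done
}

# Apply against a live queue manager (requires the WMQ commands on PATH).
apply() {
  { block_default_channels_mqsc; per_client_mqsc; } | runmqsc "$QMGR"
  per_client_setmqaut | sh
}

# Usage: ./lockdown.sh          -> print the commands for review
#        ./lockdown.sh apply    -> run them against $QMGR
if [ "${1:-}" = "apply" ]; then
  apply
else
  block_default_channels_mqsc
  per_client_mqsc
  per_client_setmqaut
fi
```

Running the script without arguments prints the generated commands so they can be reviewed before `apply` feeds them to `runmqsc`. On the client side the channel is simply selected by name (in the JMS API, `MQConnectionFactory.setChannel`), which is exactly why nothing on the client can be trusted: the server must refuse every channel the client was not provisioned for, and must refuse the provisioned channel to anyone who does not present the expected certificate from the expected address.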