BEA MessageQ Release 5.0
Configuration Guide for OpenVMS

BEA MessageQ Security


This chapter describes the BEA MessageQ for OpenVMS security features that allow system managers to:

Rights Identifiers Used By BEA MessageQ

There are two rights identifiers used by BEA MessageQ. The identifiers are created during installation by the kit installation procedure if they do not already exist.

In order to run the loader (DMQ$EXE:DMQ$LOADER), the user must have either VMS OPER privileges or be granted the DMQ$MANAGER rights identifier.

The following actions require either OPER privileges or the DMQ$MANAGER rights identifier:

The other identifier is DMQ$OPERATOR. The following actions require either OPER privileges or the DMQ$OPERATOR rights identifier:

See Defining Access Control on Queues for more information on the DMQ$OPERATOR rights identifier.

Defining Access Control on Queues

To control queue access, the system manager must have an account that holds a DMQ$OPERATOR rights identifier or the VMS OPER privilege. The system manager can limit which processes are allowed to read from a queue by setting the flag in the Check ACL column of the Queue Configuration Table in the DMQ$INIT file to Y. When the flag is set to Y, BEA MessageQ checks a zero-length access control file called DMQ$ACCESS:DMQ$bbbbgggggqqqqq.DAT, where:

bbbb     is the 4-digit bus ID
ggggg    is the 5-digit group ID
qqqqq    is the 5-digit queue number

To read from a queue, a process requires read access to the queue's access control file. BEA MessageQ checks access control by determining if the process can perform an OPEN/READ operation on the DMQ$ACCESS:DMQ$bbbbgggggqqqqq.DAT file.

To set up access control for a queue, you must create the access control file before processes can access its associated queue. Use the CREATE command at DCL level to create the file and use the SET ACL command to give the user account read access to the file. The logical DMQ$ACCESS is specific to each group and is defined in DMQ$USER:DMQ$BOOT.COM. The default value of DMQ$ACCESS is the BEA MessageQ group-specific directory referred to by the logical DMQ$USER.

For example, use the following commands to give user identification code (UIC) [345,333] access to queue 4, on group 1, bus 15:

$ CREATE DMQ$ACCESS:DMQ$00150000100004.DAT
$ Ctrl/Z

$ SET ACL/ACL=(IDENTIFIER=[345,333],ACCESS=READ) -
_$ DMQ$ACCESS:DMQ$00150000100004.DAT

$ SET PROT=(S,O,G,W) DMQ$ACCESS:DMQ$00150000100004.DAT

Securing Readout of Permanent Queues

If Check ACL is set to Y on a primary or secondary message queue, BEA MessageQ validates whether a process is allowed to read from a queue when the process first attaches to the queue. If the queue is a multireader queue (MRQ), BEA MessageQ validates access at the first attempt to read from the queue.

Securing the Creation of Temporary Queues

If Check ACL is set to Y on the TEMPORARY_Q queue and the queue number is 0, then only those processes that can read DMQ$ACCESS:DMQ$bbbbggggg00000.DAT are allowed to create temporary queues. This protection applies to processes that call the pams_attach_q function. However, securing access to temporary queues disables the message interface to the COM Server for creating temporary secondary queues.

Setting the Global Section Protection Mask

You can configure a protection mask to restrict access to BEA MessageQ global sections. When the protection mask is configured, an access control list (ACL) can be applied to control individual user access. All BEA MessageQ global sections use one protection mask and, therefore, each requires an ACL to be set after the COM Server is booted.

BEA MessageQ uses system global sections, which are owned by UIC [1,4]. If the owner has not been granted access, the COM Server will be unable to initialize the global sections.

Defining Protection Mask Logical Name

The logical name controlling the global section protection mask definition is called DMQ$SET_GBLSEC_PROT. Define the logical name using the following command:

$ DEFINE/TABLE=DMQ$LNM_TBL/EXEC DMQ$SET_GBLSEC_PROT sogw 

where:

Table 13-1 shows typical combinations of protection settings.

Table 13-1 Sample Settings for DMQ$SET_GBLSEC_PROT

Setting    Description
YYYY       Default; unrestricted access to global sections
NYNN       Access only for BEA MessageQ Server processes and ACLs
NNNN       Access only through ACLs

Setting ACLs for Global Sections

When you set the ACL for the global sections, you must apply the ACL to all five global sections shown in Table 13-2. Set an ACL for a global section (called, in this case, DMQ$MCS_C_bbbb_ggggg) as follows:

$ SET ACL/OBJ=SYSTEM_GLOBAL_SECTION/ACL=(ID=__,AC=__) - 
_$ DMQ$MCS_C_bbbb_ggggg

Note: You must set the ACL after the COM Server is running. For example, you can add the ACL command to DMQ$BOOT.COM after the line that executes DMQ$COM_START.COM.

Table 13-2 shows the names for the five global sections where bbbb is the 4-digit bus ID and ggggg is the 5-digit group ID.

Table 13-2 BEA MessageQ Global Section Names

Section Name              Description
DMQ$MCS_C_bbbb_ggggg      Control section
DMQ$LLS_S_bbbb_ggggg      Small buffer pool section
DMQ$LLS_M_bbbb_ggggg      Medium buffer pool section
DMQ$LLS_L_bbbb_ggggg      Large buffer pool section
DMQ$GNT_C_bbbb_ggggg      Group Name Table (GNT) section
DMQ$GRP_C_bbbb_ggggg      Cross-group control section
DMQ$MRQ_C_bbbb_ggggg      Multireader queue (MRQ) control section
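The fixed-width names in this chapter (the DMQ$bbbbgggggqqqqq.DAT access control file from Defining Access Control on Queues, and the _bbbb_ggggg global section names of Table 13-2) are easy to get wrong by a single digit, which produces a file or section name BEA MessageQ will never consult. The following Python helper, an added example that is not part of the BEA MessageQ documentation or kit, builds and validates those names and emits the matching DCL lines; the ACE text for the global sections is supplied by the caller, since the page leaves it blank (ID=__,AC=__), and all bus/group/queue values used are constructed.

```python
import re

# Constructed helper for the naming schemes in this chapter (not BEA MessageQ code).
# Access control file: DMQ$ACCESS:DMQ$bbbbgggggqqqqq.DAT (4 + 5 + 5 digits).
ACCESS_FILE_RE = re.compile(r"^DMQ\$ACCESS:DMQ\$(\d{4})(\d{5})(\d{5})\.DAT$")

# The seven global section prefixes listed in Table 13-2; the suffix is _bbbb_ggggg.
GLOBAL_SECTION_PREFIXES = (
    "DMQ$MCS_C", "DMQ$LLS_S", "DMQ$LLS_M", "DMQ$LLS_L",
    "DMQ$GNT_C", "DMQ$GRP_C", "DMQ$MRQ_C",
)

def _field(value, width, label):
    """Zero-pad an ID to its fixed width; refuse values that would overflow it."""
    if not 0 <= value < 10 ** width:
        raise ValueError(f"{label} {value} does not fit in {width} digits")
    return f"{value:0{width}d}"

def access_file_name(bus, group, queue):
    """Access control file for a queue; queue 0 is the TEMPORARY_Q check."""
    return ("DMQ$ACCESS:DMQ$" + _field(bus, 4, "bus") + _field(group, 5, "group")
            + _field(queue, 5, "queue") + ".DAT")

def parse_access_file_name(name):
    """Return (bus, group, queue), or None when the name is malformed (wrong digit count)."""
    m = ACCESS_FILE_RE.match(name)
    return tuple(int(g) for g in m.groups()) if m else None

def queue_acl_commands(bus, group, queue, uic):
    """DCL lines for a command procedure: inside a .COM file CREATE reads no data
    because the next line starts with $, so the file is created zero-length."""
    f = access_file_name(bus, group, queue)
    return [
        f"$ CREATE {f}",
        f"$ SET ACL/ACL=(IDENTIFIER={uic},ACCESS=READ) {f}",
        f"$ SET PROT=(S,O,G,W) {f}",  # no implicit access; only the ACL grants READ
    ]

def global_section_names(bus, group):
    """All seven section names from Table 13-2 for one bus/group pair."""
    suffix = "_" + _field(bus, 4, "bus") + "_" + _field(group, 5, "group")
    return [p + suffix for p in GLOBAL_SECTION_PREFIXES]

def global_section_acl_commands(bus, group, ace):
    """One SET ACL per section; `ace` is the caller's ACE text (e.g. ID=...,AC=...)."""
    return [f"$ SET ACL/OBJ=SYSTEM_GLOBAL_SECTION/ACL=({ace}) {n}"
            for n in global_section_names(bus, group)]
```

The SET ACL lines for the global sections must run after DMQ$COM_START.COM, as the Note above states, so place them in DMQ$BOOT.COM after that line.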

Controlling Network Access to a Queuing Group

The Link Drivers can limit incoming cross-group connections to the nodes found in the cross-group connection table. Incoming cross-group connections are controlled by the XGROUP_VERIFY parameter in the Profile section of the DMQ$INIT.TXT file (see Configuring Cross-group Connections for more information).

When XGROUP_VERIFY is enabled, the cross-group connection table functions use an ACL to validate all connections against a known list of valid nodes and BEA MessageQ group IDs. If a connection fails to match exactly, that connection is dropped and a security match failure event is logged.