headers
Guy Shavitt | 1 Jun 2009 14:58
Picon
Favicon

Impact of disk fragmentation on MQ performance

Hello, I am running WebSphere MQ Server on Windows 2003 Server.
 
My question is:
 
is it required/recommended to run defrag on the drives used by MQ (queues, logs...) once in a while ?
Does it improve MQ's performance (or maybe the opposite) ?
 
What is the general rule in this regard ? Any reply of someone from the Hursley team would be greatly apperciaited! Thanks for your help!Guy
What can you do with the new Windows Live? Find out
List Archive - Manage Your List Settings - Unsubscribe

Instructions for managing your mailing list subscription are provided in the Listserv General Users Guide available at http://www.lsoft.com

Permalink | Reply | 0 comments |
headers
Meekin, Paul | 1 Jun 2009 15:29

Re: Changing the MQ userid on Windows in a program/script

Hi Peter,

 

Trouble is tracking down these functions. I have spent days trying to figure out how to do a particular “function” in Windows (ever tried to get a comprehensive list of what software products are installed on a Windows box?) and was hoping that someone on the list might have done the donkey work!

 

And even if you do happen upon a function that seems to do what you want it only works with NT/AD security (delete as applicable) or was deprecated with Win2003 or needs VB .NET (but might work in JScript if MS bothered to give sample code).

 

Searching through MSDN – is that even possible without already knowing what you’re looking for? Only now do I understand the idea of being in a maze of twisty little passages that all look the same!

 

Cheers,

Paul

 

From: MQSeries List [mailto:MQSERIES-0lvw86wZMd9k/bWDasg6f+2wyY2g16FtwPuJ0ROkVbw@public.gmane.org] On Behalf Of Heggie, Peter
Sent: 29 May 2009 15:59
To: MQSERIES-0lvw86wZMd9k/bWDasg6f+2wyY2g16FtwPuJ0ROkVbw@public.gmane.org
Subject: Re: Changing the MQ userid on Windows in a program/script

 

all of these functions are available as Windows APIs, however I can't tell you the names. Might be through WMI. I'm sure you can find the info searching through MSDN.

 

Peter Heggie
Integration Center of Excellence
ICoE, Enterprise Technical Services
IS

National Grid
Syracuse Office Complex

Office:315-428-3193
Cell: 315-263-2210
Peter.Heggie-F0ssv5Xc6C1Wk0Htik3J/w@public.gmane.org

Please consider the environment before printing this email. 

 

 

From: MQSeries List [mailto:MQSERIES-0lvw86wZMd9k/bWDasg6f+2wyY2g16FtwPuJ0ROkVbw@public.gmane.org] On Behalf Of Meekin, Paul
Sent: Friday, May 29, 2009 10:53 AM
To: MQSERIES-0lvw86wZMd9k/bWDasg6f+2wyY2g16FtwPuJ0ROkVbw@public.gmane.org
Subject: Changing the MQ userid on Windows in a program/script

Hi,

Does anyone know if it is possible to change the id that runs the QMgr processes on Windows programmatically? I know you can use amqmjpse.exe but that requires an interactive dialogue.

Also it seems there are some (undocumented-ish) options you can use with amqmsrvn.exe but the trouble there is this seems to fire off a new process so you get no indication as to whether the command has completed or if the update has been successful.

dcomcnfg.exe is yet another means to do it but again uses an interactive dialogue.

Basically I need to be able to run a command that will accept a userid and password and set the MQ id accordingly. Any help would be very much appreciated.

Cheers

Paul Meekin

 

List Archive - Manage Your List Settings - Unsubscribe

Instructions for managing your mailing list subscription are provided in the Listserv General Users Guide available at http://www.lsoft.com

********************************************************************************
This e-mail and any files transmitted with it, are confidential to National Grid and are intended solely for the use of the individual or entity to whom they are addressed.  If you have received this e-mail in error, please reply to this message and let the sender know.

 

List Archive - Manage Your List Settings - Unsubscribe

Instructions for managing your mailing list subscription are provided in the Listserv General Users Guide available at http://www.lsoft.com


List Archive - Manage Your List Settings - Unsubscribe

Instructions for managing your mailing list subscription are provided in the Listserv General Users Guide available at http://www.lsoft.com

Permalink | Reply | 0 comments |
headers
David C. Partridge | 1 Jun 2009 15:51

Re: Changing the MQ userid on Windows in a program/script

>maze of twisty little passages that all look the same!

My goodness that takes me back a *long* way!  People still remember collosal
cave!

Dave

To unsubscribe, write to LISTSERV@... and,
in the message body (not the subject), write: SIGNOFF MQSERIES
Permalink | Reply | 0 comments |
headers
Phil Willoughby | 1 Jun 2009 16:23
Picon
Favicon

Re: Impact of disk fragmentation on MQ performance

I haven't tested this, but I suspect that there will be little to no difference for a normal system.  Your queue files won't be very busy and your logs will be contiguous anyway so there's nothing to be gained there.

If you want to try it and let us know, that'd be interesting.

Regards,

Phil Willoughby
--
Staff Software Engineer IBM Certified System Administrator - WebSphere MQ V6.0
- IBM WebSphere MQ for z/OS IBM Certified Solution Designer - WebSphere MQ V6.0
Senior Inventor IBM Certified SOA Solution Designer




From: Guy Shavitt <guy_shavitt-deqWdTs+PzCuvtTkCOosKA@public.gmane.org>
To: MQSERIES-0lvw86wZMd9k/bWDasg6f+2wyY2g16FtwPuJ0ROkVbw@public.gmane.org
Date: 01/06/2009 14:11
Subject: Impact of disk fragmentation on MQ performance




Hello,


I am running WebSphere MQ Server on Windows 2003 Server.

My question is:

is it required/recommended to run defrag on the drives used by MQ (queues, logs...) once in a while ?
Does it improve MQ's performance (or maybe the opposite) ?

What is the general rule in this regard ?   Any reply of someone from the Hursley team would be greatly apperciaited!
 
Thanks for your help!
Guy



What can you do with the new Windows Live? Find out


List Archive - Manage Your List Settings - Unsubscribe

Instructions for managing your mailing list subscription are provided in the Listserv General Users Guide available at http://www.lsoft.com







Unless stated otherwise above:
IBM United Kingdom Limited - Registered in England and Wales with number 741598.
Registered office: PO Box 41, North Harbour, Portsmouth, Hampshire PO6 3AU







List Archive - Manage Your List Settings - Unsubscribe

Instructions for managing your mailing list subscription are provided in the Listserv General Users Guide available at http://www.lsoft.com

Permalink | Reply | 1 comment |
headers
Meekin, Paul | 1 Jun 2009 16:58

Re: Changing the MQ userid on Windows in a program/script

Hi John,

 

Many thanks but will this set the userid and password used by the “IBM MQSeries” Service itself or the processes started by the Service, i.e. the QMgr processes? It’s actually the latter I am after.

 

Cheers,

Paul

 

From: MQSeries List [mailto:MQSERIES <at> LISTSERV.MEDUNIWIEN.AC.AT] On Behalf Of John Harris
Sent: 01 June 2009 15:39
To: MQSERIES <at> LISTSERV.MEDUNIWIEN.AC.AT
Subject: Re: Changing the MQ userid on Windows in a program/script

 

Hi Paul

The Windows API functions you require for manipulating the Windows Services are as follows

ChangeServiceConfig    --> which is what you need to modify predefined services.

CreateService    --> Creating a new service  etc etc

The 2 variables that you need in order to modify the userID/password are lpServiceStartName  and lpPassword .

Here is a link the the Windows SDK describing the Services API. I have only used them from within 'C' but I would expect them to be available in the Powershell scripting facility.

http://msdn.microsoft.com/en-us/library/ms681987(VS.85).aspx

I hope that helps.

 


Regards

John Harris,
Tel   : +1 678 386-3269,
Email : John_Harris <at> usa.net



 

------ Original Message ------
Received: 09:47 AM EDT, 06/01/2009
From: "Meekin, Paul" <paul.meekin <at> CITI.COM>
To: MQSERIES <at> LISTSERV.MEDUNIWIEN.AC.AT
Subject: Re: Changing the MQ userid on Windows in a program/script

Hi Peter,

 

Trouble is tracking down these functions. I have spent days trying to figure out how to do a particular “function” in Windows (ever tried to get a comprehensive list of what software products are installed on a Windows box?) and was hoping that someone on the list might have done the donkey work!

 

And even if you do happen upon a function that seems to do what you want it only works with NT/AD security (delete as applicable) or was deprecated with Win2003 or needs VB .NET (but might work in JScript if MS bothered to give sample code).

 

Searching through MSDN – is that even possible without already knowing what you’re looking for? Only now do I understand the idea of being in a maze of twisty little passages that all look the same!

 

Cheers,

Paul

 

From: MQSeries List [mailto:MQSERIES <at> LISTSERV.MEDUNIWIEN.AC.AT] On Behalf Of Heggie, Peter
Sent: 29 May 2009 15:59
To: MQSERIES <at> LISTSERV.MEDUNIWIEN.AC.AT
Subject: Re: Changing the MQ userid on Windows in a program/script

 

all of these functions are available as Windows APIs, however I can't tell you the names. Might be through WMI. I'm sure you can find the info searching through MSDN.

 

Peter Heggie
Integration Center of Excellence
ICoE, Enterprise Technical Services
IS

National Grid
Syracuse Office Complex

Office:315-428-3193
Cell: 315-263-2210
Peter.Heggie <at> us.ngrid.com

Please consider the environment before printing this email. 

 

 

From: MQSeries List [mailto:MQSERIES <at> LISTSERV.MEDUNIWIEN.AC.AT] On Behalf Of Meekin, Paul
Sent: Friday, May 29, 2009 10:53 AM
To: MQSERIES <at> LISTSERV.MEDUNIWIEN.AC.AT
Subject: Changing the MQ userid on Windows in a program/script

Hi,

Does anyone know if it is possible to change the id that runs the QMgr processes on Windows programmatically? I know you can use amqmjpse.exe but that requires an interactive dialogue.

Also it seems there are some (undocumented-ish) options you can use with amqmsrvn.exe but the trouble there is this seems to fire off a new process so you get no indication as to whether the command has completed or if the update has been successful.

dcomcnfg.exe is yet another means to do it but again uses an interactive dialogue.

Basically I need to be able to run a command that will accept a userid and password and set the MQ id accordingly. Any help would be very much appreciated.

Cheers

Paul Meekin

 

List Archive - Manage Your List Settings - Unsubscribe

Instructions for managing your mailing list subscription are provided in the Listserv General Users Guide available at http://www.lsoft.com

********************************************************************************
This e-mail and any files transmitted with it, are confidential to National Grid and are intended solely for the use of the individual or entity to whom they are addressed.  If you have received this e-mail in error, please reply to this message and let the sender know.

 

List Archive - Manage Your List Settings - Unsubscribe

Instructions for managing your mailing list subscription are provided in the Listserv General Users Guide available at http://www.lsoft.com

 

List Archive - Manage Your List Settings - Unsubscribe

Instructions for managing your mailing list subscription are provided in the Listserv General Users Guide available at http://www.lsoft.com

 

 

 

List Archive - Manage Your List Settings - Unsubscribe

Instructions for managing your mailing list subscription are provided in the Listserv General Users Guide available at http://www.lsoft.com

Permalink | Reply | 0 comments |
headers
Meekin, Paul | 2 Jun 2009 11:02

Re: Changing the MQ userid on Windows in a program/script

Thanks Iqbal,

 

Don’t know how I missed that! It seems that you can run amqmjpse.exe in silent mode and it will accept the userid and password in the MQParms file. I have tested this and it works.

 

Unfortunately it still doesn’t quite meet my requirements as the command seems to start a new process and then terminates so I am not getting any response as to whether or not the operation was successful.

 

However, the ability to encrypt the MQParms file could be very useful. If only there were some way of determining if the amqmjpse has been successful......

 

From: Iqbal Yusaf [mailto:iqbal-wRXphNV3rPE@public.gmane.org]
Sent: 01 June 2009 19:09
To: Meekin, Paul [CCC-OT_IT]
Subject: RE: Changing the MQ userid on Windows in a program/script

 

Hi Paul,

 

A quick check of the IBM doc indicates amqmjpse may be run in silent mode and with an input file (MQParms parameter file) so this may fulfil your requirement for a solution with no user interaction.

 

You could also check out Microsoft Windows PowerShell with or without the “PowerShell for IBM WebSphere MQ” supportpac from IBM.

 

M074: WebSphere MQ –Windows PowerShell Library

http://www-01.ibm.com/support/docview.wss?rs=171&uid=swg24017698

 

Example scripts for manipulating Active Directory may be found here:

http://www.microsoft.com/technet/scriptcenter/scripts/ad/users/default.mspx?mfr=true

 

Please do post your solution to the list if any of these options work for you.

 

Good luck!

 

Iqbal Yusaf

San Francisco, CA

 

 

From: Meekin, Paul [mailto:paul.meekin-qa95pOAvxZY@public.gmane.org]
Sent: Monday, June 01, 2009 6:30 AM
Subject: Re: Changing the MQ userid on Windows in a program/script

 

Hi Peter,

 

Trouble is tracking down these functions. I have spent days trying to figure out how to do a particular “function” in Windows (ever tried to get a comprehensive list of what software products are installed on a Windows box?) and was hoping that someone on the list might have done the donkey work!

 

And even if you do happen upon a function that seems to do what you want it only works with NT/AD security (delete as applicable) or was deprecated with Win2003 or needs VB .NET (but might work in JScript if MS bothered to give sample code).

 

Searching through MSDN – is that even possible without already knowing what you’re looking for? Only now do I understand the idea of being in a maze of twisty little passages that all look the same!

 

Cheers,

Paul

 

From: MQSeries List [mailto:MQSERIES-0lvw86wZMd9k/bWDasg6f+2wyY2g16FtwPuJ0ROkVbw@public.gmane.org] On Behalf Of Heggie, Peter
Sent: 29 May 2009 15:59
To: MQSERIES-0lvw86wZMd9k/bWDasg6f+2wyY2g16FtwPuJ0ROkVbw@public.gmane.org
Subject: Re: Changing the MQ userid on Windows in a program/script

 

all of these functions are available as Windows APIs, however I can't tell you the names. Might be through WMI. I'm sure you can find the info searching through MSDN.

 

Peter Heggie
Integration Center of Excellence
ICoE, Enterprise Technical Services
IS

National Grid
Syracuse Office Complex

Office:315-428-3193
Cell: 315-263-2210
Peter.Heggie-F0ssv5Xc6C1Wk0Htik3J/w@public.gmane.org

Please consider the environment before printing this email. 

 

 

From: MQSeries List [mailto:MQSERIES-0lvw86wZMd9k/bWDasg6f+2wyY2g16FtwPuJ0ROkVbw@public.gmane.org] On Behalf Of Meekin, Paul
Sent: Friday, May 29, 2009 10:53 AM
To: MQSERIES-0lvw86wZMd9k/bWDasg6f+2wyY2g16FtwPuJ0ROkVbw@public.gmane.org
Subject: Changing the MQ userid on Windows in a program/script

Hi,

Does anyone know if it is possible to change the id that runs the QMgr processes on Windows programmatically? I know you can use amqmjpse.exe but that requires an interactive dialogue.

Also it seems there are some (undocumented-ish) options you can use with amqmsrvn.exe but the trouble there is this seems to fire off a new process so you get no indication as to whether the command has completed or if the update has been successful.

dcomcnfg.exe is yet another means to do it but again uses an interactive dialogue.

Basically I need to be able to run a command that will accept a userid and password and set the MQ id accordingly. Any help would be very much appreciated.

Cheers

Paul Meekin

 

List Archive - Manage Your List Settings - Unsubscribe

Instructions for managing your mailing list subscription are provided in the Listserv General Users Guide available at http://www.lsoft.com

********************************************************************************
This e-mail and any files transmitted with it, are confidential to National Grid and are intended solely for the use of the individual or entity to whom they are addressed.  If you have received this e-mail in error, please reply to this message and let the sender know.

 

List Archive - Manage Your List Settings - Unsubscribe

Instructions for managing your mailing list subscription are provided in the Listserv General Users Guide available at http://www.lsoft.com

 

List Archive - Manage Your List Settings - Unsubscribe

Instructions for managing your mailing list subscription are provided in the Listserv General Users Guide available at http://www.lsoft.com


List Archive - Manage Your List Settings - Unsubscribe

Instructions for managing your mailing list subscription are provided in the Listserv General Users Guide available at http://www.lsoft.com

Permalink | Reply | 0 comments |
headers
Thomas, Don | 2 Jun 2009 14:30
Picon

Looking for doco on Active/Passive HA set up




Listers,
        I'm looking for doco on setting up MQ in an Active/Passive arrangement on a Solaris platform. Any pointers would be appreciated.

TIA,

Don


List Archive - Manage Your List Settings - Unsubscribe

Instructions for managing your mailing list subscription are provided in the Listserv General Users Guide available at http://www.lsoft.com

Permalink | Reply | 1 comment |
headers
Robert, Andrew | 2 Jun 2009 14:31

Re: Looking for doco on Active/Passive HA set up

Check out support pack mc91
 

Andrew Robert
MQ Architect
Information Technologies
MFS Investment Services
Phone: 617-954-5882
Mobile: 617-838-7759
E-mail: arobert-tT5qeM1EjDQ@public.gmane.org

 

From: MQSeries List [mailto:MQSERIES-0lvw86wZMd9k/bWDasg6f+2wyY2g16FtwPuJ0ROkVbw@public.gmane.org] On Behalf Of Thomas, Don
Sent: Tuesday, June 02, 2009 8:30 AM
To: MQSERIES-0lvw86wZMd9k/bWDasg6f+2wyY2g16FtwPuJ0ROkVbw@public.gmane.org
Subject: Looking for doco on Active/Passive HA set up




Listers,
        I'm looking for doco on setting up MQ in an Active/Passive arrangement on a Solaris platform. Any pointers would be appreciated.

TIA,

Don


List Archive - Manage Your List Settings - Unsubscribe

Instructions for managing your mailing list subscription are provided in the Listserv General Users Guide available at http://www.lsoft.com

MFS Mail Relay Service made the following annotation on 06/02/09, 08:31:52
---------------------------------------------------------------------------------------------------------------------------------------
This email communication and any attachments may contain proprietary, confidential, or privileged information. If you are not the intended recipient, you are hereby notified that you have received this email in error and that any review, disclosure, dissemination, distribution or copying of it or its contents is prohibited. The sender does not waive confidentiality or any privilege by mistransmission. If you have received this email in error, please notify the sender immediately, delete this email, and destroy all copies and any attachments. ==============================================================================
List Archive - Manage Your List Settings - Unsubscribe

Instructions for managing your mailing list subscription are provided in the Listserv General Users Guide available at http://www.lsoft.com

Permalink | Reply | 0 comments |
headers
Jefferson Lowrey | 2 Jun 2009 14:33
Picon
Favicon

Re: Changing the MQ userid on Windows in a program/script


I thought one of the options on amqmdain let you change the dcomcfg user.

-Jeff Lowrey


From: "Meekin, Paul" <paul.meekin-qa95pOAvxZY@public.gmane.org>
To: MQSERIES-0lvw86wZMd9k/bWDasg6f+2wyY2g16FtwPuJ0ROkVbw@public.gmane.org
Date: 06/02/2009 05:10 AM
Subject: Re: [MQSERIES] Changing the MQ userid on Windows in a program/script




Thanks Iqbal,
 
Don’t know how I missed that! It seems that you can run amqmjpse.exe in silent mode and it will accept the userid and password in the MQParms file. I have tested this and it works.
 
Unfortunately it still doesn’t quite meet my requirements as the command seems to start a new process and then terminates so I am not getting any response as to whether or not the operation was successful.
 
However, the ability to encrypt the MQParms file could be very useful. If only there were some way of determining if the amqmjpse has been successful......
 
From: Iqbal Yusaf [mailto:iqbal <at> rtik.com]
Sent: 01 June 2009 19:09
To: Meekin, Paul [CCC-OT_IT]
Subject: RE: Changing the MQ userid on Windows in a program/script
 
Hi Paul,
 
A quick check of the IBM doc indicates amqmjpse may be run in silent mode and with an input file (MQParms parameter file) so this may fulfil your requirement for a solution with no user interaction.
 
You could also check out Microsoft Windows PowerShell with or without the “PowerShell for IBM WebSphere MQ” supportpac from IBM.
 
M074: WebSphere MQ –Windows PowerShell Library
http://www-01.ibm.com/support/docview.wss?rs=171&uid=swg24017698
 
Example scripts for manipulating Active Directory may be found here:
http://www.microsoft.com/technet/scriptcenter/scripts/ad/users/default.mspx?mfr=true
 
Please do post your solution to the list if any of these options work for you.
 
Good luck!
 
Iqbal Yusaf
San Francisco, CA
 
 
From: Meekin, Paul [mailto:paul.meekin-qa95pOAvxZY@public.gmane.org]
Sent: Monday, June 01, 2009 6:30 AM
Subject: Re: Changing the MQ userid on Windows in a program/script
 
Hi Peter,
 
Trouble is tracking down these functions. I have spent days trying to figure out how to do a particular “function” in Windows (ever tried to get a comprehensive list of what software products are installed on a Windows box?) and was hoping that someone on the list might have done the donkey work!
 
And even if you do happen upon a function that seems to do what you want it only works with NT/AD security (delete as applicable) or was deprecated with Win2003 or needs VB .NET (but might work in JScript if MS bothered to give sample code).
 
Searching through MSDN – is that even possible without already knowing what you’re looking for? Only now do I understand the idea of being in a maze of twisty little passages that all look the same!
 
Cheers,
Paul
 
From: MQSeries List [mailto:MQSERIES-0lvw86wZMd9k/bWDasg6f+2wyY2g16FtwPuJ0ROkVbw@public.gmane.org] On Behalf Of Heggie, Peter
Sent: 29 May 2009 15:59
To: MQSERIES-0lvw86wZMd9k/bWDasg6f+2wyY2g16FtwPuJ0ROkVbw@public.gmane.org
Subject: Re: Changing the MQ userid on Windows in a program/script
 
all of these functions are available as Windows APIs, however I can't tell you the names. Might be through WMI. I'm sure you can find the info searching through MSDN.
 

Peter Heggie
Integration Center of Excellence
ICoE, Enterprise Technical Services
IS

National Grid
Syracuse Office Complex

Office:315-428-3193
Cell: 315-263-2210
Peter.Heggie-F0ssv5Xc6C1Wk0Htik3J/w@public.gmane.org

Please consider the environment before printing this email.  
 
 



From: MQSeries List [mailto:MQSERIES-0lvw86wZMd9k/bWDasg6f+2wyY2g16FtwPuJ0ROkVbw@public.gmane.org] On Behalf Of Meekin, Paul
Sent: Friday, May 29, 2009 10:53 AM
To: MQSERIES-0lvw86wZMd9k/bWDasg6f+2wyY2g16FtwPuJ0ROkVbw@public.gmane.org
Subject: Changing the MQ userid on Windows in a program/script

Hi,

Does anyone know if it is possible to change the id that runs the QMgr processes on Windows programmatically? I know you can use amqmjpse.exe but that requires an interactive dialogue.

Also it seems there are some (undocumented-ish) options you can use with amqmsrvn.exe but the trouble there is this seems to fire off a new process so you get no indication as to whether the command has completed or if the update has been successful.

dcomcnfg.exe is yet another means to do it but again uses an interactive dialogue.

Basically I need to be able to run a command that will accept a userid and password and set the MQ id accordingly. Any help would be very much appreciated.

Cheers

Paul Meekin
 



List Archive - Manage Your List Settings - Unsubscribe

Instructions for managing your mailing list subscription are provided in the Listserv General Users Guide available at http://www.lsoft.com

********************************************************************************
This e-mail and any files transmitted with it, are confidential to National Grid and are intended solely for the use of the individual or entity to whom they are addressed.  If you have received this e-mail in error, please reply to this message and let the sender know.
 



List Archive - Manage Your List Settings - Unsubscribe

Instructions for managing your mailing list subscription are provided in the Listserv General Users Guide available at http://www.lsoft.com


 


List Archive - Manage Your List Settings - Unsubscribe

Instructions for managing your mailing list subscription are provided in the Listserv General Users Guide available at http://www.lsoft.com



List Archive - Manage Your List Settings - Unsubscribe

Instructions for managing your mailing list subscription are provided in the Listserv General Users Guide available at http://www.lsoft.com


List Archive - Manage Your List Settings - Unsubscribe

Instructions for managing your mailing list subscription are provided in the Listserv General Users Guide available at http://www.lsoft.com

Permalink | Reply | 0 comments |
headers
T-Rob | 2 Jun 2009 15:00
Picon
Favicon

Re: Security issues poll

Thanks, Ray!

-- T.Rob

MQSeries List <MQSERIES@...> wrote on
05/29/2009 
03:24:52 PM:

> [image removed] 
> 
> Re: Security issues poll
> 
> Ray Powers 
> 
> to:
> 
> MQSERIES
> 
> 05/29/2009 03:25 PM
> 
> Sent by:
> 
> MQSeries List <MQSERIES@...>
> 
> Please respond to MQSeries List
> 
> >0) Achieving a secure messaging network requires deep skills and too 
many
> >individual tasks.
> This is particularly a problem for us at Hewitt when setting up WMQ
> connections with 3rd parties, as it often takes considerable extra time 
to
> ensure that the external party has sufficient security to protect the 
data
> we send and receive.  It took one party 7 months to implement security 
in
> their system, and we had to abandon using WMQ with another party because
> they just didn't have the people with the skills needed.
> 
> >1) Securing remote admin access requires provisioning user IDs and 
groups,
> >in some cases hundreds of them.
> This has been a significant effort for us to implement.  It is, in part, 
the
> same as #0, as this is a lot of work and understanding to know what is
> needed and why.  Basic security of Admin access should be basic to 
implement.
> 
> >2) Clusters cannot be secured to the same level of granularity as a
> >point-to-point network (different MCAUSER per remote node).
> This is a serious concern for Hewitt.  We have applications with 
hundreds of
> clustered queues that are accessed across dozens of QMgrs spanning 
multiple
> platforms.  We have done what we can to reduced the security exposure. 
> However, the cluster is still a weak link in the security of our WMQ
> environment.
> 
> >3) No way to strongly authenticate messages arriving on the command
> >server.
> This might be nice to have.  However, this doesn't represent as big a
> concern for us as the others in this list.
> 
> >4) Ordinary users with sufficient authorization can place messages onto
> >QMgr internal queues such as the channel sync queue.
> The consequence of having any holes in our security is that users may 
gain
> access to system queues (like INITQs).  That access means an otherwise 
minor
> risk, now becomes potential remote code execution (in the case of 
INITQs) or
> DoS risk (for channel sync queues and others).  So, nearly every 
security
> exposure in our WMQ environment has to be treated as a major risk.  This 
is
> a big issue for our business.
> 
> >5) Not able to control whether report options are honored.  (COA/COD
> >spoofing.)
> I just learned about this risk at IMPACT, and I don't know how to lock 
it
> down other than changing the applications that get messages from the 
queues
> (a slow and arduous process at best).  If there is a way to change WMQ 
to do
> this, it would be a significant benefit.
> 
> >6) Users not in the mqm group generate a 2035 and auth event when
> >displaying queues in WMQ explorer, M071, etc.
> The use of WMQ Explorer and MO71 are limited to the WMQ Admins here. So,
> this is not a big concern for us.  However, the reason we only allow the 
WMQ
> Admins access to these tools is that there are too many security 
concerns
> with letting others use them.
> 
> I would also like to add #7. 
> 7) The process to apply WMQ maintenance, including security patches, 
takes a
> long time to deploy across a large WMQ shop.
> -
> At Hewitt, it can easily take a couple years to get maintenance applied
> across our entire WMQ environment, and by that time (at least lately),
> another vulnerability in the WMQ product has been publicized.  Thus, it
> seems that we can never get to a level of maintenance across our whole
> environment that is current enough to be secure.  (#4 above makes this 
an
> even bigger problem).
> One of the keys to this problem is that the applications that use WMQ 
must
> be down while installing WMQ maintenance.  Though the really big
> applications have enough redundancy across multiple servers that this is 
not
> a big issue for them, most of our applications do not.  This means that 
the
> patches can only be applied during a limited window of time, by people 
who
> have "root" (or equivalent) authority (and those people are quite busy
> during these limited windows).
> 
> Ray Powers
> Hewitt Associates

To unsubscribe, write to LISTSERV@... and,
in the message body (not the subject), write: SIGNOFF MQSERIES
Permalink | Reply | 0 comments |

Gmane