Just to make a correction to my previous note before anyone jumps in: The reason why I want to leave the MCAUSER blank is so that I can tell who put the message on the the queue. Status of Svrconn does not show the userid but the connectin name, which is OK.
Thanks, Ruzi --- Ruzi R <[EMAIL PROTECTED]> wrote: > > But if you've got relatively few access levels, > you > > can define a svrconn > > with appropriate MCAUSER for each and then > restrict > > which users are > > permitted to use which connections from the exit. > > Thanks Dennis. However, I think it would be safe and > maybe better to leave MCAUSER blank. Because > BLOCKIP2 will allow only the users (and IP > addresses) > in the security exit file anyway. This would come in > handy during a problem investigation -- for example, > things like inquiring the status of the svrconn > channel or the userid of the message on the queue > etc. would indicate the actual user rather than the > group userid. > > Ruzi > --- "Miller, Dennis" <[EMAIL PROTECTED]> wrote: > > I took a look at the BLOCKIP2 URL provided by SID. > > Very neat. I did > > notice that BLOCKIP2 only supports setting the > > MCAUSER on SSL channels. > > But if you've got relatively few access levels, > you > > can define a svrconn > > with appropriate MCAUSER for each and then > restrict > > which users are > > permitted to use which connections from the exit. > > > > > > > > -----Original Message----- > > From: Ruzi R [mailto:[EMAIL PROTECTED] > > Sent: Friday, March 12, 2004 11:49 AM > > To: [EMAIL PROTECTED] > > Subject: Re: Many Client connections - how many > > svrconn channels? > > > > > > Dennis, > > > > BlockIP2 is the latest version of BlockIP. It is a > > secrity exit program. I don't have the link on the > > computer that I am using right now. Maybe, someone > > on > > the list will post it. It basically lets you > > specify > > the "userids and the IP addresses" from which the > > client connections will be made. > > > > Most (if not all) of these clients will have the > > same authority. I am > > thinking of leaving the MCAUSER blank on an > svrconn > > and specify the > > userids in a file to be used by the security exit. > I > > think this would do > > what I want to acheive. Maybe I could secure this > > file by giving access > > only to MQ admins and MUSR_MQADMIN. > > > > What would you or or anyone else suggest? > > > > Thanks, > > > > Ruzi > > > > > > --- "Miller, Dennis" <[EMAIL PROTECTED]> wrote: > > > I don't see the point of dedicating svrconn's to > a > > > specific number of > > > clients. Dedicating a svrconn a specific > MCAUSER > > > and sharing it among > > > many clients is a different story. Seems you > > would > > > only need one > > > MCAUSER+srvrconn for each authority level. > > > > > > But to gain a semblence of security from either > of > > > those schemes, you > > > still need to control client access to the > > > srvrcon's. Not sure how you > > > accomplish that. Unfortunately, I do not know > > what > > > BlockIP2 is > > > about(and neither does Google). > > > > > > -----Original Message----- > > > From: Ruzi R [mailto:[EMAIL PROTECTED] > > > Sent: Thursday, March 11, 2004 12:35 PM > > > To: [EMAIL PROTECTED] > > > Subject: Many Client connections - how many > > svrconn > > > channels? > > > > > > > > > Hi all, > > > > > > We have over 200 users requiring client > connection > > > from their Windows2000 workstations to the queue > > > managers on Windows 2000 (WMQ 5.3). The company > > does > > > not have and is unwilling to buy any third > > product > > > right now or in the foreseeable future. > > > > > > I have set up 10-15 users with a dedicated > SVRCONN > > > channels with the MCUSER set to their respective > > > userids and giving each userid a limited access. > > > I > > > have started using BlockIP2 as well. I have > > brought > > > up the use of SSL but the company is reluctant > to > > > do > > > that (I don t know about all the concerns > > > surrounding > > > the issue probably something political that I > > don > > > t > > > get involved in as a contractor). > > > > > > Because I want to make the client connections as > > > secure as possible with what I have at my > > disposal, > > > I > > > feel that I should set up the rest of the 200 > > > clients > > > (most of whom will be in the Prod env.) the > same > > > way > > > as the others: Dedicated svrconn channel with > > > MCAUSER > > > populated with a userid having limited access, > and > > > IPBlock2. But then again, since all of the > > > interfaces > > > are internal, maybe I could dedicate 1 svrconn > to, > > > say, 20 people. I can still give limited access > to > > > the > > > users, leave the MCUSER blank and specify the > > valid > > > IP addresses in > > > IPBlock2. What do you think? Any ideas/insights > > > would be much > > > appreciated. > > > > > > Thanks in advance, > > > > > > Ruzi > > > > > > Instructions for managing your mailing list > > > subscription are provided in > > > the Listserv General Users Guide available at > > http://www.lsoft.com > > > Archive: > http://vm.akh-wien.ac.at/MQSeries.archive > > > > > > Instructions for managing your mailing list > > > subscription are provided in > > > the Listserv General Users Guide available at > > http://www.lsoft.com > > > Archive: > http://vm.akh-wien.ac.at/MQSeries.archive > > > > Instructions for managing your mailing list > > subscription are provided in > > the Listserv General Users Guide available at > > http://www.lsoft.com > > Archive: http://vm.akh-wien.ac.at/MQSeries.archive > > > > Instructions for managing your mailing list > > subscription are provided in > > the Listserv General Users Guide available at > > http://www.lsoft.com > > Archive: http://vm.akh-wien.ac.at/MQSeries.archive > > Instructions for managing your mailing list subscription are provided in the Listserv General Users Guide available at http://www.lsoft.com Archive: http://vm.akh-wien.ac.at/MQSeries.archive
