This morning I noticed a new blog posting over at IBM’s MQdev Blog called Compiling IBM MQ sample programs on AIX platform using XL C/C++ Compiler by Prema Laxmanachar.
This is a prime example of someone starting out with a good intentions but takes a short-cut and ends up writing an extremely bad MQ security article.
The first MQ security issue is:
def chl(C) chltype(svrconn) trptype(tcp) sslcauth(optional) mcauser(‘mqm’)
If the MQ authorizations are done correctly then there is ABSOLUTELY no need to put ‘mqm’ for the UserID in the channel definition. By doing this, you are giving ‘god’ (full) authority for any and all users connecting on that channel.
The next MQ security blunder is:
SET CHLAUTH(‘SYSTEM.DEF.SVRCONN’) TYPE(ADDRESSMAP) ADDRESS(‘*’) USERSRC(CHANNEL)
SET CHLAUTH(‘*’) TYPE(BLOCKUSER) ACTION(REMOVEALL)
ALTER AUTHINFO(SYSTEM.DEFAULT.AUTHINFO.IDPWOS) AUTHTYPE(IDPWOS) CHCKCLNT(OPTIONAL)
alter qmgr CHLAUTH(DISABLED)
REFRESH SECURITY(*) TYPE(CONNAUTH)
What in the world is this person thinking. They are disabling CHLAUTH and CONNAUTH security for that particular queue manager. Stupid, stupid, stupid thing to recommend.
I realize that Prema Laxmanachar is trying to demonstrate his newly compiled MQ applications but you don’t disable MQ security to do it. People from around the world will copy this information and then setup their MQ QA and/or production environments with it and say that they got it from IBM.
Bad, bad, bad, very bad idea posting this information in an IBM blog. And you wonder why there are so many security breaches in companies when you have IBM people posting in blogs how to disable security. Ahhhhhhhhhhhhhhhhhhhhhhhhh. I spend my life trying to get companies to actually do proper security then you see a blog posting like this and I just blow my top.
I put the following comment on the blog:
You have some issues with your blog posting.
(1) Fix the table compiler table so that the columns actually line up
(2) Small annoyance but you do know the difference between the PrtScn button and the Alt-PrtScn button. If not google it.
(3) Never ever tell someone to put ‘mqm’ in the SVRCONN channel definition. Basically, you are giving full authority to any AND all users that connect to that channel. Bad, VERY bad idea.
(4) Never ever tell someone to turn off security (CHLAUTH & CONNAUTH) in MQ. I don’t care that you are showing someone how to do a quick test of a newly compiled application, this is WRONG.
People in the real world will copy what you have done and actually put it into a production MQ environment and say that they got the instructions from IBM.
What you have posted is WRONG and either needs to be corrected immediately or your blog posting deleted.
Never ever post information that its ok to circumvent MQ security.
Hopefully, someone will wake up and smell the coffee and either fix the article or delete it.