Original Message:
Sent: Fri August 12, 2022 05:13 AM
From: Morag Hughson
Subject: MQ monitoring via ScienceLogic
I also concur that they likely said "add it to the mqm group" just to save the effort of granting the required authorities via setmqaut. An application cannot distinguish whether it is gain the authorities from one mechanism or the other, so if you prefer to use setmqaut, then there should be no issues with that.
btw - @Martin Evans was not saying that he was going to have a conversation with Science Logic where he said "I think I would contact ScienceLogic and ask..", he was suggesting that this is what you should do. A quirk of English speakers!
I am also curious why you are using such an out of date version of MQ with V6?
Cheers,
Morag
------------------------------
Morag Hughson
MQ Technical Education Specialist
MQGem Software Limited
Website: https://www.mqgem.com
Original Message:
Sent: Thu August 11, 2022 09:59 AM
From: Nishchal Gahoi
Subject: MQ monitoring via ScienceLogic
Thank you Martin for the prompt response .
Even i don't see anything on the client connection in the install guide .
I completely agree with the point # 3 .
I will wait for the outcome of your conversation with Science Logic .
Apologies for not mentioning it earlier , but the MQ being monitored is MQ v6
------------------------------
Nishchal Gahoi
Original Message:
Sent: Thu August 11, 2022 08:57 AM
From: Martin Evans
Subject: MQ monitoring via ScienceLogic
Hi Nishchal,
It's not clear from the documentation but they might be connecting via SSH/remote shell and executing commands remotely, and that might explain why there is no channel name or MQ listener port that has to be set - so far as I can see. I think I would contact ScienceLogic and ask if they are using an MQ client connection with username/password over a TLS channel; I had a quick look at the install guide and it's not clear to me that they are. If they are making an MQ client connection then this would be the minimum level of protection I would expect to see.
They are probably asking you to add the user to the 'mqm' group to avoid setting permissions manually, if the user is going to perform a full admin function then this is probably OK but you need to ensure there is a strong authentication mechanism in place.
Keep in mind that if they are using a single user/service account on the MQ server, all audit events will appear to be from that user - if that is the case then you would want to ensure the application audits the actions on a per user basis so that you can see exactly who made a change.
------------------------------
Regards,
Martin Evans
IBM MQ Technical Product Manager
Original Message:
Sent: Tue August 09, 2022 04:24 AM
From: Nishchal Gahoi
Subject: MQ monitoring via ScienceLogic
Hello all the community members
Hi Team
I am trying to do a POC for IBM MQ monitoring via Science logic.
I went through the document and the pre requisites section .
Configuring IBM MQ Monitoring
| Sciencelogic |
remove preview |
|
| Configuring IBM MQ Monitoring |
| Configuration and Discovery The following sections describe how to configure and discover IBM MQ messaging systems for monitoring by SL1 using the PowerPack: To configure the SL1 system to monitor IBM MQ messaging systems using the PowerPack, you must first perform the following: NOTE: Users monitoring MQ on Linux servers do not need to perform these steps. |
| View this on Sciencelogic > |
|
|
My Concern is why the SSH CREDENTIALS ARE required to BE ADDED IN HIGHLY PRIVILEGED MQ I.e mqm group.
If a user is added into a mqm group , it acquires all the privileges as that of MQ administration and can performs the tasks such as deleting the MQ Queue Manager which is not the intended task of a monitoring application .
MQ has got the feature to grant the exclusive authorisation ( using setmqaut )
Kindly let me know if I am missing anything.
------------------------------
Nishchal Gahoi
------------------------------