Securing messaging directories and log files

Use this task to restrict access to the /var/mqm directories and log files needed for WebSphere embedded messaging or WebSphere MQ as the JMS provider.

 

Overview

You need to set the permissions described in this topic, to reduce the risk of severe security exposures.

Note: The /var file system is used to store all the security logging information for the system, and is used to store the temporary files for email and printing. Therefore, it is critical that you maintain free space in /var for these operations and prevent unauthorized access to the file system. If you do not create a separate file system for messaging data, and /var fills up, all security logging will be stopped on the system until some free space is available in /var. Also, email and printing will no longer be possible until some free space is available in /var.

This procedure involves steps that you complete at different stages of installing and using IBM WebSphere Application Server, as described below. The steps are also described at appropriate points in other tasks, but are collected here for completeness.

This procedure applies only to the ordinary UNIX file system. If your site uses access-control lists, secure the files by using that mechanism. Any site-specific requirements can affect the desired owner, group and corresponding privileges. For example, on AIX, complete the following steps:

1. Before installing WebSphere embedded messaging or WebSphere MQ, create and mount a journalized file system called /var/mqm.Use a partition strategy with a separate volume for the messaging data. This means that other system activity is not affected if a large amount of messaging work builds up in /var/mqm.

2. Install WebSphere embedded messaging or WebSphere MQ as the JMS provider.

   This stage is described in the following topics:

   • Installing WebSphere embedded messaging as the JMS provider

   • Installing WebSphere MQ as the JMS provider

   As part of this stage, the installation program creates the /var/mqm/errors and /var/mqm/qmgrs/@SYSTEM/errors directories used to hold messaging logging files.

3. Restrict access to the /var/mqm/errors directory and the logging files, by using the following commands:

   chmod 3777 /var/mqm/errors
   chown mqm:mqm /var/mqm/errors
   
   touch /var/mqm/errors/AMQERR01.LOG 
   chown mqm:mqm /var/mqm/errors/AMQERR01.LOG
   chmod 666 /var/mqm/errors/AMQERR01.LOG
   
   touch /var/mqm/errors/AMQERR02.LOG
   chown mqm:mqm /var/mqm/errors/AMQERR02.LOG
   chmod 666 /var/mqm/errors/AMQERR02.LOG
   
   touch /var/mqm/errors/AMQERR03.LOG
   chown mqm:mqm /var/mqm/errors/AMQERR03.LOG 
   chmod 666 /var/mqm/errors/AMQERR03.LOG
   

4. Restrict access to the /var/mqm/qmgrs/@SYSTEM/errors directory and the logging files, by using the following commands:

   chmod 3777 /var/mqm/qmgrs/@SYSTEM/errors
   chown mqm:mqm /var/mqm/qmgrs/@SYSTEM/errors
   
   touch /var/mqm/qmgrs/@SYSTEM/errors/AMQERR01.LOG 
   chown mqm:mqm /var/mqm/qmgrs/@SYSTEM/errors/AMQERR01.LOG
   chmod 666 /var/mqm/qmgrs/@SYSTEM/errors/AMQERR01.LOG
   
   touch /var/mqm/qmgrs/@SYSTEM/errors/AMQERR02.LOG
   chown mqm:mqm /var/mqm/qmgrs/@SYSTEM/errors/AMQERR02.LOG
   chmod 666 /var/mqm/qmgrs/@SYSTEM/errors/AMQERR02.LOG
   
   touch /var/mqm/qmgrs/@SYSTEM/errors/AMQERR03.LOG
   chown mqm:mqm /var/mqm/qmgrs/@SYSTEM/errors/AMQERR03.LOG 
   chmod 666 /var/mqm/qmgrs/@SYSTEM/errors/AMQERR03.LOG
   

5. For each appserver that uses WebSphere embedded messaging or WebSphere MQ, restrict access to the server's /var/mqm/qmgrs/long_server_name/errors directory and its messaging logging files.You should restrict access to the server's directory and logging files, as soon after creating the appserver as possible.

   To restrict access to the server's directory and logging files, use the following commands:

   chmod 3775 /var/mqm/qmgrs/long_server_name/errors
   chown mqm:mqm /var/mqm/qmgrs/long_server_name/errors
   
   touch /var/mqm/qmgrs/long_server_name/errors/AMQERR01.LOG 
   chown mqm:mqm /var/mqm/qmgrs/long_server_name/errors/AMQERR01.LOG
   chmod 666 /var/mqm/qmgrs/long_server_name/errors/AMQERR01.LOG
   
   touch /var/mqm/qmgrs/long_server_name/errors/AMQERR02.LOG
   chown mqm:mqm /var/mqm/qmgrs/long_server_name/errors/AMQERR02.LOG
   chmod 666 /var/mqm/qmgrs/long_server_name/errors/AMQERR02.LOG
   
   touch /var/mqm/qmgrs/long_server_name/errors/AMQERR03.LOG
   chown mqm:mqm /var/mqm/qmgrs/long_server_name/errors/AMQERR03.LOG 
   chmod 666 /var/mqm/qmgrs/long_server_name/errors/AMQERR03.LOG
   

   Where long_server_name is the long name assigned to the server, in the following form: WAS_nodename_server. For example, if you created an appserver called server1 to run on the node called appnode1, the long server name would be: WAS_appnode1_server1.

 

Results

This task has restricted access to the /var/mqm directories and log files needed for WebSphere embedded messaging or WebSphere MQ as the JMS provider, such that only the user ID mqm or members of the mqm user group have write access.

---

Installing and configuring a JMS provider
Moving from the embedded WebSphere JMS provider to WebSphere MQ
Running an Application Server from a non-root user and the nodeagent from root
Running an Application Server and node agent from a non-root user
    

 

---