Neuron ESB User Network

The Service Bus for the Connected Business

Hi,

Neuron generates powershell scripts to create queues for Topics that use the Msmq transport. These scripts create unauthenticated queues with full access to Everyone, as in:

$qnew.SetPermissions("Everyone", [System.Messaging.MessageQueueAccessRights]::FullControl)

$qnew.SetPermissions("Anonymous Logon", [System.Messaging.MessageQueueAccessRights]::FullControl)

What I want is to create the queues as

$qnew.SetPermissions("user@domain", [System.Messaging.MessageQueueAccessRights]::FullControl)
$qnew.SetPermissions("Administrators", [System.Messaging.MessageQueueAccessRights]::FullControl)
$qnew.Authenticate = "True"

How can I configure the Topic's security for this to work? The Msmq transport gives you a few security options in the right-hand properties. If I select 'Message' as the Security Mode and the Message Credential Type as 'Windows' or 'UserName', what user is actually used to communicate with MSMQ?? (there is no option to specify the user name) Is it the user configured for the endpoint of the topic? If user@domain has access to the queues how can I tell Neuron to use that user to accesss the queues?

Thanks 

Tags: msmq, security

Views: 423

Reply to This

Replies to This Discussion

Hi,

You can make the permissions more restrictive...but you definitely want to test.  When you do test (i.e. by sending a message to the bus...and successfully receiving it) make sure you enable WCF tracing through the logging options exposed through the Configure Server button of the Neuron ESB Explorer. There are many errors that, Microsoft's WCF team, in their infinite wisdom decided NOT to expose to anyone using their bindings.  This is the only way you can capture some of these...so it's something you want to enable when configuring and testing your environment.  However, once you're done....disable it, as it will generate lots of data...

Let's start by the actual queues that Neuron will require.  There are Topic specific queues, and Party specific queues. Each Topic and Party will have a pair of queues associated with it.  One that supports transactions, and the other that does not. The ones that do not, always have their name appended with the extension "_nontransactional".

 

The naming convention for Topics is:

 

          'topicName'

          'topicName_nontransactional' 

 

The naming convention for Parties is:

 

          'partyName_topicName'

          'partyName_topicName_nontransactional' 

Our new request/reply queues are slightly different whereas they use the "nt" extension to denote non transactional queues. There will be a pair for every party:

          'partyName_topicName_req'

          'partyName_topicName_rsp''

          'partyName_topicName_nt_req'

          'partyName_topicName_nt_rsp''

by default, ALL the queues that Neuron ESB creates (or generates scripts for) have the following permissions:

 

          Everyone - Full rights

          physical machine (defined as machinename$) - Get Properties, Get Permissions

          Administrator - Full rights

          Anonymous Logon - Full rights.

 

There are two scenarios you have to consider when attempting to apply more restrictive permissions to the Neuron ESB queues.  The first one is enabling the Neuron ESB Service to read (not just peek) from the topic based queue and distribute (write) to the party queues.

 

To accomplish this, the best route is to run the Neuron ESB service under a domain user account that is also an admin on the local Neuron ESB machine. Then, on the remote (or local) MSMQ machine, you can add the new Neuron ESB Service account to the Security tab of the Topic queues and enable the following permissions:

 

          Delete

          Receive Message

          Peek Message

          Get Properties

 

Next, modify the existing ANONYMOUS LOGON account so that it ONLY has the following rights:

 

          Send Message

 

This should be sufficient for the Neuron ESB service to successfully receive messages from publishers and distribute messages to subscribers.  This should also be sufficient for scenarios where all Parties are running in the Neuron ESB hosting environment ( i.e. Adapters, client and service connectors). 

 

Lastly, remove the Everyone and the MachineName$ accounts from the security list of the Topic queues.

 

The Second scenario you have to consider is when the Neuron ESB Client API is being remotely hosted by another .NET application, either on the Neuron ESB Server (i.e. the Neuron Test Client is a good example) or remotely..in another user application on another machine.

 

IN this scenario, the Neuron ESB Client API will be running under either the remote users identity or under an assigned service account.  You can take two approaches.  The first approach is that you can put all these users in a domain group (i.e. Neuron ESB Subscribers) and then grant that group the following rights on all the Party queues:

 

          Delete

          Receive Message

          Peek Message

          Get Properties

 

The second approach is that you can grant each individual the above rights but only for their respective pair of Party queues.

 

In all cases though, the ANONYMOUS LOGON account must be given following rights to all Party queues:

 

          Send Message

 

let us know how it works for you.

Hi Marty, thanks for the detailed explanation. I think not giving ANONYMOUS LOGON rights to Send Message is probably where I fell over. I have to try that (after we get our first release over the line).

However I'm still confused about the different security settings. 

In a Topic, what does it mean to use 'Transport' as the Security Mode and "WindowsDomain'' as the Authentication Mode? I understand the gist of Transport security here but I don't see what windows account is used when the topic is configured this way. The service account? How is that different to specifying None as the Security Mode?

Also, where do the security settings of the endpoint fit in? If the topic above has a dependency on an endpoint which is configured with Run As credentials, what account is being used for what???

*confused*

Lionel.

 

RSS

Neuron ESB Product Support Forums and Communities

Latest Activity

Anupama Nair posted a discussion

Marketo Adapter Invalid Token

Hi,We are using the Marketo adapter to push account updates to Marketo. It works well for some time then starts failing with Invalid Token unless restarted. Is there a configuration that can be done so it can auto refresh the token when required?Thanks!See More
Nov 6, 2023
Sayantini Basak posted a discussion

Maximum payload size(REST API) for requests interfacing to NeuronESB

I am new to Neuron ESB and in our current scenario,We need to process batch transactions comprising of ~1000 records and send them to Neuron ESB for further processing. I would like to understand what is the maximum size of payload that can be transferred using REST interface to Neuron ESB.See More
Jul 22, 2022
Profile IconRobert E Dunie and Sayantini Basak joined Neuron ESB User Network
Apr 28, 2022
Profile IconDayanand, Frederic C, Steffen Greve-Oksfeldt and 1 more joined Neuron ESB User Network
Mar 16, 2022
Profile IconCam Vong and Mitja Luznar joined Neuron ESB User Network
Jan 27, 2022
Profile IconWill Hitzges, Chad Parsons, michael larsen and 4 more joined Neuron ESB User Network
Jun 11, 2021
Anupama Nair posted a discussion

ODBC stored proc polling with temporary tables

We have set up an ODBC adapter to poll a stored proc.We found that if the stored proc has a temporary table defined the rows returned are always 0.Any idea why this would be and what we can do to get around it?See More
Dec 14, 2020
Prasanth Kharade is now a member of Neuron ESB User Network
Dec 30, 2019

Badge

Loading…

© 2024   Created by Neuron Admin.   Powered by

Badges  |  Report an Issue  |  Terms of Service