Is it secure to connect to UM with enterprise manager without authentication?

Product/components used and version/fix level:

webMethods Universal Messaging 10.15

Detailed explanation of the problem:

Our webMethods Universal Messaging has been installed without authentication configuration on the Server_Common.conf file
(\sag\UniversalMessaging\server\universal_messaging_server_name\bin) :
wrapper.java.additional.18=-DNirvana.auth.enabled=N
wrapper.java.additional.19=-DNirvana.auth.mandatory=N

Is it recommended to use an authentication mechanism like LDAP?

Best regards,
Arnaud SIMON

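The two wrapper properties quoted above are the ones that decide whether the realm asks clients to authenticate at all (auth.enabled) and whether it refuses clients that do not (auth.mandatory). As an added example that is not part of the original post or of Software AG's tooling, the script below parses a Server_Common.conf in the wrapper.java.additional format shown in the question and reports any auth flag that is missing or not set to Y. The sample file contents, and the assumption that Y/Y is the hardened state, are constructed for illustration.

```python
"""Audit a Universal Messaging Server_Common.conf for the authentication flags.

Constructed example, not part of the original post. The property names
Nirvana.auth.enabled and Nirvana.auth.mandatory are the ones quoted in the
question; the sample file contents and the expectation that both are Y are
assumptions for illustration.
"""
import re

# Constructed sample mirroring the question: authentication disabled on both flags.
SAMPLE_CONF_DISABLED = """\
# wrapper settings (constructed sample)
wrapper.java.additional.17=-Xmx2g
wrapper.java.additional.18=-DNirvana.auth.enabled=N
wrapper.java.additional.19=-DNirvana.auth.mandatory=N
"""

# Constructed sample of the hardened state (assumed values Y/Y).
SAMPLE_CONF_ENABLED = """\
wrapper.java.additional.17=-Xmx2g
wrapper.java.additional.18=-DNirvana.auth.enabled=Y
wrapper.java.additional.19=-DNirvana.auth.mandatory=Y
"""

# wrapper.java.additional.<n>=-D<property>=<value>; surrounding whitespace ignored.
_PROP_RE = re.compile(r"^wrapper\.java\.additional\.\d+\s*=\s*-D([^=\s]+)=(.*?)\s*$")

AUTH_PROPS = ("Nirvana.auth.enabled", "Nirvana.auth.mandatory")


def parse_java_props(conf_text):
    """Return {property: value} for every -D system property in the wrapper conf."""
    props = {}
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments carry no settings
        m = _PROP_RE.match(line)
        if m:
            props[m.group(1)] = m.group(2)
    return props


def audit_auth(conf_text):
    """Return a list of findings; an empty list means both auth flags are set to Y."""
    props = parse_java_props(conf_text)
    findings = []
    for name in AUTH_PROPS:
        value = props.get(name)
        if value is None:
            findings.append(f"{name} not set (server default applies; verify it)")
        elif value.strip().upper() != "Y":
            findings.append(f"{name}={value} (authentication not enforced)")
    return findings


if __name__ == "__main__":
    for label, text in (("disabled", SAMPLE_CONF_DISABLED), ("enabled", SAMPLE_CONF_ENABLED)):
        print(label + ":", audit_auth(text) or ["OK"])
```

Run it against the real file with `audit_auth(open(path).read())`; a property that is absent is reported as a finding rather than assumed safe, because the effective default then lives in the server binary rather than in the file you are reviewing.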

Well, that depends on your requirements as well as the surrounding infrastructure.

Without additional information it may be advisable to follow a “better safe than sorry” approach.

In general think about this like a question “Should I wear a tuxedo or camouflage?”. If you are invited to a formal dinner, the tuxedo is likely the better choice. Not so much for a paintball match, though.


If ACLs for UM are properly configured, yes. But most people aren’t even aware there is an ACL configuration for UM, so probably no.

FYI, ACL configuration for UM can be confusing. ACL configurations are defined as username@hostname, not as user@domain. The username here is the central username; it's usually LDAP. Hostname can be a DNS name or an IP address. You need to remove generic access rights and you should also grant full access to *@localhost in order not to lock yourself out. If you add this entry and lock yourself out, you can connect locally and use the local Enterprise Manager to fix the configuration.

Check the document below for more information.
https://documentation.softwareag.com/universal_messaging/num10-15/webhelp/num-webhelp/#page/num-webhelp%2Fto-acls.html

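The two mistakes the post above warns about, leaving a generic entry in place and removing the entry that keeps a local administrator in, can both be caught before the ACL is applied. The script below is an added example and not part of the original post or of the product; it models ACL entries as user@host subjects with a comma-separated set of permission names, treats * as a wildcard on either side, and flags a generic *@* grant as well as a list with no *@localhost full-access entry. The entry syntax, the permission names and the sample entries are assumptions for illustration, not the product's own ACL format.

```python
"""Sanity-check a Universal Messaging realm ACL list before applying it.

Constructed example, not part of the original post or of Software AG's tooling.
Entries are modelled as 'user@host:perm1,perm2' (the user@host subject form the
post describes); the permission names, the '*' wildcard semantics and the sample
entries are assumptions for illustration.
"""
from fnmatch import fnmatchcase

FULL = "full"  # assumed name for the full-privileges permission

# Constructed "before" list: a single generic grant to everyone from anywhere.
SAMPLE_BEFORE = ["*@*:full"]

# Constructed "after" list: local admin safety net plus named principals only.
SAMPLE_AFTER = [
    "*@localhost:full",
    "jsmith@10.20.30.40:full",
    "svc_is@is-prod-01.example.net:publish,subscribe",
]


def parse_entry(text):
    """'user@host:perm1,perm2' -> (user, host, frozenset(perms))."""
    subject, _, perms = text.partition(":")
    if "@" not in subject:
        raise ValueError(f"ACL subject must be user@host, got {subject!r}")
    user, host = subject.split("@", 1)
    return user, host, frozenset(p.strip() for p in perms.split(",") if p.strip())


def matches(entry, user, host):
    """True if both the user and host patterns of the entry match the connecting subject."""
    e_user, e_host, _ = entry
    return fnmatchcase(user, e_user) and fnmatchcase(host, e_host)


def effective_perms(acl, user, host):
    """Union of permissions from every entry matching user@host (empty set = no access)."""
    perms = set()
    for entry in acl:
        if matches(entry, user, host):
            perms |= entry[2]
    return perms


def audit_acl(entries):
    """Return findings for the two lockout/over-exposure mistakes; empty list means clean."""
    acl = [parse_entry(e) for e in entries]
    findings = []
    for user, host, perms in acl:
        if user == "*" and host == "*" and perms:
            findings.append(f"generic entry *@* grants {sorted(perms)}; remove it")
    if not any(u == "*" and h == "localhost" and FULL in p for u, h, p in acl):
        findings.append("no *@localhost entry with full access; a mistake can lock you out")
    return findings


if __name__ == "__main__":
    print("before:", audit_acl(SAMPLE_BEFORE) or ["OK"])
    print("after: ", audit_acl(SAMPLE_AFTER) or ["OK"])
    after = [parse_entry(e) for e in SAMPLE_AFTER]
    print("svc_is from is-prod-01:", sorted(effective_perms(after, "svc_is", "is-prod-01.example.net")))
    print("mallory from 10.9.9.9: ", sorted(effective_perms(after, "mallory", "10.9.9.9")))
```

`effective_perms` is the useful half when you are about to replace the generic entry: run it for every principal that must keep working (the Integration Server service account from its real hostname, your own account from your workstation) and confirm each still resolves to the permissions it needs before the change goes in.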

Unless there is a firewall needed between connections to UM and its client, it is not considered secure at all. Having said that, UM with auth is not supported by some of the wM products itself (at least until 10.5 OFI etc.) so there may be instances where you cannot enable the auth and use all the products properly.

I personally used the ACLs on the Queues\Channels level and have found out sometimes these ACLs do not work as expected due to a corrupted JNDI context. They might sound reliable in the documentation but in real-life implementations I would not rely only on them. The locking problem that is mentioned in the post above happens very frequently as well.

Hi Akshith,

Unless there is a firewall needed between connections to UM and its client, it is not considered secure at all. Having said that, UM with auth is not supported by some of the wM products itself (at least until 10.5 OFI etc.) so there may be instances where you cannot enable the auth and use all the products properly.

This even applies to Broker.

To handle this I was using two different Broker Servers within the same BrokerManager installation.
One for the real payload data, which was secured, and one for the Optimize servers, which remained unsecure, but was only accessible internally.

Regards,
Holger

That is what I had to do as well for UM. One (auth enabled) for handling real business data and another instance on a different port with no auth for OFI etc. I am just pointing out the limitations of the product. At this point a firewall seems to be the only guaranteed way to secure your UM connections…at least that is what my experience has taught me.