The availability of your MQ Light installation, and the integrity of data it is going to process, can affect the decisions you make about security settings. There are steps that you can take to ensure that the files that comprise your MQ Light server installation are adequately protected.

MQ Light is designed to be installed and run by a single operating system user (who is not root, or Administrator), and requires no special privileges. When a message is sent to MQ Light, it can be written to the filesystem where MQ Light is installed, which ensures that the message can be reliably delivered to its recipient. However, without security settings in place, anyone with access to the filesystem or the MQ Light installation can read data as it passes through the MQ Light server. Additionally, anyone with such access would be able to modify or delete the program files in the MQ Light installation, changing the behavior of MQ Light or preventing it from functioning correctly.

Note: On Linux, if multiple users need to be able to start, stop and maintain an MQ Light installation, it is possible to create a non-login user to extract and run MQ Light, and use the su utility to authorize other users to administer MQ Light.

The archive file that MQ Light is installed from contains a restrictive set of file permissions, which are typically applied to the files when they are unpacked.

When an application sends a message to the MQ Light server, the data inside the message can be temporarily written to disk. MQ Light writes message data to disk to ensure that it can be recovered if either MQ Light, or the system hosting MQ Light, fails or is restarted.

If MQ Light writes message data to disk, then the file containing the data is only accessible by the operating system user that started the MQ Light server. In addition, any files used to temporarily store message data are written in a sub-directory of the directory which holds the MQ Light installation.
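The two properties above (program files carrying the restrictive permissions from the archive, and message-data files readable only by the account that started the server) can be checked and enforced from the shell. The script below is an added example, not part of the MQ Light product or its documentation: it walks an installation directory, flags every path that is not owned by the expected account or that grants any permission to group or others, and can strip those group/other bits. The directory layout built by `make_sample_install`, the file names in it, and the `/path/to/mqlight` and `mqlight` values in the comments are constructed assumptions, not MQ Light's real layout or account names.

```shell
#!/bin/sh
# Added example (not MQ Light's own code): audit an installation directory for
# files that users other than the server's own account could read, write or
# execute, and tighten them. The sample tree below is a constructed stand-in.

# audit_perms ROOT OWNER
# Prints one line "MODE OWNER PATH" for every path under ROOT that is either
# not owned by OWNER or grants any permission to group or others.
# Prints nothing when the tree is clean. Paths containing newlines are not
# handled (none are expected in an installation tree).
audit_perms() {
    root=$1
    owner=$2
    find "$root" -print | while IFS= read -r p; do
        # ls -ld prints: MODE LINKS OWNER GROUP ... NAME; fields 1 and 3 are used.
        set -- $(ls -ld "$p")
        mode=$1
        file_owner=$3
        # Characters 5-10 of the mode string are the group and other bits.
        go_bits=$(printf '%s' "$mode" | cut -c5-10)
        if [ "$file_owner" != "$owner" ] || [ "$go_bits" != "------" ]; then
            printf '%s %s %s\n' "$mode" "$file_owner" "$p"
        fi
    done
}

# count_offenders ROOT OWNER
# Echoes the number of paths audit_perms flags.
count_offenders() {
    audit_perms "$1" "$2" | wc -l | tr -d ' '
}

# harden_perms ROOT
# Removes every group/other permission bit below ROOT so that only the owning
# account can read, write or traverse the installation. Ownership is left
# alone: changing it needs root (chown), so the audit reports it instead.
harden_perms() {
    find "$1" -exec chmod go-rwx {} \;
}

# make_sample_install ROOT
# Builds a constructed tree (hypothetical layout) with two deliberately loose
# files so the audit has something to find: a world-readable message file and
# a group-writable configuration file.
make_sample_install() {
    root=$1
    mkdir -p "$root/bin" "$root/data"
    printf 'server\n' > "$root/bin/server"
    printf 'message payload\n' > "$root/data/msg-0001"
    printf 'message payload\n' > "$root/data/msg-0002"
    printf 'setting=value\n' > "$root/config.txt"
    chmod 700 "$root" "$root/bin" "$root/data" "$root/bin/server"
    chmod 600 "$root/data/msg-0001"
    chmod 644 "$root/data/msg-0002"   # world-readable message data: flagged
    chmod 664 "$root/config.txt"      # group-writable config file: flagged
}

# Demonstration on the constructed tree. On a real installation the functions
# are called directly, e.g. audit_perms /path/to/mqlight mqlight
# (hypothetical path and account name).
demo_root=$(mktemp -d)/mqlight
make_sample_install "$demo_root"
echo "Before hardening:"
audit_perms "$demo_root" "$(id -un)"
harden_perms "$demo_root"
echo "Offenders after hardening: $(count_offenders "$demo_root" "$(id -un)")"
rm -rf "$(dirname "$demo_root")"
```

Run with the account that starts the server, passing the installation directory and that account's name. Any line printed by `audit_perms` is a file that another local user could read, alter or remove; `harden_perms` fixes the permission-bit cases, while a wrong owner has to be corrected by an administrator with `chown`.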

Note: MQ Light does not encrypt message data that is written to disk, nor does it implement a scheme for securely deleting files that contain message data. It is also possible that the operating system used to run MQ Light implements a virtual memory scheme that swaps message data held in memory by MQ Light onto disk. In this scenario, someone with physical access to the system hosting MQ Light could recover message data that has flowed through the server.

You can protect your host system by using its disk encryption support. This can be configured to protect both the MQ Light installation and any data stored by the operating system's virtual memory implementation.

