specsri |
Posted: Wed Aug 23, 2006 12:44 am Post subject: |
|
|
Novice
Joined: 12 Aug 2006 Posts: 16
|
I am trying to execute a Java program to test this environment. Please check the program below.
Code: |
package com.ibm.examples;

import com.ibm.mq.*;
import java.util.*;

public class MQPutMOH {
    // Connection details for a client-mode connection over the SVRCONN channel
    private static String qMgr1 = "TLMRZTM2";
    private static String myQueue1 = "LMR.EMS.MOH.REQUEST.LQ";
    private static MQQueueManager qMgr = null;
    private MQQueue myQueue = null;
    private static String channel = "LMR.EMS.TO.MOH"; //SYSTEM.DEF.SVRCONN;
    private static String transport = "MQSeries";
    private static int port = 1415;
    private static String hostname = "10.10.40.145";

    public void start(String Message) throws Exception {
        try {
            System.out.println("MQputDemo started..........");
            // Opening the queue for output is authority-checked separately from the connect
            int openOptions = MQC.MQOO_OUTPUT;
            myQueue = qMgr.accessQueue(myQueue1, openOptions, null, null, null);
            System.out.println("After Open Queue............");
            MQMessage myMessage = new MQMessage();
            myMessage.writeString(Message);
            myMessage.format = MQC.MQFMT_STRING;
            // Put under syncpoint: the message is only visible after commit()
            MQPutMessageOptions pmo = new MQPutMessageOptions();
            pmo.options = pmo.options | MQC.MQPMO_SYNCPOINT;
            myQueue.put(myMessage, pmo);
            Thread.sleep(10000);
            qMgr.commit();
            System.out.println("Message kept in Queue............");
        } catch (MQException ex) {
            // reasonCode 2035 is the authorization failure discussed in this thread
            System.out.println("An MQ error occurred: " + ex.completionCode + " " + ex.reasonCode);
            ex.printStackTrace();
        } catch (java.io.IOException ex) {
            System.out.println("Java.io exception: " + ex);
        } finally {
            try {
                // myQueue is still null if accessQueue() failed
                if (myQueue != null) {
                    myQueue.close();
                    System.out.println("Closed Successful" + myQueue.isOpen());
                }
            } catch (Exception e) {
                e.printStackTrace();
            }
        }
        System.out.println("mqputDemo finished...");
    }

    public static void main(String[] args) throws Exception {
        Properties properties = new Properties();
        properties.put("hostname", hostname);
        properties.put("transport", transport);
        properties.put("channel", channel);
        properties.put("port", new Integer(port));
        // The connect itself is authority-checked; a failure here is thrown from main()
        qMgr = new MQQueueManager(qMgr1, properties);
        try {
            MQPutMOH mqput = new MQPutMOH();
            mqput.start("Sample Message");
        } catch (Exception e) {
            e.printStackTrace();
        } finally {
            qMgr.close();
            qMgr.disconnect();
        }
    }
}
MQ Client is installed on my desktop and I am running this program with userid 141788 (not in the local mqm group). Check the channel configuration below.
Code: |
AMQ8414: Display Channel details.
CHANNEL(LMR.EMS.TO.MOH) CHLTYPE(SVRCONN)
ALTDATE(2006-08-23) ALTTIME(11.31.35)
COMPHDR(NONE) COMPMSG(NONE)
DESCR( ) HBINT(300)
KAINT(AUTO) MAXMSGL(4194304)
MCAUSER(hciuser) MONCHL(QMGR)
RCVDATA( ) RCVEXIT( )
SCYDATA( ) SCYEXIT( )
SENDDATA( ) SENDEXIT( )
SSLCAUTH(REQUIRED) SSLCIPH( )
SSLPEER( ) TRPTYPE(TCP)
|
I set MCAUSER for this channel to hciuser (a local user on the Linux MQ server, not connected to the mqm group), and I am getting authorization failure 2035.
Then I removed MCAUSER from this channel and kept it blank. I am able to connect to the channel and put the message successfully. On further scrutiny, I have identified that this connection userid is set to mqm.
I am not able to find any reason for this behaviour. Please help me to solve this problem.
Regards,
Sridhar H |
|
specsri |
Posted: Wed Aug 23, 2006 12:49 am Post subject: |
|
|
Novice
Joined: 12 Aug 2006 Posts: 16
|
Also check the authorization information for the server connection channel.
Code: |
dspmqaut -m TLMRZTM2 -t channel -n LMR.EMS.TO.MOH -p hciuser
Entity hciuser has the following authorizations for object LMR.EMS.TO.MOH:
dlt
chg
dsp
ctrl
ctrlx
|
Thanks & regards,
Sridhar H |
|
Vitor |
Posted: Wed Aug 23, 2006 12:53 am Post subject: |
|
|
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
|
specsri wrote: |
I set MCAUSER for this channel to hciuser (a local user on the Linux MQ server, not connected to the mqm group), and I am getting authorization failure 2035. |
So is user hciuser authorised? As previously discussed, he'll need to be if he's not in mqm.
specsri wrote: |
Then I removed MCAUSER from this channel and kept it blank. I am able to connect to the channel and put the message successfully. On further scrutiny, I have identified that this connection userid is set to mqm. |
HubertKleinmanns already posted that for a blank MCAUSER & blank channel request MQ will use the listener userid which typically is mqm. Are you certain the application is providing a user?
specsri wrote: |
I am not able to find any reason for this behaviour. Please help me to solve this problem. |
In both cases, read the previous posts, the Client manual and the Command manual (with especial reference to setmqaut).  _________________ Honesty is the best policy.
Insanity is the best defence. |
|
Vitor |
Posted: Wed Aug 23, 2006 12:56 am Post subject: |
|
|
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
|
specsri wrote: |
Also check the authorization information for the server connection channel.
|
And once he's connected? What's he authorised to access once he's through the channel?
Or to put it another way, are you certain the 2035 is from the channel and not from the queue being opened or other MQ activity?  _________________ Honesty is the best policy.
Insanity is the best defence.
Last edited by Vitor on Wed Aug 23, 2006 1:09 am; edited 1 time in total |
|
specsri |
Posted: Wed Aug 23, 2006 12:57 am Post subject: |
|
|
Novice
Joined: 12 Aug 2006 Posts: 16
|
Thanks vitor..
But hciuser has the following authorization.
Quote: |
dspmqaut -m TLMRZTM2 -t channel -n LMR.EMS.TO.MOH -p hciuser
Entity hciuser has the following authorizations for object LMR.EMS.TO.MOH:
dlt
chg
dsp
ctrl
ctrlx
|
Thanks & Regards,
Sridhar H |
|
Vitor |
Posted: Wed Aug 23, 2006 12:59 am Post subject: |
|
|
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
|
specsri wrote: |
But hciuser has the following authorization. |
I never said he didn't! I asked what else he had.... _________________ Honesty is the best policy.
Insanity is the best defence. |
|
HubertKleinmanns |
Posted: Wed Aug 23, 2006 1:24 am Post subject: |
|
|
 Shaman
Joined: 24 Feb 2004 Posts: 732 Location: Germany
|
Is hciuser permitted to connect to the QMgr? _________________ Regards
Hubert |
|
Vitor |
Posted: Wed Aug 23, 2006 1:28 am Post subject: |
|
|
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
|
HubertKleinmanns wrote: |
Is hciuser permitted to connect to the QMgr? |
I strongly doubt it, hence my question, and am hoping specsri has already (by reference to the documentation) realised his error. Likewise the queue is probably short an authorisation or two.
We learn by doing. Even when we're doing it wrong.  _________________ Honesty is the best policy.
Insanity is the best defence. |
|
HubertKleinmanns |
Posted: Wed Aug 23, 2006 1:55 am Post subject: |
|
|
 Shaman
Joined: 24 Feb 2004 Posts: 732 Location: Germany
|
Vitor wrote: |
HubertKleinmanns wrote: |
Is hciuser permitted to connect to the QMgr? |
I strongly doubt it, hence my question, and am hoping specsri has already (by reference to the documentation) realised his error. Likewise the queue is probably short an authorisation or two.
We learn by doing. Even when we're doing it wrong.  |
And permissions, to access queues, would not be bad  _________________ Regards
Hubert |
|
Vitor |
Posted: Wed Aug 23, 2006 1:58 am Post subject: |
|
|
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
|
HubertKleinmanns wrote: |
And permissions, to access queues, would not be bad  |
I couldn't agree more. In fact, I think I already did!
(I just stick mqm in the MCAUSER field - what's the worst that can happen..... ) _________________ Honesty is the best policy.
Insanity is the best defence. |
|
bbburson |
Posted: Wed Aug 23, 2006 5:48 am Post subject: |
|
|
Partisan
Joined: 06 Jan 2004 Posts: 378 Location: Nowhere near a queue manager
|
Vitor wrote: |
(I just stick mqm in the MCAUSER field - what's the worst that can happen..... ) |
The worst that can happen is that someone knows how to write PCF to your queue manager and starts adding/changing/deleting objects without your knowledge. One of the first things I do when building a new queue manager is to set MCAUSER on SYSTEM.DEF.SVRCONN and SYSTEM.AUTO.SVRCONN channels to NoBoDy to prevent such unwanted behavior. Then as application SVRCONN channels are created I add the appropriate MCAUSER and set authorizations for that user. Or, recently, all new apps use an SSL channel and an exit sets the effective MCAUSER based on CN= attribute of the certificate. |
|
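A check for the condition discussed in this thread, SVRCONN channels whose MCAUSER is blank or set to mqm, written as an added example and not code from any poster. It parses DISPLAY CHANNEL output of the kind quoted earlier; the sample text is constructed, and APP.ADMIN.SVRCONN is a hypothetical channel name.

```python
import re

# Constructed sample shaped like the DISPLAY CHANNEL output quoted in the thread.
# APP.ADMIN.SVRCONN is a made-up channel; the other names appear in the posts.
SAMPLE = """\
AMQ8414: Display Channel details.
   CHANNEL(LMR.EMS.TO.MOH)              CHLTYPE(SVRCONN)
   MCAUSER(hciuser)                     TRPTYPE(TCP)
AMQ8414: Display Channel details.
   CHANNEL(SYSTEM.DEF.SVRCONN)          CHLTYPE(SVRCONN)
   MCAUSER( )                           TRPTYPE(TCP)
AMQ8414: Display Channel details.
   CHANNEL(SYSTEM.AUTO.SVRCONN)         CHLTYPE(SVRCONN)
   MCAUSER(NoBoDy)                      TRPTYPE(TCP)
AMQ8414: Display Channel details.
   CHANNEL(APP.ADMIN.SVRCONN)           CHLTYPE(SVRCONN)
   MCAUSER(mqm)                         TRPTYPE(TCP)
"""

ATTR = re.compile(r"([A-Z]+)\(([^)]*)\)")  # ATTRIBUTE(value) pairs
ADMIN_IDS = {"mqm"}  # assumption: ids that carry MQ administrative rights


def parse_channels(text):
    """Split runmqsc output into one {attribute: value} dict per channel."""
    channels = []
    for line in text.splitlines():
        if line.startswith("AMQ8414"):
            channels.append({})
        elif channels:
            channels[-1].update((k, v.strip()) for k, v in ATTR.findall(line))
    return channels


def audit(text):
    """Return (channel, finding) pairs for SVRCONN channels needing attention."""
    svrconns = [c for c in parse_channels(text) if c.get("CHLTYPE") == "SVRCONN"]
    findings = []
    for ch in svrconns:
        mcauser = ch.get("MCAUSER", "")
        if not mcauser:
            findings.append((ch.get("CHANNEL"), "blank MCAUSER"))
        elif mcauser.lower() in ADMIN_IDS:
            findings.append((ch.get("CHANNEL"), "MCAUSER is an administrator"))
    return findings


if __name__ == "__main__":
    print(audit(SAMPLE))
```

To run it against a live queue manager, pass in the text produced by `DISPLAY CHANNEL(*) CHLTYPE MCAUSER` in runmqsc instead of the constructed sample.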
Vitor |
Posted: Wed Aug 23, 2006 5:56 am Post subject: |
|
|
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
|
bbburson wrote: |
Vitor wrote: |
(I just stick mqm in the MCAUSER field - what's the worst that can happen..... ) |
The worst that can happen is that someone knows how to write PCF to your queue manager and starts adding/changing/deleting objects without your knowledge. |
Not a bad attempt at the worst thing. My personal worst would be someone who doesn't know enough to write PCF but just enough to use a GUI starts adding/changing/deleting objects. If they know PCF they'll probably just cause malicious damage; somebody randomly changing settings to see if they can "get it to work properly" will create a far worse mess.
Anybody want to try for a more nightmare scenario?  _________________ Honesty is the best policy.
Insanity is the best defence. |
|
jefflowrey |
Posted: Wed Aug 23, 2006 5:59 am Post subject: |
|
|
Grand Poobah
Joined: 16 Oct 2002 Posts: 19981
|
Someone putting a properly formed MQTMC message on an Initiation queue that runs "del *.*". _________________ I am *not* the model of the modern major general. |
|
Vitor |
Posted: Wed Aug 23, 2006 6:08 am Post subject: |
|
|
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
|
jefflowrey wrote: |
Someone putting a properly formed MQTMC message on an Initiation queue that runs "del *.*". |
The Grand PooBah with the win!!!!!!!!!
They should have this stuff in the front of the Security manual in a section marked "What could happen if you don't read this book".
Seriously, most sites I go to the first thing I have to do is take mqm out of the MCAUSER on the default channel and set up proper security. Or any security! Typical explanation - "it just seemed easiest while we were setting up". My response of "And why is it there 3/4/5/10 years later" is normally met with "what's the worst that can happen" and a blank & slightly hurt look.
My preference would be a very hurt look, or better still a call-an-ambulance look, but I restrain these impulses.
But the next developer who logs onto the server as an administrator, opens the explorer and starts fiddling round with the queue settings "because my programme isn't working properly" is going to get a slap!  _________________ Honesty is the best policy.
Insanity is the best defence. |
|
HubertKleinmanns |
Posted: Wed Aug 23, 2006 8:03 am Post subject: |
|
|
 Shaman
Joined: 24 Feb 2004 Posts: 732 Location: Germany
|
jefflowrey wrote: |
Someone putting a properly formed MQTMC message on an Initiation queue that runs "del *.*". |
I think better commands are rmdir /q /s C:\*.* on Windows or rm -rf / on Unix. These commands remove all subdirectories and files too. _________________ Regards
Hubert |
|