| Author | Message | 
		
		  | Bahan | 
			  
				|  Posted: Thu Aug 23, 2007 8:30 am    Post subject: [MQseries 6.0] Authorities |   |  | 
		
		  | Apprentice
 
 
 Joined: 16 Jul 2006
 Posts: 47
 Location: France
 
 | 
			  
				| Hi everyone. 
 I have a little problem with my authorities management.
 
 I'm currently trying to change the authorization of a certain user named MyUser concerning a queue manager.
 
 First, this user had every right :
 
 
   
	| Code: |  
	| dspmqaut -m MyQM -t qmgr -p MyUser
 Entity MyUser has the following authorizations for object MyQM:
 inq
 set
 connect
 altusr
 crt
 dlt
 chg
 dsp
 setid
 setall
 |  
 I tried to use the setmqaut command to suppress some authorizations :
 
 
   
	| Code: |  
	| setmqaut -m MyQM -t qmgr -p MyUser -altusr -chg -crt -dlt -dsp -set -setall -setid |  
 After that, I looked in the WebSphere MQ V6 Fundamentals and I found on p307 that it is needed to refresh the security cache by using the REFRESH SECURITY MQSC command.
 I did the following thing :
 
 
   
	| Code: |  
	| runmqsc MyQM
 REFRESH SECURITY
 |  
 But then, when I did the dspmqaut command again, I always had every authorization for the user MyUser...
 
 In order to find a solution, I tried to end the Queue Manager and then to start it.
 
 then when it is well stopped.
 
 
 But it is always the same.
 
 So I was wondering if I was not forgetting something? Maybe someone can help me?
 
 Thank you for your help.
 
 Bahan
 _________________
 Close the world.||.txen eht nepO
 |  | 
		
		
		  | jefflowrey | 
			  
				|  Posted: Thu Aug 23, 2007 8:34 am    Post subject: |   |  | 
		
		  | Grand Poobah
 
 
 Joined: 16 Oct 2002
 Posts: 19981
 
 
 | 
			  
				| If the user is in the MQM group, you can't change what privileges they have, other than by removing them from MQM.
 _________________
 I am *not* the model of the modern major general.
 |  | 
		
		
		  | PeterPotkay | 
			  
				|  Posted: Thu Aug 23, 2007 11:12 am    Post subject: |   |  | 
		
		  |  Poobah
 
 
 Joined: 15 May 2001
 Posts: 7723
 
 
 | 
			  
				| Also, you don't need to REFRESH SECURITY or restart the QM if you are concerned with changes you made via setmqaut. Those take immediately. 
 The refresh command is only needed if you add or remove users from a group after the QM has started, since the QM caches who is in what groups at start up, for performance reasons.
 
 As of 5.3, there is no need to bounce the QM for this purpose. REFRESH SECURITY will handle it.
 _________________
 Peter Potkay
 Keep Calm and MQ On
 |  | 
		
		
		  | mvarghese | 
			  
				|  Posted: Thu Aug 23, 2007 10:52 pm    Post subject: App connecting user id issue |   |  | 
		
		  | Centurion
 
 
 Joined: 27 Sep 2006
 Posts: 141
 
 
 | 
			  
				| The application which is running in same server as MQver6. We faced some connection problem while connecting Application to MQ QMGR, Application connecting using binding mode, we didn't put yet any user id and password part of code to connect the Qmgr. Connection problem got solved after putting application Id called APP1 to the mqm group.
 
 But I don't want APP1 ID will get all permission as mqm, how to tackle this issue? Anyway by using setmqaut we cannot stop APP1 as long as part of mqm group.
 Let say if I got with steps http://hursleyonwmq.wordpress.com/2007/02/08/using-websphere-mq-explorer-as-a-read-only-viewer/
 
 Can application in Binding mode of connection can code with user id/passwd part and connecting using the user id specified in MCAUSER part of SVRCONN? Any ideas?
 _________________
 Jain Varghese
 
 Last edited by mvarghese on Thu Aug 23, 2007 11:12 pm; edited 1 time in total
 |  | 
		
		
		  | Vitor | 
			  
				|  Posted: Thu Aug 23, 2007 11:10 pm    Post subject: Re: App connecting user id issue |   |  | 
		
		  |  Grand High Poobah
 
 
 Joined: 11 Nov 2005
 Posts: 26093
 Location: Texas, USA
 
 | 
			  
				| 
   
	| mvarghese wrote: |  
	| problem got solved after putting application Id called APP1 to the mqm group. 
 But I don't want APP1 ID will get all permission as mqm, how to tackle this issue?
 |  
 I may be missing something here, but why not 1) remove APP1 from the mqm group 2) use setmqaut to provide the necessary permissions (including connect I'd warrant). Is this what you had originally when you experienced "some connection problem"? If so, what was the problem? Exactly? There may be another way to fix it.
 _________________
 Honesty is the best policy.
 Insanity is the best defence.
 |  | 
		
		
		  | mvarghese | 
			  
				|  Posted: Thu Aug 23, 2007 11:18 pm    Post subject: |   |  | 
		
		  | Centurion
 
 
 Joined: 27 Sep 2006
 Posts: 141
 
 
 | 
			  
				| Thanks Victor, Initially APP1 user given connect permission,
 Still Binding mode of connection make any impact on this type of authentication.
 
 Initially application errored out saying permission issue to connect to QMGR. Can application in Binding mode of connection can code with user id/passwd part and connecting using the user id specified in MCAUSER part of SVRCONN? Any ideas?
 _________________
 Jain Varghese
 |  | 
		
		
		  | Vitor | 
			  
				|  Posted: Thu Aug 23, 2007 11:35 pm    Post subject: |   |  | 
		
		  |  Grand High Poobah
 
 
 Joined: 11 Nov 2005
 Posts: 26093
 Location: Texas, USA
 
 | 
			  
				| 
   
	| mvarghese wrote: |  
	| Can application in Binding mode of connection can code with user id/passwd part and connecting using the user id specified in MCAUSER part of SVRCONN? |  
 A bindings connection doesn't use the client channel SVRCONN.
 
 So you gave APP1 connect authority against the queue manager (not the queue) and other authorities as appropriate? And it threw a 2035? You need to enable security events and/or check the logs to determine that your application is using the user you think it is, and the 2035 is being thrown at the point you think it is. Especially if you're running inside an app server or similar.
 _________________
 Honesty is the best policy.
 Insanity is the best defence.
 |  | 
		
		
		  | mvarghese | 
			  
				|  Posted: Thu Aug 23, 2007 11:56 pm    Post subject: |   |  | 
		
		  | Centurion
 
 
 Joined: 27 Sep 2006
 Posts: 141
 
 
 | 
			  
				| Thanks Vitor, you are right we getting 2035 in that time. I need to do a retry over this based on present understanding from the above posts. My problem we never got a chance to see the developer code. But as per their version for better performance they using Binding Mode of connection. But we have SVRCONN running to serve the application Connection.
 I thought the way of connecting the java client connecting to QMGR makes its binding mode... like using the properties
 public static java.util.Hashtable properties ... am I wrong?
 _________________
 Jain Varghese
 |  | 
		
		
		  | Vitor | 
			  
				|  Posted: Fri Aug 24, 2007 12:18 am    Post subject: |   |  | 
		
		  |  Grand High Poobah
 
 
 Joined: 11 Nov 2005
 Posts: 26093
 Location: Texas, USA
 
 | 
			  
				| You can't mix and match application connections. Either the application uses a bindings connection (and must be on the same box as the queue manager) or it uses a client connection via SVRCONN or similar (where it may or may not be on the same box). Hence an application coded to use bindings will ignore / be blind to any settings in SVRCONN. 
 They're right to say a bindings connection gives better performance but it does limit where the application is run.
 _________________
 Honesty is the best policy.
 Insanity is the best defence.
 |  | 
		
		
		  | fjb_saper | 
			  
				|  Posted: Fri Aug 24, 2007 5:35 am    Post subject: |   |  | 
		
		  |  Grand High Poobah
 
 
 Joined: 18 Nov 2003
 Posts: 20767
 Location: LI,NY
 
 | 
			  
				| And remember if using JMS you always need to add enquire as permission
 _________________
 MQ & Broker admin
 |  | 
		
		
		  |  |
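
Added example, not part of any post in this thread: a dry-run shell helper that prints the sequence the replies describe (take the ID out of mqm and refresh the cached group membership, grant only what the application needs with setmqaut, verify with dspmqaut, enable authority events to trace a 2035). The queue name APP1.REQUEST and the function names are hypothetical; AUTHOREV is the queue manager attribute that switches authority events on.

```shell
#!/bin/sh
# Added example, not from the thread. APP1.REQUEST is a hypothetical queue name.

# Return 0 if the space-separated group list contains the mqm group.
# Members of mqm are MQ administrators, so setmqaut removals do not restrict them.
in_mqm() {
    case " $1 " in
        *" mqm "*) return 0 ;;
        *)         return 1 ;;
    esac
}

# Print (do not run) the commands for a least-privilege application ID.
# $4 is the ID's group list; when omitted it is read from `id -Gn`.
least_priv_plan() {
    qmgr=$1
    user=$2
    queue=$3
    grouplist=${4-$(id -Gn "$user" 2>/dev/null || true)}
    if in_mqm "$grouplist"; then
        echo "# $user is in mqm: remove it from that group with your OS tools, then"
        echo "# refresh the group membership the queue manager has cached:"
        echo "echo 'REFRESH SECURITY' | runmqsc $qmgr"
    fi
    # connect on the queue manager; inq because JMS clients also need inquire
    echo "setmqaut -m $qmgr -t qmgr -p $user +connect +inq"
    echo "setmqaut -m $qmgr -n $queue -t queue -p $user +put +get +inq"
    # setmqaut changes take effect immediately; confirm what the ID now holds
    echo "dspmqaut -m $qmgr -t qmgr -p $user"
    # authority events record which user ID was refused when a 2035 occurs
    echo "echo 'ALTER QMGR AUTHOREV(ENABLED)' | runmqsc $qmgr"
}

# Constructed sample: APP1 is still a member of mqm.
least_priv_plan MyQM APP1 APP1.REQUEST "staff mqm"
```

Review the printed commands and run them as an MQ administrator; nothing is executed by the helper itself.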