sebastia |
Posted: Mon May 26, 2008 11:31 am Post subject: how to set MCAUser for MQCONNX |
|
|
 Grand Master
Joined: 07 Oct 2004 Posts: 1003
|
In order to provide a "MCA User Id" for a SVRCONN channel connection,
I have coded
strncpy(CliConn.MCAName, "sebas", MQ_MCA_NAME_LENGTH);
but Current Status for the channel
always displays the Windows user I did log on ("wbrkadm").
Channel definition has a "blank" field.
Any clue ?
The name of the channels is provided like this :
strncpy(CliConn.ChannelName, "NAME", MQ_CHANNEL_NAME_LENGTH);
The Structure Data Version is
Connect_options.Version = MQCNO_VERSION_1 ;
Anything else I did forget ?
Data definition :
MQCNO Connect_options = { MQCNO_DEFAULT } ;
MQCD CliConn = { MQCD_CLIENT_CONN_DEFAULT } ;
Linking the structures :
Connect_options.ClientConnPtr = & CliConn ;
Thanks. Seb.
Platform is Windows NT, MQ is "6.0.1.1" |
sebastia |
Posted: Mon May 26, 2008 11:51 am Post subject: |
|
|
 Grand Master
Joined: 07 Oct 2004 Posts: 1003
|
Now I see that I don't understand the CMQC.H file.
We have :
struct tagMQCNO {
   MQCHAR4    StrucId;              /* Structure identifier */
   MQLONG     Version;              /* Structure version number */
   MQLONG     Options;              /* Options to control the MQCONNX */
   /* Ver:1 */
   MQLONG     ClientConnOffset;     /* Offset of MQCD for client connection */
   MQPTR      ClientConnPtr;        /* Address of MQCD for client connection */
   /* Ver:2 */
   MQBYTE128  ConnTag;              /* Queue-manager connection tag */
   /* Ver:3 */
   PMQSCO     SSLConfigPtr;         /* Address of MQSCO structure for
                                       client connection */
   MQLONG     SSLConfigOffset;      /* Offset of MQSCO structure for client
                                       connection */
   /* Ver:4 */
   MQBYTE24   ConnectionId;         /* Unique Connection Identifier */
   MQLONG     SecurityParmsOffset;  /* Offset of MQCSP structure */
   PMQCSP     SecurityParmsPtr;     /* Address of MQCSP structure */
   /* Ver:5 */
};
If I want to use "ClientConnPtr", what "version" shall I code ?
With "1" I get an error (code tries to use MQSERVER envir var)
With "2", the Windows user comes up.
Thanks. |
sebastia |
Posted: Mon May 26, 2008 11:56 am Post subject: |
|
|
 Grand Master
Joined: 07 Oct 2004 Posts: 1003
|
In AMQ sample, it says :
/*
Client connection fields are in the version 2 part of the MQCNO
so we must set the version number to 2 or they will be ignored
*/
So, it seems I have to use version_2 ...
But the CMQC.H file notation still is quite strange ! |
sebastia |
Posted: Mon May 26, 2008 12:29 pm Post subject: |
|
|
 Grand Master
Joined: 07 Oct 2004 Posts: 1003
|
I think I have found a little improvement.
The MCA User Id has to go into "MCAUserIdentifier" field,
so now I am using
strncpy ( ClientConn.MCAUserIdentifier, "sebastianet", 12 ) ;
BUT THE RESULT IS THE SAME : windows user comes up.
MQCD said :
MQCHAR MCAName[20]; /* Reserved */
and
MQCHAR MCAUserIdentifier[12]; // First 12 bytes of MCA user identifier
Any clue is welcome ... |
RogerLacroix |
Posted: Mon May 26, 2008 7:29 pm Post subject: |
|
|
 Jedi Knight
Joined: 15 May 2001 Posts: 3264 Location: London, ON Canada
|
Hi,
An interesting conversation you are having with yourself.
So, you have learnt that you cannot spoof (explicitly set a different) UserId than the one your application is running under.
If you don't want any UserId (i.e. exploit a security hole) then read this post:
http://www.mqseries.net/phpBB2/viewtopic.php?t=21782
If you want to correctly set a different UserId then look-up Alternate UserId.
Regards,
Roger Lacroix
Capitalware Inc. _________________ Capitalware: Transforming tomorrow into today. |
sebastia |
Posted: Mon May 26, 2008 11:23 pm Post subject: |
|
|
 Grand Master
Joined: 07 Oct 2004 Posts: 1003
|
Hi, Roger - thanks for the help.
I was at Las Vegas WSTC, heard mr T-Rob Security speech,
and decided to write some code.
First of all, did read "amqscnxc.c" as the connection shall be a Client one,
and we don't want to use MQSERVER envir var, neither a channel table.
Second, I did fill the "MCAUserIdentifier" field. You know the results.
Now you say to use "Alternate UserId" - I shall search all the manuals for this field. Ok.
But if I scan MQCD, I find few interesting fields :
what about "LongRemoteUserIdPtr" and "LongRemoteUserIdLength" ?
And "LongMCAUserIdPtr" ?
Do you know if I can use them from the client code ?
Another question : I know how to code a User Data Exit.
Do you think I can modify those fields "on the fly" ?
I am talking about
(*) MQCD.UserIdentifier[12]
(*) MQCD.MCAUserIdentifier[12]
(*) MQCD.LongMCAUserIdPtr & length
(*) MQCD.LongRemoteUserIdPtr & length
If there is some "architectural" barrier,
I don't want to lose my time on impossible code !
Cheers ! Seb. |
sebastia |
Posted: Tue May 27, 2008 3:38 am Post subject: |
|
|
 Grand Master
Joined: 07 Oct 2004 Posts: 1003
|
Roger : if customer has a (MQ) central based application,
and has 200 (maybe 1000) MQ clients in small shops
around the country,
it is impossible to have the same Windows user-id in all of them.
So, if I want to control (SETMQAUTH) the queues my clients do access
the only way I have is to set few SVRCHANNELs
and use a different MCAUSER in each of them, I am right ?
You shall agree that a very elegant solution would be to have
each mq client have a pre-configured MCA_User_Id
so I can set very specific permissions on the central site ...
Cheers. Seb. |
RogerLacroix |
Posted: Tue May 27, 2008 8:45 pm Post subject: |
|
|
 Jedi Knight
Joined: 15 May 2001 Posts: 3264 Location: London, ON Canada
|
sebastia wrote: |
it is impossible to have the same Windows user-id in all of them. |
True.
sebastia wrote: |
So, if I want to control (SETMQAUTH) the queues my clients do access
the only way I have is to set few SVRCHANNELs
and use a different MCAUSER in each of them, I am right ? |
Yes and No. Yes, you can but then anybody can connect on that channel or any other channel.
sebastia wrote: |
You shall agree that a very elegant solution would be to have
each mq client have a pre-configured MCA_User_Id
so I can set very specific permissions on the central site |
Well, since you asked... Have a look at MQ Authenticate User Security Exit
Regards,
Roger Lacroix
Capitalware Inc. |
sebastia |
Posted: Fri Jun 06, 2008 2:55 pm Post subject: |
|
|
 Grand Master
Joined: 07 Oct 2004 Posts: 1003
|
Roger - it DID take me a while ( I do not like JAVA at all, I promise)
but I did it - I wrote a Java program.
And now I can do it ....
You said "you have learnt that you cannot spoof (explicitly set a different) UserId than the one your application is running under"...
and I can do as easy as this code attached at the end of this note.
So, now I would like to understand what is the meaning
of this "windows" MQ restriction,
that is not available when I write Java code .. ???
A message going into a SVRCONN channel from a C program
and a Windows platform
has a forced MCA UserID equal to the Windows logon user.
This code is free to set whatever user you want to :
I just don't understand it.
Please, give me some light ...
===========================================
//
// ===========================================================================
// WebSphere MQ classes for Java sample application
//
// To compile this sample :
//    "c:\Program Files\IBM\Java142\bin\javac" MQSample.java
//
// To run this sample :
//
//    java MQSample
//
import com.ibm.mq.* ; // Include the WebSphere MQ classes for Java package

public class MQSample
{
    private String qManager = "INDI" ; // define name of queue manager to connect to.
    private String szQueueName = "QD1" ;
    private MQQueueManager qMgr ; // define a queue manager object

    public static void main ( String args[] ) {
        new MQSample();
    }

    public MQSample() {
        try {
            MQEnvironment.hostname = "192.168.187.136" ; // host
            MQEnvironment.port = 1466 ; // port
            MQEnvironment.channel = "CON.NET" ; // SVRCONN channel name
            MQEnvironment.userID = "sebastia" ;
            MQEnvironment.password = "any" ;

            // Create a connection to the queue manager
            System.out.println ( "The Qmgr Name is : " + qManager ) ;
            qMgr = new MQQueueManager ( qManager ) ;

            // Set up the options on the queue we wish to open...
            // Note. All WebSphere MQ Options are prefixed with MQC in Java.
            int openOptions = MQC.MQOO_INPUT_AS_Q_DEF |
                              MQC.MQOO_OUTPUT ;

            // Now specify the queue that we wish to open, and the open options...
            System.out.println ( "The Queue Name is: " + szQueueName ) ;
            MQQueue system_default_local_queue = qMgr.accessQueue ( szQueueName, openOptions ) ;

            // Define a simple WebSphere MQ message, and write some text in UTF format..
            MQMessage hello_world = new MQMessage();
            hello_world.writeUTF ( "Hello World !" ) ;

            // specify the message options...
            MQPutMessageOptions pmo = new MQPutMessageOptions() ; // accept the defaults, same as MQPMO_DEFAULT

            // put the message(s) on the queue
            int iCnt = 0 ;
            while ( iCnt < 1000 ) {
                System.out.println ( iCnt + " - put() message." ) ;
                system_default_local_queue.put ( hello_world, pmo ) ;
                iCnt ++ ;
                int j = 0 ;
                while ( j < 10000000 ) { j ++ ; } ;
            } ;

            // get the message back again...
            // First define a WebSphere MQ message buffer to receive the message into..
            MQMessage retrievedMessage = new MQMessage() ;
            retrievedMessage.messageId = hello_world.messageId ;

            // Set the get message options...
            MQGetMessageOptions gmo = new MQGetMessageOptions() ; // accept the defaults same as MQGMO_DEFAULT

            // get the message off the queue...
            System.out.println ( "Get() message." ) ;
            system_default_local_queue.get ( retrievedMessage, gmo ) ;

            // And prove we have the message by displaying the UTF message text
            String msgText = retrievedMessage.readUTF() ;
            System.out.println ( "The message I have just got is : " + msgText ) ;

            // Close the queue...
            System.out.println ( "Close() queue." ) ;
            system_default_local_queue.close() ;

            // Disconnect from the queue manager
            System.out.println ( "Disconnect() queue manager." ) ;
            qMgr.disconnect() ;
        }
        // If an error has occurred in the above, try to identify what went wrong
        // Was it a WebSphere MQ error?
        catch (MQException ex)
        {
            System.out.println ( "--- A MQ error occurred : Completion code " +
                                 ex.completionCode + " Reason code " + ex.reasonCode ) ;
        }
        // Was it a Java buffer space error?
        catch (java.io.IOException ex)
        {
            System.out.println ( "--- An error occurred whilst writing to the message buffer: " + ex ) ;
        }
    }
} // end of sample
=========================================== |
fjb_saper |
Posted: Sat Jun 07, 2008 7:44 pm Post subject: |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
Quite simple... the interface to retrieve the username from the OS is OS bound as is your C code. So not a big problem there.
Java however is not OS bound and would need some JNI to retrieve the OS username. But this is not reliable as the JNI code varies from platform to platform... and can probably be spoofed by starting the jvm with the corresponding -D flag...
So I guess nobody worried about putting in the effort.
Enjoy  _________________ MQ & Broker admin |
jhidalgo |
Posted: Mon Dec 22, 2008 2:42 pm Post subject: |
|
|
 Disciple
Joined: 26 Mar 2008 Posts: 161
|
What about if I need to connect to multiple qmgrs with different usernames ?
What classes can be used for this task ? |
RogerLacroix |
Posted: Mon Dec 22, 2008 3:53 pm Post subject: |
|
|
 Jedi Knight
Joined: 15 May 2001 Posts: 3264 Location: London, ON Canada
|
jhidalgo wrote: |
What about if I need to connect to multiple qmgrs with different usernames ?
What classes can be used for this task ? |
Read the WMQ Using Java manual and lookup MQQueueManager class. One of the ways to instantiate the class is to use a HashTable. You create and populate different HashTables for different connections.
Regards,
Roger Lacroix
Capitalware Inc. |
mq_blr |
Posted: Wed Feb 04, 2009 7:48 pm Post subject: set userid for MQCONN |
|
|
Apprentice
Joined: 30 Sep 2005 Posts: 49 Location: Brisbane,Australia
|
I just want to confirm , I’m using VC++ /windows trying to achieve same ie. supply specific user-id for MQCONN , appreciate any body can help on this ?
Regards
Durga |
gbaddeley |
Posted: Thu Feb 05, 2009 5:00 pm Post subject: Re: set userid for MQCONN |
|
|
 Jedi Knight
Joined: 25 Mar 2003 Posts: 2538 Location: Melbourne, Australia
|
mq_blr wrote: |
I just want to confirm , I’m using VC++ /windows trying to achieve same ie. supply specific user-id for MQCONN , appreciate any body can help on this ?
Regards
Durga |
I recently tested MQCONNX with MQCNO & MQCD in C on Windows MQ 7.0, connecting to a remote qmgr. No matter what MQCD userid fields you set, it will always pass the OS userid to the qmgr. Apparently you can't override it in C like you can in Java.
Note that this userid can be overridden on the qmgr side by MCAUSER or SCYEXIT on the SVRCONN channel def. _________________ Glenn |
mqjeff |
Posted: Fri Feb 06, 2009 3:09 am Post subject: Re: set userid for MQCONN |
|
|
Grand Master
Joined: 25 Jun 2008 Posts: 17447
|
gbaddeley wrote: |
Note that this userid can be overridden on the qmgr side by MCAUSER or SCYEXIT on the SVRCONN channel def. |
Not just can, but should be. |
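
The point of the last two replies, as an added example that is not part of the original thread: a check that reads runmqsc output for DISPLAY CHANNEL(*) CHLTYPE(SVRCONN) MCAUSER SCYEXIT and lists the SVRCONN channels with neither MCAUSER nor SCYEXIT set, i.e. the ones that run with whatever user ID the client presents. The sample output is constructed; only the channel name CON.NET comes from the thread, and the other names, the user ID and the exit path are made up.

```python
import re

# Constructed sample of runmqsc output (not captured from a real queue manager).
SAMPLE_MQSC_OUTPUT = r"""
AMQ8414: Display Channel details.
   CHANNEL(CON.NET)                        CHLTYPE(SVRCONN)
   MCAUSER( )                              SCYEXIT( )
AMQ8414: Display Channel details.
   CHANNEL(SHOP.NORTH)                     CHLTYPE(SVRCONN)
   MCAUSER(shopnorth)                      SCYEXIT( )
AMQ8414: Display Channel details.
   CHANNEL(SHOP.AUTH)                      CHLTYPE(SVRCONN)
   MCAUSER( )                              SCYEXIT(C:\exits\authexit(SecExit))
AMQ8414: Display Channel details.
   CHANNEL(SYSTEM.DEF.SVRCONN)             CHLTYPE(SVRCONN)
   MCAUSER( )                              SCYEXIT( )
"""

ATTR_START = re.compile(r"([A-Z]+)\(")


def parse_attrs(text):
    """Return {KEYWORD: value} for KEYWORD(value) pairs in one record.

    Values may contain parentheses themselves, e.g. an exit given as
    path(function), so the closing bracket is found by depth counting.
    """
    attrs, pos = {}, 0
    while True:
        m = ATTR_START.search(text, pos)
        if not m:
            return attrs
        i, depth = m.end(), 1
        while i < len(text) and depth:
            depth += {"(": 1, ")": -1}.get(text[i], 0)
            i += 1
        if depth:  # unbalanced brackets: truncated output, stop parsing
            return attrs
        attrs[m.group(1)] = text[m.end():i - 1].strip()
        pos = i


def unprotected_svrconn(mqsc_output):
    """Names of SVRCONN channels with blank MCAUSER and blank SCYEXIT."""
    findings = []
    for record in re.split(r"^AMQ8414:.*$", mqsc_output, flags=re.M):
        attrs = parse_attrs(record)
        if attrs.get("CHLTYPE") != "SVRCONN":
            continue
        if not attrs.get("MCAUSER") and not attrs.get("SCYEXIT"):
            findings.append(attrs["CHANNEL"])
    return findings


if __name__ == "__main__":
    for name in unprotected_svrconn(SAMPLE_MQSC_OUTPUT):
        print("SVRCONN channel accepts client-asserted user ID:", name)
```

A channel that passes this check is not thereby safe: a non-blank MCAUSER still has to be a low-privileged ID with only the authorities that client needs.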