OAM security problem
Twilight
Posted: Mon Jul 13, 2009 10:18 am    Post subject: OAM security problem

Apprentice

Joined: 04 Aug 2004
Posts: 49

Hi,
I tried to give access to a queue object to a userid under AIX, but it looks like it has no effect at all.
I did as below:
setmqaut -m TESTQMGR -t queue -n MY.TEST.QUEUE -p mquser +get +put +browse +dsp
Also, I gave the same authorities to group -g mqgroup.
dspmqaut shows the right authorities for user mquser and group mqgroup.

But still, userid mquser can't put a msg or issue a dsp command.
I got MQRC=2035 all the time. Only user "mqm" can put a msg at this point.
Anything I missed?
Thanks in advance.
Vitor
Posted: Mon Jul 13, 2009 10:25 am

Grand High Poobah

Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA

Are you sure the 2035 is coming from the put, or could it be coming from the connect? Are you sure mquser is a member of mqgroup?

(Authorities on AIX are at group level, not principal)

If you're sure all the permissions are correct, enable security events and see what's failing. Be sure to disable them again once you've found the problem or you'll be knee deep in event messages!
_________________
Honesty is the best policy.
Insanity is the best defence.
Twilight
Posted: Mon Jul 13, 2009 10:45 am

Apprentice

Joined: 04 Aug 2004
Posts: 49

I'm using the BlockIP2 channel exit, and its log details show it passed the connection fine.
That's why mqm worked OK, I think.
I may turn on sec events to trace this.
Thanks for the advice.
_________________
WMQ/WMQI/WBI Consultant
Toronto, Canada
Vitor
Posted: Mon Jul 13, 2009 11:10 am

Grand High Poobah

Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA

Twilight wrote:
I'm using the BlockIP2 channel exit, and its log details show it passed the connection fine.


I think you'll find that indicates the exit didn't block the connection, not that the connection was allowed by the queue manager.

Twilight wrote:
That's why mqm worked OK, I think.


No, mqm works because it's not passed to the OAM. The mqm user is allowed to do anything and indeed can't (via OAM) be disallowed.

Twilight wrote:
I may turn on sec events to trace this.


Solid plan.
_________________
Honesty is the best policy.
Insanity is the best defence.
Twilight
Posted: Mon Jul 13, 2009 11:44 am

Apprentice

Joined: 04 Aug 2004
Posts: 49

I got an event on QMGR.EVENT. It shows the userid and the Windows program I used to MQPUT, after sec events were turned on.
There is no channel name on the QMGR.EVENT queue.
It looks like:
1. The exit passed the wrong userid, padded with blanks or something
2. amqsputc requires auth also?
3. svrconn needs auth too?
Thanks.
Twilight
Posted: Mon Jul 13, 2009 12:42 pm

Apprentice

Joined: 04 Aug 2004
Posts: 49

You're right.
mquser doesn't have authority to connect to the Qmgr.
I gave mquser +connect as below:
setmqaut -m TEST.QMGR -t qmgr -p mquser +connect
Thanks a lot.
_________________
WMQ/WMQI/WBI Consultant
Toronto, Canada
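
The check this thread converges on, written out as an added example that is not part of the original posts: confirm the queue manager level +connect before looking at queue authorities. The dspmqaut output samples are constructed, their layout (a header line, then one authority per line) is an assumption, and `missing_auths` and `check_access` are hypothetical helper names.

```shell
#!/bin/sh
# Added example: check both OAM levels a client needs (qmgr +connect, then queue authorities).
# Assumption: dspmqaut prints an "Entity ..." header followed by one granted authority per line.

# Read dspmqaut output on stdin; print the authorities listed in "$1" that are not granted.
missing_auths() {
    required=$1
    # Drop the header line and trim surrounding whitespace from each authority name.
    granted=$(sed -e '/^Entity /d' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//')
    missing=
    for auth in $required; do
        printf '%s\n' "$granted" | grep -qxF "$auth" || missing="$missing $auth"
    done
    printf '%s\n' "${missing# }"
}

# Usage: check_access QMGR QUEUE PRINCIPAL  (needs an MQ installation and an MQ admin userid)
check_access() {
    qm_missing=$(dspmqaut -m "$1" -t qmgr -p "$3" | missing_auths "connect")
    q_missing=$(dspmqaut -m "$1" -t queue -n "$2" -p "$3" | missing_auths "get put browse dsp")
    [ -z "$qm_missing" ] || echo "qmgr $1: missing $qm_missing (connect is refused with 2035)"
    [ -z "$q_missing" ] || echo "queue $2: missing $q_missing"
    [ -z "$qm_missing$q_missing" ]
}

# Constructed samples matching the thread before the fix: queue grants exist, qmgr has none.
SAMPLE_QMGR='Entity mquser has the following authorizations for object TESTQMGR:'
SAMPLE_QUEUE='Entity mquser has the following authorizations for object MY.TEST.QUEUE:
        get
        browse
        put
        dsp'

printf '%s\n' "$SAMPLE_QMGR"  | missing_auths "connect"             # prints: connect
printf '%s\n' "$SAMPLE_QUEUE" | missing_auths "get put browse dsp"  # prints an empty line
```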