maurito
Posted: Thu Apr 17, 2014 3:23 am
Post subject: Unable to connect toolkit (IIBv9) to aix queue manager
Partisan, Joined: 17 Apr 2014, Posts: 358

I have installed IIBv9 in Windows (runtime and toolkit) and connected the qm to the toolkit.
Then I installed MQ and broker (9.0.0.1) in AIX, created broker and qm, defined listener on 1414 and started it.
I did a
Code:
setmqaut -m queueManager -t qmgr -g mqm +connect
My Windows id is a network one of the form domain/fred.bloggs.
When I try to connect the toolkit to the qm I get 'the user 'fred.blogs' is not authorized to connect to qm xxxx (mqreason 2035)'.
I have set chlauth(disabled).
I am sure I am missing something, but cannot see what.
Any help will be appreciated.

maurito
Posted: Thu Apr 17, 2014 4:28 am
Partisan, Joined: 17 Apr 2014, Posts: 358

SORTED: changed the system.broker.config channel to mcauser(mqm)

smdavies99
Posted: Thu Apr 17, 2014 4:54 am
Jedi Council, Joined: 10 Feb 2003, Posts: 6076, Location: Somewhere over the Rainbow this side of Never-never land.

maurito wrote:
SORTED: changed the system.broker.config channel to mcauser(mqm)

Whilst that may have solved your particular problem, you have just made your broker qmgr totally unsecured. In some places doing this (changing the mcauser to 'mqm') is a sackable offense.
There are many posts on this forum describing why doing this is a really bad idea.
_________________
WMQ User since 1999
MQSI/WBI/WMB/'Thingy' User since 2002
Linux user since 1995
Every time you reinvent the wheel the more square it gets (anon). If in doubt think and investigate before you ask silly questions.

maurito
Posted: Thu Apr 17, 2014 5:07 am
Partisan, Joined: 17 Apr 2014, Posts: 358

@smdavies99 thanks! It is just a test broker.
Would you say that if I create a different channel with those attributes and use that channel to 'mqm' that would be ok?
Last edited by maurito on Thu Apr 17, 2014 5:55 am; edited 1 time in total

mqjeff
Posted: Thu Apr 17, 2014 5:37 am
Grand Master, Joined: 25 Jun 2008, Posts: 17447

Actually, 'mqm' is the wrong id on Windows.
It's 'MUSR_MQADMIN'.
Setting chlauth to disabled is the wrong thing.
Setting mcauser on this channel is the wrong thing.
Putting the domain user in the local mqm group is the right thing.

maurito
Posted: Thu Apr 17, 2014 5:58 am
Partisan, Joined: 17 Apr 2014, Posts: 358

@mqjeff I don't have a 'mqm' id on Windows.
I have the MUSR_MQADMIN but I cannot see how to make domain/fred_bloggs connect to the remote broker (in a secure way, i.e. without setting mcauser, etc.)

fjb_saper
Posted: Thu Apr 17, 2014 6:05 am
Grand High Poobah, Joined: 18 Nov 2003, Posts: 20756, Location: LI,NY

Keep chlauth enabled.
Define a channel that will accept admin accounts (chlauth definitions).
Add the user to the local mqm and mqbrkrs groups (on broker server).
Now you should have full remote access to the broker.
Refine with group permissions as needed (create your own groups for that).
Remember MQ caches group membership. So if you are changing it, issue refresh security to the qmgr...
_________________
MQ & Broker admin

maurito
Posted: Thu Apr 17, 2014 8:44 am
Partisan, Joined: 17 Apr 2014, Posts: 358

@fjb_saper thanks very much for your response. Adding my Windows id to the AIX mqm and mqbrkrs was my first thought, but then I could not create the user in AIX, as the Windows id is of the form Name.Surname and in my case it is 15 chars long. I tried creating the user using SMIT and it complained about the length.
Now I read that:
Quote:
User names can only be eight characters or fewer in AIX version 5.2 and earlier. Starting with AIX version 5.3, IBM increased the maximum number of characters to 255.
So I am wondering whether I should just use the mkuser command. Will try that next week; in the meantime, thanks everyone for your help and enjoy the Easter break!

JosephGramig
Posted: Thu Apr 17, 2014 9:26 am
Grand Master, Joined: 09 Feb 2006, Posts: 1244, Location: Gold Coast of Florida, USA

maurito,
Even if AIX will allow a long userID, WMQ will certainly not allow one longer than 12 characters. Moreover, WMQ will change the case to lower case for distributed.
Seems your Qmgr and broker run on AIX, so think about this:
Map the inbound ID to an ID that is on the AIX box and authorized.
I think using SSL and mapping each certificate to an ID on the target box is the most secure way to do it. You cannot trust the ID being presented even if you are using SSL, and that is why I suggest mapping the certificate to a local ID. The certificate is the most trustworthy thing as far as that goes. The certificate can still get copied (stolen) and used by unauthorized folks. Only you can protect your keystores.

maurito
Posted: Tue Apr 22, 2014 1:56 am
Partisan, Joined: 17 Apr 2014, Posts: 358

fjb_saper wrote:
Define a channel that will accept admin accounts (chlauth definitions)

OK, I managed to create the user (there is a setting that needs to be changed in AIX to allow userids longer than 8 chars, chdev -l sys0 -a max_logname=51), added it to the mqm and mqbrkrs, but I am struggling to define the channel that will accept the admin accounts (chlauth definitions)...
May I get an example of how to do that please?

fjb_saper
Posted: Tue Apr 22, 2014 4:21 am
Grand High Poobah, Joined: 18 Nov 2003, Posts: 20756, Location: LI,NY

Your default chlauth record refuses admin access and has *MQADMIN in the userlist.
To grant admin access, create a record of the same type, specific to the channel name, refusing access to 'nobody'...
You can also add a list granting access to individual users if you have a backstop refusing access to anybody.... (user mapping type).
And finally you should map the CN of the X509's DN to the user.
(Note: as you go cross-OS, you might have a keystore specific for MQ usage with a DN that is not valid on the originating OS (Win) but is valid on the target OS (AIX).)
With that your security would be complete.
Keep Morag's blog on channel auth handy. You will need it to verify your setup even before you test it.
Have fun
_________________
MQ & Broker admin
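As an added example (not from any poster in this thread), the setup fjb_saper describes in the two replies above (keep chlauth enabled, a dedicated channel, a channel-specific BLOCKUSER record, a deny-all backstop, and a mapping from the certificate's CN to a local id), written out as MQSC for runmqsc. The queue manager name BRKQM, the channel name BKR.ADMIN.SVRCONN, the certificate DN, addresses and the local id fbloggs are constructed placeholders.

```mqsc
* Constructed example: run inside "runmqsc BRKQM" (all names are placeholders).

* 1. A dedicated SVRCONN channel for toolkit/admin use. TLS with a client
*    certificate required, and no MCAUSER hard-coded on the channel itself:
*    the identity is decided by the CHLAUTH records below.
DEFINE CHANNEL('BKR.ADMIN.SVRCONN') CHLTYPE(SVRCONN) TRPTYPE(TCP) +
       SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA256) SSLCAUTH(REQUIRED) +
       DESCR('Admin access for IIB Toolkit, governed by CHLAUTH') REPLACE

* 2. The default SYSTEM.* BLOCKUSER record lists *MQADMIN, which blocks
*    privileged ids on every channel. The most specific channel profile
*    wins, so a record for this exact channel name overrides it here only.
*    'nobody' is an id that does not exist, so this list blocks no one.
SET CHLAUTH('BKR.ADMIN.SVRCONN') TYPE(BLOCKUSER) USERLIST('nobody') +
    DESCR('Allow admin ids on the dedicated admin channel only')

* 3. Backstop: anything on this channel that matches no mapping record
*    below is refused. Address-only records have the lowest precedence,
*    so the SSLPEERMAP record in step 4 takes priority over this one.
SET CHLAUTH('BKR.ADMIN.SVRCONN') TYPE(ADDRESSMAP) ADDRESS('*') +
    USERSRC(NOACCESS) DESCR('Backstop: deny everything not mapped')

* 4. Map the toolkit's certificate (by the CN of its DN) to a local AIX id
*    that is a member of mqm and mqbrkrs. MCAUSER is limited to 12 chars on
*    distributed, so a short local id is used, not the 15-char Windows name.
*    The ADDRESS filter limits where the certificate may be used from.
SET CHLAUTH('BKR.ADMIN.SVRCONN') TYPE(SSLPEERMAP) +
    SSLPEER('CN=fred.bloggs,OU=IIB Admins,O=Example') ADDRESS('10.1.2.*') +
    USERSRC(MAP) MCAUSER('fbloggs') +
    DESCR('Toolkit certificate for Fred maps to local id fbloggs')

* 5. Verify before testing from the toolkit: MATCH(RUNCHECK) evaluates the
*    rules for one specific inbound connection and shows the record that
*    wins. The first should map to fbloggs; the second (no certificate,
*    an unexpected address) should hit the NOACCESS backstop.
DISPLAY CHLAUTH('BKR.ADMIN.SVRCONN') MATCH(RUNCHECK) +
        SSLPEER('CN=fred.bloggs,OU=IIB Admins,O=Example') ADDRESS('10.1.2.30')
DISPLAY CHLAUTH('BKR.ADMIN.SVRCONN') MATCH(RUNCHECK) +
        CLNTUSER('fred.bloggs') ADDRESS('203.0.113.9')

* 6. Group membership is cached. After adding fbloggs to mqm and mqbrkrs
*    on AIX, make the queue manager re-read it.
REFRESH SECURITY
```

Re-running the SET CHLAUTH commands later needs ACTION(REPLACE) on each, and the toolkit side needs a keystore holding the certificate whose DN matches the SSLPEER filter.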