Manish Kumar (Novice, joined 16 May 2014, 13 posts)
Posted: Wed Jun 04, 2014 2:41 am
Hi Morag,
Yes, we cannot use the same id under which the application is running, due to organisation security rules; that's why we have created a new id.
Let me tell you the current scenario: my Windows id is "manish81", the application is running under "uprabc", and the new id which we created for the MQ connection is "bagabc".
I have made changes in the code to pass the alternate user id as "bagabc".
Actually it's a COM component in VB6, and our website, which is hosted on IIS with Windows authentication, uses this VB6 connection to connect to the MQ client.
But as per the logs, while making the connection my Windows id is getting passed, i.e. manish81.
Anyhow, I need to pass the "bagabc" id. Please help me to resolve this issue ASAP.
Manish Kumar
Posted: Wed Jun 04, 2014 2:54 am
This is an intranet application used within the organisation only.
IanAlderson (Novice, joined 23 Apr 2014, 17 posts)
Posted: Wed Jun 04, 2014 3:09 am
Manish,
Did you try searching for setmqaut and altusr? You should find plenty of examples.
As was confirmed at the beginning of this thread, the error you are seeing is on the connection. If you have an MQ admin team that sets MQ admin permissions, then they should be able to readily set the correct permissions for you.
But for illustration purposes, here is an example of what you need. For ease of your understanding I am using the userids you have provided. However, the caveat is that you should only apply the security required for your system.
Authority for the process ID to connect to the queue manager:
Code:
setmqaut -m WMQT037 -t qmgr -p uprabc +connect +altusr
Note that the ID of the process making the connection has authority to connect and to make subsequent MQOPEN calls as an alternate user.
Whilst it is assumed that the alternate user has appropriate queue-level permissions based on your previous response, here is an example of the permissions required by the alternate userid:
Code:
setmqaut -m WMQT037 -t q -n MY.QUEUE.NAME -p bagabc +put
where bagabc is the userid passed in od.AlternateUserId. This example gives userid bagabc permission to put messages to the queue, but you should apply permissions as you require for your application.
Note that the alternate userid does not require connect authority to the qmgr.
Hopefully that clarifies things for you, but if the above still does not make sense then I would strongly recommend that you seek assistance from someone within your organisation who administers the MQ environment.
IanAlderson
Posted: Wed Jun 04, 2014 3:28 am
Manish,
Also, as a follow up, I would just like to make the following points.
By granting altusr to the Windows ID connecting to MQ, you thereby allow it, in theory, to open queues under any ID that is permissioned. It sounds like this approach has been mandated to you by the security team, but do they realise that by using alternate user they may potentially be opening up more access than they intend? Are your processes controlled enough that you can be certain that only the special MQ user is ever passed on any connection from that ID on that queue manager? Examples may be where that user is hardcoded on a SVRCONN, the alternate userid is passed in dynamically, or other rogue processes could be started under that ID and pass their own alternate userid.
VB6 is indeed very old and, as I understand it, is soon to be out of support with Microsoft. I am not sure what IBM's position on support is when you are connecting to any of the newer MQ versions if you hit any API issues. I suggest you do your DD and highlight any support issues to your management.
Good luck!
hughson (Padawan, joined 09 May 2013, 1959 posts, Bay of Plenty, New Zealand)
Posted: Wed Jun 04, 2014 3:33 am
Manish Kumar wrote:
I have made changes in code to pass alternate user id as "bagabc".
As I said in my previous reply, alternate user id will not help you with authority on the connect. It can only be used later, i.e. for the MQOPEN. If you cannot have connect authority granted to the user ID you are running the application with, we need to change the user ID that the queue manager sees the application running with.
Manish Kumar wrote:
actually its a com component in vb6 and and our website which is hosted on IIS has windows authentication using this vb6 connection to connect to MQ client.
I think this means you are telling me that the application connects to the queue manager using a client connection. In which case it is a bit easier for us to ensure that the queue manager sees your application running under the user ID you want for it.
If you are running with a minimum of MQ V7.1, then you can set a CHLAUTH rule on your queue manager something like this, to map the user ID from what is being flowed to what you want to be used.
Code:
SET CHLAUTH(svrconn-channel-name) TYPE(USERMAP) CLNTUSER('manish81') ADDRESS(the-ip-address-of-the-machine-the-app-is-running-on) MCAUSER('bagabc')
Since this is completely inside your organisation, I'm comfortable recommending this. For others who read this thread in the future, be aware that this is only as secure as the IP address used. If someone can spoof the IP address, they can set up a client-side user and also be mapped to that user at the queue manager end. For anything external you should have some stronger authentication, either SSL/TLS or user ID + password validation, rather than just trusting an IP address.
Cheers
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
Manish Kumar
Posted: Wed Jun 04, 2014 11:40 pm
Hi Morag,
SET CHLAUTH(svrconn-channel-name) TYPE(USERMAP) CLNTUSER('manish81') ADDRESS(the-ip-address-of-the-machine-the-app-is-running-on) MCAUSER('bagabc')
On the queue managers only groups are allowed to be authorised, and the id passed should be part of that group.
Currently I am hitting the website, but any other member may hit the website too, say with Windows id "abc". What I am trying to say is that there will be many users hitting the website every minute.
But in the code you mentioned, only my id is specified.
So my concern here, keeping in mind the above 2 conditions, is whether the code works for all users, i.e. whether it is generic or not.
If a member with Windows id abc comes, will bagabc still be passed???
Or help me with code for when IIS tries to connect to the MQ client:
the Windows id should not get passed; only the application id (under which the application is running) should be passed.
hughson
Posted: Thu Jun 05, 2014 3:00 am
If you have multiple users, you could create a different CHLAUTH rule to catch all of them:
Code:
SET CHLAUTH(svrconn-channel-name) TYPE(ADDRESSMAP) ADDRESS(an-ip-address-pattern-that-covers-the-ip-addresses-of-the-machines-the-apps-are-running-on) MCAUSER('bagabc')
Once you get to MQ V8 you could make use of user ID + password validation and ADOPTCTX(YES) to have the application provide the user ID to use in the application itself.
Cheers
Morag
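The following is an added example and is not code from this thread, from IBM MQ, or from any poster. It is a small Python model of the two authorization decisions discussed in IanAlderson's setmqaut post and in Morag's two CHLAUTH replies: the object authority manager (OAM) checks behind `+connect`, `+altusr` and `+put`, and the USERMAP/ADDRESSMAP mapping of the flowed client user ID to an MCAUSER. The queue manager name WMQT037, the queue MY.QUEUE.NAME and the ids manish81, uprabc and bagabc come from the thread; the IP addresses, the extra PAYROLL.IN queue and payroll id, the plain-user principals (real MQ grants to groups on Windows, as Manish notes), and the simplified rule precedence (USERMAP before ADDRESSMAP, first match wins, no default rules) are assumptions made for the illustration.

```python
# Added illustration only: models the OAM and CHLAUTH decisions from the thread.
import fnmatch


class Oam:
    """Stand-in for the MQ object authority manager.

    Assumption: principals are plain user ids. Real MQ on Windows/UNIX grants
    authority to groups and resolves the user's group membership.
    """

    def __init__(self):
        self._auths = {}  # (qmgr, obj_type, name) -> {principal: {authorities}}

    def setmqaut(self, qmgr, obj_type, name, principal, *flags):
        # Mirrors: setmqaut -m QMGR -t TYPE -n NAME -p PRINCIPAL +auth -auth ...
        granted = self._auths.setdefault((qmgr, obj_type, name), {})
        granted = granted.setdefault(principal, set())
        for flag in flags:
            if flag.startswith("+"):
                granted.add(flag[1:])
            elif flag.startswith("-"):
                granted.discard(flag[1:])

    def has(self, qmgr, obj_type, name, principal, authority):
        return authority in self._auths.get((qmgr, obj_type, name), {}).get(principal, set())


def mqconn(oam, qmgr, user):
    """MQCONN: only the id the queue manager sees for the connection is checked.
    The alternate user id in the MQOD plays no part at this point."""
    return oam.has(qmgr, "qmgr", qmgr, user, "connect")


def mqopen_for_put(oam, qmgr, queue, connected_user, alt_user=None):
    """MQOPEN with MQOO_OUTPUT, plus MQOO_ALTERNATE_USER_AUTHORITY if alt_user is set."""
    effective = connected_user
    if alt_user is not None:
        # The connected id needs +altusr on the queue manager ...
        if not oam.has(qmgr, "qmgr", qmgr, connected_user, "altusr"):
            return False
        # ... and the queue authority is then checked against the alternate id.
        effective = alt_user
    return oam.has(qmgr, "q", queue, effective, "put")


def _address_matches(pattern, ip):
    # Assumption: only '*' wildcards per dotted-decimal position (e.g. 10.1.2.*).
    # Real CHLAUTH also accepts ranges such as 10.1.2.1-20 and IPv6 addresses.
    return True if pattern is None else fnmatch.fnmatchcase(ip, pattern)


def chlauth_mcauser(rules, clntuser, ip):
    """Return the id the channel will run under after CHLAUTH mapping.

    Simplification (assumed): USERMAP rules are tried before ADDRESSMAP rules,
    the first match wins, and with no match the flowed client id is used as-is.
    """
    for rule in rules:
        if (rule["type"] == "USERMAP" and rule["clntuser"] == clntuser
                and _address_matches(rule.get("address"), ip)):
            return rule["mcauser"]
    for rule in rules:
        if rule["type"] == "ADDRESSMAP" and _address_matches(rule["address"], ip):
            return rule["mcauser"]
    return clntuser


def thread_scenario():
    """Set up the thread's grants and rules; return the outcomes worth checking."""
    qm = "WMQT037"
    oam = Oam()
    # The two setmqaut commands from Ian's post:
    oam.setmqaut(qm, "qmgr", qm, "uprabc", "+connect", "+altusr")
    oam.setmqaut(qm, "q", "MY.QUEUE.NAME", "bagabc", "+put")
    # Constructed extra grant, used to show what +altusr really allows.
    oam.setmqaut(qm, "q", "PAYROLL.IN", "payroll", "+put")

    # Morag's two rules, with assumed addresses filled in.
    usermap = [{"type": "USERMAP", "clntuser": "manish81",
                "address": "10.1.2.3", "mcauser": "bagabc"}]
    addrmap = [{"type": "ADDRESSMAP", "address": "10.1.2.*", "mcauser": "bagabc"}]

    r = {
        # Passing bagabc in the MQOD does nothing for manish81's MQCONN.
        "manish81_connect": mqconn(oam, qm, "manish81"),
        "uprabc_connect": mqconn(oam, qm, "uprabc"),
        "uprabc_put_as_bagabc": mqopen_for_put(oam, qm, "MY.QUEUE.NAME", "uprabc", "bagabc"),
        "uprabc_put_directly": mqopen_for_put(oam, qm, "MY.QUEUE.NAME", "uprabc"),
        # Ian's caveat: +altusr lets uprabc act as any permissioned id, not only bagabc.
        "uprabc_put_as_payroll": mqopen_for_put(oam, qm, "PAYROLL.IN", "uprabc", "payroll"),
        # USERMAP catches manish81 only; another IIS user ("abc") flows through unmapped.
        "usermap_manish81": chlauth_mcauser(usermap, "manish81", "10.1.2.3"),
        "usermap_abc": chlauth_mcauser(usermap, "abc", "10.1.2.3"),
        # ADDRESSMAP catches every user from the subnet, and nobody outside it.
        "addrmap_abc": chlauth_mcauser(addrmap, "abc", "10.1.2.9"),
        "addrmap_outsider": chlauth_mcauser(addrmap, "abc", "192.168.0.5"),
    }
    # The mapped id is what MQCONN is checked against, so bagabc now needs +connect too.
    mapped = chlauth_mcauser(addrmap, "abc", "10.1.2.9")
    r["mapped_connect_before_grant"] = mqconn(oam, qm, mapped)
    oam.setmqaut(qm, "qmgr", qm, "bagabc", "+connect")
    r["mapped_connect_after_grant"] = mqconn(oam, qm, mapped)
    return r


if __name__ == "__main__":
    for name, outcome in thread_scenario().items():
        print(f"{name:30s} {outcome}")
```

Two things the model makes visible that the MQSC text alone does not: the alternate user route and the CHLAUTH route need different grants (with altusr the connecting id needs +connect and +altusr and the alternate id needs only queue authority; with CHLAUTH the MCAUSER itself is the connecting id and so needs +connect), and an ADDRESSMAP rule is only as strong as the address check, so anything that can reach the listener from a matching address is mapped to bagabc.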
Manish Kumar
Posted: Thu Jun 05, 2014 3:39 am
How do I set the command below? Do I set it in an environment variable, like I have set the MQSERVER variable, or somewhere else?
SET CHLAUTH(svrconn-channel-name) TYPE(ADDRESSMAP) ADDRESS(an-ip-address-pattern-that-covers-the-ip-addresses-of-the-machines-the-apps-are-running-on) MCAUSER('bagabc')
exerk (Jedi Council, joined 02 Nov 2006, 6339 posts)
Posted: Thu Jun 05, 2014 4:08 am
Manish Kumar wrote:
How to set this below command
Try the Info-Knowledge Centre, also try Morag's very comprehensive blog, which shows you how...
...you are asking people to do your job for you, which is unlikely to get you any more information than has already been given.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
hughson
Posted: Thu Jun 05, 2014 5:33 am
Manish Kumar wrote:
How to set this below command, I have set in environment variable like I have set MQSERVER variable or somewhere else.
SET CHLAUTH(svrconn-channel-name) TYPE(ADDRESSMAP) ADDRESS(an-ip-address-pattern-that-covers-the-ip-addresses-of-the-machines-the-apps-are-running-on) MCAUSER('bagabc')
It's an MQSC command. You could instead issue it via the Explorer GUI if you prefer. By the way, you have to replace svrconn-channel-name with the name of your SVRCONN channel, and an-ip-address-pattern-that-covers-the-ip-addresses-of-the-machines-the-apps-are-running-on with what it describes. Don't just type the above straight into your favourite MQSC tool.
P.S. If you haven't come across CHLAUTH before, try typing CHLAUTH into the search bar of the Knowledge Center/Information Center, and have a read.
Cheers
Morag