MQ Client Requirements
mq_weenie
PostPosted: Fri Nov 21, 2003 5:30 am    Post subject: MQ Client Requirements

Newbie

Joined: 13 Nov 2003
Posts: 9

I have installed the MQ Client on a machine. My application uses the API of the MQ Client to communicate with a WebSphere MQ on another machine.

There seems to be a requirement that a user account has to be created on the machine hosting the WebSphere MQ.
This user account to be created on the host machine is to have the same user name and pwd as the user account on which the MQ Client is loaded.
Also the user account should be added to the "mqm" group.

Questions:
1. Is this requirement documented anywhere by IBM? If so, would someone pass me a link (preferably within IBM's site)? (I couldn't find anything clear and explicit.)
2. Is there an alternative? Suppose I do not have the option of creating a user account on the host machine; what do I do? Is there a lightweight solution to this?

I would be grateful for an early and clear reply.
jefflowrey
PostPosted: Fri Nov 21, 2003 6:05 am    Post subject:

Grand Poobah

Joined: 16 Oct 2002
Posts: 19981

When your client application opens a connection to the MQSeries server, it presents itself to the server as whatever user is running the process (unless the client application is a java client).

MQSeries is not accessible to everyone automatically. In order to connect to MQSeries or make use of MQSeries resources (queues, mainly), you have to be authorized to do so.

How MQSeries authentication is handled is different on different platforms, to some extent. On distributed platforms (Windows, Unix), though, the group called 'mqm' provides a default "do anything you want" set of permissions to MQSeries. In addition, on distributed platforms there is something called the Object Authority Manager (OAM). The OAM can be manipulated using the 'dspmqaut' and 'setmqaut' commands to allow users that are not in the 'mqm' group to have access to MQSeries resources on that server.

When making a client connection, the connection is made over a channel. The channel has an attribute called 'MCAUSER'. If this attribute is set on the channel, then any user connecting over that particular channel will access MQSeries as if they were the user defined in 'MCAUSER'.

So you have three main options:
  1. Create a user that matches the user running your client application on your MQSeries server and put it in the 'mqm' group
  2. Define the user running your client application to the OAM on your server and give it the necessary permissions using 'setmqaut'
  3. Set the MCAUSER on the server connection channel you are using to the name of a user that has appropriate privileges on your server
The manuals that describe this whole process in much more detail are available by clicking the 'Documentation' button at the top of this page. In particular, the 'Security' manual and the 'Clients' manual will cover a lot of this. You may also want to look at the platform specific System Administration guide for your server platform.

If your MQSeries server is running on z/OS, this whole picture is pretty different.
_________________
I am *not* the model of the modern major general.
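Options 2 and 3 from the post above, written out as the commands an administrator would run on the server. This is an added example, not code from the thread or from IBM; the queue manager QM1, channel APP.SVRCONN, queue APP.REQUEST and principal app1 are constructed names, and DRY_RUN=1 prints the commands instead of running them so the script can be reviewed on a box without MQ installed.

```shell
#!/bin/sh
# Added example (not from the thread). Constructed names: queue manager QM1,
# server-connection channel APP.SVRCONN, queue APP.REQUEST, principal app1.
set -eu

QMGR="${QMGR:-QM1}"
CHANNEL="${CHANNEL:-APP.SVRCONN}"
APP_QUEUE="${APP_QUEUE:-APP.REQUEST}"
APP_USER="${APP_USER:-app1}"   # on Windows the OAM principal is usually user@domain

# Print the command when DRY_RUN=1, otherwise execute it.
run() {
    if [ "${DRY_RUN:-}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Option 2: register the client's user id with the OAM and grant only what the
# application needs: connect/inquire on the queue manager, put/get/inquire on
# one queue. No 'mqm' membership, no +all.
grant_client_access() {
    run setmqaut -m "$QMGR" -t qmgr -p "$APP_USER" +connect +inq
    run setmqaut -m "$QMGR" -t queue -n "$APP_QUEUE" -p "$APP_USER" +put +get +inq
}

# Check what the OAM now holds for that principal.
show_client_access() {
    run dspmqaut -m "$QMGR" -t qmgr -p "$APP_USER"
    run dspmqaut -m "$QMGR" -t queue -n "$APP_QUEUE" -p "$APP_USER"
}

# Option 3: pin the channel's MCAUSER so every connection over it runs as the
# low-privilege app1, whatever id the client presents (including a blank one).
mcauser_mqsc() {
    printf "ALTER CHANNEL(%s) CHLTYPE(SVRCONN) MCAUSER('%s')\n" "$CHANNEL" "$APP_USER"
}

set_channel_mcauser() {
    if [ "${DRY_RUN:-}" = "1" ]; then
        mcauser_mqsc
    else
        mcauser_mqsc | runmqsc "$QMGR"
    fi
}
```

Pinning MCAUSER on its own still leaves the channel open to any client that can reach it, as the thread goes on to say, so option 3 is only as safe as the authority granted to the MCAUSER id.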
Michael Dag
PostPosted: Fri Nov 21, 2003 6:06 am    Post subject:

Jedi Knight

Joined: 13 Jun 2002
Posts: 2607
Location: The Netherlands (Amsterdam)

What platform are you on?

Clients (IMHO) should not be in the mqm group! The userid you are using to connect to MQ needs to be a known user on the MQServer (UNIX) so you can give 'permissions' to access MQ Objects.

Michael
mq_weenie
PostPosted: Fri Nov 21, 2003 6:35 am    Post subject:

Newbie

Joined: 13 Nov 2003
Posts: 9

1. Both the server and the client are on Windows....
2. From what I understood of the 3 options, ALL require some work to be done on the server. Am I right?

Option 2. Even when using the OAM, the user account will again have to be created on the machine hosting the MQ - correct? Also the 'dspmqaut' and 'setmqaut' commands will have to be run on the machine hosting the WebSphere MQ - correct?

Option 3. We will have to set the MCAUSER on the server connection channel to a user on the machine hosting the WebSphere MQ - correct? And this user will have to be the same as the user on which the client app is running - correct?
jefflowrey
PostPosted: Fri Nov 21, 2003 6:44 am    Post subject:

Grand Poobah

Joined: 16 Oct 2002
Posts: 19981

mq_weenie wrote:
1. Both the server and the client are on Windows....
2. From what I understood of the 3 options, ALL require some work to be done on the server. Am I right?

Yes. If you don't have access to the server, and don't have access to anyone that does have access to the server, then you are out of luck.
mq_weenie wrote:
Option 2. Even when using the OAM, the user account will again have to be created on the machine hosting the MQ - correct?
No. Suppose your server is running on MACHINEA, and your client is running on MACHINEB. The client is running as "USER234". You can tell the OAM to grant permissions to "MACHINEB/USER234" (or something similar).
mq_weenie wrote:
Also the 'dspmqaut' and 'setmqaut' commands will have to be run on the machine hosting the WebSphere MQ - correct?
Yes.
mq_weenie wrote:
Option 3. We will have to set the MCAUSER on the server connection channel to a user on the machine hosting the WebSphere MQ - correct?
Yes.
mq_weenie wrote:
And this user will have to be the same as the user on which the client app is running - correct?
No.
_________________
I am *not* the model of the modern major general.
mq_weenie
PostPosted: Fri Nov 21, 2003 7:08 am    Post subject: To follow up on option 3

Newbie

Joined: 13 Nov 2003
Posts: 9

In option 3

Option 3.
A. We will have to set the MCAUSER on the server connection channel to a user on the machine hosting the WebSphere MQ - correct?
- Yes
B. And this user will have to be the same as the user on which the client app is running - correct?
- No

As per the answer to question B, what should the client MACHINEB know to connect to the MQ on MACHINEA? Would the same code work? I am missing something here.....
PeterPotkay
PostPosted: Fri Nov 21, 2003 7:32 am    Post subject:

Poobah

Joined: 15 May 2001
Posts: 7722

If the UserID on the channel is set, it overrides anything that the client may send over.

If the MCAUSER on the channel is set to 1234, any and all users connecting over this channel will be known to MQ as 1234. You then only have to restrict/grant access for user 1234. All users over this channel will be treated the same.

The MQClient Manual is a very good source of info for this.

http://publibfp.boulder.ibm.com/epubs/html/csqzaf07/csqzaf07tfrm.htm
_________________
Peter Potkay
Keep Calm and MQ On


Last edited by PeterPotkay on Fri Nov 21, 2003 7:35 am; edited 1 time in total
jefflowrey
PostPosted: Fri Nov 21, 2003 7:33 am    Post subject: Re: To follow up on option 3

Grand Poobah

Joined: 16 Oct 2002
Posts: 19981

mq_weenie wrote:
In option 3

Option 3.
A. We will have to set the MCAUSER on the server connection channel to a user on the machine hosting the WebSphere MQ - correct?
- Yes
B. And this user will have to be the same as the user on which the client app is running - correct?
- No

As per the answer to question B, what should the client MACHINEB know to connect to the MQ on MACHINEA? Would the same code work? I am missing something here.....

When the MCAUSER parameter is set on the channel, it overrides the user information that is normally coming through. Whatever user information the client is normally supplying is REPLACED with the MCAUSER information, and the permissions that the MCAUSER has are the ones that are used.

The only thing the client needs to know is the normal stuff a client needs to know - what channel, what port, what hostname, what queue manager name, etc.

This is a not-very-secure security method, precisely because there is no authentication of the client performed. Any client from anywhere that can reach the channel can connect to that channel and do whatever the MCAUSER is allowed to do.
_________________
I am *not* the model of the modern major general.
techno
PostPosted: Wed May 05, 2004 9:43 am    Post subject:

Chevalier

Joined: 22 Jan 2003
Posts: 429

Why is it not applicable to Java based applications?

What should be done in case the application is Java based and is connecting to MQ through a client channel?

Thanks
JasonE
PostPosted: Wed May 05, 2004 2:05 pm    Post subject:

Grand Master

Joined: 03 Nov 2003
Posts: 1220
Location: Hursley

Use security exits or SSL...

Yes, Java uses the value of MQEnvironment.userid, and if not filled in sends a blank id which gets full authority. However, you could for example install your own client onto your own unix box, and run your client app under mqm, or define a user MUSR_MQADMIN and connect to windows machines... You have to assume clients are insecure.