tkane
Posted: Fri Feb 11, 2005 4:46 am Post subject: security for amqsailq
Voyager
Joined: 23 Dec 2002 Posts: 82 Location: Kansas City
I'm trying to open up security the least amount for an application that is asking for the ability to inquire on the depth of a large number of their queues.
I have done a few PCF programs in the past but none recently and none in a more secure environment.
Can I open up SYSTEM.ADMIN.COMMAND.QUEUE to let them inquire on the depth of a bunch of their queues without giving them the ability to define queues and channels through PCFs?
I got past most of the 2035s in testing, but still have a couple. Any ideas?
Right now I have security set up as:
Code:
setmqaut -m MQMGR -t qmgr -g usergrp +connect +inq +dsp
setmqaut -m MQMGR -n TEST.QUEUE -t queue -g usergrp +browse +get +inq +passall +passid +put +set +setall +setid
setmqaut -m MQMGR -n SYSTEM.ADMIN.COMMAND.QUEUE -t queue -g usergrp +inq +put
setmqaut -m MQMGR -n MQAI*.** -t queue -g usergrp +browse +get +inq +passall +passid +put +set +setall +setid
setmqaut -m MQMGR -n SYSTEM.DEFAULT.MODEL.QUEUE -t queue -g usergrp +browse +get +inq +passall +passid +put +set +setall +setid +chg +clr +dlt +dsp
setmqaut -m MQMGR -n ** -t queue -g usergrp +inq +dsp
setmqaut -m MQMGR -t qmgr -g usergrp +None
setmqaut -m MQMGR -n SYSTEM.DEFAULT.LOCAL.QUEUE -t queue -g usergrp +crt
And amqsailq runs like this:
Code:
$ amqsailq
Display current depths of local queues
Call to get queue attributes failed: Completion Code = 1 : Reason = 3008
Error returned by the command server: Completion Code = 0 : Reason = 0
$
When I dump the QMGR.EVENT queue, I get an error having to do with
Code:
Queue Manager event: CompCode(WARNING)
Reason = MQRC_NOT_AUTHORIZED
parameter count is 4
MQCA_Q_MGR_NAME MQMGR
MQIACF_REASON_QUALIFIER 4 (X'4')
MQIACF_COMMAND 13 (X'D')
MQCACF_USER_IDENTIFIER usernam
I think this means that I'm not allowed to do inquire_q, but I'm not sure on the how or why here.
TIA
Tom

PeterPotkay
Posted: Fri Feb 11, 2005 1:47 pm Post subject:
Poobah
Joined: 15 May 2001 Posts: 7722
If all they need is the depth, then all they need is the authority to connect to the QM, open the queue they want to check the depth on, and issue the MQINQ call.
_________________
Peter Potkay
Keep Calm and MQ On

tkane
Posted: Mon Feb 14, 2005 10:41 am Post subject: security for amqsailq
Voyager
Joined: 23 Dec 2002 Posts: 82 Location: Kansas City
Peter,
Thanks. Unfortunately for me they found the sample program and are very happy with what it can do for them. That, combined with the fact that I'm attempting to secure them (they aren't properly secured today), makes this an issue that I'd like to see a better answer for.
There is another sample using the MQAI that creates a queue. If I can allow them to use PCFs (via the MQAI) to display but not create, then I'll be happy.
Said another way, if I open up SYSTEM.ADMIN.COMMAND.QUEUE, am I giving up the store to them in terms of security?
Any thoughts from IBM?
Thanks
Tom

PeterPotkay
Posted: Mon Feb 14, 2005 2:46 pm Post subject:
Poobah
Joined: 15 May 2001 Posts: 7722
So I'm grappling with this in another thread for a slightly different reason. I want them to not use runmqsc locally, but to just do displays remotely via PCF.
I am pretty sure you can give a remote user display-only capability via PCF commands after they have connected to the QM and opened the command queue. Researching... maybe someone will confirm...
_________________
Peter Potkay

Nigelg
Posted: Mon Feb 14, 2005 3:36 pm Post subject:
Grand Master
Joined: 02 Aug 2004 Posts: 1046
I think the events in the Windows event viewer show the missing authorities.

tkane
Posted: Tue Feb 15, 2005 6:51 am Post subject:
Voyager
Joined: 23 Dec 2002 Posts: 82 Location: Kansas City
I'm afraid that I'm on Unix.
Another thought. I managed to get this to work with a modified amqsailq. I changed the "*" to "HILVL*" and it brought back all of the queue information for all of my queues beginning with "HILVL".
But then, using amqsaicq, I was able to define a queue with a name of "DIFFERENTHILVL.TEST".
The manual says that:
Quote:
In order to process any PCF command, the user ID must have dsp authority for the queue manager object on the target system. In addition, WebSphere MQ object authority checks are performed for certain PCF commands, as shown in Table 1
http://publibfp.boulder.ibm.com/epubs/html/csqzac03/csqzac03tfrm.htm
Questions:
Are people giving applications access to the command queue? I'd rather not. I'd rather they open and inq on each queue in turn. PCFs seem faster: amqsailq appears to run faster than the program that I wrote several years ago, which uses PCFs only to get the list of queues and then does open/inq/close on each queue. That logic seems to slow down on busy systems with lots of queues with messages in them.
TIA
Tom

Nigelg
Posted: Tue Feb 15, 2005 7:27 am Post subject:
Grand Master
Joined: 02 Aug 2004 Posts: 1046
Quote:
setmqaut -m MQMGR -n ** -t queue -g usergrp +inq +dsp
This is wrong for UNIX, which is why I thought you were on Windows. The ** is expanded by the shell into a list of files/dirs in the current directory, and will almost certainly result in an error being returned by setmqaut.
Code:
$ setmqaut -m MQMGR -n ** -t queue -g usergrp +inq +dsp
AMQ7093: An object type is required but you did not specify one.
Usage: setmqaut -m QMgrName [-n ObjName] -t ObjType [-p Principal | -g Group]
[-s ServiceName] Authorizations
$ echo setmqaut -m MQMGR -n ** -t queue -g usergrp +inq +dsp
setmqaut -m MQMGR -n bin defects defs env myefix pmrs src tmp -t queue -g usergrp +inq +dsp
The reason it works when you put HILVL* is that the shell does not expand the wildcard because there are no matching files/dirs in the current directory, so the arguments are passed intact into setmqaut.
Enclose all the wildcards in single quotes to protect them from the shell.
Code:
$ echo setmqaut -m MQMGR -n '**' -t queue -g usergrp +inq +dsp
setmqaut -m MQMGR -n ** -t queue -g usergrp +inq +dsp
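As an added illustration of the shell-expansion hazard Nigelg describes above (example code written for this page; it is not from the thread, from tkane's scripts, or from IBM MQ), the script below builds setmqaut command lines for MQ generic profiles in a way that catches an expanded wildcard before anything reaches setmqaut. It never invokes setmqaut itself, so it runs on any POSIX sh. The profile-syntax rules in mq_valid_profile (allowed characters, at most one '**', and '**' only as a whole dot-separated qualifier) are my summary and are an assumption to check against the setmqaut documentation for your MQ version; the queue manager, group and authorisation strings are the ones from the thread, reused only as sample values.

```sh
#!/bin/sh
# Added example (not from the thread): render a setmqaut command for an MQ
# generic profile so that '**' or 'HILVL*' cannot be turned into file names by
# the calling shell. Profile rules below are an assumption, not IBM's spec.

# mq_valid_profile NAME
# Accepts letters, digits, . / _ % and '*'; at most one '**', and '**' only as
# a whole dot-separated qualifier ('**', 'APP.**', '**.APP', 'APP.**.Q').
mq_valid_profile() {
    p=$1
    [ -n "$p" ] || return 1
    case $p in
        *[!A-Za-z0-9./_%*]*) return 1 ;;
    esac
    # Count occurrences of '**' by peeling them off the front one at a time.
    rest=$p; n=0
    while :; do
        case $rest in
            *'**'*) rest=${rest#*'**'}; n=$((n + 1)) ;;
            *) break ;;
        esac
    done
    [ "$n" -le 1 ] || return 1
    if [ "$n" -eq 1 ]; then
        # Surround with dots so an end-of-name '**' also reads as '.**.'.
        case ".$p." in
            *'.**.'*) ;;
            *) return 1 ;;
        esac
    fi
    return 0
}

# mq_render_setmqaut QMGR OBJTYPE GROUP PROFILE "AUTHS"
# Prints the command with the profile single-quoted. Exactly five arguments
# are expected: if the caller's shell expanded an unquoted wildcard into file
# names, the count is wrong and we refuse instead of emitting a line that
# setmqaut would reject (the AMQ7093 seen in the thread) or, worse, that
# silently grants authority on the wrong object names.
mq_render_setmqaut() {
    if [ "$#" -ne 5 ]; then
        echo "mq_render_setmqaut: expected 5 args, got $# (unquoted wildcard expanded by the shell?)" >&2
        return 2
    fi
    qm=$1; objtype=$2; grp=$3; prof=$4; auths=$5
    mq_valid_profile "$prof" || { echo "invalid profile: $prof" >&2; return 3; }
    printf "setmqaut -m %s -n '%s' -t %s -g %s %s\n" "$qm" "$prof" "$objtype" "$grp" "$auths"
}

# mq_demo_glob_hazard
# Reproduces the failure from a directory that contains files (the case where
# an unquoted '**' expands), then shows both fixes: single-quoting the profile,
# or 'set -f' to switch off pathname expansion for the whole script. Note that
# in an empty directory the unquoted form happens to work, which is exactly
# why the HILVL* test in the thread succeeded. Returns 0 when all three
# behave as described.
mq_demo_glob_hazard() {
    d=$(mktemp -d) || return 1
    ( cd "$d" && touch bin src tmp ) || { rm -rf "$d"; return 1; }
    rc=0
    (
        cd "$d" || exit 1
        # 1. unquoted: '**' becomes 'bin src tmp', seven args, refused
        mq_render_setmqaut MQMGR queue usergrp ** '+inq +dsp' >/dev/null 2>&1 && exit 1
        # 2. quoted: the profile reaches the function intact
        mq_render_setmqaut MQMGR queue usergrp '**' '+inq +dsp' >/dev/null || exit 1
        # 3. set -f: even the unquoted form is now safe
        set -f
        mq_render_setmqaut MQMGR queue usergrp ** '+inq +dsp' >/dev/null || exit 1
    ) || rc=1
    rm -rf "$d"
    return $rc
}
```

When this is used to generate a production authorisation file, run the generator under `set -f` as well as quoting every profile; the argument-count check is a last line of defence, not a substitute for quoting, because in a directory with exactly one matching file the expansion leaves the count correct and only the validator's character rules stand between you and a grant on an unintended name.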

tkane
Posted: Tue Feb 15, 2005 10:00 am Post subject:
Voyager
Joined: 23 Dec 2002 Posts: 82 Location: Kansas City
Nigel,
Thanks, but I'm still confused.
Quote:
setmqaut -m MQMGR -n ** -t queue -g usergrp +inq +dsp
is part of the output from this command: amqoamd -m MQMGR -s | grep usergrp.
I'm afraid I don't have the original command. I put them in files for production, but in my testing I entered it manually. I either used single or double quotes.
So I THINK that means I have. In fact I re-entered it with single quotes and I still get the same result.
With respect to HILVL*: I'm not passing that through the shell at all.
It's replaced in the source of amqsailq.c:
Code:
mqAddString(adminBag, MQCA_Q_NAME, MQBL_NULL_TERMINATED, "HILVL*", &compCode, &reason);
CheckCallResult("Add q name", compCode, reason);
So I'm still very confused.
Tom