Security issue.. |
mqs_guy
Posted: Mon Aug 04, 2003 9:34 am Post subject: Security issue..
Acolyte
Joined: 09 May 2002 Posts: 71
Hi Guys,
I have installed WMQI 2.1 on Windows 2000 and have configured it.
I am able to connect to the configuration manager and deploy message flows to the broker.
The problem is, I have installed WMQI using user:db2admin pwd:db2admin on my local computer domain.
Now, when I access the config mgr from another remote machine using the control centre, using a different user id (which is a part of the mq* groups), I am able to connect to it, but am not able to do anything. I am not able to view the broker in the topology tab nor in the assignments tab, nor am I able to create message flows. This user id with which I log on belongs to a different domain, and I have installed WMQI on my local computer domain.
I know it's a security issue. How do I make it work? I am able to see all tabs in the control centre when I log in using a different user id and made sure that it's a part of all mq* groups.
Thanks in Advance.
Cheers,
Vishal Agrawal
 |
anhnt
Posted: Mon Aug 04, 2003 8:04 pm Post subject: maybe length of your userid over 12 chars
Acolyte
Joined: 03 Aug 2003 Posts: 54
Maybe the length of your userid is over 12 chars. Try to create a user id with length <=12 chars and grant mq* to it.
anhnt
 |
kirani
Posted: Mon Aug 04, 2003 9:33 pm Post subject:
Jedi Knight
Joined: 05 Sep 2001 Posts: 3779 Location: Torrance, CA, USA
Did you specify the -d option when creating the Config Mgr? Is the user-id logged on at the different machine also created on the Config Mgr machine, and is it a part of mq* groups on that machine?
_________________
Kiran
IBM Cert. Solution Designer & System Administrator - WBIMB V5
IBM Cert. Solutions Expert - WMQI
IBM Cert. Specialist - WMQI, MQSeries
IBM Cert. Developer - MQSeries
 |
mqs_guy
Posted: Tue Aug 05, 2003 7:37 am Post subject:
Acolyte
Joined: 09 May 2002 Posts: 71
No, I am afraid I didn't specify the -d option while creating the configmgr. Can it be done now? I mean modifying the config mgr.
Yes, the logged on user id is a part of mq* groups on the config mgr machine.
One more question.
When we install DB2 we are prompted for a user id and pwd. That's when we give db2admin (default - user id). The DB2 installation creates a user db2admin on the local computer. Now, I have installed WMQI logged on as db2admin...Domain -> local system. Are my steps right? We all work in an organisation and our user ids are a part of a domain. Now, when I log on with my user id, say tb123456 and domain TB, here are the difficulties I face:
1) cannot create database. says tb12345 does have the authority. But when I log on as db2admin, I can create databases in DB2.
2) cannot log on to the control centre using tb12345 though I have added it to the mq* groups (didn't specify -d option while creating config mgr)
Now, is it mandatory to install WMQI using db2admin or any other user id which is local to the system, or can we install it using our service accounts (tb123456) who is an admin? If yes, is there a solution to create databases in db2?
Regards,
Vishal Agrawal
 |
kirani
Posted: Tue Aug 05, 2003 8:51 am Post subject:
Jedi Knight
Joined: 05 Sep 2001 Posts: 3779 Location: Torrance, CA, USA
Vishal,
Can I look at your mqsicreateconfigmgr command?
Just so we understand your problem,
1. You logged on to the Machine A using db2admin and installed WMQI and created Configmgr. I am assuming that you are using db2admin as service user-id and db user-id.
2. All mq* groups are created on Machine A.
3. db2admin user is a part of Administrator, and mq* groups on Machine A.
4. When you logon as db2admin you are able to use Control Center to create message flows and deploy them to the broker on Machine A. I am assuming that you added your broker to the topology and deployed the topology completely before doing this.
5. When you log on to Machine B using a domain user-id, let's say tb12345, and open the control center, you cannot see anything in the topology tab.
The -d option is optional when creating the config mgr. Using this option you can specify the Windows Security domain.
You might want to check the following,
1. User tb12345 is defined locally on Machine A.
2. User tb12345 is part of all mq* groups.
3. Make sure you are specifying the correct queue manager name, machine name and port number in the control center.
4. Do you see anything in the assignment tab?
5. In Control center select File->Preferences and make sure you have selected All roles under User roles.
6. Make sure the listener on the Config Mgr queue manager is running.
7. Check for any errors in the Event Viewer on Machine A.
_________________
Kiran
 |
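Checks 1 and 2 from the list above, together with the 12-character user id limit suggested earlier in the thread, as an added example that is not part of any post. It parses constructed `net localgroup` output from the Config Mgr machine and reports whether each group holds the local account (`tb12345`) or the domain account (`TB\tb12345`); the group names `mqbrkrs`, `mqbrdevt` and `mqbrops` and the sample members are assumptions for illustration.

```python
MAX_MQ_USERID = 12  # length limit suggested in the thread

def fake_net_output(group, members):
    """Build constructed `net localgroup <group>` output for the sample."""
    return (f"Alias name     {group}\nComment\n\nMembers\n\n{'-' * 79}\n"
            + "\n".join(members) + "\nThe command completed successfully.\n")

# Constructed sample, as if captured on the Config Mgr machine (Machine A).
SAMPLE = {
    "mqbrkrs": fake_net_output("mqbrkrs", ["db2admin", r"TB\tb12345"]),
    "mqbrdevt": fake_net_output("mqbrdevt", ["db2admin", "tb12345"]),
    "mqbrops": fake_net_output("mqbrops", ["db2admin"]),
}

def parse_members(net_output):
    """Return the member names listed between the dashed rule and the trailer."""
    lines = net_output.splitlines()
    start = next(i for i, l in enumerate(lines) if l.startswith("-----")) + 1
    members = []
    for line in lines[start:]:
        line = line.strip()
        if line.startswith("The command completed"):
            break
        if line:
            members.append(line)
    return members

def audit(user, domain, outputs):
    """Per group: is the account present as 'local', 'domain', 'both' or 'missing'?"""
    report = {"userid_too_long": len(user) > MAX_MQ_USERID, "groups": {}}
    for group, text in outputs.items():
        names = [m.lower() for m in parse_members(text)]
        local = user.lower() in names                   # bare name = local account
        dom = f"{domain}\\{user}".lower() in names      # DOMAIN\name = domain account
        report["groups"][group] = ("both" if local and dom else
                                   "local" if local else
                                   "domain" if dom else "missing")
    return report

if __name__ == "__main__":
    for group, state in audit("tb12345", "TB", SAMPLE)["groups"].items():
        print(f"{group:10} {state}")
```

A group reported as `domain` or `missing` is the case where the locally defined account from check 1 has not been granted that group.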
mqs_guy
Posted: Wed Aug 06, 2003 1:22 pm Post subject:
Acolyte
Joined: 09 May 2002 Posts: 71
Hi,
The problem looks to be solved. However, it has made me think whether our installation procedure of WMQI 2.1 was right or not.
Find below the steps we used to install WMQI and please comment on where we went wrong and what we should have done.
1) Installed MQSeries 5.3 using user id : tb12345 domain: TB (user has admin rights to install MQ)
2) Installed DB2 7.1 from WMQI CD. Installation procedure prompted us for a user id and pwd : supplied db2admin/db2admin. This creates a user db2admin on the local machine and not in the TB domain.
3) After installation of DB2 restarted the machine and logged on as user:db2admin domain: local system
4) Installed WMQI 2.1 using user:db2admin and then restarted the machine.
5) Created 3 databases MQSIDBCM (config Mgr), MQSIDBMR (Message repository) and MQSIDBBK (broker) using user:db2admin
Now, when I logged on using user:tb12345 domain: TB I was not able to create databases. "It said user tb12345 does not have authority"
- didn't bother to look that time.
6) Created config mgr, username server and Broker using the command assistant using db2admin user id.
Now my question is.. I am able to do everything - creating message flows, deploying them using the user id: db2admin domain:local computer
but when I log on using tb12345 domain:TB I am not able to see the broker I have registered in the topology tab, nor create message flows. Again, I have added tb12345 as a part of all MQ* groups as I did for db2admin.
There was one solution.. create a local user tb12345 on the local machine and grant him access to all MQ* groups.. this works. But I want it to work for domain TB. Kiran pointed out that I should have used the -d option while creating Configmgr. Well, I didn't do that, but later issued the command :
mqsichangeconfigmgr -l -1 (this is available in CSD05) and it worked for me. I was able to see the broker on the topology tab and was able to create message flows when logged on as tb12345 domain TB.
Is my installation procedure right? To create domain awareness is it okie if we issue the createconfigmgr command with -d option? Is that all we need to do to create domain awareness? Does that solve all issues?
Why am I not able to create databases using tb12345?
Your inputs are greatly appreciated.
Thanks in advance.
- Vishal Agrawal