| Author |
Message
|
| techno |
 Posted: Fri Jun 24, 2005 9:42 am Post subject: Websphere MQ Explorer - V6 |
 |
|
Chevalier
Joined: 22 Jan 2003
Posts: 429
|
I am trying to use explorer of Websphere MQ Version 6. When I am trying to connect to a remote qmgr for administration, it is giving authority exception...
Did
DEFINE CHANNEL(SYSTEM.ADMIN.SVRCONN) CHLTYPE(SVRCONN)
DEFINE QMODEL(SYSTEM.MQEXPLORER.REPLY.MODEL)
And did setmqaut to the windows logged user
(+all for rmit qmgr, admin-command-queue and mqxplorer-model-queue) .
I see MCAUSER(nobody) in CHANNEL(SYSTEM.ADMIN.SVRCONN) definition. Does it affect in anyway?
Am I missing something? |
|
| Back to top |
|
 |
| wschutz |
| Posted: Fri Jun 24, 2005 9:56 am Post subject: |
|
|
Jedi Knight
Joined: 02 Jun 2005
Posts: 3316
Location: IBM (retired)
|
I would think that would cause a problem. (I assume thats defined in SYSTEM.DEF.SVRCONN and you picked it up from there). Alter the channel for mcauser(' ').....
_________________
-wayne |
|
| Back to top |
|
|
| techno |
| Posted: Fri Jun 24, 2005 10:23 am Post subject: |
|
|
Chevalier
Joined: 22 Jan 2003
Posts: 429
|
|
| Back to top |
|
|
| EddieA |
| Posted: Fri Jun 24, 2005 1:35 pm Post subject: |
|
|
Jedi
Joined: 28 Jun 2001
Posts: 2453
Location: Los Angeles
|
| Quote: |
| I would think that would cause a problem |
Unless it's part of their security setup, in which case removing it may open up the channel to "unwanted advances".
Cheers,
_________________
Eddie Atherton
IBM Certified Solution Developer - WebSphere Message Broker V6.1
IBM Certified Solution Developer - WebSphere Message Broker V7.0 |
|
| Back to top |
|
|
| techno |
| Posted: Fri Jun 24, 2005 2:18 pm Post subject: |
|
|
Chevalier
Joined: 22 Jan 2003
Posts: 429
|
| I changed the user name( in mcauser) and gave the previleges required. |
|
| Back to top |
|
|
| EddieA |
| Posted: Fri Jun 24, 2005 2:33 pm Post subject: |
|
|
Jedi
Joined: 28 Jun 2001
Posts: 2453
Location: Los Angeles
|
| Quote: |
| I changed the user name( in mcauser) and gave the previleges required |
Which may be even worse. You may have just authorized any application that connects via the channel to have full administrative control.
Cheers,
_________________
Eddie Atherton
IBM Certified Solution Developer - WebSphere Message Broker V6.1
IBM Certified Solution Developer - WebSphere Message Broker V7.0 |
|
| Back to top |
|
|
| wschutz |
| Posted: Fri Jun 24, 2005 5:44 pm Post subject: |
|
|
Jedi Knight
Joined: 02 Jun 2005
Posts: 3316
Location: IBM (retired)
|
| Quote: |
Which may be even worse. You may have just authorized any application that connects via the channel to have full administrative control. |
Its not clear what point you are making here. If the mcauser was "nobody", then its likely that the admin channel couldn't be used at all (unless, of course, the server end had a "nobody" user defined). If mcauser is set to blanks, then the userid at the windows (or linux) end of the channel will be used to perform the security checks, and the security will be controlled by the OAM access to SYSTEM.ADMIN.COMMAND.QUEUE.
Now, you might argue that the client end of the channel can't be trusted, in which case the channel should be secured with SSL.
_________________
-wayne |
|
| Back to top |
|
|
| fjb_saper |
| Posted: Fri Jun 24, 2005 6:34 pm Post subject: |
|
|
Grand High Poobah
Joined: 18 Nov 2003
Posts: 20756
Location: LI,NY
|
Of course the channel end at the client can't be trusted... think of java....
and MS0B...
Enjoy  |
|
| Back to top |
|
|
|
|
