rparti
Posted: Wed Aug 08, 2007 9:48 am  Post subject: MQ Client security
Our MQServerConnection Channel has MCA User ID specified based on the application. Consider the MCA User ID specified as "APPL1".
If I remove the MCA user ID from the svrconn definition and try to connect using a Windows client (either through the MQSERVER definition or the MQCHLTAB/MQCHLLIB definition), I am able to connect to the queue using amqsputc.
If I put back the MCAUSER ID in the svrconn definition as "APPL1" and try to connect using amqsputc, I get a 2035 (security error), which is understandable.
On the server machine, I then defined a local user APPL1 with a password.
On the client machine I then defined env variables MQ_USER_ID and MQ_PASSWORD as APPL1 and password respectively.
I still get a 2035.
Can anyone help me with this?

jefflowrey
Posted: Wed Aug 08, 2007 9:57 am
Those ENV variables don't do anything, as far as I know.
The C client always uses the logged on user.
_________________
I am *not* the model of the modern major general.

rparti
Posted: Wed Aug 08, 2007 11:16 am
Thanks for your reply, Jeff.
After your reply I tried something else, which again gave me a 2035.
On the client machine, I created a user APPL1 (user part of the local computer users).
The svrconn channel had APPL1 as the MCAUSER.
I logged on as APPL1.
I got a 2035, and looking at the logs I found the following error.
I then did a setmqaut for the queue I was trying to access. I still got the same error.
Any ideas?
----------------------------------------------------------------------------
AMQ8077: Entity 'appl1' has insufficient authority to access object
'FUQMND.TEMP01'.
EXPLANATION:
The specified entity is not authorized to access the required object. The
following requested permissions are unauthorized: connect
ACTION:
Ensure that the correct level of authority has been set for this entity against
the required object, or ensure that the entity is a member of a privileged
group.
----------------------------------------------------------------------------

jefflowrey
Posted: Wed Aug 08, 2007 11:20 am
If you have an MCAUSER, you don't need a local user with the same name.
That error is extremely specific about what's wrong, and what you need to do to fix it.

rparti
Posted: Wed Aug 08, 2007 11:25 am
I'm sorry, I missed your point

jefflowrey
Posted: Wed Aug 08, 2007 11:39 am
rparti wrote:
EXPLANATION:
The specified entity is not authorized to access the required object. The
following requested permissions are unauthorized: connect
ACTION:
Ensure that the correct level of authority has been set for this entity against
the required object, or ensure that the entity is a member of a privileged
group.
----------------------------------------------------------------------------

rparti
Posted: Wed Aug 08, 2007 11:50 am
rparti wrote:
I got a 2035 and looking at the logs I found the following error
I then did a setmqaut for the queue I was trying to access. I still got the same error.

Looking at the error I did a setmqaut -m qmgr -n queuename -t queue -p APPL1 +all
Did I miss anything else?

EddieA
Posted: Wed Aug 08, 2007 12:34 pm
rparti. Please re-read Jeff's last reply, and take careful note of the highlights.
Jeff. Are you sure about not needing the local user? You can't do a setmqaut for a non-existent user.
Cheers,
_________________
Eddie Atherton
IBM Certified Solution Developer - WebSphere Message Broker V6.1
IBM Certified Solution Developer - WebSphere Message Broker V7.0

jefflowrey
Posted: Wed Aug 08, 2007 12:57 pm
EddieA wrote:
Jeff. Are you sure about not needing the local user? You can't do a setmqaut for a non-existent user.

Local to the client, I meant.
Yes, the MCAUser must be local to the server.

EddieA
Posted: Wed Aug 08, 2007 1:16 pm
Oooops. Missed the part about it being defined on the Client.
Cheers.

rparti
Posted: Wed Aug 08, 2007 1:30 pm
Jeff and Eddie... thank you very much.
On the server I did the following:
setmqaut -m QMName -t qmgr -p APPL1 +connect
It worked. I was able to run the amqsputc without error.
I then deleted the APPL1 user from the server. When I tried connecting again, I got 2035 again.
Then I recreated the APPL1 user, setmqaut on queue and qmgr and refreshed security. It worked again.

jefflowrey
Posted: Wed Aug 08, 2007 2:53 pm
rparti wrote:
Then I recreated the APPL1 user, setmqaut on queue and qmgr and refreshed security. It worked again

Just for future reference, not that it really hurts things, but...
You don't need to follow setmqaut with refresh security.
You only need "refresh security" when you have changed OS authorities/group memberships.
setmqaut ensures that the OAM is properly updated.

bbburson
Posted: Thu Aug 09, 2007 7:24 am
jefflowrey wrote:
You don't need to follow setmqaut with refresh security.

True enough, but since he:

rparti wrote:
. . . deleted APPL1 user . . .
recreated the APPL1 user . . .

the refresh security probably was required. And as you say it doesn't hurt to run it.

rparti
Posted: Thu Aug 09, 2007 7:33 am
bbburson is correct.
I had to do refresh because I had deleted the user.
Before refresh the setmqaut did not take effect.
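
The AMQ8077 entry quoted earlier in this thread names the entity, the object and the permission that was refused. As an added example (not code from any poster or from IBM), this Python script parses such entries from error-log text and suggests a setmqaut grant limited to the permissions the log reports as missing. The second log entry, the queue name APP.REQUEST.Q, the QMNAME placeholder, the "/" separator between permissions and the treatment of non-connect objects as queues are assumptions made for illustration.

```python
import re

# Constructed input: the first entry is the one quoted in the thread (ACTION text
# abbreviated); the second entry and its queue name are made up for this example.
SAMPLE_LOG = """\
AMQ8077: Entity 'appl1' has insufficient authority to access object
'FUQMND.TEMP01'.
EXPLANATION:
The specified entity is not authorized to access the required object. The
following requested permissions are unauthorized: connect
ACTION:
----------------------------------------------------------------------------
AMQ8077: Entity 'appl1' has insufficient authority to access object
'APP.REQUEST.Q'.
EXPLANATION:
The specified entity is not authorized to access the required object. The
following requested permissions are unauthorized: put/inq
ACTION:
"""

# The message wraps across lines, so match whitespace loosely and span newlines.
ENTRY = re.compile(
    r"AMQ8077: Entity '([^']+)' has insufficient authority to access object\s+"
    r"'([^']+)'.*?unauthorized:\s*(.*?)\s*ACTION:",
    re.DOTALL,
)

def missing_authorities(log_text):
    """Return (entity, object, [permissions]) for every AMQ8077 entry."""
    found = []
    for entity, obj, perms in ENTRY.findall(log_text):
        # Assumption: several permissions are separated by "/", "," or spaces.
        found.append((entity, obj, re.split(r"[/,\s]+", perms.strip())))
    return found

def suggest_setmqaut(entity, obj, perms):
    """Build a grant for only the refused permissions, never +all."""
    grants = " ".join("+" + p for p in perms)
    if "connect" in perms:
        # connect is checked against the queue manager, so obj is its name.
        return f"setmqaut -m {obj} -t qmgr -p {entity} {grants}"
    # Assumption: the object is a queue; QMNAME is a placeholder to fill in.
    return f"setmqaut -m QMNAME -n {obj} -t queue -p {entity} {grants}"

if __name__ == "__main__":
    for hit in missing_authorities(SAMPLE_LOG):
        print(suggest_setmqaut(*hit))
```

The entity is the MCAUSER as the queue manager resolved it on the server, so the suggested command is meant to be run there, followed by REFRESH SECURITY only if the OS user or its groups were changed.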