SupportPac MS0R - Authentication Issue
reldb (Apprentice, Joined: 06 Sep 2006, Posts: 34)
Posted: Wed Jan 02, 2008 1:05 pm    Post subject: SupportPac MS0R - Authentication Issue
Hi,
I am trying to use SupportPac MS0R in my environment. It is working, but I have 2 questions about it.
I am using MQMON on Windows XP, MQ 6.0.2 on Sun Solaris 10 SPARC.
1) If I use ClientExitIBM(SecurityExit) as the security exit in MQMON:
During queue access I get a popup window titled "WebSphere MQ Security Suite" asking for user name and password, and the Domain field is shown blank.
The log shows:
2008-01-02|14:50:34|SecurityUserData=[*;-d;+p;] nDebugFlag [1] UseridUpperLowerCase [0]
2008-01-02|14:50:34|ver=1.40 env=Solaris ExitId=MQXT_CHANNEL_SEC_EXIT ExitReason=MQXR_INIT ChannelType=MQCHT_SVRCONN
2008-01-02|14:50:34|PWServer QMgr=[MYQM] ChannelName=[TEST_TEST] ConnName=[10.7.xxx.xx] Uid=[]
2008-01-02|14:50:34|PWServer SCYDATA=[*;-d;+p;]
2008-01-02|14:50:34|Patterns to process [*;]
2008-01-02|14:50:34|Connection accepted for pattern [*], ConName [10.7.xx.xx
2008-01-02|14:50:34|ExitResponse=MQXCC_OK (0)
2008-01-02|14:50:35|ver=1.40 env=Solaris ExitId=MQXT_CHANNEL_SEC_EXIT ExitReason=MQXR_SEC_MSG ChannelType=MQCHT_SVRCONN
2008-01-02|14:50:35|Connecting User is [myuser@mymachine] on Channel=[TEST_TEST] from ConnName=[10.7.xxx.xxx]
2008-01-02|14:50:35|ExitResponse=MQXCC_SEND_AND_REQUEST_SEC_MSG (-3)
2008-01-02|14:50:35|ver=1.40 env=Solaris ExitId=MQXT_CHANNEL_SEC_EXIT ExitReason=MQXR_SEC_MSG ChannelType=MQCHT_SVRCONN
2008-01-02|14:50:35|Network group []
2008-01-02|14:50:35|ExitResponse=MQXCC_SEND_AND_REQUEST_SEC_MSG (-3)
After entering a proper user name and password I press Login, and then the same window comes up again and the log shows:
2008-01-02|14:53:09|ver=1.40 env=Solaris ExitId=MQXT_CHANNEL_SEC_EXIT ExitReason=MQXR_SEC_MSG ChannelType=MQCHT_SVRCONN
2008-01-02|14:53:09|cpwd2 []
2008-01-02|14:53:09|cpwd2 []
2008-01-02|14:53:09|cpwd2 []
2008-01-02|14:53:09|PWServer Rem Uid=[myuser] Full user name [myuser] received from partner Security exit
2008-01-02|14:53:09|Users: [] len [0]
2008-01-02|14:53:09|CONList[i] = [*;myuser,my2;MCA=mqm;]
2008-01-02|14:53:09|CON Pattern matched [*] CON name [10.7.xxx.xxx]
2008-01-02|14:53:09|CON Userid: [myuser,my2]
2008-01-02|14:53:09|CON/RemUid Pattern matched [myuser,myuser2] RemUID [myuser]
2008-01-02|14:53:09|CON MCA specified
2008-01-02|14:53:09|CON Set MCA userid to [mqm] from [myuser]
2008-01-02|14:53:09|Password check bypassed, Channel [TEST_TEST] ConName [10.7.225.93] User [myuser]
2008-01-02|14:53:09|Connection may be accepted, Channel [TEST_TEST] ConName [10.7.225.93] Pattern [*;] Flags [SAFOff=Y ] User [myuser]
2008-01-02|14:53:09|ExitResponse=MQXCC_OK (0)
2008-01-02|14:53:09|ExitResponse=MQXCC_OK (0)
2008-01-02|14:53:09|SecurityUserData=[*;-d;+p;] nDebugFlag [1] UseridUpperLowerCase [0]
2008-01-02|14:53:09|ver=1.40 env=Solaris ExitId=MQXT_CHANNEL_SEC_EXIT ExitReason=MQXR_INIT ChannelType=MQCHT_SVRCONN
2008-01-02|14:53:09|PWServer QMgr=[MYQM] ChannelName=[TEST_TEST] ConnName=[10.7.xxx.xxx] Uid=[]
2008-01-02|14:53:09|PWServer SCYDATA=[*;-d;+p;]
2008-01-02|14:53:09|Patterns to process [*;]
2008-01-02|14:53:09|Connection accepted for pattern [*], ConName [10.7.225.93]
2008-01-02|14:53:09|ExitResponse=MQXCC_OK (0)
2008-01-02|14:53:09|ver=1.40 env=Solaris ExitId=MQXT_CHANNEL_SEC_EXIT ExitReason=MQXR_SEC_MSG ChannelType=MQCHT_SVRCONN
2008-01-02|14:53:09|Connecting User is [myuser@mymachine] on Channel=[TEST_TEST] from ConnName=[10.7.xxx.xxx]
2008-01-02|14:53:09|ExitResponse=MQXCC_SEND_AND_REQUEST_SEC_MSG (-3)
2008-01-02|14:53:09|ver=1.40 env=Solaris ExitId=MQXT_CHANNEL_SEC_EXIT ExitReason=MQXR_SEC_MSG ChannelType=MQCHT_SVRCONN
2008-01-02|14:53:09|Network group []
2008-01-02|14:53:09|ExitResponse=MQXCC_SEND_AND_REQUEST_SEC_MSG (-3)
If I press Login again, it works fine.
Question: why does the same login window come up twice instead of once?
2) If I DON'T use ClientExitIBM(SecurityExit) as the security exit in MQMON:
During queue access I get a popup window from MQMON (userid is selected in MQMON); I enter user name and password and press Login,
then I get a 2059 error, and MQMON shows nothing in its logs. The MS0R log:
2008-01-02|15:03:37|SecurityUserData=[*;-d;+p;] nDebugFlag [1] UseridUpperLowerCase [0]
2008-01-02|15:03:37|ver=1.40 env=Solaris ExitId=MQXT_CHANNEL_SEC_EXIT ExitReason=MQXR_INIT ChannelType=MQCHT_SVRCONN
2008-01-02|15:03:37|PWServer QMgr=[STQM] ChannelName=[TEST_TEST] ConnName=[10.7.xxx.xxx] Uid=[]
2008-01-02|15:03:37|PWServer SCYDATA=[*;-d;+p;]
2008-01-02|15:03:37|Patterns to process [*;]
2008-01-02|15:03:37|Connection accepted for pattern [*], ConName [10.7.xxx.xxx]
2008-01-02|15:03:37|ExitResponse=MQXCC_OK (0)
2008-01-02|15:03:37|ver=1.40 env=Solaris ExitId=MQXT_CHANNEL_SEC_EXIT ExitReason=MQXR_INIT_SEC ChannelType=MQCHT_SVRCONN
2008-01-02|15:03:37|Users: [] len [0]
2008-01-02|15:03:37|CONList[i] = [*;myuser,myuser2;MCA=mqm;]
2008-01-02|15:03:37|CON Pattern matched [*] CON name [10.7.xxx.xxx]
2008-01-02|15:03:37|CON Userid: [myuser,myuser2]
2008-01-02|15:03:37|Connection refused, Channel [TEST_TEST] ConName [10.7.xxx.xxx] User [mynetuser] was not accepted in CON=
2008-01-02|15:03:37|ExitResponse=MQXCC_SUPPRESS_FUNCTION (-1)
2008-01-02|15:03:37|Channel closed [TEST_TEST] Connection Name [10.7.xxx.xxxx]
2008-01-02|15:03:37|ExitResponse=MQXCC_OK (0)
Question: as per the logs, my NT login userid is going to the security exit instead of the login id I provided in the MQMON login prompt.
Is there any way to use the given login id instead of the NTNET login?
Thanks
rel
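The exit log quoted in the post above carries the events an operator would want to pick out automatically: the CON= refusal, the MCA userid being switched to mqm, and the line that says the password check was bypassed. The script below is an added example, not code from the MS0R SupportPac or from the post. It assumes only the line layout visible in the thread (date|time|message) and the message texts quoted there; the sample log is constructed from the post with addresses shortened, and the idea that "mqm" is the privileged id to watch for is the one assumption beyond the page.

```python
"""Triage of MS0R security-exit log lines.

Added example; not code from the MS0R SupportPac or from the forum post.
It assumes the line layout seen in the thread (date|time|message) and the
message texts quoted there. SAMPLE_LOG is constructed from the post.
"""
import re
from collections import Counter

# Constructed sample, modelled on the lines quoted in the post.
SAMPLE_LOG = """\
2008-01-02|14:53:09|PWServer Rem Uid=[myuser] Full user name [myuser] received from partner Security exit
2008-01-02|14:53:09|CONList[i] = [*;myuser,myuser2;MCA=mqm;]
2008-01-02|14:53:09|CON Set MCA userid to [mqm] from [myuser]
2008-01-02|14:53:09|Password check bypassed, Channel [TEST_TEST] ConName [10.7.225.93] User [myuser]
2008-01-02|14:53:09|Connection may be accepted, Channel [TEST_TEST] ConName [10.7.225.93] Pattern [*;] Flags [SAFOff=Y ] User [myuser]
2008-01-02|14:53:09|ExitResponse=MQXCC_OK (0)
2008-01-02|15:03:37|Connection refused, Channel [TEST_TEST] ConName [10.7.1.2] User [mynetuser] was not accepted in CON=
2008-01-02|15:03:37|ExitResponse=MQXCC_SUPPRESS_FUNCTION (-1)
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2})\|(\d{2}:\d{2}:\d{2})\|(.*)$")
BR = r"\[(?P<%s>[^\]]*)\]"  # one bracketed field, captured under the given name

# (event name, regex over the message part); first match wins.
RULES = [
    ("mca_override",
     re.compile(r"CON Set MCA userid to " + BR % "mca" + r" from " + BR % "user")),
    ("password_bypass",
     re.compile(r"Password check bypassed, Channel " + BR % "channel"
                + r" ConName " + BR % "conname" + r" User " + BR % "user")),
    ("refused",
     re.compile(r"Connection refused, Channel " + BR % "channel"
                + r" ConName " + BR % "conname" + r" User " + BR % "user")),
    ("accepted",
     re.compile(r"Connection may be accepted, Channel " + BR % "channel"
                + r" ConName " + BR % "conname" + r".* User " + BR % "user")),
    ("exit_response",
     re.compile(r"ExitResponse=(?P<code>MQXCC_\w+) \((?P<num>-?\d+)\)")),
]


def parse_line(line):
    """Split one 'date|time|message' line; None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"date": m.group(1), "time": m.group(2), "msg": m.group(3)}


def triage(text):
    """Return the security-relevant events found in the log text, in order."""
    events = []
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        for name, rx in RULES:
            m = rx.search(rec["msg"])
            if m:
                ev = {"event": name, "time": rec["time"]}
                ev.update(m.groupdict())
                events.append(ev)
                break
    return events


def flag_admin_bypass(events, admin_ids=("mqm",)):
    """Users mapped to an administrative MCA id whose password check was
    bypassed; 'mqm' as the id to watch is an assumption of this example."""
    mapped = {e["user"] for e in events
              if e["event"] == "mca_override" and e["mca"] in admin_ids}
    bypassed = {e["user"] for e in events if e["event"] == "password_bypass"}
    return sorted(mapped & bypassed)


def summarize(events):
    """Count events by type (a Counter, so missing types read as 0)."""
    return Counter(e["event"] for e in events)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for ev in found:
        print(ev)
    print("summary:", dict(summarize(found)))
    print("mapped to admin id without password check:", flag_admin_bypass(found))
```

Run it on a real MS0R log by replacing SAMPLE_LOG with the file contents; lines the rules do not recognise are skipped, so the output stays limited to the accept/refuse decisions, MCA overrides and exit responses.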
oz1ccg (Yatiri, Joined: 10 Feb 2002, Posts: 628, Location: Denmark)
Posted: Thu Jan 03, 2008 9:57 am
Hi rel,
Well, the reason for two pop-ups is that MQMON by default issues two MQCONNX; this can be turned off by selecting "single thread" under Options under "Location Settings".
The second one, using the MQMON popup, is blocked by the CON= statement in your configuration file:
CONList[i] = [*;myuser,myuser2;MCA=mqm;]
because it seems you're trying to connect as mynetuser:
2008-01-02|15:03:37|Connection refused, Channel [TEST_TEST] ConName [10.7.xxx.xxx] User [mynetuser] ...
Maybe you should add another CON= like:
CON=*;mynetuser;MCA=mqm;
I hope this helps you.
-- Lock it or Lose it --
Regards, Jørgen
Home of BlockIP2, the last free MQ Security exit ver. 3.00
Cert. on WMQ, WBIMB, SWIFT.
reldb (Apprentice, Joined: 06 Sep 2006, Posts: 34)
Posted: Thu Jan 03, 2008 10:25 am    Post subject: Authentication issue
Hi Jørgen,
Thanks a lot for the reply.
Issue 1 is solved now.
Regarding issue 2:
I am entering myuser in the popup window which comes from MQMON (not from the SupportPac, as I am not using the security exit in the MQMON settings),
but the MS0R log shows that the received user is mynetuser, which is not the same as entered. It is actually my NT user, the id I used to log in to my Windows machine.
As per the logs, my NT login userid is going to the security exit instead of the login id I provided in the MQMON login prompt.
Is there any way to use the given login id instead of the NTNET login (without using ClientExitIBM(SecurityExit) as the security exit in the MQMON connection settings)?
Thanks a lot for such a wonderful SupportPac, it's really working great.
I am just trying to configure it as per my requirement; otherwise it is working perfectly.
Can we get an HP version too?
Regards
Rel
oz1ccg (Yatiri, Joined: 10 Feb 2002, Posts: 628, Location: Denmark)
Posted: Thu Jan 03, 2008 1:21 pm
Glad to hear that it works for you too.
I see your point about issue #2, but it's currently not possible to handle due to the nature of the exit logic.
The reason is: it does the filtering long before (in MQXR_INIT_SEC) the userid is received (in MQXR_SEC_PARMS), so it can currently only be done on the remote user id, in this case the NT userid.
I've not seen this as a problem because you would typically (I think) use the authenticated userid and just allow all users to authenticate.
But if this is wrong I'll have to investigate the path for a solution, so let me know.
reldb (Apprentice, Joined: 06 Sep 2006, Posts: 34)
Posted: Fri Jan 04, 2008 8:34 am    Post subject: Authentication issue
Jørgen,
Thanks for the reply.
Actually, I don't want to do authentication based on the NTNET user id. Suppose I give admin rights to Jørgen; there can be multiple Jørgens in my organization, so all of them will get the access. I would prefer to give access based on the userid and password entered in the MQMON popup.
Suppose CONList[i] = [*;myuser1,myuser2;MCA=mqm;]
In this case all NTNET users with the name myuser1 or myuser2 will get the admin rights.
I cannot force everyone in the organization to use ClientExitIBM(SecurityExit) as the security exit in the MQMON connection settings.
oz1ccg (Yatiri, Joined: 10 Feb 2002, Posts: 628, Location: Denmark)
Posted: Tue Jan 08, 2008 1:13 am
First of all, I would normally grant the authenticated users the needed rights on the MQ server so you can track who did what.
There is a little thing that some of us have to accept and comply with, like SOX.
And to do that, omit the CON= keywords; this would give authenticated users access according to their personal rights. Yes, I know it gives you more work setting the access rights, because your primary group will automatically be granted.
You could also have two channels: one for users (not using the client exit) and one for administrators, where they use the ClientExitIBM(SecurityExit) exit. I expect that you're able to convince your administrator friends....