Ronald_nl |
Posted: Wed Feb 04, 2009 2:44 am Post subject: Cross domain
Newbie
Joined: 04 Feb 2009 Posts: 1
Hello,
I have the following problem:
I have a (Windows) MQ client in one domain and a Windows WebSphere MQ server in another domain. If I test it with the amqsputc command from the client I receive 'MQCONN ended with error reason code 2035'.
On the server I see in the event viewer 'Authorization failed because the SID for entity 'XXXXXXXX' cannot be obtained'.
According to our Windows specialists this is because the user from one domain cannot access a server in another domain. Isn't this just what MQ is all about? ....
Can anyone help me on how to solve this? Except reinstalling one of the servers in the same domain....
exerk |
Posted: Wed Feb 04, 2009 3:28 am
Jedi Council
Joined: 02 Nov 2006 Posts: 6339
Discuss cross-domain trusts with your Windows Admin people. It's not an MQ thing, it's a Windows security thing. _________________ It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
gunter |
Posted: Wed Feb 04, 2009 3:47 am
Partisan
Joined: 21 Jan 2004 Posts: 307 Location: Germany, Frankfurt
Hi,
One solution is to set MCAUSER on the SVRCONN channel. This is the easiest way, but be aware that anybody is able to connect to the queue manager with the access rights of this user. You can protect the channel with an exit or by using SSL.
Gunter _________________ Gunter Jeschawitz
IBM Certified System Administrator - WebSphere MQ, 5.3
exerk |
Posted: Wed Feb 04, 2009 3:56 am
Jedi Council
Joined: 02 Nov 2006 Posts: 6339
gunter wrote:
...one solution is to set MCAUSER on the svrconn channel...
As far as I am aware, the MCAUSER will only lock down what objects are accessible to that ID, but the ID flowed down the channel still needs to be authorised for CONNECT etc. _________________ It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
mqjeff |
Posted: Wed Feb 04, 2009 4:02 am
Grand Master
Joined: 25 Jun 2008 Posts: 17447
MCAUSER replaces the user checked for authentication during MQCONN.
This is why you use SSL to authenticate users. Then you use MCAUSER to lock them into an authorization role.
gunter |
Posted: Wed Feb 04, 2009 4:06 am
Partisan
Joined: 21 Jan 2004 Posts: 307 Location: Germany, Frankfurt
Quote:
but the ID flowed down the channel still needs to be authorised for CONNECT etc
Setting MCAUSER('mqm') disables any access control.
I use the MQ Explorer (MO71) to manage several queue managers on Windows and Solaris in our test environment. The user ID used by the client is not known on any of the MQ boxes. I have full access. _________________ Gunter Jeschawitz
IBM Certified System Administrator - WebSphere MQ, 5.3
exerk |
Posted: Wed Feb 04, 2009 4:17 am
Jedi Council
Joined: 02 Nov 2006 Posts: 6339
gunter wrote:
Setting MCAUSER('mqm') disables any access control.
gunter wrote:
I use the MQ Explorer (MO71) to manage several queue managers on Windows and Solaris in our test environment. The user ID used by the client is not known on any of the MQ boxes. I have full access.
Possibly because your userid on Windows is the same as the one on Solaris? And you're an Admin on both platforms, methinks... At one installation I worked on, my userids for all platforms were the same, so I could remotely admin all queue managers on z/OS, AIX, Windows etc.
Happy, as always, to be corrected. _________________ It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
mqjeff |
Posted: Wed Feb 04, 2009 4:35 am
Grand Master
Joined: 25 Jun 2008 Posts: 17447
MCAUSER replaces the id presented for authorization at MQCONN.
Setting MCAUSER('mqm') will give anyone who can establish a network connection to that channel all of the authority of the mqm user on that qmgr.
Setting MCAUSER('nobody') will give anyone who can establish a network connection to that channel all of the authority of the user named nobody on the local machine to that qmgr. If nobody does not exist, then MQCONN will fail.
Setting MCAUSER('mqm') and failing to set SSLCAUTH, SSLCIPH, SSLPEER, etc. will make your auditors take you out back and shoot you.
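As an added example (not code from this thread, from IBM, or from any poster), the following Python script turns gunter's warning and mqjeff's points above into a check a practitioner can run over captured runmqsc output: it parses a DISPLAY CHANNEL(*) ALL dump, and for every SVRCONN flags an MCAUSER of 'mqm', a blank MCAUSER, and a channel that authenticates nobody (no SSLCIPH and no SCYEXIT, or TLS without SSLCAUTH(REQUIRED) and an SSLPEER filter). The sample dump, the channel names, the cipher spec and the distinguished names are constructed for illustration; the remediation MQSC is a template whose cipher spec and DN you must replace with values valid for your MQ version and client certificate.

```python
"""Audit SVRCONN channels from 'DISPLAY CHANNEL(*) ALL' output.

Flags the combinations discussed above: MCAUSER('mqm'), a blank MCAUSER,
and a channel that does not authenticate its peer (no SSLCIPH and no
security exit, or TLS without SSLCAUTH(REQUIRED) and SSLPEER).
"""
import re

# Constructed sample shaped like runmqsc output; channel names, cipher spec
# and distinguished names are made up for this example.
SAMPLE_DISPLAY = """\
AMQ8414: Display Channel details.
   CHANNEL(SYSTEM.DEF.SVRCONN)             CHLTYPE(SVRCONN)
   MCAUSER( )                              SCYEXIT( )
   SSLCAUTH(REQUIRED)                      SSLCIPH( )
   SSLPEER( )                              TRPTYPE(TCP)
AMQ8414: Display Channel details.
   CHANNEL(ADMIN.SVRCONN)                  CHLTYPE(SVRCONN)
   MCAUSER(mqm)                            SCYEXIT( )
   SSLCAUTH(OPTIONAL)                      SSLCIPH( )
   SSLPEER( )                              TRPTYPE(TCP)
AMQ8414: Display Channel details.
   CHANNEL(APP.SVRCONN)                    CHLTYPE(SVRCONN)
   MCAUSER(appuser)                        SCYEXIT( )
   SSLCAUTH(REQUIRED)                      SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA)
   SSLPEER(CN=appclient,O=Example)         TRPTYPE(TCP)
AMQ8414: Display Channel details.
   CHANNEL(TO.QM2)                         CHLTYPE(SDR)
   XMITQ(QM2)                              TRPTYPE(TCP)
"""

# runmqsc prints attributes as NAME(value); a blank value shows as 'NAME( )'.
ATTR_RE = re.compile(r"([A-Z0-9]+)\(([^)]*)\)")


def parse_channels(text):
    """Return one dict of attributes per AMQ8414 block; 'ATTR( )' becomes ''."""
    channels, current = [], None
    for line in text.splitlines():
        if line.startswith("AMQ8414"):
            current = {}
            channels.append(current)
        elif current is not None:
            for name, value in ATTR_RE.findall(line):
                current[name] = value.strip()
    return channels


def audit_svrconn(ch):
    """Findings for one channel as (severity, channel, message); non-SVRCONN: []."""
    if ch.get("CHLTYPE") != "SVRCONN":
        return []
    name = ch.get("CHANNEL", "?")
    mcauser, cipher = ch.get("MCAUSER", ""), ch.get("SSLCIPH", "")
    sslcauth, sslpeer, scyexit = ch.get("SSLCAUTH", ""), ch.get("SSLPEER", ""), ch.get("SCYEXIT", "")
    found = []
    # Peer authentication: no cipher spec means no TLS handshake at all; with
    # one, the client must still be forced to present a certificate (SSLCAUTH)
    # and that certificate pinned to a DN pattern (SSLPEER). A security exit
    # is the other way the thread mentions to authenticate the peer.
    if cipher == "" and scyexit == "":
        found.append(("HIGH", name, "no SSLCIPH and no SCYEXIT: anyone who can reach the listener connects"))
    elif cipher != "":
        if sslcauth != "REQUIRED":
            found.append(("MEDIUM", name, "SSLCAUTH is not REQUIRED: client need not present a certificate"))
        if sslpeer == "":
            found.append(("MEDIUM", name, "SSLPEER blank: any certificate the queue manager trusts is accepted"))
    peer_authenticated = scyexit != "" or (cipher != "" and sslcauth == "REQUIRED" and sslpeer != "")
    # MCAUSER replaces the ID used for authorisation at MQCONN.
    if mcauser == "mqm":
        found.append(("HIGH", name, "MCAUSER(mqm): every client on this channel is an MQ administrator"))
    elif mcauser == "":
        sev = "MEDIUM" if peer_authenticated else "HIGH"
        found.append((sev, name, "MCAUSER blank: the client-asserted user ID is authorised as-is"))
    return found


def audit(text):
    """Audit every channel in a DISPLAY CHANNEL dump."""
    return [f for ch in parse_channels(text) for f in audit_svrconn(ch)]


def remediation_mqsc(channel, mcauser, cipher, peer_dn):
    """MQSC to lock a SVRCONN to one low-privilege ID and one client DN.

    Template only: substitute a cipher spec valid for your MQ version and the
    real client DN, and grant 'mcauser' only the authorities it needs (setmqaut).
    """
    return (f"ALTER CHANNEL('{channel}') CHLTYPE(SVRCONN) MCAUSER('{mcauser}') "
            f"SSLCIPH({cipher}) SSLCAUTH(REQUIRED) SSLPEER('{peer_dn}')")


if __name__ == "__main__":
    for sev, chan, msg in audit(SAMPLE_DISPLAY):
        print(f"{sev:6} {chan:20} {msg}")
    print(remediation_mqsc("ADMIN.SVRCONN", "mqadmin",
                           "TLS_RSA_WITH_AES_128_CBC_SHA", "CN=ops-laptop,O=Example"))
```

To run it against a real queue manager, capture the dump with `echo "DISPLAY CHANNEL(*) ALL" | runmqsc QM1 > channels.txt` on the server and pass the file contents to `audit()`. In the constructed sample only APP.SVRCONN passes: it pins one DN, demands a client certificate, and maps every connection to a non-administrative MCAUSER, which is the SSL-then-MCAUSER pattern mqjeff describes.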
Vitor |
Posted: Wed Feb 04, 2009 4:43 am
Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
mqjeff wrote:
Setting MCAUSER('mqm') and failing to set SSLCAUTH, SSLCIPH, SSLPEER, and etc. will make your auditors take you out back and shoot you.
Or tie you to a post, heap Sarbanes-Oxley regulations round you and set light to them.
It's a good way of getting your CEO jail time though. _________________ Honesty is the best policy.
Insanity is the best defence.
exerk |
Posted: Wed Feb 04, 2009 4:45 am
Jedi Council
Joined: 02 Nov 2006 Posts: 6339
mqjeff wrote:
MCAUSER replaces the id presented for authorization at MQCONN...
I learn something new every day - yet another misinterpretation/misunderstanding blown out of the water. _________________ It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
mqjeff |
Posted: Wed Feb 04, 2009 4:46 am
Grand Master
Joined: 25 Jun 2008 Posts: 17447
Vitor wrote:
It's a good way of getting your CEO jail time though.
It usually makes everyone happier to accomplish this by bribing the auditors.
RogerLacroix |
Posted: Sun Feb 08, 2009 9:23 pm
Jedi Knight
Joined: 15 May 2001 Posts: 3264 Location: London, ON Canada
mqjeff wrote:
This is why you use SSL to authenticate users. Then you use MCAUSER to lock them into an authorization role.
If you don't want the headache of implementing or managing SSL certs, then you can implement an MQ security exit.
There are 3 supported MQ security products in the marketplace that do full UserId and Password authentication:
- Capitalware's MQ Authenticate User Security Exit
- IBM's WebSphere MQ Extended Security Edition
- Primeur's Data Secure for WebSphere MQ
Regards,
Roger Lacroix
Capitalware Inc. _________________ Capitalware: Transforming tomorrow into today.
Connected to MQ!
Twitter