| Author |
Message
|
| leo_grv |
 Posted: Thu Dec 10, 2009 10:53 am Post subject: How can I change the security in the ConfigMgr? |
 |
|
Newbie
Joined: 20 Mar 2009
Posts: 5
|
Hello,
I need Help, I need to configured the Config Manager for only connect for an specify user this user can not do deploys and start or stop EG.
Is this possible ?
MQ 5.3 and Broker 5.0
Thanks. |
|
| Back to top |
|
 |
| rekarm01 |
| Posted: Thu Dec 10, 2009 12:13 pm Post subject: Re: How can I change the security in the ConfigMgr? |
|
|
Grand Master
Joined: 25 Jun 2008
Posts: 1415
|
This should be posted in the WMB forum.
Both the MQ and Broker are out of date; consider upgrading.
It is possible to restrict user access by setting up access control lists. |
|
| Back to top |
|
|
| JosephGramig |
| Posted: Thu Dec 10, 2009 1:09 pm Post subject: |
|
|
Grand Master
Joined: 09 Feb 2006
Posts: 1244
Location: Gold Coast of Florida, USA
|
WMQ 5.3 and WMB 5.0 is not out of date. It has reached "End of Service". Upgrade. You cannot get support for those.
But yes, read about ACL. |
|
| Back to top |
|
|
| leo_grv |
| Posted: Thu Dec 10, 2009 2:35 pm Post subject: |
|
|
Newbie
Joined: 20 Mar 2009
Posts: 5
|
I'm sorry for put this topic in the Forum.
I check the ACL and is a good option but is only for WMB 6.0, I have a WMB 5.0 with MQ 5.3 en AIX and mi Configmanager is windows 2000 with MQ 5.3.
I think with this setmqaut command I can change the authority for a queues only for the user,
But, what objects I need to change and what authorities too ?
 |
|
| Back to top |
|
|
| rekarm01 |
| Posted: Thu Dec 10, 2009 5:17 pm Post subject: Re: How can I change the security in the ConfigMgr? |
|
|
Grand Master
Joined: 25 Jun 2008
Posts: 1415
|
| leo_grv wrote: |
| I check the ACL and is a good option but is only for WMB 6.0 |
ACL is the only available option for WBI MB 5.0.
| leo_grv wrote: |
| I think with this setmqaut command I can change the authority for a queues only for the user, |
All the queues of interest are between the config mgr and the broker; the user in this case is the one running the config mgr, not the one running the toolkit. setmqaut will probably not help here. |
|
| Back to top |
|
|
| mqmatt |
| Posted: Fri Dec 11, 2009 2:53 am Post subject: |
|
|
Grand Master
Joined: 04 Aug 2004
Posts: 1213
Location: Hursley, UK
|
The setmqaut command can only be used to secure WMB objects in v7.0.
In V5 you need to run mqsicreateaclgroup, which in v6 became mqsicreateaclentry. Read up on these.
Edit: Thanks Aditya.
Last edited by mqmatt on Fri Dec 11, 2009 10:40 am; edited 1 time in total |
|
| Back to top |
|
|
| aditya.aggarwal |
| Posted: Fri Dec 11, 2009 10:08 am Post subject: |
|
|
Master
Joined: 13 Jan 2009
Posts: 252
|
| Quote: |
The setmqaut command can only be used to secure WMB objects in v7.0.
In V5 you need to run mqsisetaclgroup, which in v6 became mqsisetaclentry. Read up on these. |
in V6 it is 'mqsicreateaclentry' and not mqsisetaclentry. |
|
| Back to top |
|
|
| zpat |
| Posted: Tue Jan 26, 2010 3:39 am Post subject: |
|
|
Jedi Council
Joined: 19 May 2001
Posts: 5866
Location: UK
|
| Does WMB v7 remove these ACL entries and use only the MQ authorities or is this an option, or does it use both? |
|
| Back to top |
|
|
| mqjeff |
| Posted: Tue Jan 26, 2010 5:08 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008
Posts: 17447
|
|
| Back to top |
|
|
| mqmatt |
| Posted: Tue Jan 26, 2010 5:21 am Post subject: |
|
|
Grand Master
Joined: 04 Aug 2004
Posts: 1213
Location: Hursley, UK
|
| zpat wrote: |
| Does WMB v7 remove these ACL entries and use only the MQ authorities or is this an option, or does it use both? |
WMB v7 _only_ uses MQ authorities, it has no ACLs of its own. The link Jeff gave describes this in more detail. |
|
| Back to top |
|
|
| zpat |
| Posted: Tue Jan 26, 2010 5:33 am Post subject: |
|
|
Jedi Council
Joined: 19 May 2001
Posts: 5866
Location: UK
|
Great. Keeps things simple and consistent.
If you could just enable this feature for V6.1 in a fixpack 
| Quote: |
| When you have enabled broker administration security, set up security control by registering WebSphere® MQ permissions for specific user IDs on a set of defined authorization queues that are defined on the broker queue manager |
The above quote is slightly misleading in that it should be possible (and preferable) to authorise access by group name. |
|
| Back to top |
|
|
| mqmatt |
| Posted: Tue Jan 26, 2010 5:55 am Post subject: |
|
|
Grand Master
Joined: 04 Aug 2004
Posts: 1213
Location: Hursley, UK
|
| zpat wrote: |
| If you could just enable this feature for V6.1 in a fixpack |
Hmm, interesting...
:hastily scribbles out V7.0 stickers and replaces them with "v6.1 special fixpack for zpat" ones. |
|
| Back to top |
|
|
| mqjeff |
| Posted: Tue Jan 26, 2010 6:00 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008
Posts: 17447
|
| zpat wrote: |
| Quote: |
| When you have enabled broker administration security, set up security control by registering WebSphere® MQ permissions for specific user IDs on a set of defined authorization queues that are defined on the broker queue manager |
The above quote is slightly misleading in that it should be possible (and preferable) to authorise access by group name. |
It's MQ permission. on those platforms where MQ uses "users" to determine permission, that's a valid statement. On those platforms where MQ uses "groups" to determine permission, that's still mostly a valid statement - if one understands that MQ uses the user's group for permission rather than the user, even if you specify the userid on setmqaut. |
|
| Back to top |
|
|
| Vitor |
| Posted: Tue Jan 26, 2010 6:09 am Post subject: |
|
|
Grand High Poobah
Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA
|
| mqmatt wrote: |
| zpat wrote: |
| If you could just enable this feature for V6.1 in a fixpack |
Hmm, interesting...
:hastily scribbles out V7.0 stickers and replaces them with "v6.1 special fixpack for zpat" ones. |
How will you deal with the PMR that will get raised:
"Unable to start ConfigMgr since fixpack installed?"
_________________
Honesty is the best policy.
Insanity is the best defence. |
|
| Back to top |
|
|
| mqjeff |
| Posted: Tue Jan 26, 2010 6:14 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008
Posts: 17447
|
| Vitor wrote: |
| mqmatt wrote: |
| zpat wrote: |
| If you could just enable this feature for V6.1 in a fixpack |
Hmm, interesting...
:hastily scribbles out V7.0 stickers and replaces them with "v6.1 special fixpack for zpat" ones. |
How will you deal with the PMR that will get raised |
*He* won't have to deal with it at all. |
|
| Back to top |
|
|
|
|
