| Author |
Message |
 Topic: query about CLNTUSER & MCAUSER |
hklbj
Replies: 33
Views: 32452
|
 Forum: IBM MQ Security Posted: Sun Dec 14, 2014 7:03 pm Subject: query about CLNTUSER & MCAUSER |
Well looks like everything is lower case wing...
Now you need to check your different chlauth setup.
You may have a hole somewhere in there and that lets wing through in the specific case...
Easy ... |
| Topic: query about CLNTUSER & MCAUSER |
hklbj
Replies: 33
Views: 32452
|
Forum: IBM MQ Security Posted: Thu Dec 11, 2014 5:30 pm Subject: query about CLNTUSER & MCAUSER |
| Can you show the entries from your MQ error log when you had the rules that blocked everything? What you displayed above doesn't look like the MQ error log. It looks like some tool's display of the MQ ... |
| Topic: query about CLNTUSER & MCAUSER |
hklbj
Replies: 33
Views: 32452
|
Forum: IBM MQ Security Posted: Thu Dec 11, 2014 7:41 am Subject: query about CLNTUSER & MCAUSER |
| It sounds like to me that you have some type of CHLAUTH rule that is mapping any user id to wing. Have you checked all of your CHLAUTH rules to see if you have a rule that would do that (i.e. SSLPEER ... |
| Topic: query about CLNTUSER & MCAUSER |
hklbj
Replies: 33
Views: 32452
|
Forum: IBM MQ Security Posted: Thu Dec 11, 2014 12:55 am Subject: query about CLNTUSER & MCAUSER |
| Finally I tried again with single blocking rule only and turned on the trace to see what is happening. No matter what userid passed, 'wing', 'mqm', 'Wing' and 'WING', all just logged in event message ... |
| Topic: query about CLNTUSER & MCAUSER |
hklbj
Replies: 33
Views: 32452
|
Forum: IBM MQ Security Posted: Wed Dec 10, 2014 7:22 am Subject: query about CLNTUSER & MCAUSER |
What should be next step..... 
Authority Events are a Queue Manager property. Just flip the setting.
One more diagnostic idea. Actually, do this instead of the Authority ... |
| Topic: query about CLNTUSER & MCAUSER |
hklbj
Replies: 33
Views: 32452
|
Forum: IBM MQ Security Posted: Wed Dec 10, 2014 7:18 am Subject: query about CLNTUSER & MCAUSER |
You may want to try tracing the amqrmppa processes when you connect, to see if the trace has any other helpful diagnostics in tracking down the user id that is flowing to the queue manager.
strmqtr ... |
| Topic: query about CLNTUSER & MCAUSER |
hklbj
Replies: 33
Views: 32452
|
Forum: IBM MQ Security Posted: Tue Dec 09, 2014 10:58 pm Subject: query about CLNTUSER & MCAUSER |
Authority Events are a Queue Manager property. Just flip the setting.
One more diagnostic idea. Actually, do this instead of the Authority Events.
Create a rule that blocks your connection. Try ... |
| Topic: query about CLNTUSER & MCAUSER |
hklbj
Replies: 33
Views: 32452
|
Forum: IBM MQ Security Posted: Tue Dec 09, 2014 4:17 am Subject: query about CLNTUSER & MCAUSER |
| This is a tricky one. I think its going to end up being something along the lines to what FJ mentioned earlier, and maybe kinda like my troubles in my other thread. The ID you think you are sending ov ... |
| Topic: query about CLNTUSER & MCAUSER |
hklbj
Replies: 33
Views: 32452
|
Forum: IBM MQ Security Posted: Mon Dec 08, 2014 8:44 pm Subject: query about CLNTUSER & MCAUSER |
... Are you seeing the same information in MQExplorer's view of the connection as you are seeing in a runmqsc 'DIS CONN' (or at least for 'DIS CHSTATUS') for the same connection?
Also, remember th ... |
| Topic: query about CLNTUSER & MCAUSER |
hklbj
Replies: 33
Views: 32452
|
Forum: IBM MQ Security Posted: Mon Dec 08, 2014 7:03 pm Subject: query about CLNTUSER & MCAUSER |
You show the permissions for the wing group, but can you tell us what groups the wing ID is in.
Is the wing ID in the mqm group? Or if on Windows, in the Administrators or mqm group? Or in some oth ... |
| Topic: query about CLNTUSER & MCAUSER |
hklbj
Replies: 33
Views: 32452
|
Forum: IBM MQ Security Posted: Mon Dec 08, 2014 6:44 am Subject: query about CLNTUSER & MCAUSER |
... Are you seeing the same information in MQExplorer's view of the connection as you are seeing in a runmqsc 'DIS CONN' (or at least for 'DIS CHSTATUS') for the same connection?
Also, remember th ... |
| Topic: query about CLNTUSER & MCAUSER |
hklbj
Replies: 33
Views: 32452
|
Forum: IBM MQ Security Posted: Mon Dec 08, 2014 6:24 am Subject: query about CLNTUSER & MCAUSER |
... does "dis CONN" show the MCAUSER? I've forgotten.
The big question, really, is if 'wing' is not getting mapped to 'mqjmsapps', then what is it getting mapped to?
Jeff, it didn't m ... |
| Topic: query about CLNTUSER & MCAUSER |
hklbj
Replies: 33
Views: 32452
|
Forum: IBM MQ Security Posted: Mon Dec 08, 2014 5:46 am Subject: query about CLNTUSER & MCAUSER |
| Peter, yes I have a rule to map 'wing' to 'mqjmsapps' and expect it cannot be connected as the object authorization didn't set for 'mqjmsapps'. All the detail can be found in my screen shots in post t ... |
| Topic: query about CLNTUSER & MCAUSER |
hklbj
Replies: 33
Views: 32452
|
Forum: IBM MQ Security Posted: Mon Dec 08, 2014 1:11 am Subject: query about CLNTUSER & MCAUSER |
Probably because there is a subtle difference between userid 'wing' and MQ.Environment,userID= "wing "; (case, domain = machine name, no domain, missing trailing blanks, etc...)
Make ... |
| Topic: query about CLNTUSER & MCAUSER |
hklbj
Replies: 33
Views: 32452
|
Forum: IBM MQ Security Posted: Sun Dec 07, 2014 6:52 pm Subject: query about CLNTUSER & MCAUSER |
Check out the fun I had here, where the case of the ID mattered when it came to CHLAUTH rules.
http://www.mqseries.net/phpBB2/viewtopic.php?t=65612&postdays=0&postorder=asc&start=0
... |
