user authentication while triggering transaction from CKTI
haqshaik
Posted: Thu Sep 08, 2005 11:23 am Post subject: user authentication while triggering transaction from CKTI
Novice
Joined: 08 Sep 2005 Posts: 13
Hi,
I am new to the MQSeries world. I just added code to get the userid which is being used as the primary authentication to invoke the transaction when it is being triggered from MQ by the CKTI adapter. This is the userid that is running the transaction in the CICS region.
    EXEC CICS ASSIGN
         USERID(WS-USER-ID)
    END-EXEC.
I have written WS-USER-ID to a TSQ, and the value for WS-USER-ID shows the CICS region name. Let the CICS region name be CICSXXXX. Then the userid shown is CICSXXXX. As the transaction is running under the control of CICSXXXX, this is the userid which is being picked to do any database calls. As no such userid exists, when I try to access other resources, like database calls, I get a -922 sqlcode.
In my case the message will come from the Unix Solaris box.
The value in the user identifier field of the MQMD structure reflects AAAA. But this userid is not the one under which the transaction is being invoked as a primary authenticator, under which the database calls are being made. This userid will be populated from the environment under which the message is constructed.
I wrote a batch job to put a message from a flat file into the local queue and enabled the trigger. Still the userid that is invoking the transaction is shown as CICSXXXX. But this time my TSO userid got populated in the user identifier field.
When I disabled the trigger and ran the transaction from the terminal, my userid is reflected, and as my userid has the authority to do the database calls, it works fine.
My concern is that the userid which is coming in the MQMD should be able to run the transaction that is being triggered from the CKTI transaction, rather than the userid CICSXXXX.
If the userid coming in the MQMD structure is AAAA, the same userid should be able to run the transaction xxxx that is being triggered by the CKTI contact admin. On the mainframe, we can create a userid XXXX, which will have access to the database calls, so that the database calls work fine.
My other concern is how to make the userid AAAA able to run the contact admin that is being triggered by CKTI, while keeping the trigger enabled. Once the trigger is enabled, I do not have any control to change the userid. Even if I have, I cannot set it to AAAA for the transaction already started by the userid CICSXXXX.
Hope I am clear.
Any thoughts will be helpful.
Thanks,
Salauddin
zpat
Posted: Thu Sep 08, 2005 12:22 pm Post subject:
Jedi Council
Joined: 19 May 2001 Posts: 5866 Location: UK
Write your own trigger monitor program which starts transactions under the MQMD.Userid value.
(define SURROGAT class rules in RACF to allow the CICS region id to start transactions for other userids).
haqshaik
Posted: Fri Sep 09, 2005 5:53 am Post subject:
Novice
Joined: 08 Sep 2005 Posts: 13
Hi Zpat,
Let me put it this way, if my understanding is correct. As per your post, I am arriving at the following conclusion.
We have two options:
1) Write your own trigger monitoring application and pass the userid to start the transaction, if you are not using the IBM-supplied CKTI transaction.
2) If you are using the IBM-supplied CKTI transaction, create a CICS region id as a RACF group. Define SURROGAT rules for the group CICS region id with the userids from the MQMD structure. This will allow the transaction to be run under the userid of the MQMD structure.
I am not well versed in the RACF lingo and do not know much about how it works either.
Please correct me if my understanding is wrong.
Thanks for your help.
Thanks,
Salauddin
zpat
Posted: Fri Sep 09, 2005 9:28 am Post subject:
Jedi Council
Joined: 19 May 2001 Posts: 5866 Location: UK
CKTI does not start transactions under different userids. But any program that does so without providing a password for the user needs a permit to the surrogate RACF class SURROGAT profile *.DFHSTART.
What you could do is write a program that starts the target transaction using the userid from the MQMD in the message. It might be easier just to grant the CICS region id access to your resources though.
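
Added example, not part of the thread and not IBM-supplied code: the START step described in the reply above, as a CICS COBOL program. The program name STRTUSR, the COMMAREA layout and the result codes are hypothetical, and it assumes a site-written trigger monitor has already read the message descriptor and that the SURROGAT permit shown in the comment exists.

```cobol
       IDENTIFICATION DIVISION.
       PROGRAM-ID. STRTUSR.
      * Added example, hypothetical names. LINKed to by a site-written
      * trigger monitor that passes MQMD UserIdentifier in COMMAREA.
      * Assumed RACF setup, as in the reply above:
      * PERMIT AAAA.DFHSTART CLASS(SURROGAT) ID(CICSXXXX) ACCESS(READ)
       DATA DIVISION.
       WORKING-STORAGE SECTION.
       01  WS-RESP              PIC S9(8) COMP.
       01  WS-RESP2             PIC S9(8) COMP.
       01  WS-CICS-USERID       PIC X(8).
       LINKAGE SECTION.
       01  DFHCOMMAREA.
      *    MQMD UserIdentifier is 12 bytes; a CICS userid is 8.
           05  CA-MQMD-USERID   PIC X(12).
           05  CA-TRANSID       PIC X(4).
      *    S=started, A=NOTAUTH (transaction or surrogate check
      *    failed), U=userid rejected, E=other error.
           05  CA-RESULT        PIC X.
       PROCEDURE DIVISION.
       MAIN-PARA.
           IF EIBCALEN < LENGTH OF DFHCOMMAREA
               EXEC CICS RETURN END-EXEC
           END-IF
      *    Reject blank or over-long ids rather than truncate them.
           IF CA-MQMD-USERID(1:8) = SPACES
              OR CA-MQMD-USERID(9:4) NOT = SPACES
               MOVE 'U' TO CA-RESULT
           ELSE
               MOVE CA-MQMD-USERID(1:8) TO WS-CICS-USERID
               PERFORM START-AS-USER
           END-IF
           EXEC CICS RETURN END-EXEC.
       START-AS-USER.
      *    No TERMID: USERID applies only to a non-terminal START.
           EXEC CICS START TRANSID(CA-TRANSID)
                     USERID(WS-CICS-USERID)
                     RESP(WS-RESP) RESP2(WS-RESP2)
           END-EXEC
           EVALUATE WS-RESP
               WHEN DFHRESP(NORMAL)
                   MOVE 'S' TO CA-RESULT
               WHEN DFHRESP(NOTAUTH)
                   MOVE 'A' TO CA-RESULT
               WHEN DFHRESP(USERIDERR)
                   MOVE 'U' TO CA-RESULT
               WHEN OTHER
                   MOVE 'E' TO CA-RESULT
           END-EVALUATE.
```

With this in place the region userid can start work as any userid it holds a SURROGAT permit for, so permit only the userids expected in MQMD.UserIdentifier.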