ydsk
Posted: Tue Jan 17, 2006 10:03 am Post subject: Access to resources thru toolkit in v6
Chevalier
Joined: 23 May 2005 Posts: 410
We created a v6 configmgr on an AIX box.
Is it mandatory to have ACLs for v6 security? Until v5 we were using groups (mqbrkrs, mqbrtpic, mqbrasgn) to control security and access to objects on the configmgr machine.
But it looks like we must use ACLs to control access on the configmgr box in v6. Is this true? Or can we still use groups?
Can somebody please clarify?
Thanks.
ydsk.

mqmatt
Posted: Tue Jan 17, 2006 10:26 am Post subject:
Grand Master
Joined: 04 Aug 2004 Posts: 1213 Location: Hursley, UK
You must use ACLs in v6.
However, when you migrate a v2.1 or v5 Config Manager to v6, access control entries are automatically created for the mqbr* groups, so you don't need to do any additional configuration.
-Matt

ydsk
Posted: Tue Jan 17, 2006 10:38 am Post subject:
Chevalier
Joined: 23 May 2005 Posts: 410
Hi,
I am a complete novice to ACLs. Can you please point me to links where I can learn about ACLs and create them for my configmgr on AIX?
Appreciate your help.
Thanks.
ydsk.

wschutz
Posted: Tue Jan 17, 2006 11:29 am Post subject:
Jedi Knight
Joined: 02 Jun 2005 Posts: 3316 Location: IBM (retired)

ydsk
Posted: Tue Jan 17, 2006 1:48 pm Post subject:
Chevalier
Joined: 23 May 2005 Posts: 410
I just read in the configuration and admin manual for WMB v6 that we can continue to use the existing group level security without any changes, and that we don't need to use ACLs.
Can somebody comment on this ?
I am a bit confused on whether we really need to go for ACLs in v6.
Thanks for your time.
ydsk.

ydsk
Posted: Tue Jan 17, 2006 4:35 pm Post subject:
Chevalier
Joined: 23 May 2005 Posts: 410
Here is what I tried without creating any ACL so far.
I have 2 local user-ids created on my desktop (Win XP): mb6id and ydskid. Both are part of Administrators, mqm, and all mqbr* groups.
The same user-ids are created on the AIX box where the v6 configmgr is created. They are both members of mqbrkrs and mqm on the AIX box.
mb6id (one of the 2 user-ids above) is actually the service-id of the v6 configmgr on the AIX box.
When I logged in to my desktop with mb6id and opened the v6 toolkit I was able to connect to the v6 configmgr and I was able to add an existing v6 broker to the domain. I was also able to deploy a test msgflow and pass messages through it. But the broker appears with a big GREEN arrow pointing to the right...not sure why.
When I logged in to my desktop with ydskid (the other id listed above) and opened the toolkit, I couldn't connect to the configmgr and I got a BIP0889E error.
As I mentioned above, I was able to connect and deploy without having any ACLs with one id but not with the other.
Now, can mqmatt or somebody else please explain if we need to create ACLs in v6? The documentation isn't very clear on this.
Thanks.
ydsk.

ydsk
Posted: Tue Jan 17, 2006 4:37 pm Post subject:
Chevalier
Joined: 23 May 2005 Posts: 410
Please ignore the big GREEN arrow stuff that I mentioned...it is quite normal even in v5.
But please answer my other questions.

ydsk
Posted: Wed Jan 18, 2006 8:31 am Post subject:
Chevalier
Joined: 23 May 2005 Posts: 410
Hi,
Can some expert from Hursley please throw some light on this issue?
Thanks.
ydsk.

mqmatt
Posted: Wed Jan 18, 2006 8:47 am Post subject:
Grand Master
Joined: 04 Aug 2004 Posts: 1213 Location: Hursley, UK
Hello,
Yes, you do need to use ACLs in v6.
Use the mqsicreateaclentry command to define the set of users/machines and what they can access. Those users also need to be able to access the Config Manager's queue manager; you can use setmqaut to do this.
However, by default the service userid and userid used to start the Config Manager will always get full control of everything. This is to stop the Config Manager from becoming inaccessible if (for whatever reason) all the defined ACLs get deleted.
So in your case, mb6id will have full control over everything as it's your service id. But ydskid is not, so it doesn't.
As Wayne says, do take a look through the docs - it should all be explained there.
Hope this helps.
-Matt

ydsk
Posted: Wed Jan 18, 2006 9:18 am Post subject:
Chevalier
Joined: 23 May 2005 Posts: 410
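The two halves of mqmatt's answer (an ACL entry for the Configuration Manager plus setmqaut authorities on its queue manager) as one script. This is an added example, not code from the thread or from IBM. It assumes a Configuration Manager named CMGR on the AIX box, its queue manager named CMQM, a Toolkit PC named WINPC01, and that the Toolkit puts to SYSTEM.BROKER.CONFIG.QUEUE and receives replies on a dynamic queue built from SYSTEM.BROKER.MODEL.QUEUE; check those queue names against the v6 Configuration Manager documentation for your fix pack. The mqsicreateaclentry flags used (-u, -m, -x, -r) are the documented v6 ones; confirm with mqsicreateaclentry -help on your installation. The script only prints the commands so they can be reviewed before being piped to sh on the configmgr box.

```shell
#!/bin/sh
# Added example (not from the thread or from IBM): emit the WMB v6 commands
# that give one Toolkit user, connecting from one named machine, a chosen
# access level on the Configuration Manager, plus the WebSphere MQ authorities
# the Toolkit needs on the Configuration Manager's queue manager.

# Assumed names; change to match your installation.
CFG=CMGR                                 # Config Manager name, mandatory on AIX
QMGR=CMQM                                # the Config Manager's queue manager
PUT_QUEUE=SYSTEM.BROKER.CONFIG.QUEUE     # assumed Toolkit request queue
MODEL_QUEUE=SYSTEM.BROKER.MODEL.QUEUE    # assumed model for the reply queue

# Access levels mqsicreateaclentry -x accepts: F full, D deploy, E edit, V view.
check_level() {
    case "$1" in
        F|D|E|V) return 0 ;;
        *) return 1 ;;
    esac
}

# acl_cmds USER MACHINE LEVEL
# Prints the commands to stdout; nothing is executed.
# Guardrails:
#   - MACHINE is mandatory here. Leaving -m off creates an entry that matches
#     the user name from any client, and the Config Manager cannot tell your
#     Windows logon from a local account of the same name on another PC.
#   - LEVEL must be one of the four documented letters.
acl_cmds() {
    user=$1
    machine=$2
    level=$3
    if [ -z "$user" ] || [ -z "$machine" ]; then
        echo "acl_cmds: user and machine are both required" >&2
        return 1
    fi
    if ! check_level "$level"; then
        echo "acl_cmds: access level must be F, D, E or V, got '$level'" >&2
        return 1
    fi
    # -r scopes the entry to the Configuration Manager root, i.e. every object
    # in the domain. Use -b BROKER or -e EXECGROUP -b BROKER instead to limit a
    # deployer to one broker or execution group.
    echo "mqsicreateaclentry $CFG -u $user -m $machine -x $level -r"
    # On UNIX, WebSphere MQ v6 stores authorities per group: -p USER grants to
    # the user's primary group, so keep Toolkit ids in a dedicated group.
    echo "setmqaut -m $QMGR -t qmgr -p $user +connect +inq"
    echo "setmqaut -m $QMGR -t queue -n $PUT_QUEUE -p $user +put"
    echo "setmqaut -m $QMGR -t queue -n $MODEL_QUEUE -p $user +dsp +get"
    # Show the resulting entry; the configmgrName argument is mandatory on AIX.
    echo "mqsilistaclentry $CFG -u $user -m $machine"
}

# Example for the second desktop id in the thread (machine name constructed):
#   acl_cmds ydskid WINPC01 V
#   acl_cmds ydskid WINPC01 V | sh     # apply after reviewing the output
```

The same entry for a group rather than a user is `-g GROUP` in place of `-u USER`. One caveat that the ACL does not cover: the user name the Configuration Manager checks is whatever the Toolkit's MQ client asserts over the SVRCONN channel, so unless that channel has an MCAUSER set, anyone who can create a Windows account called ydskid on a machine that passes the -m check is ydskid as far as the Config Manager is concerned.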
Thanks for the explanation mqmatt.
I should say the documentation isn't very clear on this subject. I read in the v6 configuration and admin manual (pdf file) that we can continue to use groups like in v2.1.
When I created the configmgr I think an ACL got created automatically that gave full access to the service user-id. Without creating any ACLs, I did an mqsilistaclentry and saw it.
But the syntax of the ACL-related commands in the documentation is slightly different from how they work.
For example, when I created a v6 configmgr on AIX I didn't give a name to it. And even the documentation for mqsilistaclentry says the configmgrname is optional. But when I type mqsilistaclentry on the AIX box where the configmgr resides, I get an error saying a mandatory argument (configmgrname) is missing.
Hope this is corrected in the documentation.
Regards,
ydsk.

mqmatt
Posted: Wed Jan 18, 2006 9:54 am Post subject:
Grand Master
Joined: 04 Aug 2004 Posts: 1213 Location: Hursley, UK
Thanks for the feedback.
I know this was just one example, but regarding the mqsilistaclentry command I think that both the docs and the syntax help for the ConfigMgr name argument are OK:

http://publib.boulder.ibm.com/infocenter/wmbhelp/v6r0m0/index.jsp?topic=/com.ibm.etools.mft.doc/an23050_.htm wrote:
    configmgrName
    (Optional - Windows. Required - Linux, UNIX systems, and z/OS) ...
    The default name on Windows, if this parameter is not specified, is 'ConfigMgr'.

mqsilistaclentry -help wrote:
    'configMgrName' name of the Configuration Manager (may be omitted on Windows)

As a rule, the Config Manager name is always optional on Windows and mandatory on everything else.
Regards
-Matt

ydsk
Posted: Wed Jan 18, 2006 4:56 pm Post subject:
Chevalier
Joined: 23 May 2005 Posts: 410
mqmatt, can you tell me how I can add a Windows domain user-id to a configmgr on AIX?
I want to create an ACL on AIX (the configmgr box) to give full access to a Windows domain user-id.
I know there is a -m flag to specify a machine name, but the documentation doesn't say how we can add a Windows domain id or show any examples of how we can do it.
Thank you.
ydsk.

ydsk
Posted: Thu Jan 19, 2006 9:04 pm Post subject:
Chevalier
Joined: 23 May 2005 Posts: 410
Can someone from Hursley please give an example of how we can create an ACL on an AIX configmgr for a Windows domain id?
Thank you.
ydsk.

ydsk
Posted: Mon Jan 23, 2006 1:45 pm Post subject:
Chevalier
Joined: 23 May 2005 Posts: 410
Hursley guys,
Can you please tell me how an ACL can be created on an AIX configmgr for a Windows domain id? The -m flag on the mqsicreateaclentry command is accepting the domain name (and machine names as well) though the flag is meant for machine names alone. This creates a security hole. This is very confusing.
I know the syntax of the command mqsicreateaclentry. But I need an example of creating an ACL for a Windows domain id. Assume the domain id is DMN\mqsiuser, where 'DMN' is the domain name and 'mqsiuser' is the id.
Thanks.
ydsk.

jefflowrey
Posted: Mon Jan 23, 2006 3:20 pm Post subject:
Grand Poobah
Joined: 16 Oct 2002 Posts: 19981
Actually, if you read http://www.mqseries.net/phpBB2/viewtopic.php?t=24941
a little more carefully, you'll see that there are some bugs with the Toolkit and the ConfigMgr that make it difficult to get windows users authenticated on Unix.
I haven't checked the APAR list for RP 1 for WMB v6 to see if these fixes are included. But I think you should definitely open a PMR to see what's what.
I am *not* the model of the modern major general.