| Author |
Message
|
| msantos007 |
 Posted: Thu Mar 23, 2006 7:58 am Post subject: Alternate UserId |
 |
|
Voyager
Joined: 20 Dec 2004
Posts: 78
|
Hello there,
I´m trying to write an application where i can specify the userid to connect to a queue manager. The application will be written in C#, and I tried to set MQEnvironment.UserId and MQEnvironment.Password to the values of my username and Id. This user is in the mqm group, but I get the ReasonCode 2035 when I try to connect to the queue manager.
Questions:
1-) Can I alter these values to do what I´m planning?
2-) If yes, am I doing it in the right way?
3-) Is there anything I have to do to write an app in this way?
_________________
Maximiliano R. A. Santos
IBM Websphere MQ V6.0 Certified System Administrator
IBM Websphere MQ V5.3 Certified Solution Developer |
|
| Back to top |
|
 |
| jefflowrey |
| Posted: Thu Mar 23, 2006 8:01 am Post subject: Re: Alternate UserId |
|
|
Grand Poobah
Joined: 16 Oct 2002
Posts: 19981
|
| msantos007 wrote: |
Hello there,
I´m trying to write an application where i can specify the userid to connect to a queue manager. The application will be written in C#, and I tried to set MQEnvironment.UserId and MQEnvironment.Password to the values of my username and Id. This user is in the mqm group, but I get the ReasonCode 2035 when I try to connect to the queue manager.
Questions:
1-) Can I alter these values to do what I´m planning? |
Not that I know of. As far as I know, the only APIs that do not automatically pass on the user id that the program is running under is the Java API( both MQ and JMS) - and only because they have to be written to be 100% pure java and there is no 100% pure Java way to get the user from the OS.
| msantos007 wrote: |
2-) If yes, am I doing it in the right way?
3-) Is there anything I have to do to write an app in this way? |
You'll have to look into forking a process that runs as another user.
Or read about the Alternate User ID permissions in MQ, and how those are handled and used.
_________________
I am *not* the model of the modern major general. |
|
| Back to top |
|
|
| msantos007 |
| Posted: Thu Mar 23, 2006 8:04 am Post subject: |
|
|
Voyager
Joined: 20 Dec 2004
Posts: 78
|
it´s kinda weird,
the app server runs under ASPNET user, so do my application, and I put it in the mqm group
I try to connect without the user and password value sets and bingo! I my connection is successfull, and when I set the user name and password .,,, 2035 
_________________
Maximiliano R. A. Santos
IBM Websphere MQ V6.0 Certified System Administrator
IBM Websphere MQ V5.3 Certified Solution Developer |
|
| Back to top |
|
|
| mvic |
| Posted: Thu Mar 23, 2006 8:12 am Post subject: Re: Alternate UserId |
|
|
Jedi
Joined: 09 Mar 2004
Posts: 2080
|
| msantos007 wrote: |
| MQEnvironment.UserId and MQEnvironment.Password |
Did you read up on what those parameters do? They probably don't do what you think they do. 
As for putting users in the mqm group... hopefully you won't do this in production. mqm group is for MQ administrators.  |
|
| Back to top |
|
|
| jefflowrey |
| Posted: Thu Mar 23, 2006 8:16 am Post subject: |
|
|
Grand Poobah
Joined: 16 Oct 2002
Posts: 19981
|
What happens when you set the UserId and Password to the ASPNET user?
_________________
I am *not* the model of the modern major general. |
|
| Back to top |
|
|
| msantos007 |
| Posted: Thu Mar 23, 2006 9:56 am Post subject: |
|
|
Voyager
Joined: 20 Dec 2004
Posts: 78
|
mvic mqm group is for wmq administrators, actually
when we need someone to execute administrative tasks
on wmq, we put that user as member of the mqm group.
About the parameter´s the Using .NET manual only says
MQQueueManager Class
Password(page 33)
public static String Password {get; set;}
The password to be authenticated.
UserId (page 34)
public static String UserId {get; set;}
The UserId to be authenticated.
I don´t know what happens if I set the userid ASPNET, because I don´t know what´s its password, and maybe my IIS stop working 
But the thing is: If I don´t set any parameters, My connection is ok
if I set the parameters(even if I use an administrator account or an mqm acount) I have reason code 2035 (MQRC_NOT_AUTHORIZED) and the Event Viewer says, the user 'user' doesn´t have enough authority to do this.
_________________
Maximiliano R. A. Santos
IBM Websphere MQ V6.0 Certified System Administrator
IBM Websphere MQ V5.3 Certified Solution Developer |
|
| Back to top |
|
|
| jefflowrey |
| Posted: Thu Mar 23, 2006 10:06 am Post subject: |
|
|
Grand Poobah
Joined: 16 Oct 2002
Posts: 19981
|
Well, if you don't know the password for ASPNET, set it to a user that is in mqm that you do know the password for.
_________________
I am *not* the model of the modern major general. |
|
| Back to top |
|
|
| msantos007 |
| Posted: Thu Mar 23, 2006 10:11 am Post subject: |
|
|
Voyager
Joined: 20 Dec 2004
Posts: 78
|
I did it, and returns 2035 anyway
do I have to set any kind of default layout for user, like
mqm@server or server\mqm ...
_________________
Maximiliano R. A. Santos
IBM Websphere MQ V6.0 Certified System Administrator
IBM Websphere MQ V5.3 Certified Solution Developer |
|
| Back to top |
|
|
| mvic |
| Posted: Thu Mar 23, 2006 10:21 am Post subject: |
|
|
Jedi
Joined: 09 Mar 2004
Posts: 2080
|
|
| Back to top |
|
|
| msantos007 |
| Posted: Thu Mar 23, 2006 11:34 am Post subject: |
|
|
Voyager
Joined: 20 Dec 2004
Posts: 78
|
Am I insane or someone also tried something like
this before?
_________________
Maximiliano R. A. Santos
IBM Websphere MQ V6.0 Certified System Administrator
IBM Websphere MQ V5.3 Certified Solution Developer |
|
| Back to top |
|
|
| jefflowrey |
| Posted: Thu Mar 23, 2006 11:40 am Post subject: |
|
|
Grand Poobah
Joined: 16 Oct 2002
Posts: 19981
|
You know that IIS lets you change what user a particular web page and etc. runs as, right? That you can configure IIS to authenticate your users itself, and then the ASPs that the user accesses will run as that windows user, rather than as ASPNET? Similarly, you can configure IIS to run a particular ASP as a fixed user...
Also, again - as you've seen - the MQEnvironment.UserID and Password do not do what you think they do in .NET. They only work that way in Java.
_________________
I am *not* the model of the modern major general. |
|
| Back to top |
|
|
| msantos007 |
| Posted: Thu Mar 23, 2006 11:43 am Post subject: |
|
|
Voyager
Joined: 20 Dec 2004
Posts: 78
|
I´m trying to use this to connect to different queue managers, in different operating systems without fixing the MCAUSER at my SVRCONN channels
_________________
Maximiliano R. A. Santos
IBM Websphere MQ V6.0 Certified System Administrator
IBM Websphere MQ V5.3 Certified Solution Developer |
|
| Back to top |
|
|
| jefflowrey |
| Posted: Thu Mar 23, 2006 11:52 am Post subject: |
|
|
Grand Poobah
Joined: 16 Oct 2002
Posts: 19981
|
Then you need to look into forking and changing effective user ids in some manner or another.
MQ does this using DCOM objects.
_________________
I am *not* the model of the modern major general. |
|
| Back to top |
|
|
| jefflowrey |
| Posted: Thu Mar 23, 2006 11:54 am Post subject: |
|
|
Grand Poobah
Joined: 16 Oct 2002
Posts: 19981
|
On the flip side, if you're looking to build a web-based administration tool...
You can look at installing a local qmgr on the web server, and configuring sdr/rcvr channels (possibly with SSL) to all the different qmgrs - and then using PCF through remote queues to the various command server queues.
Or you can look at running local agent processes on each managed qmgr, and using regular TCP/IP to talk to those agent processes.
_________________
I am *not* the model of the modern major general. |
|
| Back to top |
|
|
| msantos007 |
| Posted: Thu Mar 23, 2006 12:08 pm Post subject: |
|
|
Voyager
Joined: 20 Dec 2004
Posts: 78
|
I have a new idea,
what if I create a user in each system with permissions only to connect to queue managers. He won´t have permissions to open queues or put messages, but I can set an alternate user on open and put/get calls to a user that has this permissions. You can say 'why is that? I´m calling an ambulance!' the answer is, If the user of the web application doesn´t give me an valid user ID he cannot put messages on my queues even if he´s connected to the queue manager.
_________________
Maximiliano R. A. Santos
IBM Websphere MQ V6.0 Certified System Administrator
IBM Websphere MQ V5.3 Certified Solution Developer |
|
| Back to top |
|
|
|
|
