paustin_ours
Posted: Wed Apr 12, 2006 6:43 am Post subject: V6 security
Yatiri
Joined: 19 May 2004 Posts: 667 Location: columbus,oh
I read quite a few posts on this topic. Is it true that in V6 there is no group level security and ACLs need to be defined?
I mean, do I have to define ACLs, or can I just add users to the broker group and make them connect to the configmgr?
I did try it:
adding the user to the group didn't work;
defining an ACL for the user worked.
jefflowrey
Posted: Wed Apr 12, 2006 6:53 am Post subject:
Grand Poobah
Joined: 16 Oct 2002 Posts: 19981
Groups are deprecated at least.
You can set ACLs for groups, though.
Also, neither ACLs nor Groups confer MQ privileges.
_________________
I am *not* the model of the modern major general.
paustin_ours
Posted: Thu Apr 13, 2006 6:58 am Post subject:
Yatiri
Joined: 19 May 2004 Posts: 667 Location: columbus,oh
My toolkit is in a domain environment, configmgr on AIX.
I have the same users in AIX under a local group.
I tried creating an ACL entry for the group with full access to the config proxy.
It is not able to validate because the toolkit is sending domain/user.
I set toolkit domain awareness to 0; it's sending workstationname/user now.
Is there something I am missing? Any thoughts?
sjensen
Posted: Thu Apr 13, 2006 7:21 am Post subject:
Centurion
Joined: 18 Dec 2003 Posts: 134 Location: London
Hi,
Did you use -a on mqsicreateaclentry? You could try to add the machine/domain name using the -m option.
Good luck,
Stefan
paustin_ours
Posted: Thu Apr 13, 2006 7:39 am Post subject:
Yatiri
Joined: 19 May 2004 Posts: 667 Location: columbus,oh
Can't use the -a option with the -g option for groups.
Tried using -m with -g as well and it would not work.
The problem is, when I turn off the domain awareness property of the toolkit, it still sends the workstation name with the user!!! Unlike the V5 toolkit.
jefflowrey
Posted: Thu Apr 13, 2006 7:43 am Post subject:
Grand Poobah
Joined: 16 Oct 2002 Posts: 19981
Are you using RP1 of the Toolkit? There were some fixes in this area. I suspect you are, since you are actually seeing domain/user, but...
_________________
I am *not* the model of the modern major general.
paustin_ours
Posted: Thu Apr 13, 2006 7:59 am Post subject:
Yatiri
Joined: 19 May 2004 Posts: 667 Location: columbus,oh
I am, as a matter of fact... I see domain/user,
and when I turn off the domain awareness I see
workstationname/user... I was expecting only user, as it is in V5.
iceage
Posted: Thu Apr 13, 2006 8:19 am Post subject:
Acolyte
Joined: 12 Apr 2006 Posts: 68
I see where you are coming from...
When one would like to configure ACLs for multiple users using GROUPS and the -g flag, I think there should be a way to disable the machine name...
Either the MachineAwareness flag or the -a flag should be allowed along with the -g flag...
From what you are saying, currently I think you have to live with
issuing ACL entries for each user using the -u flag, instead of the -g flag...
paustin_ours
Posted: Thu Apr 13, 2006 8:39 am Post subject:
Yatiri
Joined: 19 May 2004 Posts: 667 Location: columbus,oh
Are you saying it's a known bug?
mqmatt
Posted: Thu Apr 13, 2006 8:52 am Post subject:
Grand Master
Joined: 04 Aug 2004 Posts: 1213 Location: Hursley, UK
Hi,
I'm getting confused here - please could you post the output of mqsilistaclentry?
By the way, when you specified the -m flag, did you give the domain name or the machine name? (You need to create an ACL for whatever is passed over.)
-Matt
paustin_ours
Posted: Thu Apr 13, 2006 9:09 am Post subject:
Yatiri
Joined: 19 May 2004 Posts: 667 Location: columbus,oh
I know I am bad when it comes to posting....
Let me try to explain it a little better.
Toolkit on a Windows domain environment, 6.0.0.1.
Configmgr on AIX, 6.0.0.0.
I have the same userid that has the toolkit on the domain workstation
also on the AIX server, in a local group devgroup.
Now I do not want to define an ACL for every user that has the toolkit.
I have all the user names in a local group devgroup on AIX.
My ACL:
BIP1778I: devgroup - GROUP - F - ConfigManagerProxy - ConfigManagerProxy
Now it is failing.
The toolkit was connecting as domain/user.
Then I turned off the domain awareness; now it is connecting as
workstation/user.
In V5, when I turn off the domain awareness, it only sends the
user.
So I get a permission error.
paustin_ours
Posted: Thu Apr 13, 2006 9:33 am Post subject:
Yatiri
Joined: 19 May 2004 Posts: 667 Location: columbus,oh
The -m option does not go with the group.
When I tried to define ACLs for individual users I used the -a option and that works just fine.
The thing is, I don't want to do that.
ydsk
Posted: Thu Apr 13, 2006 6:32 pm Post subject:
Chevalier
Joined: 23 May 2005 Posts: 410
Hi,
I already faced all the issues that paustin_ours faced, so let me know if anyone needs more info on the issue.
The -m flag doesn't distinguish between a machine name and a domain name. It's a bug that IBM said it is going to fix in future. This was about 2 months back, so I am not sure if it's been fixed now.
You need to define ACLs in v6. When you create a configmgr, an ACL gets created by default which gives Full access to the configmgr service id on all machines. You can see it for yourself by issuing an mqsilistaclentry command on the configmgr box.
If your Windows domain id is, say, domain\user, you can create an ACL on a Unix configmgr in 2 ways using the mqsicreateaclentry command: (1) for 'user' -m 'domain', or (2) for domain\\user (backslash is an escape character on Unix). This is because the product can't distinguish between domain/machine names as of 2 months back, as I already mentioned above.
All this is for Message Broker so far, but of course you need to have appropriate MQ access to get to the configmgr and do something with it.
Thanks.
ydsk.
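A small script, added here and not taken from any post in this thread, that turns the per-user workaround iceage and ydsk describe into a generator: it reads the members of the AIX local group and emits one mqsicreateaclentry command per user, with -m set to the Windows domain the toolkit sends. The config manager name, domain and group line are constructed; -x F (full access) and -p (ConfigManagerProxy object) are taken from the mqsicreateaclentry reference and should be checked against your product level.

```shell
#!/bin/sh
# Added example, not from the thread: produce per-user ACL commands for
# every member of a local group, instead of one -g group entry that the
# config manager cannot match against "domain\user".

# Constructed sample line in /etc/group format: name:pw:gid:member,member,...
SAMPLE_GROUP_LINE='devgroup:x:2001:alice,bob,carol'

# acl_cmds_for_group <configmgr> <domain> <group-line>
# Prints one mqsicreateaclentry command per member; it does not run them,
# so the output can be reviewed before it is applied on the configmgr box.
acl_cmds_for_group() {
    cfg=$1; dom=$2; line=$3
    # fourth field of the group entry is the comma-separated member list
    members=$(printf '%s' "$line" | cut -d: -f4 | tr ',' ' ')
    for u in $members; do
        # -u user plus -m domain, matching the "domain\user" the toolkit passes;
        # -x F and -p are assumed from the command reference (see lead-in)
        printf 'mqsicreateaclentry %s -u %s -m %s -x F -p\n' "$cfg" "$u" "$dom"
    done
}

# count_acl_cmds <configmgr> <domain> <group-line>: number of commands produced,
# which should equal the number of group members
count_acl_cmds() {
    acl_cmds_for_group "$1" "$2" "$3" | wc -l | tr -d ' '
}

acl_cmds_for_group CMGR01 MYDOMAIN "$SAMPLE_GROUP_LINE"
```

Pipe the output through sh on the config manager host only after checking it, and confirm the result with mqsilistaclentry as mqmatt suggests.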
jefflowrey
Posted: Thu Apr 13, 2006 7:05 pm Post subject:
Grand Poobah
Joined: 16 Oct 2002 Posts: 19981
What paustin_ours wants to do, as far as I understand it, is this.
Define a local group on Unix.
Provide ACLs to that local group.
Add users to that local group that will "match" the Windows domain users, at least for the purpose of the configmgr's authorization checks.
So that paustin_ours doesn't have to issue ACLs for every individual user.
If this is correct - can someone explain how to do it? It doesn't seem to me that paustin_ours can create local users on Unix that look like "domain\\username" or "machinename\\username", or any other form of those, that can be added to the local group.
And the toolkit is always either passing "domain\user" or "machinename\user" - whereas previously it had passed "user" (although the configmgr was only on Windows, and so the user was assumed to be in the same domain as the configmgr used).
_________________
I am *not* the model of the modern major general.
paustin_ours
Posted: Fri Apr 14, 2006 6:46 am Post subject:
Yatiri
Joined: 19 May 2004 Posts: 667 Location: columbus,oh
That's exactly what I am trying to do.
Check this out... found this in the readme file for fixpack 1:
"Using the version 6 workbench on Windows, domain support does not work correctly unless the LogonInfo.dll and dependencies are in the path. If it is not, your computer's name is used rather than the domain name.
This can be avoided by starting the workbench from within a WebSphere Message Brokers 6.0 Command Console."
I set toolinglogoninfo.dll in the path. Doesn't work.
Not sure what dependencies they are talking about.