MQExplorer on NT machine to Solaris box - authorization prob |
Pierre-Yves Lesage |
Posted: Fri Sep 21, 2001 4:34 am Post subject: |
|
|
Novice
Joined: 21 Aug 2001 Posts: 17 Location: London, UK
|
Hi,
we have installed the MQSeries Explorer on an NT machine. We are trying to get it connected to the Solaris box on which we have a queue manager.
The user exists both on the Solaris box and the NT machine. On the Solaris box, he does not belong to the mqm group.
When trying to connect, we get a "you are not authorized .." type of message. However, if we ssh to the Solaris machine as the user and issue runmqsc commands, it works fine.
When we log on to the NT machine with a user that does belong to the mqm, everything works fine.
In conclusion, it seems that the only way to use MQExplorer is to use a user that belongs to the mqm group on the target unix machine. However, we don't want that because we don't want to give this particular user the same permissions as mqm users.
Does anybody know of any workaround?
Thanks !
Pierre-Yves Lesage |
jhalstead |
Posted: Fri Sep 21, 2001 4:59 am Post subject: |
|
|
 Master
Joined: 16 Aug 2001 Posts: 258 Location: London
|
Hey Pierre, if it doesn't have to be explorer there is a support pack which effectively wraps up the runmqsc command line such that it can be configured to a particular user's requirements. i.e. they can use runmqsc and display queues etc. however have no access to other MQSC commands...
Obviously explorer is a graphical interpretation of runmqsc so users must be in mqm. I too would be extremely keen to know of a workaround!
Good luck!
Jamie |
jhalstead |
Posted: Fri Sep 21, 2001 5:00 am Post subject: |
|
|
 Master
Joined: 16 Aug 2001 Posts: 258 Location: London
|
Support pack is MS0E!
Jamie |
Pierre-Yves Lesage |
Posted: Fri Sep 21, 2001 6:09 am Post subject: |
|
|
Novice
Joined: 21 Aug 2001 Posts: 17 Location: London, UK
|
Thanks Jamie.
However, we would love to impress our users with MQExplorer if there is an option available besides putting them in the mqm group!
Pierre-Yves |
EddieA |
Posted: Mon Sep 24, 2001 10:23 am Post subject: |
|
|
 Jedi
Joined: 28 Jun 2001 Posts: 2453 Location: Los Angeles
|
Hi
Firstly, one point in the 1st post doesn't seem quite right. If the userid on the NT/Solaris machine isn't part of mqm, then trying to use the Explorer should give the 'not authorized' return. But connecting to the Solaris box and using runmqsc should do the same. Hmmmm.
OK. Back to the question. On the Solaris box use setmqaut to give the following authorizations for a user (actually, it would be preferable to use a group) that isn't part of mqm.
For the qmgr, process, namelist, and every (yes EVERY) queue give: allmqi & dsp.
Now try connecting from a user in this new group. You will get a warning when you try and access the queues. This is because you cannot give anyone (other than mqm) access to the AUTH.DATA queue. However, everything else is fine.
This user (group) can now look at all the properties, but cannot modify them. You might want to tailor the allmqi part if you want to restrict access to messages on the queues.
You can also use the same technique to open up access to MQJExplorer.
BTW The one thing you can't open up to non-mqm users are Channel commands.
Cheers.
_________________
Eddie Atherton
IBM Certified Specialist - MQSeries
IBM Certified Specialist - MQSeries Integrator
[ This Message was edited by: EddieA on 2001-09-24 11:24 ] |
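The setmqaut procedure from the post above, written as a dry-run generator (an added example, not part of the original thread). The queue manager name QM1, the group mqview and the object list are constructed; object names are validated so the printed commands can be reviewed and then run by an mqm user.

```shell
#!/bin/sh
# Added example. Prints one setmqaut command per object; it changes nothing
# itself. QM1, mqview and the object names below are constructed.

# gen_setmqaut QMGR GROUP [AUTHS]
# stdin: "type name" pairs, type being queue, process or namelist.
gen_setmqaut() {
    qmgr=$1; group=$2; auths=${3:-"+allmqi +dsp"}
    # The point of the exercise is a group that is NOT mqm.
    [ "$group" = "mqm" ] && { echo "refusing group mqm" >&2; return 1; }
    # The queue manager object itself is addressed without -n.
    echo "setmqaut -m $qmgr -t qmgr -g $group $auths"
    while read -r otype name; do
        case $otype in
            ''|'#'*) continue ;;
            queue|process|namelist) ;;
            *) echo "skip: unknown type $otype" >&2; continue ;;
        esac
        case $name in
            # Per the post, only mqm can have access to the AUTH.DATA queue.
            *AUTH.DATA*) echo "skip: $name (mqm only)" >&2; continue ;;
            # Reject anything outside the MQ object-name character set, so
            # the printed commands carry no shell metacharacters.
            ''|*[!A-Za-z0-9._/%]*) echo "skip: bad name" >&2; continue ;;
        esac
        echo "setmqaut -m $qmgr -n $name -t $otype -g $group $auths"
    done
}

# Constructed object list; in practice it comes from the queue manager's
# own listing of queues, processes and namelists.
sample_objects() {
    cat <<'EOF'
queue APP.REQUEST
queue SYSTEM.DEFAULT.LOCAL.QUEUE
queue SYSTEM.AUTH.DATA.QUEUE
process APP.PROC
namelist APP.NL
queue BAD;NAME
EOF
}

sample_objects | gen_setmqaut QM1 mqview
```

The optional third argument replaces `+allmqi +dsp` for the tailoring mentioned in the post, for example `"+inq +dsp"`.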
Pierre-Yves Lesage |
Posted: Wed Oct 10, 2001 5:47 am Post subject: |
|
|
Novice
Joined: 21 Aug 2001 Posts: 17 Location: London, UK
|
Eddie,
Sorry about the late response.
Thank you very much for your answer. It works.
I also confirm my first post. The userid on the NT/Solaris machine isn't part of mqm. Connecting to the Solaris box and using runmqsc works as we have given executable permission to 'other' on the runmqsc command.
When using runmqsc, if the user tries to display queues that he is not authorized to, he gets:
dis ql(FORBIDDEN_QUEUE)
1 : dis ql(FORBIDDEN_QUEUE)
AMQ8135: Not authorized.
I have a question however. Could you explain why your solution works? IBM support told us on several occasions that only users belonging to the mqm group are able to use MQExplorer. How is your solution going past this?
Many Thanks!
Pierre-Yves
[ This Message was edited by: Pierre-Yves Lesage on 2001-10-10 06:50 ] |
EddieA |
Posted: Wed Oct 10, 2001 8:31 am Post subject: |
|
|
 Jedi
Joined: 28 Jun 2001 Posts: 2453 Location: Los Angeles
|
Pierre-Yves,
Ah-ha. It's the 'change' to the executable permissions that I didn't know about when I made my first comment.
OK, Explorer. The IBM support is correct. The user has to be a member of mqm in order to use the Explorer. But that's only on the LOCAL NT box where they actually run the Explorer.
Once you use Explorer to connect to another machine, the commands issued, to that second machine, are based on the userid that the Explorer is running and as such are treated just like any other client connection and are subject to 'normal' MQ authorisation.
Or you could use the MCAUSER option on the SYSTEM.ADMIN.SVRCONN channel on the Solaris box, so all connections from Explorers (and anyone else using that channel) will use that userid instead of their own. But beware, this 'could' pose a security problem.
Hope that explains it.
Cheers.
_________________ Eddie Atherton
IBM Certified Solution Developer - WebSphere Message Broker V6.1
IBM Certified Solution Developer - WebSphere Message Broker V7.0 |