AMQ4036 mystery !!! Access not permitted. ... |
Author |
Message
|
oz1ccg |
Posted: Tue Aug 08, 2006 3:20 am Post subject: |
|
|
 Yatiri
Joined: 10 Feb 2002 Posts: 628 Location: Denmark
|
As rowles said:
Quote: |
The user ID sent by the MQ Explorer is the logged on user that launched the Explorer. |
But depending on your company settings, if someone has the ability to create a local userid on his or her computer, then they will have the possibility to create the "mqm" user or another MQ admin user account, and start MQExplorer using this user. And then get full authority over your Linux queue manager.....
To prevent this you can use either SSL, Secure MQ, or a security exit solution...
Some great folks did a good job some time ago, a Redbook: WebSphere MQ Security in an Enterprise.
One thing is 100% sure: every queue manager with "open" SVRCONNs needs security exits and/or SSL requirements.
-- Lock it or Lose it --  _________________ Regards, Jørgen
Home of BlockIP2, the last free MQ Security exit ver. 3.00
Cert. on WMQ, WBIMB, SWIFT. |
|
 |
jefflowrey |
Posted: Tue Aug 08, 2006 5:17 am Post subject: |
|
|
Grand Poobah
Joined: 16 Oct 2002 Posts: 19981
|
oz1ccg wrote: |
One thing is 100% sure: every queue manager with "open" SVRCONNs needs security exits and/or SSL requirements. |
I guess it depends on if you consider a queue manager behind a properly configured firewall to have "open" SVRCONNs.
And a firewall is going to be a lot easier to maintain than a security exit will be. No version dependencies on MQ! _________________ I am *not* the model of the modern major general. |
|
 |
kayou |
Posted: Tue Aug 08, 2006 7:39 am Post subject: |
|
|
Novice
Joined: 05 Aug 2006 Posts: 21
|
Thanks for your very helpful answers. They put me on interesting tracks for leaving the "newbie" level.
I'll close the post, right now. |
|
 |
Atlanta06 |
Posted: Wed Nov 29, 2006 12:39 pm Post subject: |
|
|
Novice
Joined: 29 Nov 2006 Posts: 11
|
oz1ccg wrote: |
To begin with have a look in:
/var/mqm/errors/AMQERR01.LOG
and in /var/mqm/qmgrs/<your-qmgr>/errors/AMQERR01.LOG
you can use: tail -100 /var/mqm/errors/AMQERR01.LOG
Then check that the QMODEL(SYSTEM.MQEXPLORER.REPLY.MODEL) exists
Next you can change the MCAUSER on the SVRCONN :
ALTER CHL(SYSTEM.ADMIN.SVRCONN) CHLTYPE(SVRCONN) MCAUSER('mqm')
and add it with runmqsc. This will give you connecting user max auth.
And when you see that this works you can play with the other users....
-- Lock it or Lose it  |
This worked for me also. Thanks a bunch!! |
|
 |
jefflowrey |
Posted: Wed Nov 29, 2006 1:54 pm Post subject: |
|
|
Grand Poobah
Joined: 16 Oct 2002 Posts: 19981
|
Atlanta06 wrote: |
This worked for me also. Thanks a bunch!! |
If you have set the MCAUSER to 'mqm', then you have opened up your entire queue manager to any and all players to make any and all changes they want to make. _________________ I am *not* the model of the modern major general. |
|
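An added example, not part of any post in this thread: a small audit that reads runmqsc output and flags the SVRCONN channels the posters above describe as open, either MCAUSER set to an admin account or a blank MCAUSER with no SSL CipherSpec and no security exit. The DISPLAY command in the comment, the sample output and the ADMIN_USERS set are constructed assumptions.

```python
import re

# Constructed sample of runmqsc output for (assumed command):
#   DISPLAY CHANNEL(*) CHLTYPE(SVRCONN) MCAUSER SSLCIPH SCYEXIT
SAMPLE = """\
AMQ8414: Display Channel details.
   CHANNEL(SYSTEM.ADMIN.SVRCONN)           CHLTYPE(SVRCONN)
   MCAUSER(mqm)                            SCYEXIT( )
   SSLCIPH( )
AMQ8414: Display Channel details.
   CHANNEL(APP1.SVRCONN)                   CHLTYPE(SVRCONN)
   MCAUSER( )                              SCYEXIT( )
   SSLCIPH( )
AMQ8414: Display Channel details.
   CHANNEL(APP2.SVRCONN)                   CHLTYPE(SVRCONN)
   MCAUSER(app2usr)                        SCYEXIT( )
   SSLCIPH(TRIPLE_DES_SHA_US)
"""

ADMIN_USERS = {"mqm"}  # assumption: extend with other MQ admin accounts
ATTR = re.compile(r"([A-Z]+)\(([^)]*)\)")

def parse_channels(text):
    """Split runmqsc output into one attribute dict per channel."""
    channels = []
    for line in text.splitlines():
        if line.startswith("AMQ8414"):
            channels.append({})          # a new channel record starts here
        elif channels:
            for key, value in ATTR.findall(line):
                channels[-1][key] = value.strip()   # "( )" becomes ""
    return channels

def audit(text):
    """Return (channel, finding) pairs for SVRCONNs the thread calls open."""
    findings = []
    for ch in parse_channels(text):
        if ch.get("CHLTYPE") != "SVRCONN":
            continue
        protected = bool(ch.get("SSLCIPH") or ch.get("SCYEXIT"))
        user = ch.get("MCAUSER", "")
        if user.lower() in ADMIN_USERS:
            findings.append((ch["CHANNEL"], "every client runs as admin user " + user))
        elif not user and not protected:
            findings.append((ch["CHANNEL"], "client-asserted user ID trusted, no SSL or exit"))
    return findings

if __name__ == "__main__":
    for name, finding in audit(SAMPLE):
        print(f"{name}: {finding}")
```

The check only reports whether SSLCIPH or SCYEXIT is set; it does not judge how the exit or the certificate validation is configured.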