WBI_user (Partisan; Joined: 07 Aug 2001; Posts: 386)
Posted: Thu Aug 10, 2006 10:17 am    Post subject: How to use username server
I am using WBI MB V6 and I want to turn on topic security.
I created a username server under Qmgr UNSQM.
My broker is under Qmgr BKQM.
My config manager is under Qmgr CMQM.
UNSQM, BKQM and CMQM are in a cluster BK_CLUSTER.
I issued
mqsichangebroker MYBROKER -s UNSQM -j
mqsichangeconfigmgr MBCONFIGMGR -s UNSQM
to associate MYBROKER and the config mgr with the username server and turn on topic security.
The system was restarted.
I then created a topic called WBI/TOPIC1 with an ACL.
On the MB toolkit, under Topic I can see
Principal  Publish  Subscribe  Persistent
grp1       yes      yes        yes
grp2       Deny     Deny       yes
where grp1 is a group under Windows with a user usr1 and grp2 is another group with a user usr2.
A full deploy is performed.
Proper MQ authority is set so that usr1 and usr2 can put MQ messages.
Based on the ACL, I expect usr1 can subscribe to WBI/TOPIC1 and usr2 cannot.
Logged on as usr1 and used RFTUTIL to send the subscription to the broker on WBI/TOPIC/#.
Logged on as usr2 and used RFTUTIL to send the subscription to the broker on WBI/TOPIC/#.
On the toolkit subscription panel, I saw
Topic        User  Broker
WBI/TOPIC/#  usr1  MYBROKER
WBI/TOPIC/#  usr2  MYBROKER
This says that subscriptions from both users were successful.
Why is usr2 not stopped? What did I miss?
jefflowrey (Grand Poobah; Joined: 16 Oct 2002; Posts: 19981)
Posted: Thu Aug 10, 2006 10:21 am    Post subject:
The users and the groups have to be defined in the security context that the UserName server is using.
Under Windows, this means that the User Name Server needs to be either using the local machine security and all users and groups are defined there, or it is using a Domain and all users and groups are defined there.
I am *not* the model of the modern major general.
WBI_user (Partisan; Joined: 07 Aug 2001; Posts: 386)
Posted: Thu Aug 10, 2006 10:33 am    Post subject:
grp1, grp2, usr1 and usr2 are all local (not in a domain).
BTW, I have also added usr1 and usr2 to the ACL.
What I have now under Topic is
Principal  Publish  Subscribe  Persistent
grp1       yes      yes        yes
grp2       Deny     Deny       yes
usr1       yes      yes        yes
usr2       Deny     Deny       yes
But both users can still subscribe.
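A simplified model of how a topic ACL is evaluated for a subscription, added here as an illustration (this is not the broker's or IBM's code; the inheritance, wildcard and Deny-wins rules and the root-default value are assumptions of the model), run on the ACL and the subscription filter exactly as they are written in this thread:

```python
# Simplified model of WMB v6 topic-based security (illustration, not broker code).
# Assumed rules: ACL entries live on topic-tree nodes; a subscription on "A/B/#"
# is checked at node "A/B"; the nearest node at or above it that holds an entry
# for the user or one of the user's groups decides; an explicit Deny at that
# level wins over an Allow; if no entry matches, the root default applies.
from dataclasses import dataclass, field

@dataclass
class Acl:
    # topic node -> {principal: {"publish": bool, "subscribe": bool, "persistent": bool}}
    entries: dict = field(default_factory=dict)
    root_default: bool = True  # assumption: the root topic permits everyone by default

    def grant(self, topic, principal, publish, subscribe, persistent=True):
        self.entries.setdefault(topic, {})[principal] = {
            "publish": publish, "subscribe": subscribe, "persistent": persistent}

def subscription_node(filter_topic):
    # "WBI/TOPIC/#" -> "WBI/TOPIC";  "WBI/TOPIC1" -> "WBI/TOPIC1";  "#" -> "" (root)
    parts = []
    for seg in filter_topic.split("/"):
        if seg in ("#", "+"):
            break
        parts.append(seg)
    return "/".join(parts)

def ancestors(node):
    # "WBI/TOPIC" -> ["WBI/TOPIC", "WBI", ""], most specific first
    parts = node.split("/") if node else []
    return ["/".join(parts[:i]) for i in range(len(parts), -1, -1)]

def can_subscribe(acl, user, groups, filter_topic):
    principals = {user, *groups.get(user, ())}
    for node in ancestors(subscription_node(filter_topic)):
        level = acl.entries.get(node, {})
        decisions = [level[p]["subscribe"] for p in principals if p in level]
        if decisions:
            return all(decisions)  # any explicit Deny at this level wins
    return acl.root_default

GROUPS = {"usr1": {"grp1"}, "usr2": {"grp2"}}   # constructed local group membership
acl = Acl()
acl.grant("WBI/TOPIC1", "grp1", True, True)      # ACL from the thread
acl.grant("WBI/TOPIC1", "grp2", False, False)

def thread_scenario():
    # The ACL sits on WBI/TOPIC1, but the subscriptions name WBI/TOPIC/#, whose
    # check node is WBI/TOPIC: nothing matches there or above, so the root default applies.
    return {u: can_subscribe(acl, u, GROUPS, "WBI/TOPIC/#") for u in ("usr1", "usr2")}

def secured_topic_scenario():
    # Same ACL, subscription filter naming the secured topic itself.
    return {u: can_subscribe(acl, u, GROUPS, "WBI/TOPIC1") for u in ("usr1", "usr2")}

def unresolved_groups_scenario():
    # If the User Name Server cannot resolve local group membership (wrong security
    # context), usr2 carries no groups and a group-only ACL never matches.
    return can_subscribe(acl, "usr2", {}, "WBI/TOPIC1")
```

In the model, both users pass in the first scenario, only usr1 passes in the second, and usr2 slips through again in the third; checking where the ACL sits relative to the subscription filter and whether the UNS can resolve the groups are therefore the two things to verify.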
jefflowrey (Grand Poobah; Joined: 16 Oct 2002; Posts: 19981)
Posted: Thu Aug 10, 2006 10:39 am    Post subject:
What options did you specify to mqsicreateusernameserver?
WBI_user (Partisan; Joined: 07 Aug 2001; Posts: 386)
Posted: Thu Aug 10, 2006 10:43 am    Post subject:
It was just
mqsicreateusernameserver -i admin -a admin -q UNSQM
WBI_user (Partisan; Joined: 07 Aug 2001; Posts: 386)
Posted: Thu Aug 10, 2006 11:09 am    Post subject:
Just noticed by the administrator: the service userid "admin" used to create the username server is a domain id. The same id admin is used for the creation of the broker and the config manager. I am not sure if that will cause the username server to look for domain ids instead of the local ids (usr1, usr2, grp1, grp2). I am not a Windows expert, so I cannot say if this can be the cause of the problem.
jefflowrey (Grand Poobah; Joined: 16 Oct 2002; Posts: 19981)
Posted: Thu Aug 10, 2006 11:14 am    Post subject:
Are there errors in the Event Viewer?
The documentation says that if you don't specify the domain name on the -d parameter, then it will default to the local machine security registry. And as long as the machine isn't a domain controller, that will be the local machine security and not the domain.
Does the UNS service user have permissions to query group membership in the local security domain? (Member of Administrators, basically.)
WBI_user (Partisan; Joined: 07 Aug 2001; Posts: 386)
Posted: Thu Aug 10, 2006 12:30 pm    Post subject:
There is no error in the event viewer. I actually saw this information entry saying that the broker is ready for pubsub security.
I just cannot understand why it is not working.
==============================================
The broker has successfully processed the initial message from the User Name Server.
The broker has received the latest authentication and/or authorization information from the User Name Server. If this is the first time that the broker and User Name Server have ever communicated, then the broker will now be ready to support pubsub security services.
No user action required.
=============================================