Client and MQExplorer 5.3 read only access
David.Partridge
Posted: Thu Jan 18, 2007 5:24 am

Master

Joined: 28 Jun 2001
Posts: 249

I've got a set of QMs on Unix that I need to lock down to read only from external connections.

Two issues here:

1) Client channels:

I'm proposing to set a special userid into the userid on the channel defn. and set up OAM to allow inquire on all MQ objects and browse (only) on all queues.

2) MQ 5.3 Explorer. Is it possible to set up the OAM so that this can be driven from an external user in "look only" mode? Reading earlier posts on this message board suggests this may be possible, but I wasn't 100% clear.

Could some kind soul help with this?

Thanks
Dave
pathipati
Posted: Thu Jan 18, 2007 5:30 am

Master

Joined: 03 Mar 2006
Posts: 296

Yes, it is possible.
RogerLacroix
Posted: Thu Jan 18, 2007 8:30 am

Jedi Knight

Joined: 15 May 2001
Posts: 3264
Location: London, ON Canada

Hi,

Yes it is. Here is a posting for a different tool but same idea:
http://www.mqseries.net/phpBB2/viewtopic.php?t=16579

Regards,
Roger Lacroix
Capitalware Inc.
_________________
Capitalware: Transforming tomorrow into today.
Connected to MQ!
David.Partridge
Posted: Fri Jan 19, 2007 4:20 am

Master

Joined: 28 Jun 2001
Posts: 249

If my head isn't in a total mess, I *think* that this still leaves things wide open as MQ 5.3 explorer still needs PUT authority to SYSTEM.ADMIN.COMMAND.QUEUE.

I think this means that someone can write an app to put PCF messages to this queue, and bypass any protection I've put in place for the "mqmon" userid that I set in the MCAUSER of the SVRCONN channel.
jefflowrey
Posted: Fri Jan 19, 2007 4:21 am

Grand Poobah

Joined: 16 Oct 2002
Posts: 19981

Given that MQ Explorer is a PCF application... yes.
_________________
I am *not* the model of the modern major general.
David.Partridge
Posted: Fri Jan 19, 2007 4:23 am

Master

Joined: 28 Jun 2001
Posts: 249

...

Or does the command server run the commands with the authority of the user that put the message onto the SYSTEM.ADMIN.COMMAND.QUEUE?

It makes sense that it would do that, but one never knows ...
jefflowrey
Posted: Fri Jan 19, 2007 4:42 am

Grand Poobah

Joined: 16 Oct 2002
Posts: 19981

http://publibfp.boulder.ibm.com/epubs/html/csqzac03/csqzac030m.htm#HDRUSEAUT
_________________
I am *not* the model of the modern major general.
David.Partridge
Posted: Mon Jan 22, 2007 5:22 am

Master

Joined: 28 Jun 2001
Posts: 249

OK, here's what I did:

alter chl(SYSTEM.ADMIN.SVRCONN) chltype(svrconn) mcauser('mqmon')

setmqaut -m TEST123 -t qmgr -g mqmon +connect +inq +dsp
setmqaut -m TEST123 -n '**' -t queue -g mqmon +browse +inq +dsp
setmqaut -m TEST123 -n '**' -t process -g mqmon +inq +dsp
setmqaut -m TEST123 -n '**' -t namelist -g mqmon +inq +dsp
setmqaut -m TEST123 -n SYSTEM.ADMIN.COMMAND.QUEUE -t queue -g mqmon +inq +put +dsp
setmqaut -m TEST123 -n SYSTEM.MQEXPLORER.REPLY.MODEL -t queue -g mqmon +get +inq +dsp

This seems to work for MQ Explorer 6, BUT:

When I select "Queues" under the qmgr, the Queues window doesn't populate with the queue names etc.

Strangely, if I right click on "Queues" and select "Status", the popup window DOES populate.

Any ideas on what might be causing this? I already enabled authority events on the QM but nothing is being logged there ...

Cheers
Dave
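
An added example (not part of the thread or of any IBM tooling): a small Python check that parses setmqaut lines such as those in the post above and reports any grant beyond look-only access, allowing only +put on the command queue and +get on the Explorer reply model queue. The READ_ONLY and PCF_EXCEPTIONS policy sets and the final "drifted" line are assumptions constructed for illustration.

```python
import shlex

# Authorities a look-only identity may hold on any object (assumed policy).
READ_ONLY = {"connect", "inq", "dsp", "browse"}
# Extra grants that PCF access through Explorer needs, as in the post.
PCF_EXCEPTIONS = {
    "SYSTEM.ADMIN.COMMAND.QUEUE": {"put"},
    "SYSTEM.MQEXPLORER.REPLY.MODEL": {"get"},
}
VALUE_OPTS = {"-m", "-n", "-t", "-g", "-p"}  # setmqaut options that take a value

def parse_setmqaut(line):
    """Return (options, granted authorities); revocations (-auth) are ignored."""
    tokens = shlex.split(line)  # shlex strips the quotes around '**'
    if not tokens or tokens[0] != "setmqaut":
        raise ValueError(f"not a setmqaut command: {line!r}")
    opts, grants = {}, set()
    it = iter(tokens[1:])
    for tok in it:
        if tok in VALUE_OPTS:
            opts[tok[1:]] = next(it, "")
        elif tok.startswith("+"):
            grants.add(tok[1:].lower())
    return opts, grants

def audit(script):
    """List (profile, type, authority) for every grant outside the policy."""
    findings = []
    for line in filter(None, map(str.strip, script.splitlines())):
        opts, grants = parse_setmqaut(line)
        name = opts.get("n", "(qmgr)")
        allowed = READ_ONLY | PCF_EXCEPTIONS.get(name, set())
        findings += [(name, opts.get("t"), a) for a in sorted(grants - allowed)]
    return findings

# The six setmqaut commands from the post above.
POSTED = """
setmqaut -m TEST123 -t qmgr -g mqmon +connect +inq +dsp
setmqaut -m TEST123 -n '**' -t queue -g mqmon +browse +inq +dsp
setmqaut -m TEST123 -n '**' -t process -g mqmon +inq +dsp
setmqaut -m TEST123 -n '**' -t namelist -g mqmon +inq +dsp
setmqaut -m TEST123 -n SYSTEM.ADMIN.COMMAND.QUEUE -t queue -g mqmon +inq +put +dsp
setmqaut -m TEST123 -n SYSTEM.MQEXPLORER.REPLY.MODEL -t queue -g mqmon +get +inq +dsp
"""
# Constructed line: a later change that would break look-only access.
DRIFTED = POSTED + "setmqaut -m TEST123 -n '**' -t queue -g mqmon +put +chg\n"

if __name__ == "__main__": print(audit(DRIFTED))
```
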
exerk
Posted: Mon Jan 22, 2007 5:39 am

Jedi Council

Joined: 02 Nov 2006
Posts: 6339

You are specifying a group -g mqmon rather than a principal?

Have you created an 'mqmon' group with a user of the same name?
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
David.Partridge
Posted: Mon Jan 22, 2007 8:01 am

Master

Joined: 28 Jun 2001
Posts: 249

Yes, user mqmon with primary group mqmon. This is Unix ...

Dave
exerk
Posted: Mon Jan 22, 2007 8:23 am

Jedi Council

Joined: 02 Nov 2006
Posts: 6339

David.Partridge wrote:
... This is Unix ...


Sorry, poorly worded question on my part, I was just trying to establish how you were configuring your solution.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.