Shalini
Posted: Thu Dec 02, 2004 2:11 am Post subject: User Auth for different Groups in MQ
Master, Joined: 30 Apr 2002, Posts: 224, Location: India
Hi All,
MQ 5.3 CSD5 (Windows and Solaris)
Can I assign a group/user who has all rights other than deleting the MQ objects (i.e. they can even stop and start the channel etc.), but who should not be able to delete any MQ objects, including the QMGR?
In MQSI we have different groups with different rights, but in MQ I have only one group.
How do I achieve that?
This is to be implemented for our local (Windows) and remote (Solaris) QMGRs.
Both are administered through MMC Explorer.
Nigelg
Posted: Thu Dec 02, 2004 5:44 am Post subject:
Grand Master, Joined: 02 Aug 2004, Posts: 1046
You cannot assign user/group rights in Explorer, only administer WMQ objects. Note that a channel is not an object.
You have to use the setmqaut command, and not assign the +dlt authority to the user/group. Check the syntax of the command, and the various authorisations, in the System Admin manual.
Shalini
Posted: Mon Dec 06, 2004 5:10 am Post subject:
Master, Joined: 30 Apr 2002, Posts: 224, Location: India
Hi Nigelg,
Thanks for the reply.
Of course, I have gone through the "setmqaut command".
My problem is somewhat more critical.
We have observed that our Hub QMGR on Solaris (MQ 5.3 CSD5) is opened in MQ Explorer from NT by our support/production team for monitoring etc.
Sometimes I have seen that a local queue or a remote queue has been deleted, but we don't know who the culprit is (resulting in all messages going to the dead letter queue).
They log in as the "Uniform" user, who is in the "mqm" group, so they have all permissions.
I want to design a system where my support team opens an Explorer and can:
1) Monitor the QMGR
2) Stop/start channels/services etc., but should not be able to create or delete any MQ objects (preferably queues)
I tried the approach of removing "Uniform" from "mqm" and giving "-crt" and "-dlt" for queues from another user, "Uniform1", who is in "mqm".
But using the "Uniform" user I was not even able to open the Explorer.
I hope the MQ gurus have faced such issues.
The problem is that we have one group in MQSeries, "mqm", but in MQSI we have different groups for different functionality, so we can restrict each user's capabilities.
Please comment/suggest a different approach in MQSeries to resolve such issues.
Nigelg
Posted: Mon Dec 06, 2004 5:30 am Post subject:
Grand Master, Joined: 02 Aug 2004, Posts: 1046
Shalini
Posted: Wed Dec 08, 2004 2:56 am Post subject:
Master, Joined: 30 Apr 2002, Posts: 224, Location: India
Hi Nigelg,
Thanks for the link and the detailed reply and steps.
Quote:
    The requirement is for userID MYUSER on a Windows machine to be able to perform remote admin on a qmgr called MYQMGR hosted on a remote UNIX machine called tenpin listening on port 1444.
    Actions on tenpin
    1. Create the required user on the remote machine
    Use the O/S facilities to create the user, e.g. on AIX smit, HPUX sam or useradd, Solaris useradd.
    The user name must be in lower case, e.g. for user MYUSER on Windows create user myuser on UNIX.
    2. Ensure that the listener is set up and running.
    If using inetd, put this entry in /etc/services
    MQ_MYQMGR 1444/tcp
    and this entry in /etc/inetd.conf
    MQ_MYQMGR stream tcp nowait root /usr/lpp/mqm/bin/amqcrsta amqcrsta -m MYQMGR
    Request inetd to refresh its cache from the files by finding the PID of inetd and sending a SIGHUP signal to the process.
    tenpin:/scratch/nigelg $ su
    root's Password:
    # ps -ef | grep inetd
    root 4450 8010 0 27 Oct - 0:01 /usr/sbin/inetd
    root 14706 1 0 27 Oct - 0:00 /etc/inetd.afs /etc/inetd.conf.afs
    root 30596 44986 0 09:16:34 pts/0 0:00 grep inetd
    # kill -1 4450
    If using runmqlsr, start the listener:
    runmqlsr -m MYQMGR -t TCP -p 1444
    3. Ensure the command server is running
    The command server's process name is amqpcsea.
    tenpin:/scratch/nigelg $ ps -fe | grep amqpcsea
    nigelg 35272 51086 0 09:21:53 pts/0 0:00 grep amqpcsea
    tenpin:/scratch/nigelg $ strmqcsv MYQMGR
    WebSphere MQ command server started.
    tenpin:/scratch/nigelg $ ps -ef | grep amqpcsea
    nigelg 29248 1 0 09:22:00 - 0:00 amqpcsea MYQMGR
    nigelg 44990 51086 1 09:22:08 pts/0 0:00 grep amqpcsea
    4. Create the SVRCONN channel for the command server to use
    The channel name is SYSTEM.ADMIN.SVRCONN
    tenpin:/scratch/nigelg $ runmqsc MYQMGR
    5724-B41 (C) Copyright IBM Corp. 1994, 2002. ALL RIGHTS RESERVED.
    Starting MQSC for queue manager MYQMGR.
    def chl(SYSTEM.ADMIN.SVRCONN) chltype(SVRCONN) replace
    1 : def chl(SYSTEM.ADMIN.SVRCONN) chltype(SVRCONN) replace
    AMQ8014: WebSphere MQ channel created.
    end
    2 : end
    One MQSC command read.
    No commands have a syntax error.
    All valid MQSC commands were processed.
    There are several options at this point
    1. If the customer wants the required userID to have full privileges over all MQ objects, add the userID to the mqm group on the UNIX machine, again using the O/S facilities to do so. In this case there is no further action required.
    2. An alternative method of giving full privileges is to set the MCAUSER attribute on the SVRCONN channel created at step 4 above to mqm. Do this by adding MCAUSER('mqm') to the above runmqsc command. Again, no further action is required.
    3. If restricted access to MQ objects is required, further commands are necessary as below
    5. Grant specific authority over MQ objects to the required userID
    Issue these setmqaut commands to grant minimal authority to the userID:
    tenpin:/scratch/nigelg $ setmqaut -m MYQMGR -t qmgr -p myuser +connect +inq +dsp
    tenpin:/scratch/nigelg $ setmqaut -m MYQMGR -t q -n SYSTEM.DEFAULT.MODEL.QUEUE -p myuser +inq +browse +get
    tenpin:/scratch/nigelg $ setmqaut -m MYQMGR -t q -n SYSTEM.ADMIN.COMMAND.QUEUE -p myuser +inq +put
    The purpose of these commands is:
    1. Grant authority to access the qmgr
    2. Grant authority to the client channel to get the command server reply messages
    3. Grant authority to put messages onto the command server input queue
    Administration setmqaut commands, +chg +clr +dlt +dsp, will be required on each object in the qmgr to be administered remotely.
    For example, to allow dsp authority on a particular queue QL1:
    tenpin:/scratch/nigelg $ setmqaut -m MYQMGR -t q -n QL1 -p myuser +dsp
    Actions on Windows
    1. Show the qmgr in the Explorer window
    Right-click the Queue Managers folder and select Show Queue Manager...
    Select the Show a remote queue manager radio button
    Enter the Queue Manager Name, e.g. MYQMGR
    and Connection Name, e.g. tenpin(1444)
    Click OK
I tried the same setup in my local environment,
having user "Support" in mqm on my Windows machine and "Support" on Unix in the "Support" group (i.e. non-mqm), but the problem is that there is no auth for channels; I am unable to start or stop the channel using "Support" from MQ Explorer.
I know that we cannot set auth for channels.
But I am doing this exercise so that none of our "Support" users delete an MQ queue by accident; but if I take them out of the "mqm" group on Solaris, then they will not be able to handle the channels.
Is there any other approach?
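An added example that is not part of the original thread: the grant sequence from the quoted reply, written as a POSIX shell script for the Solaris side, with the per-queue administration authorities chosen so that +dlt is never handed out (and +crt, which is a qmgr-level authority, is not granted either). MYQMGR, myuser, QL1 and the SYSTEM.* queue names come from the quote; the MQ_DRY_RUN switch, the grants_are_safe check and the queue list are assumptions made for this illustration. Two caveats a practitioner should keep in mind: setmqaut has no effect on a member of the mqm group, so the support user must be out of mqm first (as in the "Uniform" experiment earlier in the thread); and on MQ 5.3 UNIX the OAM records authorities per group, so -p myuser takes effect for myuser's primary group. Channel start/stop cannot be restricted this way on MQ 5.3, as Nigelg says; releases from 7.1 onward added channel as a setmqaut object type with +ctrl authority, which is what this thread was missing.

```sh
#!/bin/sh
# Added example, not from the original thread. Restricted remote-admin grants
# for a support user on a UNIX queue manager: the minimal client-path
# authorities from the quoted reply plus per-queue +chg +clr +dsp, with +dlt
# and +crt deliberately never granted. MQ_DRY_RUN and grants_are_safe are
# assumptions for this illustration; setmqaut itself is the real WMQ command.

# Run setmqaut, or with MQ_DRY_RUN=1 echo the command line instead so the
# full grant set can be reviewed (or diffed against the last run) first.
mqaut() {
    if [ "${MQ_DRY_RUN:-0}" = "1" ]; then
        echo "setmqaut $*"
    else
        setmqaut "$@"
    fi
}

# Authority the Explorer/PCF client path needs: connect to and inquire on the
# qmgr, read replies from the dynamic reply queue, put to the command server.
# Note: setmqaut has no effect on mqm members, and on MQ 5.3 UNIX "-p user"
# is recorded against the user's primary group.
grant_client_access() {    # $1 = qmgr, $2 = principal (lower-case UNIX user)
    mqaut -m "$1" -t qmgr -p "$2" +connect +inq +dsp
    mqaut -m "$1" -t q -n SYSTEM.DEFAULT.MODEL.QUEUE -p "$2" +inq +browse +get
    mqaut -m "$1" -t q -n SYSTEM.ADMIN.COMMAND.QUEUE -p "$2" +inq +put
}

# Per-queue administration: change, clear and display only. No +dlt here and
# no +crt at qmgr level above, so the support user cannot delete or create.
grant_queue_admin() {      # $1 = qmgr, $2 = principal, $3.. = queue names
    qmgr=$1; principal=$2; shift 2
    for q in "$@"; do
        mqaut -m "$qmgr" -t q -n "$q" -p "$principal" +chg +clr +dsp
    done
}

# Guard for a dry-run listing on stdin: succeed only if no line grants an
# authority that allows creating or deleting objects (+dlt, +crt, or the
# +all/+alladm bundles that include them).
grants_are_safe() {
    ! grep -E '(^|[[:space:]])\+(dlt|crt|all|alladm)([[:space:]]|$)' >/dev/null
}

# Usage: MQ_DRY_RUN=1 sh grant_support.sh MYQMGR myuser QL1 QL2
# Prints the grant list and refuses if the list could ever delete an object.
if [ "$#" -ge 2 ]; then
    qmgr=$1; principal=$2; shift 2
    list=$( grant_client_access "$qmgr" "$principal"
            grant_queue_admin "$qmgr" "$principal" "$@" )
    printf '%s\n' "$list"
    printf '%s\n' "$list" | grants_are_safe || {
        echo "refusing: grant list includes a delete/create authority" >&2
        exit 1
    }
fi
```

Run it once with MQ_DRY_RUN=1 and keep the printed list with the change record; the same list run through grants_are_safe is a cheap guard against someone later "fixing" a support ticket by adding +dlt or +alladm to the script. After the real run, dspmqaut -m MYQMGR -t q -n QL1 -p myuser should show chg, clr and dsp but not dlt.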
Shalini
Posted: Wed Dec 08, 2004 11:37 pm Post subject:
Master, Joined: 30 Apr 2002, Posts: 224, Location: India
Hi All,
Please let me know if someone can help me with the same issue.
Shalini
Posted: Thu Dec 09, 2004 11:47 pm Post subject:
Master, Joined: 30 Apr 2002, Posts: 224, Location: India
Hi All,
Thanks for the response. We could give access on a queue to a user who is outside the mqm group using the AUTH command. Please let us know how we can give access on a channel to a non-mqm group user.
Thanks in advance,
Shalini.
Nigelg
Posted: Fri Dec 10, 2004 1:48 am Post subject:
Grand Master, Joined: 02 Aug 2004, Posts: 1046
Quote:
    Please let us know how we can give access on a channel to a non-mqm group user.
You cannot. setmqaut can only be used to grant authority over WMQ objects, and to run admin commands on qmgrs (also WMQ objects).
Channels are not WMQ objects in the same sense, and so auth cannot be granted or denied to admin commands affecting channels.
Perhaps support pack MS0E, WMQ Admin wrapper, might help you.
Shalini
Posted: Mon Aug 08, 2005 10:54 pm Post subject:
Master, Joined: 30 Apr 2002, Posts: 224, Location: India
Hi,
I tried the MS0E support pack.
According to the User Guide:
Quote:
    Installing the MQSeries Administration Wrapper (Windows NT)
    To install the MQSeries Administration Wrapper:
    1. If you have a previous version of the MQSeries Administration Wrapper installed, remove it. Type runmqsrv -remove to delete the entry in the services list, then erase the existing runmqsrv and runmqadm executables.
    2. Create an installation directory (for example, C:\Program Files\MQSeries\Wrapper).
    3. Copy all files to the installation directory.
    The files are:
    runmqsrv.exe
    The MQSeries Administration Wrapper Service for Windows NT.
    runmqadm.exe
    The runmqadm command-line interface.
    mqadmin.cfg
    The MQSeries Administration Wrapper configuration file containing user IDs and their access levels.
    amqumsg.dll
    The Windows NT event message log DLL file.
    mqadevrg.reg
    The Windows NT registry update file for event message logging.
    4. From the directory where the files are stored type:
    runmqsrv -install
    to install the service.
    The message MQ Administration Service installed is displayed.
When I downloaded the zip file and unzipped it into a folder, I did not get "amqumsg.dll" from the zip file.
Again I tried to download it, but the dll was missing...
The following files were present in the extract directory:
1) ipla
2) li
3) MQAdEvRg
4) MQAdmin
5) readme
6) runmqadm
7) runmqsrv
but not the dll file..... it is not there...
I tried searching in all the MQ directories; I could not find it...
But when I tried to install using the command
Quote:
    C:\Program Files\MQSeries\Wrapper>runmqsrv -install
    Unable to install the MQ Administration Service.
Maybe the dll is not present, hence it is not installing.
Did you experience the same problem?
hilla
Posted: Thu Feb 01, 2007 7:11 am Post subject:
Novice, Joined: 15 Oct 2006, Posts: 14
Hey Shalini and all,
I have the same problem as you described (that you didn't find the amqumsg.dll file after installing the MS0E support pack).
Does anyone know what I can do in order to use this support pack?
Thanks
Hilla