queuetip
Posted: Tue Feb 13, 2007 1:26 pm Post subject: Channel security restriction problem
Acolyte | Joined: 03 Feb 2005 | Posts: 67
ENVIRONMENT:
I am running MQ V5.3 on a Windows server using an MQM Domain group under the MQM group on the local machine. I belong to the MQM Domain group.
PROBLEM:
It looks like I can do all maintenance via the MMC console except change properties on a channel object. I also can't issue commands on the channel.
Any ideas why not? I saw that security for the channels is not managed by the OAM, so I can't figure out where to look.
Thanks!
Mike
RogerLacroix
Posted: Sat Feb 17, 2007 8:35 am Post subject:
Jedi Knight | Joined: 15 May 2001 | Posts: 3264 | Location: London, ON Canada
Hi,
Can you re-phrase the question, because I don't know if your question is about 'channel security' or 'protecting a QMgr (via OAM) from bogus Admin commands'.
Regards,
Roger Lacroix
Capitalware Inc.
_________________
Capitalware: Transforming tomorrow into today. Connected to MQ!
queuetip
Posted: Mon Feb 19, 2007 7:30 am Post subject:
Acolyte | Joined: 03 Feb 2005 | Posts: 67
The original question is all about channel security; sorry for any confusion.
Any help or insight would be greatly appreciated. Thanks!
RogerLacroix
Posted: Mon Feb 19, 2007 10:50 am Post subject:
Jedi Knight | Joined: 15 May 2001 | Posts: 3264 | Location: London, ON Canada
Hi,
It would have been nice if you had re-phrased your question (because it is clear as mud), so all I can do is guess.
OAM is not involved in channel security per se. Think of MQ security as 2 guys/gals standing at a door. One is outside of the door and the other is inside of the door.
Out of the box, there is no security per se on the channel (the guy standing outside the door). Now you can beef up the person standing outside the door by using SSL or a server-side security exit, and this can be a reasonable facsimile of security.
If you want true end-to-end security then you need a security solution that has implemented both server-side and client-side security exits.
Finally, where does OAM fit in? This is the person standing on the inside of the door, but it does NOT do authentication; it only checks if you have permission to do what you are trying to do.
Hope that helps.
Regards,
Roger Lacroix
Capitalware Inc.
_________________
Capitalware: Transforming tomorrow into today. Connected to MQ!
queuetip
Posted: Mon Feb 19, 2007 12:12 pm Post subject:
Acolyte | Joined: 03 Feb 2005 | Posts: 67
Based upon my ENVIRONMENT described above, why do I fail an edit when trying to update the connection name property of the sender channel object via MQ Explorer?
Also, why do I fail edits when trying to start and stop the channels?
bruce2359
Posted: Mon Feb 19, 2007 4:10 pm Post subject:
Guest
Why did I fail...? What reason code(s) did you receive? The reason code and error logs will tell you exactly why.
Access to the MQ object definition (all of them, including channel definitions) is secured. You must be (logged on as) a member of the MQM group.
Channel security is not done at the object definition, as it is with a queue. You can associate a userid (DEFAULT, MCAUSER or CTX...) that will cause the operation of the channel to take on a user identity. You can add SSL to further enhance security of use (operation) of the channel.
queuetip
Posted: Tue Feb 20, 2007 9:01 am Post subject:
Acolyte | Joined: 03 Feb 2005 | Posts: 67
Quote:
    Why did I fail...? What reason code(s) did you receive? The reason code and error logs will tell you exactly why.
All it says is "Access not authorized. You are not allowed to perform this operation." (AMQ4036)
Here's the log...
Quote:
    Event Type: Warning
    Event Source: WebSphere MQ
    Event Category: None
    Event ID: 8072
    Date: 2/20/2007
    Time: 10:41:51 AM
    User: N/A
    Computer: USPLSWEBH54B
    Description:
    Not authorized to administer channels.
    The command server for queue manager 'TST1' received an administration command for channels. The user 'mikeid' is not authorized to administer WebSphere MQ channels. The command server has not processed the command.
    Add the user to the local 'mqm' security group, and ensure that the security policy is set as required.
...so unfortunately it really tells me too much. Based on the MQ environment (as I mentioned in the original post), 'mikeid' is a member of a domain group that is listed under the local mqm group. So I would expect MQ to figure out indirectly that 'mikeid' has access.
How can I set up security so I can edit, stop, and start channels?
Thanks for your patience!
Mike
exerk
Posted: Tue Feb 20, 2007 9:14 am Post subject:
Jedi Council | Joined: 02 Nov 2006 | Posts: 6339
I'm not sure whether you are hitting a problem of nested groups and being unable to drill down through them, i.e. the domain group containing 'mikeid' is not declared within domain/mqm.
Try putting the domain group in domain/mqm and see what happens.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
mnance
Posted: Tue Feb 20, 2007 6:02 pm Post subject:
Apprentice | Joined: 15 Aug 2002 | Posts: 44
Also, try just adding the MikeID account to the local MQM group. This will eliminate nested group issues.
_________________
Salvation can only be achieved through Jesus Christ, our Lord and Saviour.
queuemanager
Posted: Sun Feb 25, 2007 11:36 pm Post subject:
Apprentice | Joined: 28 Nov 2006 | Posts: 43 | Location: Bangalore
Hi,
Try to alter the channel through the runmqsc prompt. Also please provide us with the error logs from AMQERR01.log present in the qmgr's errors directory (C:\Program Files\IBM\WebSphere MQ\Qmgrs\<Qmanager name>\errors).
fjb_saper
Posted: Tue Feb 27, 2007 12:28 pm Post subject:
Grand High Poobah | Joined: 18 Nov 2003 | Posts: 20756 | Location: LI,NY
queuetip wrote:
    Based upon my ENVIRONMENT described above, why do I fail an edit when trying to update the connection name property of the sender channel object via MQ Explorer?
    Also, why do I fail edits when trying to start and stop the channels?
Did you read the part in the security manual where it specifies that MQ on Windows does not like embedded groups?
Use separate groups and allow each of them via setmqaut....
And look up the additional authorizations of dsp and ctrl for channels in V6.
Enjoy
_________________
MQ & Broker admin
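The checks the replies above point at (is the account a direct member of local 'mqm', or does it only get there through a nested domain group?) as an added PowerShell diagnostic, not code from the thread or from IBM. It assumes it runs on the MQ server; the account name 'mikeid' and the group name 'mqm' are taken from the thread, and the ADSI WinNT provider is used so it works on older Windows/PowerShell versions too.

```powershell
# Added diagnostic (not from the thread): report whether $Account is a DIRECT member of the
# local MQ admin group, and list any groups nested inside it, which is the membership path
# the thread says MQ on Windows does not resolve. Run on the MQ server as an administrator.
param(
    [string]$Account    = 'mikeid',   # the account that receives AMQ4036 (from the thread)
    [string]$LocalGroup = 'mqm'       # local MQ admin group named in the event log entry
)

# Bind to the local group through the WinNT provider (available without the AD module).
$group = [ADSI]"WinNT://./$LocalGroup,group"

# Each member is a COM object; pull Name, Class (User/Group) and ADsPath via reflection.
$members = @($group.Invoke('Members')) | ForEach-Object {
    New-Object PSObject -Property @{
        Name  = $_.GetType().InvokeMember('Name',    'GetProperty', $null, $_, $null)
        Class = $_.GetType().InvokeMember('Class',   'GetProperty', $null, $_, $null)
        Path  = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    }
}

$direct = $members | Where-Object { $_.Class -eq 'User'  -and $_.Name -eq $Account }
$nested = $members | Where-Object { $_.Class -eq 'Group' }

if ($direct) {
    "OK: '$Account' is a direct member of local '$LocalGroup'."
} else {
    "WARN: '$Account' is NOT a direct member of local '$LocalGroup'."
    if ($nested) {
        "Groups nested inside '$LocalGroup' (membership through these may not be honoured):"
        $nested | ForEach-Object { "  $($_.Path)" }
    }
    # The fix the replies suggest: add the account (or its group) directly, then re-test
    # the channel ALTER from runmqsc and check AMQERR01.LOG for a fresh AMQ8072 entry.
    "Suggested fix: net localgroup $LocalGroup $Account /add"
}
```

If the account shows as a direct member and AMQ4036 persists, the next thing to check is the queue manager's AMQERR01.LOG in the qmgr's errors directory, as queuemanager suggested above.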