PeterPotkay
Posted: Wed Nov 05, 2003 9:32 am Post subject: MQExplorer - Browse only capabilities
Can anyone think of a way, through fooling around with setmqaut, of allowing a user the ability to connect to MQExplorer, see all the queues / channels along with their properties, but not actually be able to add / change / delete anything?
My SYSTEM.ADMIN.SVRCONN channels on Windows servers have a blank MCAUSER, plus Kolban's security exit. I feel safe that no one can use MQExplorer to mess with these boxes, since they will be authenticated when they try to log on.
But what about UNIX? With no MCAUSER, any jerk can log onto a Windows box as mqm, and if they have MQExplorer, they can wreak havoc.
If I tagged these channels with an MCAUSER that could only browse, trusted people could still view MQ through this tool, but no harm could be done. (I understand I would also not be able to make changes; I have other tools.)
_________________
Peter Potkay
Keep Calm and MQ On
JasonE
Posted: Wed Nov 05, 2003 9:41 am
What about generic profiles, if your qmgr is a 5.3 qmgr? Will this help? You'll need to work out what authorizations are required (do it to an NT qmgr, and look at the qmgr error log after each security error).
E.g. MCAUSER of testusr, and then
Code:
setmqaut -m qmgr -n '*' -t q -p testusr +browse
etc.
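A helper for the loop JasonE describes: try an action as the restricted user, read the queue manager error log, grant what was refused, repeat. This is an added example written for this thread, not IBM code and not code posted by anyone here. It assumes the AMQ8077 record wording WebSphere MQ wrote to AMQERR01.LOG at the time ("Entity ... has insufficient authority to access object ..." followed by "The following requested permissions are unauthorized: ..."), uses a constructed log excerpt rather than a real one, treats every refused object as a queue because those records do not name the object type, and the allow-list of authorities a viewer may receive is the example's own policy rather than anything IBM defines.

```python
"""Harvest AMQ8077 'insufficient authority' records from a queue manager
error log and turn them into setmqaut grants, refusing anything that would
give the entity more than read-only access.

Added example for this thread, not IBM code.  Assumptions: the AMQ8077
record wording below (MQ 5.3/6 style), that refused objects are queues
(these records carry no object type, so -t is the caller's choice), and
the VIEWER_ALLOWED set, which is this example's policy, not IBM's.
"""
import re
from collections import defaultdict

# Constructed excerpt in the shape of AMQERR01.LOG; not from a real system.
SAMPLE_LOG = """\
11/05/2003 10:02:17
AMQ8077: Entity 'testusr' has insufficient authority to access object
'SYSTEM.ADMIN.COMMAND.QUEUE'.

EXPLANATION:
The specified entity is not authorized to access the required object. The
following requested permissions are unauthorized: put
ACTION:
Ensure that the correct level of authority has been set for this entity
against the required object, or ensure that the entity is a member of a
privileged group.
-------------------------------------------------------------------------------
11/05/2003 10:02:18
AMQ8077: Entity 'testusr' has insufficient authority to access object
'APP.ORDERS.REQ'.

EXPLANATION:
The specified entity is not authorized to access the required object. The
following requested permissions are unauthorized: inq dsp
ACTION:
Ensure that the correct level of authority has been set for this entity
against the required object, or ensure that the entity is a member of a
privileged group.
-------------------------------------------------------------------------------
11/05/2003 10:02:19
AMQ8077: Entity 'testusr' has insufficient authority to access object
'APP.ORDERS.REQ'.

EXPLANATION:
The specified entity is not authorized to access the required object. The
following requested permissions are unauthorized: browse
ACTION:
Ensure that the correct level of authority has been set for this entity
against the required object, or ensure that the entity is a member of a
privileged group.
"""

# One record: the header may wrap after 'object', and the refused
# permissions are a space-separated list on the 'unauthorized:' line.
RECORD = re.compile(
    r"AMQ8077: Entity '(?P<entity>[^']+)' has insufficient authority to "
    r"access object\s+'(?P<obj>[^']+)'\.[\s\S]*?"
    r"requested permissions are unauthorized:[ \t]*(?P<perms>[^\n]+)"
)

# Authorities a read-only (viewer) entity may be granted: this example's
# policy.  Everything else is reported, never granted automatically.
VIEWER_ALLOWED = frozenset({"connect", "inq", "dsp", "browse"})


def missing_authorities(log_text):
    """Return {(entity, object): set of refused authorities}, de-duplicated
    across all AMQ8077 records in the text."""
    missing = defaultdict(set)
    for m in RECORD.finditer(log_text):
        missing[(m.group("entity"), m.group("obj"))].update(m.group("perms").split())
    return dict(missing)


def plan_grants(qmgr, missing, allowed=VIEWER_ALLOWED, obj_type="queue"):
    """Split refusals into setmqaut lines (allowed authorities only) and a
    list of (entity, object, authorities) that the policy will not grant."""
    grants, refused = [], []
    for (entity, obj), perms in sorted(missing.items()):
        ok, bad = sorted(perms & allowed), sorted(perms - allowed)
        if ok:
            grants.append(
                f"setmqaut -m {qmgr} -n '{obj}' -t {obj_type} -p {entity} "
                + " ".join("+" + a for a in ok)
            )
        if bad:
            refused.append((entity, obj, bad))
    return grants, refused


if __name__ == "__main__":
    grants, refused = plan_grants("QM1", missing_authorities(SAMPLE_LOG))
    print("\n".join(grants))
    for entity, obj, auths in refused:
        print(f"# NOT granted to {entity} on {obj}: {' '.join(auths)}")
```

Run it against a copy of the error log after each failed attempt; the refused list is the interesting part, because a PCF-based tool that has to put commands on SYSTEM.ADMIN.COMMAND.QUEUE will keep asking for `put` there, which a strict browse-only allow-list will never hand out. Widen `allowed` deliberately, object by object, rather than falling back to `+all`.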
Michael Dag
Posted: Wed Nov 05, 2003 11:38 pm
Peter,
as you already found out, Neil's exit does not run on UNIX; tagging the MCAUSER with a 'browse user' opens up the queue manager to anyone!
They don't even need to pretend to be someone else, as the MCAUSER already does that for them.
On UNIX without MCAUSER and without exit, you are dead meat, as you only need a Java client (without userid) and it will become the user of the listener (which is usually started under mqm)...
So in order for the browse to work for the proper people, you need to get a UNIX exit on the channel.
Michael
PeterPotkay
Posted: Thu Nov 06, 2003 5:00 am
Michael, that's my goal. I don't care who looks at the QM, as long as they are browse only. But I would prefer an exit solution like on Windows.
I'll play with the setmqaut options and see what I find.
_________________
Peter Potkay
Keep Calm and MQ On
PeterPotkay
Posted: Sat Dec 06, 2003 8:35 am
MQExplorer is an all-or-nothing deal. They can do it all, or they have to be restricted completely. No combo of setmqaut commands will work. Oh well. Here's hoping MQ 6.0 considers this.
_________________
Peter Potkay
Keep Calm and MQ On
HugoB
Posted: Fri Dec 12, 2003 5:24 am
Peter,
It is actually possible to use a user that is not a member of the mqm group, but with restricted authorisation rights.
So only browse, and/or put etc.
But you need to set a lot of authorisations on system queues too.
I was able to make a user on UNIX that is not a member of the mqm group. And then, forcing an MCAUSER on the SYSTEM.ADMIN.SVRCONN channel, it worked rather well with MQExplorer. I was able to put on a specific queue, I was able to browse on that queue. But I could not delete/get messages.
Look at the following, this might help you I hope!!
Code:
setmqaut -m WT44 -n SYSTEM.DEFAULT.LOCAL.QUEUE -t queue -p mq +browse +get +inq +passall +passid +put +set +setall +setid +chg +clr +dlt +dsp
setmqaut -m WT44 -n SYSTEM.DEFAULT.MODEL.QUEUE -t queue -p mq +browse +get +inq +passall +passid +put +set +setall +setid +chg +clr +dlt +dsp
setmqaut -m WT44 -n SYSTEM.DEFAULT.ALIAS.QUEUE -t queue -p mq +browse +get +inq +passall +passid +put +set +setall +setid +chg +clr +dlt +dsp
setmqaut -m WT44 -n SYSTEM.DEFAULT.REMOTE.QUEUE -t queue -p mq +browse +get +inq +passall +passid +put +set +setall +setid +chg +clr +dlt +dsp
setmqaut -m WT44 -n SYSTEM.DEFAULT.INITIATION.QUEUE -t queue -p mq +browse +get +inq +passall +passid +put +set +setall +setid +chg +clr +dlt +dsp
setmqaut -m WT44 -n SYSTEM.ADMIN.COMMAND.QUEUE -t queue -p mq +browse +get +inq +passall +passid +put +set +setall +setid +chg +clr +dlt +dsp
setmqaut -m WT44 -n SYSTEM.CICS.INITIATION.QUEUE -t queue -p mq +browse +get +inq +passall +passid +put +set +setall +setid +chg +clr +dlt +dsp
setmqaut -m WT44 -n SYSTEM.MQSC.REPLY.QUEUE -t queue -p mq +browse +get +inq +passall +passid +put +set +setall +setid +chg +clr +dlt +dsp
setmqaut -m WT44 -n SYSTEM.DEAD.LETTER.QUEUE -t queue -p mq +browse +get +inq +passall +passid +put +set +setall +setid +chg +clr +dlt +dsp
setmqaut -m WT44 -n SYSTEM.CHANNEL.INITQ -t queue -p mq +browse +get +inq +passall +passid +put +set +setall +setid +chg +clr +dlt +dsp
setmqaut -m WT44 -n SYSTEM.CHANNEL.SYNCQ -t queue -p mq +browse +get +inq +passall +passid +put +set +setall +setid +chg +clr +dlt +dsp
setmqaut -m WT44 -n SYSTEM.ADMIN.QMGR.EVENT -t queue -p mq +browse +get +inq +passall +passid +put +set +setall +setid +chg +clr +dlt +dsp
setmqaut -m WT44 -n SYSTEM.ADMIN.PERFM.EVENT -t queue -p mq +browse +get +inq +passall +passid +put +set +setall +setid +chg +clr +dlt +dsp
setmqaut -m WT44 -n SYSTEM.ADMIN.CHANNEL.EVENT -t queue -p mq +browse +get +inq +passall +passid +put +set +setall +setid +chg +clr +dlt +dsp
setmqaut -m WT44 -n SYSTEM.CLUSTER.TRANSMIT.QUEUE -t queue -p mq +browse +get +inq +passall +passid +put +set +setall +setid +chg +clr +dlt +dsp
setmqaut -m WT44 -n SYSTEM.CLUSTER.COMMAND.QUEUE -t queue -p mq +browse +get +inq +passall +passid +put +set +setall +setid +chg +clr +dlt +dsp
setmqaut -m WT44 -n SYSTEM.CLUSTER.REPOSITORY.QUEUE -t queue -p mq +browse +get +inq +passall +passid +put +set +setall +setid +chg +clr +dlt +dsp
setmqaut -m WT44 -n SYSTEM.PENDING.DATA.QUEUE -t queue -p mq +browse +get +inq +passall +passid +put +set +setall +setid +chg +clr +dlt +dsp
setmqaut -m WT44 -n SYSTEM.DEFAULT.LOCAL.QUEUE -t queue -p mq +crt
Of course you need to change the WT44 and the mq user!!
Sorry for the layout!
Reconda
Posted: Fri Dec 12, 2003 6:33 am
Hi,
You can check out our QN-AppWatch for MQ solution. It was designed to address the exact issues you have described.
QN-AppWatch for MQ is a web-based solution specifically designed to allow cost-effective development, testing and troubleshooting of MQ applications. Installed on a single server and accessed via a standard browser, it provides:
- A secure "project" environment for MQ development, testing and support
- Management of MQ objects on any platform including the mainframe and AS/400 through a web-based front end
- Single server install, NO clients or agents need to be deployed on the servers running MQ or on users' desktops
- Decreased administrator support time
- Faster and more cost-efficient roll-out of MQ & WMQI applications into production
- Provides developers with the ability to resolve their own MQ testing problems with secure access to only their queue and channel information
- Complements current monitoring tools like Candle, BMC and Tivoli
Although not a free solution, it is very reasonably priced and can be up and running in a matter of hours.
More information can be found @ www.reconda.com
PeterPotkay
Posted: Fri Dec 12, 2003 10:52 am
KlaasBaas,
I'm afraid I don't follow you. You seem to have given the user "mq" all rights that are allowed to all the SYSTEM queues. How does this allow you to only put/browse another queue?
By the way, you could have accomplished all your listed commands with just the below:
Code:
setmqaut -m WT44 -n SYSTEM.*.*.* -t queue -p mq +all
setmqaut -m WT44 -n SYSTEM.*.* -t queue -p mq +all
_________________
Peter Potkay
Keep Calm and MQ On
HugoB
Posted: Wed Dec 17, 2003 6:16 am
Peter,
Yes, the wildcards will only work from 5.3.
And yes, the +all will probably replace all my redundant flags.
But the reason you need to give all these authorisations to those system queues is that it is needed if you want to use MQExplorer for a user that is not a member of mqm but given just a few authorisation flags for a specific queue. In combination, of course, with remote management.
For instance only browse and get authorities.
I did some tests with the trace mode on, and then in the trace you see that the MQExplorer needs most if not all those system queues.
For instance, you have a user PETER, that is not a member of mqm.
And you want to give him the rights to create a queue on a remote queue manager. Then you need to give this user, apart from the proper rights, also the right of +dsp on the SYSTEM.DEFAULT.MODEL.QUEUE.
In other words, next to giving all those rights to the SYSTEM.* queues, you need to set the proper flags too for the specific queue you want the non-mqm-member user to put/get from.
It may sound like bollox, it may need some tuning even, but it appears to work in my case. Not that I'm too happy and confident with this solution though.
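Two checks for the authorisation approach HugoB describes and the generic profiles JasonE and Peter use, written as an added example for this thread (not IBM code, and not code from any poster). The first implements the OAM generic-profile matching rules as I read them for 5.3 ('?' one character, '*' zero or more characters within one qualifier, '**' as a whole qualifier zero or more qualifiers; corner cases with empty qualifiers are not modelled and the rules should be confirmed against the documentation for your release) and uses them to show which of the explicit SYSTEM queues in HugoB's list Peter's two wildcard profiles actually cover, and why he needed both. The second parses dspmqaut output and reports any entity/profile pair holding more than a read-only set, where "read-only" (connect, inq, dsp, browse) is this example's own definition of a viewer; the dspmqaut text is constructed in the format the command prints, not captured from a real queue manager.

```python
"""Generic-profile coverage and read-only audit for MQ OAM authorizations.

Added example for this thread, not IBM code.  Matching rules as I read the
5.3 OAM documentation: '?' one character, '*' zero or more characters
within a qualifier, '**' (a whole qualifier) zero or more qualifiers.
Corner cases with empty qualifiers are not modelled.
"""
import re


def _qualifier_regex(q):
    """Regex for one profile qualifier: '*' and '?' never cross a period."""
    parts = ("[^.]*" if c == "*" else "[^.]" if c == "?" else re.escape(c) for c in q)
    return re.compile("^" + "".join(parts) + "$")


def profile_matches(profile, name):
    """True if an OAM generic profile covers the given object name."""
    pq, nq = profile.split("."), name.split(".")

    def rec(i, j):
        if i == len(pq):
            return j == len(nq)
        if pq[i] == "**":                       # zero or more whole qualifiers
            return any(rec(i + 1, k) for k in range(j, len(nq) + 1))
        return (j < len(nq) and _qualifier_regex(pq[i]).match(nq[j]) is not None
                and rec(i + 1, j + 1))

    return rec(0, 0)


def uncovered(names, profiles):
    """Object names that none of the profiles match (in input order)."""
    return [n for n in names if not any(profile_matches(p, n) for p in profiles)]


# The explicit SYSTEM queues from HugoB's setmqaut list earlier in the thread.
HUGOB_QUEUES = [
    "SYSTEM.DEFAULT.LOCAL.QUEUE", "SYSTEM.DEFAULT.MODEL.QUEUE",
    "SYSTEM.DEFAULT.ALIAS.QUEUE", "SYSTEM.DEFAULT.REMOTE.QUEUE",
    "SYSTEM.DEFAULT.INITIATION.QUEUE", "SYSTEM.ADMIN.COMMAND.QUEUE",
    "SYSTEM.CICS.INITIATION.QUEUE", "SYSTEM.MQSC.REPLY.QUEUE",
    "SYSTEM.DEAD.LETTER.QUEUE", "SYSTEM.CHANNEL.INITQ", "SYSTEM.CHANNEL.SYNCQ",
    "SYSTEM.ADMIN.QMGR.EVENT", "SYSTEM.ADMIN.PERFM.EVENT",
    "SYSTEM.ADMIN.CHANNEL.EVENT", "SYSTEM.CLUSTER.TRANSMIT.QUEUE",
    "SYSTEM.CLUSTER.COMMAND.QUEUE", "SYSTEM.CLUSTER.REPOSITORY.QUEUE",
    "SYSTEM.PENDING.DATA.QUEUE",
]

# --- dspmqaut audit ---------------------------------------------------------

ENTITY_LINE = re.compile(r"Entity (\S+) has the following authorizations for object (\S+):")

# Authorities a viewer may hold (this example's policy).  'get' is absent on
# purpose: a destructive get empties the queue, browse does not.
READ_ONLY = frozenset({"connect", "inq", "dsp", "browse"})


def parse_dspmqaut(text):
    """{(entity, profile): set of authorities} from concatenated dspmqaut output."""
    auths, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTITY_LINE.match(line)
        if m:
            key = (m.group(1), m.group(2))
            auths[key] = set()
        elif key is not None and line:
            auths[key].add(line)
    return auths


def write_capable(auths):
    """Entity/profile pairs holding anything outside READ_ONLY, with the excess."""
    return {k: sorted(v - READ_ONLY) for k, v in auths.items() if v - READ_ONLY}


# Constructed dspmqaut output (the format the command prints); not real data.
SAMPLE_DSPMQAUT = """\
Entity viewer has the following authorizations for object **:
        browse
        dsp
        inq
Entity person@domain has the following authorizations for object **:
        get
        browse
        put
        inq
        set
        dlt
        chg
        dsp
        clr
"""

if __name__ == "__main__":
    print("not covered by SYSTEM.*.* alone:", uncovered(HUGOB_QUEUES, ["SYSTEM.*.*"]))
    print("not covered by both profiles:", uncovered(HUGOB_QUEUES, ["SYSTEM.*.*.*", "SYSTEM.*.*"]))
    for (entity, profile), excess in write_capable(parse_dspmqaut(SAMPLE_DSPMQAUT)).items():
        print(f"{entity} on {profile} is not read-only: {' '.join(excess)}")
```

The coverage check is why Peter needed two lines: `SYSTEM.*.*` only reaches the three-qualifier names (SYSTEM.CHANNEL.INITQ, SYSTEM.CHANNEL.SYNCQ) and `SYSTEM.*.*.*` only the four-qualifier ones, whereas `SYSTEM.**` would cover all of them with one profile. The audit is meant to be run over the concatenated `dspmqaut` output for every profile a supposedly browse-only user holds, which is the quickest way to see whether a "viewer" that was bootstrapped with `+all` on the SYSTEM queues is still anything of the sort.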
lanny boy
Posted: Thu Apr 07, 2005 2:31 am
Sorry to reopen such an old thread!
I am having a problem adding a remote user who is not in the mqm group. I can add the user and the following privileges for queues by running the commands below:
Code:
C:\>setmqaut -m MQ1 -n ** -t q +all -p person@domain
The setmqaut command completed successfully.
C:\>runmqsc MQ1
refresh security
     1 : refresh security
AMQ8560: WebSphere MQ security cache refreshed.
end
     2 : end
One MQSC command read.
No commands have a syntax error.
All valid MQSC commands were processed.
C:\>dspmqaut -m MQ1 -n ** -t q -p person@domain
Entity person@domain has the following authorizations for object **:
        get
        browse
        put
        inq
        set
        dlt
        chg
        dsp
        passid
        passall
        setid
        setall
        clr
However I need this person to have crt authority as well, but I can't get it.
I have also tried, as suggested in this thread, putting +all after the -p person@domain:
Code:
setmqaut -m WT44 -n SYSTEM.*.*.* -t queue -p mq +all
setmqaut -m WT44 -n SYSTEM.*.* -t queue -p mq +all
setmqaut -m MQ1 -n ** -t q +crt -p person@domain
I still can't get the crt permission to show when I display mqaut.
Any ideas?
Lanny boy
lanny boy
Posted: Thu Apr 07, 2005 2:36 am
BTW I am on MQ 5.3 CSD 9 for Windows.
Carla Viragh
Posted: Thu May 17, 2007 12:47 pm
Hello everybody,
Sorry to bring up an old post.
This was the closest I found to my question.
Here everybody talks about MQExplorer to admin remote QMs. I'm reading Kolban's doc right now...
I'm trying to set permissions on a QM (Windows box) so a user can just view the queues and channels (this is not remote admin), but when the user logs on to Windows, he is not able to open the queue manager, even if I give all permissions (+all, +alladm, +crt). I could see that these permissions are the same as when we insert the user in the mqm group, but if I do that, the user has full access.
Is there a way to set permissions for a user just as a viewer? Once again... I'm trying to set up local administration; remote admin is a second step.
Thank you! (And if there is a post that I didn't find, please let me know.)
_________________
Carla Viragh
zpat
Posted: Thu May 17, 2007 1:06 pm
Carla Viragh
Posted: Fri May 18, 2007 4:50 am
Thank you very much for your reply, but this doc is for WMQ Explorer V6 and mine is V5.3.
I'll try it and come back later to tell you if it's working.
_________________
Carla Viragh
zpat
Posted: Fri May 18, 2007 5:46 am
MQ v6 Explorer works fine against v5.3 queue managers (non z/OS).
I would suggest using it on your desktop, as it is much better at working over client connections than previous incarnations. Also it is much more suited to the "read only" purpose as described here.