thornga
Posted: Tue Dec 04, 2007 5:37 am Post subject: MQ Explorer Security
Newbie
Joined: 05 Nov 2004 Posts: 6
Hi,
I have successfully managed to use the MQV6 MQ Explorer as a read only viewer to my Solaris SPARC server. Note I am using both the latest version of Server on Solaris and Explorer/client on Doz
http://hursleyonwmq.wordpress.com/2007/02/08/using-websphere-mq-explorer-as-a-read-only-viewer/
This is useful for production. However I cannot seem to be able to create new channels and objects via Explorer (I can alter them) although I believe I have made all the necessary setmqaut statements:
setmqaut -m QMGR -t qmgr -g mqadmindev +all
setmqaut -m QMGR -n SYSTEM.DEFAULT.MODEL.QUEUE -t queue -g mqadmindev +browse +get +inq
setmqaut -m QMGR -n SYSTEM.ADMIN.COMMAND.QUEUE -t queue -g mqadmindev +browse +get +inq +put
setmqaut -m QMGR -n 'SYSTEM.MQEXPLORER.**' -t queue -g mqadmindev +all
setmqaut -m QMGR -n '**' -t queue -g mqadmindev +all
setmqaut -m QMGR -n '**' -t channel -g mqadmindev +chg +dlt +dsp +ctrl +ctrlx
setmqaut -m QMGR -n '**' -t process -g mqadmindev +inq +set +chg +dlt +dsp
setmqaut -m QMGR -n '**' -t listener -g mqadmindev +chg +dlt +dsp +ctrl
setmqaut -m QMGR -n '**' -t clntconn -g mqadmindev +chg +dlt +dsp
setmqaut -m QMGR -n '**' -t service -g mqadmindev +chg +dlt +dsp +ctrl
setmqaut -m QMGR -n '**' -t namelist -g mqadmindev +inq +chg +dlt +dsp
setmqaut -m QMGR -n '**' -t authinfo -g mqadmindev +inq +chg +dlt +dsp
If I have max security to the QMGR and all queues '**' why can I not create new objects? I have read all the other forums and I cannot see any tips.
I know I can use the MS0R security exit to map users to 'mqm' etc,
but I would have thought this was achievable. Any help would be appreciated.
thanks Gary
JosephGramig
Posted: Tue Dec 04, 2007 6:23 am Post subject:
Grand Master
Joined: 09 Feb 2006 Posts: 1244 Location: Gold Coast of Florida, USA
What ID is in the MCAUSER of the channel you are using to connect with?
And what permission does that ID have (include the groups)?
_________________
Joseph
Administrator - IBM WebSphere MQ (WMQ) V6.0, IBM WebSphere Message Broker (WMB) V6.1 & V6.0
Solution Designer - WMQ V6.0
Solution Developer - WMB V6.1 & V6.0, WMQ V5.3
thornga
Posted: Tue Dec 04, 2007 7:22 am Post subject:
Newbie
Joined: 05 Nov 2004 Posts: 6
Hi,
I am setting the user ID to mqadmind in the SVRCONN channel. The principal group of this user is mqadmindev as detailed in the setmqaut commands.
thanks
Gary
JosephGramig
Posted: Tue Dec 04, 2007 7:55 am Post subject:
Grand Master
Joined: 09 Feb 2006 Posts: 1244 Location: Gold Coast of Florida, USA
Hmmm, I will have to try this to see what, if anything, you are missing.
Did you refresh security?
You know that if you are not restricting the inbound IPs, then this allows anonymous administration. Even so, those IPs allowed in will also have anonymous administration. I hope you trust those machines.
I have tried what you are doing with different permissions for other purposes and it worked well for me.
_________________
Joseph
JosephGramig
Posted: Tue Dec 04, 2007 2:04 pm Post subject:
Grand Master
Joined: 09 Feb 2006 Posts: 1244 Location: Gold Coast of Florida, USA
First, insufficient permissions to use MO72 and probably a lot of other tools. SYSTEM.DEFAULT.MODEL.QUEUE.
No dsp on SYSTEM.ADMIN.COMMAND.QUEUE.
No crt on **. Try adding +alladm.
To see what you do have, try:
amqoamd -s -m QMGR | grep mqadmindev
_________________
Joseph
thornga
Posted: Wed Dec 05, 2007 3:02 am Post subject:
Newbie
Joined: 05 Nov 2004 Posts: 6
Hi,
I have it working now. Basically running
setmqaut -m QMGR -n '**' -t queue -g mqadmindev +all
does not give you crt authority to '**'. When I added in
setmqaut -m QMGR -n '**' -t queue -g mqadmindev +crt
it creates a new profile called
setmqaut -m QMGR -n SYSTEM.DEFAULT.LOCAL.QUEUE -t queue -g mqadmindev +crt
I can only gather that when you use ** as a base generic wildcard you have to grant authority to the default objects, otherwise MQ cannot check access. I still don't understand why +all does not cover this. I have proved it does not by removing access to the '**' profile and SYSTEM.DEFAULT.LOCAL.QUEUE and running setmqaut with +all and +alladm.
BTW I will be using the MS0R SupportPac filter by user ID and IP.
Thanks for your help.
Gary
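Added example (not code from the thread or from IBM): a small Python audit over the setmqaut lines that `amqoamd -s -m QMGR` prints, checking the gaps Joseph and Gary identified above (no +dsp on SYSTEM.ADMIN.COMMAND.QUEUE, no +crt on the queue '**' profile). The sample output is constructed, and treating +all/+alladm/+allmqi as not including crt follows Gary's finding rather than any documented guarantee.

```python
"""Audit the setmqaut lines that 'amqoamd -s -m QMGR' prints for one group.
Added example, not code from the thread. The sample output below is constructed."""
import shlex
from collections import defaultdict

# Assumption (matches Gary's finding): these keywords expand to the members
# listed here, and none of them includes crt.
ALLADM = {"chg", "clr", "dlt", "dsp", "ctrl", "ctrlx"}
ALLMQI = {"altusr", "browse", "connect", "get", "inq", "put", "set", "setall", "setid"}
EXPAND = {"all": ALLADM | ALLMQI, "alladm": ALLADM, "allmqi": ALLMQI}

def parse_amqoamd(text):
    """Map (object type, profile name, group or principal) -> set of individual authorities."""
    auths = defaultdict(set)
    for line in text.splitlines():
        tok = shlex.split(line)  # strips the quotes around '**'
        if not tok or tok[0] != "setmqaut":
            continue
        opts = {tok[i]: tok[i + 1] for i in range(1, len(tok) - 1) if tok[i].startswith("-")}
        key = (opts["-t"], opts.get("-n", ""), opts.get("-g") or opts.get("-p"))
        for word in tok:
            if word.startswith("+"):
                auths[key] |= EXPAND.get(word[1:], {word[1:]})
    return dict(auths)

def explorer_admin_gaps(text, group):
    """Return the gaps the thread turned up for the group, as short strings."""
    auths = parse_amqoamd(text)
    def have(otype, name):
        return auths.get((otype, name, group), set())
    gaps = []
    if "connect" not in have("qmgr", ""):
        gaps.append("qmgr: no +connect")
    if "dsp" not in have("queue", "SYSTEM.ADMIN.COMMAND.QUEUE"):
        gaps.append("SYSTEM.ADMIN.COMMAND.QUEUE: no +dsp")
    if "crt" not in have("queue", "**"):
        gaps.append("queue '**': no +crt (+all does not grant it)")
    return gaps

# Constructed sample of amqoamd -s output mirroring the grants in the thread.
SAMPLE = """\
setmqaut -m QMGR -t qmgr -g mqadmindev +all
setmqaut -m QMGR -n SYSTEM.ADMIN.COMMAND.QUEUE -t queue -g mqadmindev +browse +get +inq +put
setmqaut -m QMGR -n '**' -t queue -g mqadmindev +all
setmqaut -m QMGR -n '**' -t channel -g mqadmindev +chg +dlt +dsp +ctrl +ctrlx
"""
FIXED = SAMPLE + "setmqaut -m QMGR -n '**' -t queue -g mqadmindev +crt\n"

if __name__ == "__main__":
    for label, txt in (("before", SAMPLE), ("after +crt", FIXED)):
        print(label, explorer_admin_gaps(txt, "mqadmindev"))
```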
JosephGramig
Posted: Wed Dec 05, 2007 5:44 am Post subject:
Grand Master
Joined: 09 Feb 2006 Posts: 1244 Location: Gold Coast of Florida, USA
np
MS0R is good but you are still trusting everybody who can log on to that box with the IP you are allowing in. If it is a Windows box, all bets are off as security is always suspect in that platform (imho).
You could make two (for redundancy) Linux machines that only the Admin staff can log on to as the Service machines. Then use an xserver at your machine and Admin the MQ network from there. Then you would only have to maintain a few machines with all the cool tools to make your job easier.
btw, I turned on Admin events and could see the specific failures in the System event console. You can also use MO01 or MS0P for Eclipse.
_________________
Joseph
oz1ccg
Posted: Wed Dec 05, 2007 7:13 am Post subject:
Yatiri
Joined: 10 Feb 2002 Posts: 628 Location: Denmark
You can use the authentication in MS0R version 1.40+ using the small popup, so you actually know who is connecting and have the right userid, or let MS0R assign a proxy user to ease the administration.... And not just someone tampering with your system.
This should also make it possible to distinguish between administrators and users....
-- Lock it or Lose it --
_________________
Regards, Jørgen
Home of BlockIP2, the last free MQ Security exit ver. 3.00
Cert. on WMQ, WBIMB, SWIFT.