| Author |
Message
|
| stsm |
 Posted: Tue Aug 28, 2007 2:43 am Post subject: TX User |
 |
|
Novice
Joined: 27 Aug 2007
Posts: 10
|
Hi.
I have a java application running under was 6.0 (unix) that uses MQ Bridge (with OTMA headers) to link with IMS. When a message arrives to this IMS , it automatically executes a TX.
This TX in the host was set up to be executed as "XXX" user. If the java application doesn't inform a user, the TX arrives host with "Was" user but this user isn't defined in the TX at Host and I recibe a security error.
Otherwise, If I indicate the user, the following QManager error appears in Java :
| Code: |
// Create a queue connection.
QueueConnection conn = qcf.createQueueConnection(userID,password);
<exception>
javax.jms.JMSSecurityException: MQJMS2013: invalid security authentication
supplied for MQQueueManager
at
com.ibm.mq.jms.MQXAQueueConnectionFactory.createXAQueueConnection(MQXAQueueConnectionFactory.java:158)
at
com.ibm.ejs.jms.JMSManagedQueueConnection.createConnection(JMSManagedQueueConnection.java:183)
at
com.ibm.ejs.jms.JMSManagedConnection.<init>(JMSManagedConnection.java:283)
at
com.ibm.ejs.jms.JMSManagedQueueConnection.<init>(JMSManagedQueueConnection.java:71)
[...] |
My question is: how could we use an "XXX" user from a Java application under WAS 6.0, distinct from the user "was" whom the QManager returns us the security exceptions? |
|
| Back to top |
|
 |
| RogerLacroix |
| Posted: Tue Aug 28, 2007 9:59 am Post subject: Re: TX User |
|
|
Jedi Knight
Joined: 15 May 2001
Posts: 3264
Location: London, ON Canada
|
| stsm wrote: |
| My question is: how could we use an "XXX" user from a Java application under WAS 6.0, distinct from the user "was" whom the QManager returns us the security exceptions? |
Hi,
You define UserId "XXX" at the host where the queue manager is located and then use setmqaut to apply the appropriate rules.
Regards,
Roger Lacroix
Capitalware Inc.
_________________
Capitalware: Transforming tomorrow into today.
Connected to MQ!
Twitter |
|
| Back to top |
|
|
| stsm |
| Posted: Wed Aug 29, 2007 7:29 am Post subject: |
|
|
Novice
Joined: 27 Aug 2007
Posts: 10
|
Roger
We have revised the QManager configuration and we find it correct.
| Code: |
dspmqaut -m QManager -t qmgr -p XXX
Entity XXX has the following authorizations for object QManager:
inq
connect
dspmqaut -m QManager -n QUEUE -t q -p XXX
Entity XXX has the following authorizations for object QUEUE:
put |
The problem is that it uses the queue from a java application / jms in a was 6.0 environment under AIX.
If we user the following code:
| Code: |
QueueConnection conn = qcf.createQueueConnection(userID,password);
javax.jms.JMSSecurityException: MQJMS2013: invalid security authentication
supplied for MQQueueManager
at
com.ibm.mq.jms.MQXAQueueConnectionFactory.createXAQueueConnection(MQXAQueueConnectionFactory.java:158)
at
com.ibm.ejs.jms.JMSManagedQueueConnection.createConnection(JMSManagedQueueConnection.java:183)
at
com.ibm.ejs.jms.JMSManagedConnection.<init>(JMSManagedConnection.java:283)
at
com.ibm.ejs.jms.JMSManagedQueueConnection.<init>(JMSManagedQueueConnection.java:71)
[...] |
If we use:
| Code: |
| QueueConnection conn = qcf.createQueueConnection(); |
works fine because the invocation arrives to QManager from the user Was in the JVM in Java/JMS
But then, the TX at Host can't be executed because the user Was hasn't got execution permissions for the TX
The user that executes this TX must always be "XXX", never the user Was.
Currently, temporally, the user was has been set up to execute the TX at Host but that's not the final solution, te correct user should be XXX.
|
|
| Back to top |
|
|
| jefflowrey |
| Posted: Wed Aug 29, 2007 7:47 am Post subject: |
|
|
Grand Poobah
Joined: 16 Oct 2002
Posts: 19981
|
You can use a JAAS alias.
_________________
I am *not* the model of the modern major general. |
|
| Back to top |
|
|
| RogerLacroix |
| Posted: Wed Aug 29, 2007 11:07 am Post subject: |
|
|
Jedi Knight
Joined: 15 May 2001
Posts: 3264
Location: London, ON Canada
|
Hi,
If the SVCONN channel has a blank MCAUSER field and you do the following:
| Code: |
| QueueConnection conn = qcf.createQueueConnection(); |
Then you are actually (unknowingly) exploiting a security hole in MQ. As described here:
http://www.mqseries.net/phpBB2/viewtopic.php?t=17842
Hence, you need to define UserId "XXX" as an AIX UserId (service account) then use the setmqaut to apply the appropriate rules.
Regards,
Roger Lacroix
Capitalware Inc.
_________________
Capitalware: Transforming tomorrow into today.
Connected to MQ!
Twitter |
|
| Back to top |
|
|
| fjb_saper |
| Posted: Wed Aug 29, 2007 2:24 pm Post subject: |
|
|
Grand High Poobah
Joined: 18 Nov 2003
Posts: 20756
Location: LI,NY
|
DO not setup security for the user. Create a group.
In Unix the security gets stored at group level anyway.
So if you set the security for user XXX you're giving user XXX's primary group access.
Did you try?:
| Code: |
| qcf.createQueueConnection("XXX",""); |
And remember this means you have to use a client connection.
A bindings connection will only allow the user running the process.
Enjoy 
_________________
MQ & Broker admin |
|
| Back to top |
|
|
| stsm |
| Posted: Mon Feb 25, 2008 7:51 am Post subject: Finally it works. |
|
|
Novice
Joined: 27 Aug 2007
Posts: 10
|
Hi guys.
Finally it works. I've create a new group in the Unix and configure the security of this group.
Tanks to everyone |
|
| Back to top |
|
|
| fjb_saper |
| Posted: Mon Feb 25, 2008 2:52 pm Post subject: |
|
|
Grand High Poobah
Joined: 18 Nov 2003
Posts: 20756
Location: LI,NY
|
| Quote: |
| We have revised the QManager configuration and we find it correct. |
Just remember that JMS requires more than just put. Usually with JMS you have to add inq at the qlevel as well...
Enjoy 
_________________
MQ & Broker admin |
|
| Back to top |
|
|
|
|
