| Author |
Message
|
| Poornalatha Amirthalingam |
 Posted: Tue May 13, 2008 12:34 am Post subject: Replacement for MQSeries - Put message utility |
 |
|
Newbie
Joined: 13 Feb 2008
Posts: 2
|
Hello,
We require a tool to put messages into specific MQ queues, which also has user authentication.
Currently we are using the tool that IBM provided as free tool, MA0J: MQSeries - Put message (MQPUT) utility for manually putting messages into MQ queues. But this has no user authentication nor is access to queues restricted.
We need user authentication for our audit purpose.
Can anyone suggest any other tool with user authentication to put messages into specific MQ queues?
Thanks & Regards
Latha |
|
| Back to top |
|
 |
| Gaya3 |
| Posted: Tue May 13, 2008 12:41 am Post subject: |
|
|
Jedi
Joined: 12 Sep 2006
Posts: 2493
Location: Boston, US
|
Try out RFHUTIL , its having an option to set user ID
Regards
Gayathri
_________________
Regards
Gayathri
-----------------------------------------------
Do Something Before you Die
Last edited by Gaya3 on Tue May 13, 2008 12:42 am; edited 1 time in total |
|
| Back to top |
|
|
| AkankshA |
| Posted: Tue May 13, 2008 12:41 am Post subject: |
|
|
Grand Master
Joined: 12 Jan 2006
Posts: 1494
Location: Singapore
|
IH03 support pack might be of help...
_________________
Cheers |
|
| Back to top |
|
|
| fjb_saper |
| Posted: Tue May 13, 2008 3:25 am Post subject: |
|
|
Grand High Poobah
Joined: 18 Nov 2003
Posts: 20756
Location: LI,NY
|
I don't think this is the answer he is looking for.
You would really need to secure the qmgr.
Use mcauser on the channel and SSL.
This is about the only way that you can ensure that the user is who he says he is... or go for one of the commercial authentication user exits...
Enjoy 
_________________
MQ & Broker admin |
|
| Back to top |
|
|
| bruce2359 |
| Posted: Tue May 13, 2008 7:02 am Post subject: |
|
|
Poobah
Joined: 05 Jan 2008
Posts: 9469
Location: US: west coast, almost. Otherwise, enroute.
|
| Quote: |
| But this has no user authentication nor is access to queues restricted. |
Application programs (whether IBM-supplied or locally written) run with the authority of the user/group that causes the program to execute.
You need to set authority for your organization. Read the WMQ Security manual and the WMQ System Administration manual SETMQAUT section.
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live. |
|
| Back to top |
|
|
| Poornalatha Amirthalingam |
| Posted: Tue May 13, 2008 11:35 pm Post subject: |
|
|
Newbie
Joined: 13 Feb 2008
Posts: 2
|
Thanks All.
We need the replacement of MQPUT utility. Just to put manual messages into queue. For our requirement, MQPUT utility itself is enough.
From audit point, there is no track on who is putting manual messages using MQPUT utility.
Does RFHUtil help us? |
|
| Back to top |
|
|
| Vitor |
| Posted: Tue May 13, 2008 11:55 pm Post subject: |
|
|
Grand High Poobah
Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA
|
| Poornalatha Amirthalingam wrote: |
| Does RFHUtil help us? |
AFAIK none of the support pacs audit.
_________________
Honesty is the best policy.
Insanity is the best defence. |
|
| Back to top |
|
|
| bruce2359 |
| Posted: Wed May 14, 2008 7:04 pm Post subject: |
|
|
Poobah
Joined: 05 Jan 2008
Posts: 9469
Location: US: west coast, almost. Otherwise, enroute.
|
| Quote: |
| From audit point, there is no track on who is putting manual messages using MQPUT utility. |
There is no automatic audit-trail capability in WMQ. Prior responses to your post tried to explain this.
This has nothing to do with the MQPUT utility at all. Prior responses to your post also tried to explain that this has all to do with the basic assumption that you/your organization has granted authority (by OAM or whatever o/s-level security) for a user/group to access an application program; and that the user/group has been granted authority to MQCONNect to the queue manager; and that the user/group has been granted authority to MQOPEN the queue.
Are all of your users/groups in the MQM group? In the SYSADMIN (root)group? If so, then all your users/groups have absolute authority to do anything they want.
Please read the WMQ Security manual to get an understanding of what needs to be secured, and how to secure what needs to be secured.
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live. |
|
| Back to top |
|
|
| bruce2359 |
| Posted: Thu May 15, 2008 9:17 am Post subject: |
|
|
Poobah
Joined: 05 Jan 2008
Posts: 9469
Location: US: west coast, almost. Otherwise, enroute.
|
One other comment that may help explain this:
WMQ internal components AND supplied utilities make use of the same 13 native calls (MQCONN, MQCONNX, MQDISC, MQOPEN, MQCLOSE, MQGET, MQPUT, MQPUT1, MQINQ, MQSET, MQGEGIN, MQCMIT, MQBACK).
This means that there is nothing magic that allows an IBM-supplied utility to circumvent o/s-level security. Security will be consistently applied to all applications.
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live. |
|
| Back to top |
|
|
| zpat |
| Posted: Thu May 13, 2010 5:54 am Post subject: |
|
|
Jedi Council
Joined: 19 May 2001
Posts: 5866
Location: UK
|
MA0J, like many Java applications, connects to MQ with a Blank Userid.
Anyone know a way to overcome this?
Anyone have the source code? |
|
| Back to top |
|
|
| fatherjack |
| Posted: Thu May 13, 2010 6:15 am Post subject: |
|
|
Knight
Joined: 14 Apr 2010
Posts: 522
Location: Craggy Island
|
Is the requirement here to 'authenticate' the user who is trying to put messages on a queue or to provide an 'audit' trail of who's put what on a queue.
The original post suggested authentication was your requirement but a later one suggest its an audit trail you're after.
_________________
Never let the facts get in the way of a good theory. |
|
| Back to top |
|
|
| mvic |
| Posted: Thu May 13, 2010 6:38 am Post subject: |
|
|
Jedi
Joined: 09 Mar 2004
Posts: 2080
|
| fatherjack wrote: |
Is the requirement here to 'authenticate' the user who is trying to put messages on a queue or to provide an 'audit' trail of who's put what on a queue.
The original post suggested authentication was your requirement but a later one suggest its an audit trail you're after. |
Note this 2-year old thread was re-started for no obvious reason.
zpat, was it your intention to post on an old thread? |
|
| Back to top |
|
|
| fatherjack |
| Posted: Thu May 13, 2010 6:45 am Post subject: |
|
|
Knight
Joined: 14 Apr 2010
Posts: 522
Location: Craggy Island
|
| mvic wrote: |
| Note this 2-year old thread was re-started for no obvious reason. |
Oh yeah - didn't spot that. Ignore my question. Just having one of my more senile moments.
_________________
Never let the facts get in the way of a good theory. |
|
| Back to top |
|
|
| mqjeff |
| Posted: Thu May 13, 2010 7:35 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008
Posts: 17447
|
If MA0J doesn't come with source code, it's highly unlikely it still exists anywhere... It hasn't been updated since 2002!
Easiest way to "resolve" the blank id that MA0J produces is to set an MCAUSER on the channel it talks through. |
|
| Back to top |
|
|
| zpat |
| Posted: Thu May 13, 2010 10:36 am Post subject: |
|
|
Jedi Council
Joined: 19 May 2001
Posts: 5866
Location: UK
|
Why start a new thread when an old one on the same issue will do - I thought people were supposed to use the search facility?
I am now blocking all blank connections to MQ, so MA0J doesn't work and (believe it or not) some department has been using this program for business purposes to inject messages
Setting MCAuser is one option but then anyone who happens to know the channel name can use it. There are too many users for restricting the client by IP address. But I need some form of authentication. |
|
| Back to top |
|
|
|
|
