dzifchock
Posted: Fri May 16, 2008 9:34 am Post subject: Authorization Question
Apprentice
Joined: 21 Feb 2007 Posts: 41
What kind of authorizations are needed when using remote queueing?
I have two qmgrs, QM1 and QM2; QM1 is w2k3 and QM2 is HPUX, both are v6.0.2.2.
Group cms is set up on QM2 with authority to put/inq/browse/setall on a local queue and has connect authority to the qmgr. The receiver channel on QM2 has an mcauserid set to cms.
QM1 has a remote definition of the local queue on QM2 and an xmitq with the name of QM2. I can start up the channels just fine, but as soon as I put a message to the remote definition the channel goes into a retry state and I see the following error on QM2:
05/16/08 13:18:09 - Process(3781.77) User(mqm) Program(amqrmppa_nd)
AMQ9557: Queue Manager User ID initialization failed.
EXPLANATION:
The call to initialize the User ID failed with CompCode 2 and Reason 2035.
ACTION:
Correct the error and try again.
Does the authorization need to be set up on the remote definition on QM1 rather than on the local queue on QM2?
fjb_saper
Posted: Fri May 16, 2008 2:10 pm
Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
If you set mcauser 'cms' on the receiver chl, the system hosting the qmgr needs to have a user cms defined...
Enjoy
_________________
MQ & Broker admin
dzifchock
Posted: Fri May 16, 2008 2:59 pm
Apprentice
Joined: 21 Feb 2007 Posts: 41
The user cms is defined at the OS level and its primary group is cms. All the user should need is connect/inq/setall/set to connect to the qmgr and put authority to the local queue. I don't get what I'm missing.
fjb_saper
Posted: Fri May 16, 2008 9:05 pm
Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
dzifchock wrote:
> The user cms is defined at the OS level and its primary group is cms. All the user should need is connect/inq/setall/set to connect to the qmgr and put authority to the local queue. I don't get what I'm missing.
Show us your setmqaut commands...
_________________
MQ & Broker admin
dzifchock
Posted: Mon May 19, 2008 11:04 am Post subject: setmqaut commands
Apprentice
Joined: 21 Feb 2007 Posts: 41
Here are the commands that I have run:
setmqaut -m QMGRA -n CMS.IN -t queue -g cms -all +put
setmqaut -m QMGRA -t qmgr -g cms -all +connect +inq +set +setall
 |
fjb_saper
Posted: Mon May 19, 2008 1:18 pm Post subject: Re: setmqaut commands
Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
dzifchock wrote:
> Here are the commands that I have run:
> setmqaut -m QMGRA -n CMS.IN -t queue -g cms -all +put
> setmqaut -m QMGRA -t qmgr -g cms -all +connect +inq +set +setall
Give it +inq +put and add those to the qmgr's DLQ as well.
If you are using JMS you have to always add inq.
Enjoy
_________________
MQ & Broker admin
standa
Posted: Tue May 20, 2008 5:51 am Post subject: export MQS_REPORT_NOAUTH=TRUE
Novice
Joined: 08 Sep 2006 Posts: 10 Location: CZECHREP
David.Partridge
Posted: Tue May 20, 2008 11:06 pm
Master
Joined: 28 Jun 2001 Posts: 249
Granting +setall is not in general a good idea. It allows impersonation of who sent a message.
_________________
Cheers,
David C. Partridge
standa
Posted: Thu May 22, 2008 12:18 am Post subject: security risk
Novice
Joined: 08 Sep 2006 Posts: 10 Location: CZECHREP
There is one constraint I didn't write: user 'usr1' cannot be used as a normal application user id while connecting to MQ. User 'usr1' is used _solely_ as mcauser for the receiver channel.
David.Partridge: If in this situation the provided permissions impose a security risk, can you please provide what permissions should be used? In my opinion they are not a sec. risk.
_________________
standa.
dzifchock
Posted: Thu May 22, 2008 5:38 am
Apprentice
Joined: 21 Feb 2007 Posts: 41
Thanks for the replies. The cms user is indeed only used for mcauser. However, after granting the following authorizations, I still cannot successfully pass a message over a channel. These authorizations are set on the receiver side, with the receiver mcauser set to cms.
setmqaut -m qmgra -n CMS.IN -t queue -g cms -all +put +inq +setall
setmqaut -m qmgra -n SYSTEM.DEAD.LETTER.QUEUE -t queue -g cms -all +put +inq +setall
setmqaut -m gmgra -t qmgr -g cms -all +connect +inq +set +setall
I have set export MQS_REPORT_NOAUTH=TRUE and restarted the queue manager; however, it doesn't give me any more information than what I had before. Here is the error that I am receiving on the receiving qmgr:
05/20/08 11:56:05 - Process(20976.4) User(mqm) Program(amqrmppa_nd)
AMQ9557: Queue Manager User ID initialization failed.
EXPLANATION:
The call to initialize the User ID failed with CompCode 2 and Reason 2035.
ACTION:
Correct the error and try again.
This is a unix system and the case matches on the username.
fjb_saper
Posted: Thu May 22, 2008 6:08 pm
Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
dzifchock wrote:
> Thanks for the replies. The cms user is indeed only used for mcauser. However, after granting the following authorizations, I still cannot successfully pass a message over a channel. These authorizations are set on the receiver side, with the receiver mcauser set to cms.
> setmqaut -m qmgra -n CMS.IN -t queue -g cms -all +put +inq +setall
> setmqaut -m qmgra -n SYSTEM.DEAD.LETTER.QUEUE -t queue -g cms -all +put +inq +setall
> setmqaut -m gmgra -t qmgr -g cms -all +connect +inq +set +setall
> I have set export MQS_REPORT_NOAUTH=TRUE and restarted the queue manager; however, it doesn't give me any more information than what I had before. Here is the error that I am receiving on the receiving qmgr:
> 05/20/08 11:56:05 - Process(20976.4) User(mqm) Program(amqrmppa_nd)
> AMQ9557: Queue Manager User ID initialization failed.
> EXPLANATION:
> The call to initialize the User ID failed with CompCode 2 and Reason 2035.
> ACTION:
> Correct the error and try again.
> This is a unix system and the case matches on the username.
Don't use set, don't use setall; unless you know EXACTLY what you are doing...
Try +allmqi and remove what you don't think you need. When it stops working you have removed too much...
_________________
MQ & Broker admin
jefflowrey
Posted: Fri May 23, 2008 3:16 am
Grand Poobah
Joined: 16 Oct 2002 Posts: 19981
fjb_saper wrote:
> Try +allmqi and remove what you don't think you need. When it stops working you have removed too much...
You have this backwards... use -allmqi, and add what you think you need. Once it starts working, stop!
_________________
I am *not* the model of the modern major general.
standa
Posted: Fri May 23, 2008 3:26 am Post subject: export MQS_REPORT_NOAUTH=TRUE
Novice
Joined: 08 Sep 2006 Posts: 10 Location: CZECHREP
I would recommend checking the environment variable. If it's set, it will show what's wrong. (On Windows it shows auth errors out of the box :-/ )
Here is an example of my error log with 'export MQS_REPORT_NOAUTH=TRUE' before strmqm.
QML is my queue manager name.
In this case there is no 'connect' authority. The "unix" system is Linux (SLES).
-------------------------------------------------------------------------------
05/23/08 06:19:25 - Process(3930.4) User(root) Program(amqzlaa0)
AMQ8077: Entity 'usrmqm ' has insufficient authority to access object
'QML'.
EXPLANATION:
The specified entity is not authorized to access the required object. The
following requested permissions are unauthorized: connect
ACTION:
Ensure that the correct level of authority has been set for this entity against
the required object, or ensure that the entity is a member of a privileged
group.
----- amqzfubx.c : 530 --------------------------------------------------------
05/23/08 06:19:25 - Process(3926.4) User(root) Program(amqrmppa)
AMQ9557: Queue Manager User ID initialization failed.
EXPLANATION:
The call to initialize the User ID failed with CompCode 2 and Reason 2035.
ACTION:
Correct the error and try again.
----- amqrmtra.c : 3706 -------------------------------------------------------
_________________
standa.
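As an added example that is not from any poster in this thread, the Python below parses the AMQ8077 records that MQS_REPORT_NOAUTH=TRUE adds to the error log, pulls out the entity, the object and the refused authorities, and turns each into the setmqaut line that grants exactly what was refused; when only the bare AMQ9557 / reason 2035 is present it says so and points at the variable. The sample log is constructed from standa's extract; the queue manager name QML and the use of -p rather than the thread's -g are this example's assumptions.

```python
import re

# Constructed sample, abbreviated from the error log quoted above: the AMQ8077
# record that MQS_REPORT_NOAUTH=TRUE adds, followed by the usual AMQ9557.
SAMPLE_LOG = """\
05/23/08 06:19:25 - Process(3930.4) User(root) Program(amqzlaa0)
AMQ8077: Entity 'usrmqm ' has insufficient authority to access object
'QML'.
EXPLANATION:
The specified entity is not authorized to access the required object. The
following requested permissions are unauthorized: connect
----- amqzfubx.c : 530 --------------------------------------------------------
05/23/08 06:19:25 - Process(3926.4) User(root) Program(amqrmppa)
AMQ9557: Queue Manager User ID initialization failed.
EXPLANATION:
The call to initialize the User ID failed with CompCode 2 and Reason 2035.
----- amqrmtra.c : 3706 -------------------------------------------------------
"""
RECORD_END = re.compile(r"^----- \S+ : \d+ -+$", re.M)   # "source file : line" rule
NOAUTH = re.compile(
    r"AMQ8077: Entity '(?P<entity>[^']*)' has insufficient authority to access "
    r"object\s+'(?P<obj>[^']*)'.*?permissions are unauthorized: (?P<perms>[a-z ]+)",
    re.S)

def parse_noauth(log, qmgr):
    """One finding per AMQ8077 record: entity, object and the refused authorities."""
    findings = []
    for record in RECORD_END.split(log):
        m = NOAUTH.search(record)
        if not m:
            continue
        entity = m.group("entity").strip()      # MQ pads the name with blanks
        obj = m.group("obj").strip()
        perms = m.group("perms").split()
        objtype = "qmgr" if obj == qmgr else "queue"
        cmd = ["setmqaut", "-m", qmgr, "-t", objtype]
        if objtype == "queue":
            cmd += ["-n", obj]
        # Assumption: -p is used here; the thread grants to the group with -g
        # (on v6 UNIX a -p grant lands on the principal's primary group anyway).
        cmd += ["-p", entity] + ["+" + p for p in perms]
        findings.append({"entity": entity, "object": obj, "perms": perms,
                         "setmqaut": " ".join(cmd)})
    return findings

def triage(log, qmgr):
    """Findings, plus a hint when only the opaque AMQ9557 / reason 2035 is present."""
    findings = parse_noauth(log, qmgr)
    hint = ("2035 with no AMQ8077 record: export MQS_REPORT_NOAUTH=TRUE before strmqm and retry"
            if "Reason 2035" in log and not findings else None)
    return findings, hint
```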
T.Rob
Posted: Fri May 23, 2008 4:12 am Post subject: Re: Authorization Question
Acolyte
Joined: 16 Oct 2001 Posts: 56 Location: Charlotte, NC
The prescribed method here is to create an ID and group. The group has only the one service ID in it. The service ID is a non-login ID and its primary and only group is the one we just created. So in UNIX terms you have ID:group = cms:cms. So far, so good.
The next thing is to set the permissions for the MCAUSER to connect:
setmqaut -m QM2 -g cms -t qmgr -all +connect +inq +set +setall
In this case whether you use JMS has nothing to do with it because it is the MCA that is doing the inquire. That is how it finds out the name of the DLQ. Again, so far, so good.
Next you need permissions to put the message on the queue:
setmqaut -m QM2 -g cms -n 'CMS.IN' -t queue -all +put +setall
The +setall allows the MCA to set the fields in the MQMD such as the User ID and the time stamp to match the values from QM1. This is what I believe that you are missing.
To address another concern from the thread, as long as the MCAUSER is the *only* thing using the cms service account, we like +setall. It is the only way that the MCA can create the message header to match the values of the message on the originating QMgr. And we know that the MCA will never do anything but connect, inquire and put.
Does that help?
By the way, in my article I gave +allmqi permissions for an MCAUSER and I now regret that. It is almost impossible to get a developerWorks article updated though. In any new articles or presentations I am telling people not to use the generic authorizations at all. Instead, use +connect +inq for the QMgr.
_________________
-- T.Rob
Voice/SMS 704-443-TROB (8762)
https://t-rob.net
https://linkedin.com/in/tdotrob
@tdotrob on Twitter
PeterPotkay
Posted: Fri May 23, 2008 7:11 am Post subject: Re: Authorization Question
Poobah
Joined: 15 May 2001 Posts: 7722
T.Rob wrote:
> The next thing is to set the permissions for the MCAUSER to connect:
> setmqaut -m QM2 -g cms -t qmgr -all +connect +inq +set +setall
I think you'll find that you can omit +set. I don't use it for this scenario and it works fine. You do need the other 3 though.
_________________
Peter Potkay
Keep Calm and MQ On