JKulcyk |
Posted: Mon Apr 27, 2009 5:38 am Post subject: Is there a way to pass an alternate ID to saveqmgr? |
|
|
Novice
Joined: 24 Apr 2009 Posts: 16
|
I am trying to get queue data using saveqmgr on remote systems where my id does not exist or does not have the correct authority. Is there a way to pass it a different ID to use on the remote system? This is especially true trying to go to a zOS system where my user ID is different than my Windows/Linux one. Thanks!
meaton78 |
Posted: Mon Apr 27, 2009 5:59 am Post subject: |
|
|
Centurion
Joined: 16 Oct 2008 Posts: 100
|
Could you create a local user on your workstation with the same name as your other account and do a "contact admin" with that account? I've never had a need to try and it might be passed as workstation/user which would not work. |
mqjeff |
Posted: Mon Apr 27, 2009 6:18 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008 Posts: 17447
|
The typical way to do this is to use MCAUSER() on the channel you're using to talk to the remote qmgr.
This is one reason that the client version supports SSL, so that a channel with MCAUSER(mqm) can be secured using SSLPEER and anyone who is not allowed to become mqm can be locked out of this channel.
Otherwise, no, there's no way to control the user from within saveqmgr or with options provided to saveqmgr. Saveqmgr is a C program (you can tell this from the source that's included) and C programs always present the OS level user id running them to the qmgr they are connecting to. |
PeterPotkay |
Posted: Mon Apr 27, 2009 7:22 am Post subject: |
|
|
 Poobah
Joined: 15 May 2001 Posts: 7722
|
saveqmgrc also supports Security Exits. That's how we ensure only our instance of MS03 can connect to the MS03 specific SVRCONN channel I have on each QM. That channel then has an MCAUSER that allows it the access it needs. _________________ Peter Potkay
Keep Calm and MQ On |
JosephGramig |
Posted: Tue Apr 28, 2009 4:25 am Post subject: |
|
|
 Grand Master
Joined: 09 Feb 2006 Posts: 1244 Location: Gold Coast of Florida, USA
|
It is true that SSL will only limit the hackers to a known pool of users. The ones that have the credentials. Those folks can still impersonate the service ID that runs MQ. SSL is session level, not application level. |
bruce2359 |
Posted: Tue Apr 28, 2009 6:22 am Post subject: |
|
|
 Poobah
Joined: 05 Jan 2008 Posts: 9469 Location: US: west coast, almost. Otherwise, enroute.
|
Quote: |
It is true that SSL will only limit the hackers to a known pool of users. |
This depends. If some inbound channels are not SSL, then you have a back door unlocked. Hackers can enter your system through non-secured channels, then send messages across SSL channels.
SSL only ensures that the two channel ends know each other. _________________ I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live. |
PeterPotkay |
Posted: Tue Apr 28, 2009 7:06 am Post subject: |
|
|
 Poobah
Joined: 15 May 2001 Posts: 7722
|
Or put another way, SSL determines WHO can connect, but not WHAT they can do.
The MCAUSER attribute on the channel solves the WHAT problem. Tag the channel with an ID that has the minimum rights you need, SSL or Exit the channel to control who can access the channel. Repeat for every incoming channel on your QM. If you don't lock them all down, there is (almost) no point in locking any down, just like it doesn't make sense to buy a big lock for your front door if the windows on the side of the house are always wide open. _________________ Peter Potkay
Keep Calm and MQ On |
bruce2359 |
Posted: Tue Apr 28, 2009 7:47 am Post subject: |
|
|
 Poobah
Joined: 05 Jan 2008 Posts: 9469 Location: US: west coast, almost. Otherwise, enroute.
|
Quote: |
The MCAUSER attribute on the channel solves the WHAT problem. ... If you don't lock them all down... |
For clarity: MCAUSER plus appropriate authorities/restrictions (OAM, RACF) solves the WHAT. _________________ I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live. |
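
The rule from the replies above (every inbound channel needs an MCAUSER for the WHAT, plus SSLPEER or a security exit for the WHO), as an added example that is not part of the original thread: a Python audit over constructed `runmqsc` `DISPLAY CHANNEL` output. The channel names, DN, exit path and the helper names `parse_channels` and `audit` are assumptions, and a non-blank SCYEXIT is treated only as a heuristic that an exit restricts callers.

```python
import re

# Constructed output of: DISPLAY CHANNEL(*) MCAUSER SSLCIPH SSLPEER SCYEXIT (names made up)
SAMPLE = """\
AMQ8414: Display Channel details.
   CHANNEL(MS03.SVRCONN)                   CHLTYPE(SVRCONN)
   MCAUSER(ms03svc)                        SCYEXIT( )
   SSLCIPH(TRIPLE_DES_SHA_US)              SSLPEER(CN=ms03admin,O=Example)
AMQ8414: Display Channel details.
   CHANNEL(ADMIN.SVRCONN)                  CHLTYPE(SVRCONN)
   MCAUSER(mqm)                            SCYEXIT( )
   SSLCIPH( )                              SSLPEER( )
AMQ8414: Display Channel details.
   CHANNEL(SYSTEM.DEF.SVRCONN)             CHLTYPE(SVRCONN)
   MCAUSER( )                              SCYEXIT( )
   SSLCIPH( )                              SSLPEER( )
AMQ8414: Display Channel details.
   CHANNEL(EXIT.SVRCONN)                   CHLTYPE(SVRCONN)
   MCAUSER(appsvc)                         SCYEXIT(/var/mqm/exits/chk(ChlExit))
   SSLCIPH( )                              SSLPEER( )
"""

ATTR = re.compile(r"(\w+)\(((?:[^()]|\([^()]*\))*)\)")  # allows lib(func) in SCYEXIT
INBOUND = {"SVRCONN", "RCVR", "RQSTR", "CLUSRCVR"}

def parse_channels(text):
    """One attribute dict per 'AMQ8414' block of runmqsc output."""
    blocks = re.split(r"^AMQ8414.*$", text, flags=re.M)
    parsed = [{k: v.strip() for k, v in ATTR.findall(b)} for b in blocks]
    return [p for p in parsed if "CHANNEL" in p]

def audit(text):
    """Return {channel: [findings]} for inbound channels that are not locked down."""
    report = {}
    for ch in parse_channels(text):
        # WHO: an SSLPEER filter (needs SSLCIPH) or a security exit limits who connects.
        who = bool(ch.get("SSLCIPH") and ch.get("SSLPEER")) or bool(ch.get("SCYEXIT"))
        findings = [] if who else ["WHO: no SSLPEER filter or security exit"]
        # WHAT: a blank MCAUSER leaves the identity to whatever the client presents.
        if not ch.get("MCAUSER"):
            findings.append("WHAT: MCAUSER is blank")
        elif ch["MCAUSER"].lower() == "mqm" and not who:
            findings.append("WHAT: MCAUSER(mqm) reachable by any client")
        if findings and ch.get("CHLTYPE") in INBOUND:
            report[ch["CHANNEL"]] = findings
    return report

if __name__ == "__main__":
    print("\n".join(f"{c} -> {'; '.join(f)}" for c, f in audit(SAMPLE).items()))
```

A clean result here only covers the channel definitions; the authorities granted to each MCAUSER ID (OAM, RACF) still have to be reviewed separately.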