kevinlawlawla |
Posted: Fri May 29, 2009 3:36 am Post subject: Authorization on using the MQ6 |
|
|
Newbie
Joined: 29 May 2009 Posts: 7
|
I am using WMQ6 and managing it through IBM WebSphere MQ Explorer.
I would like MQ to perform authorization when an application connects to the server. I am using the Java MQ package to connect to my MQ.
How could I configure my MQ and application so that the authorization could be achieved? |
exerk |
Posted: Fri May 29, 2009 3:37 am Post subject: |
|
|
 Jedi Council
Joined: 02 Nov 2006 Posts: 6339
|
Have a good read of the Security manual, which you can find in the Info Centre... _________________ It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
kevinlawlawla |
Posted: Sun May 31, 2009 7:27 pm Post subject: |
|
|
Newbie
Joined: 29 May 2009 Posts: 7
|
I have read through the Info Center and really can't understand it.
I think the channel security and the MCA is somehow what I want.
http://publib.boulder.ibm.com/infocenter/wmqv6/v6r0/index.jsp?topic=/com.ibm.mq.csqzas.doc/sy10910_.htm
But I tried the following and it still does not work.
1. Set the Server-connection MCA as nobody; then no matter which user id I use, the application's connection to the channel is rejected.
2. Set the Server-connection MCA as a valid account; the application is still able to connect if I do not specify the userid and password, or if I just provide the userid.
3. Set the Server-connection MCA as nothing to use the default; the application is still able to connect if I do not specify the userid and password.
Could you please give me some hints on the setting? |
exerk |
Posted: Mon Jun 01, 2009 2:43 am Post subject: |
|
|
 Jedi Council
Joined: 02 Nov 2006 Posts: 6339
|
kevinlawlawla wrote: |
1. Set the Server-connection MCA as nobody; then no matter which user id I use, the application's connection to the channel is rejected. |
Working as it should be.
kevinlawlawla wrote: |
2. Set the Server-connection MCA as a valid account; the application is still able to connect if I do not specify the userid and password, or if I just provide the userid.
3. Set the Server-connection MCA as nothing to use the default; the application is still able to connect if I do not specify the userid and password. |
And when you did this, did you check the statuses of the queue manager and the queue(s) to see which userid was showing?
Try that, and then (maybe) ask the question regarding configuration again. _________________ It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
kevinlawlawla |
Posted: Mon Jun 01, 2009 3:35 am Post subject: |
|
|
Newbie
Joined: 29 May 2009 Posts: 7
|
Thanks for your reply.
I am using the WebSphere MQ Explorer to do my administration. How could I show their userid?
Is it on the Object Authority?
They show the mqm account on the Groups and my user account on the Users.
My MQ is installed on Windows. |
Vitor |
Posted: Mon Jun 01, 2009 3:47 am Post subject: |
|
|
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
|
kevinlawlawla wrote: |
They show the mqm account on the Groups and my user account on the Users. |
If you have group membership of mqm, then you'll find testing security tricky. You'll find you always seem to be authorised......  _________________ Honesty is the best policy.
Insanity is the best defence. |
fjb_saper |
Posted: Mon Jun 01, 2009 3:57 am Post subject: |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
As you use Java, what you need is a channel with SSL and mcauser.
The SSL will guarantee that you are who you say you are as long as you keep your cert safe. The right mcauser will give you all the authority you need on the qmgr regardless of your userid.
Have fun  _________________ MQ & Broker admin |
kevinlawlawla |
Posted: Mon Jun 01, 2009 7:30 am Post subject: |
|
|
Newbie
Joined: 29 May 2009 Posts: 7
|
Do you mean that I need to delete the mqm in my group list?
What about my user account? Do I need to delete it, and where could I set my authorization user list? |
Vitor |
Posted: Mon Jun 01, 2009 7:33 am Post subject: |
|
|
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
|
kevinlawlawla wrote: |
Do you mean that I need to delete the mqm in my group list? |
Not if you're really doing administration.
kevinlawlawla wrote: |
What about my user account? Do I need to delete it, and where could I set my authorization user list? |
WMQ doesn't have an ACL. Look up setmqaut _________________ Honesty is the best policy.
Insanity is the best defence. |
kevinlawlawla |
Posted: Mon Jun 01, 2009 7:59 pm Post subject: |
|
|
Newbie
Joined: 29 May 2009 Posts: 7
|
I tried the setmqaut command to remove the connect authority from the mqm group. I set the mqm group authorization to none for the server connection.
setmqaut -m Test1 -n Test1.Serv.Conn -t channel -g mqm +none
But I am still able to connect to the MQ. Then I tried the following command to disable the mqm from connecting.
setmqaut -m Test1 -t qmgr -g mqm -connect
But after both commands were issued, my Java application is still able to connect to the server channel and write messages to the queue without specifying the userid and password.
How should I set the authority to only allow specific users to connect to the MQ? |
AkankshA |
Posted: Mon Jun 01, 2009 8:24 pm Post subject: |
|
|
 Grand Master
Joined: 12 Jan 2006 Posts: 1494 Location: Singapore
|
hey, hold on hold on......................
mqm is the default group of MQ which has / should have / must have all authorities of MQ objects....
why are you playing with that...
Quote: |
How should I set the authority to only allow specific users to connect to the MQ? |
Set that user in MCAUSER of SVRCONN channel and connect _________________ Cheers |
kevinlawlawla |
Posted: Mon Jun 01, 2009 8:54 pm Post subject: |
|
|
Newbie
Joined: 29 May 2009 Posts: 7
|
I set the MCAUSER of the SVRCONN channel and connected. I am not able to connect if I use another userid to connect.
However, I am still able to connect in the following cases:
1. I do not specify the userid and password in my Java MQEnvironment
2. I specify the userid without password in my Java MQEnvironment |
Vitor |
Posted: Mon Jun 01, 2009 11:41 pm Post subject: |
|
|
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
|
kevinlawlawla wrote: |
I tried the setmqaut command to remove the connect authority from the mqm group. I set the mqm group authorization to none for the server connection.
setmqaut -m Test1 -n Test1.Serv.Conn -t channel -g mqm +none |
I mentioned above mqm is always authorised - this is redundant.
kevinlawlawla wrote: |
But I am still able to connect to the MQ. Then I tried the following command to disable the mqm from connecting.
setmqaut -m Test1 -t qmgr -g mqm -connect |
I also warned you that this wouldn't work. The mqm group/user is always authorised. Do read what we're posting.....
kevinlawlawla wrote: |
How should I set the authority to only allow specific users to connect to the MQ? |
The way you're doing it, but with specific groups / users that are not mqm! _________________ Honesty is the best policy.
Insanity is the best defence. |
kevinlawlawla |
Posted: Tue Jun 02, 2009 12:54 am Post subject: |
|
|
Newbie
Joined: 29 May 2009 Posts: 7
|
Sorry for my stupid questions; I really don't understand how the channel security could be achieved. It always gets connected if I do not specify the userid.
But how could I disable the MQ from anonymous access?
Another problem:
I use the following command to grant access to the qmgr to "usera"
setmqaut -m Test1 -t qmgr -p usera +connect
But do I need to create a Windows account for "usera" beforehand, and where could I find the list of authorized or unauthorized users? |
Vitor |
Posted: Tue Jun 02, 2009 1:05 am Post subject: |
|
|
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
|
kevinlawlawla wrote: |
But how could I disable the MQ from anonymous access? |
See the comment of fjb_saper above.
kevinlawlawla wrote: |
But do I need to create a Windows account for "usera" |
Only if this user logs on (i.e. not simply used as MCAUser)
kevinlawlawla wrote: |
where could I find the list of authorized or unauthorized users? |
You'll find the dspmqaut command described in much the same place as the setmqaut command; IIRC there's a link from one to the other in the doc. The list of unauthorised users is everyone who's not on the authorised list; WMQ does not support authorisation by exclusion. _________________ Honesty is the best policy.
Insanity is the best defence. |
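The approach the replies converge on (a non-mqm identity in MCAUSER, grants made with setmqaut, checks made with dspmqaut), written out as a Windows command-prompt script. This is an added example, not code from any poster: the group mqapps, the user mqapp and the queue APP.REQUEST are assumed names, while Test1 and Test1.Serv.Conn are the names used in the thread.

```bat
@echo off
rem Added example: least-privilege setup for a client application on queue manager Test1.
rem Assumed names (not from the thread): group mqapps, user mqapp, queue APP.REQUEST.
rem mqapp must not be a member of mqm, because mqm is always authorised.

rem 1. Grant the non-mqm group only what the application needs.
setmqaut -m Test1 -t qmgr -g mqapps +connect +inq
setmqaut -m Test1 -n APP.REQUEST -t queue -g mqapps +put +inq

rem 2. Run the SVRCONN channel under that low-privilege user, whatever the client sends.
echo ALTER CHANNEL('Test1.Serv.Conn') CHLTYPE(SVRCONN) MCAUSER('mqapp') | runmqsc Test1

rem 3. Verify what was granted (there is no deny list, only grants).
dspmqaut -m Test1 -t qmgr -g mqapps
dspmqaut -m Test1 -n APP.REQUEST -t queue -g mqapps
dspmqaut -m Test1 -n APP.REQUEST -t queue -p mqapp

rem 4. Confirm the channel setting and see which user ID has the queue open.
echo DISPLAY CHANNEL('Test1.Serv.Conn') MCAUSER | runmqsc Test1
echo DISPLAY QSTATUS('APP.REQUEST') TYPE(HANDLE) USERID | runmqsc Test1
```

Run the last command while the Java client has the queue open; the USERID shown should be mqapp rather than an mqm member.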