which MCAuser gets used if CLUSRCVR has PUTAUT is Context

veech23
Posted: Tue Jun 23, 2009 4:55 pm

Novice

Joined: 25 Apr 2007
Posts: 23
Location: canberra

Hi All,

I am just wondering which userID gets used if you have a specific MCAUser in your Cluster RCVR definition and PUTAUT is set to context?

Environment : RHEL 4.6/WMQ6.0.2.5

CHANNEL(TO.CDXVEST1) CHLTYPE(CLUSRCVR)
ALTDATE(2009-06-19) ALTTIME(09.36.20)
BATCHHB(0) BATCHINT(0)
BATCHSZ(50) CLUSNL( )
CLUSTER(CLUSLRDT1) CLWLPRTY(9)
CLWLRANK(9) CLWLWGHT(50)
COMPHDR(NONE) COMPMSG(NONE)
CONNAME(XXXX(51115)) CONVERT(NO)
DISCINT(3600) HBINT(300)
KAINT(AUTO) LOCLADDR( )
LONGRTY(999999999) LONGTMR(1200)
MAXMSGL(4194304) MCANAME( )
MCATYPE(THREAD) MCAUSER(userA)
MODENAME( ) MONCHL(QMGR)
MRDATA( ) MREXIT( )
MRRTY(10) MRTMR(1000)
MSGDATA( ) MSGEXIT( )
NETPRTY(9) NPMSPEED(NORMAL)
PROPCTL(COMPAT) PUTAUT(CTX)
RCVDATA( ) RCVEXIT( )
SCYDATA( ) SCYEXIT( )
SENDDATA( ) SENDEXIT( )
SEQWRAP(999999999) SHORTRTY(20)
SHORTTMR(60) SSLCAUTH(REQUIRED)
SSLCIPH( ) SSLPEER( )
STATCHL(QMGR) TPNAME( )
TRPTYPE(TCP)

bruce2359
Posted: Wed Jun 24, 2009 5:51 am

Poobah

Joined: 05 Jan 2008
Posts: 9471
Location: US: west coast, almost. Otherwise, enroute.

What do the relevant manuals say? In other words, what does CTX mean in a channel definition?

Look in the WMQ Intercommunications manual, for example. There will likely be a reference in the WMQ MQSC manual.
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.

JosephGramig
Posted: Wed Jun 24, 2009 9:35 am

Grand Master

Joined: 09 Feb 2006
Posts: 1244
Location: Gold Coast of Florida, USA

The MCA runs with the authority of 'userA' and does what the manual says CTX does.

So, if 'userA' does not have permission to write to SYSTEM.ADMIN.COMMAND.QUEUE and that was the target queue, then the msg will not be put on the queue. Even if the ID in the MQMD does have permission to do so.

This would be one way to prevent administration of your QMGR from a remote QMGR...

veech23
Posted: Wed Jun 24, 2009 3:38 pm

If PutAut is Def then MCAuser gets used, in my case userA. If PutAut is CTX then the user from MQMD gets used to access MQ objects. The manual is not clear on whether both the options are used, hence the question.

JosephGramig
Posted: Thu Jun 25, 2009 4:07 am

So you are saying you tried this with an ID for CTX that does not have permission to the queue?

When MCAUser is blank, it is denied.
When MCAUser is an authorized ID and CTX is used with an ID that is not authorized, you have permission to the queue?

This is a receiver channel. The MCAUser controls the level of permissions that this MCA has to the local QMGR's objects. The MCA will receive a batch of msgs and try to put them on the destined queue and will do a setall on the MQMD to preserve the values given to it. CTX says, "and check to see if the ID in the MQMD has permission".

veech23
Posted: Thu Jun 25, 2009 10:15 pm

I tried with an ID that has permission to put to the queue, and the messages went to the dead-letter queue.

If MCAUser is blank and PUTAUT is CTX, the userID from the MQMD gets used to put to the queue. (I haven't tried this scenario; I will let you know the results.)

I have MCAUser as UserA on QmgrA with PutAut CTX.
The other qmgr sends a message with UserB. UserB has permissions to put, setall, inq, and still the message went to DEADQ. Obviously, UserA also has permissions to put on the queue.

bruce2359
Posted: Fri Jun 26, 2009 5:18 am

Quote:
and messages gone to Dead letter queue.

What was the reason code for the messages in the dead-letter queue?

veech23
Posted: Sun Jun 28, 2009 3:45 pm

2035 but the userid has connect,inq,setall on qmgr and put,inq,setall on destination queue

bruce2359
Posted: Sun Jun 28, 2009 3:56 pm

Quote:
2035 but the userid has connect,inq,setall on qmgr and put,inq,setall on destination queue

What userid?

If it's the MCA, also grant altuser.

veech23
Posted: Sun Jun 28, 2009 4:27 pm

UserB

I have MCAUser as UserA on QmgrA with PutAut CTX.
The other qmgr sends a message with UserB. UserB has permissions to put, setall, inq, and still the message went to DEADQ. Obviously, UserA also has permissions to put on the queue.

bruce2359
Posted: Sun Jun 28, 2009 4:32 pm

Quote:
Obviously, UserA also has permissions to put on the queue.

Obviously. But it isn't UserB that is attempting to put the message to the queue, is it? Rather, it is the MCA, doing its proxy-type work on behalf of UserB, that is attempting to open and put the message to the queue.

Did you grant the MCAuser(UserB) altuser rights as I'd suggested?

veech23
Posted: Sun Jun 28, 2009 5:52 pm

Thanks, that worked.

Somehow I missed the documentation.

context security (CTX)
The alternate user ID is used from the context information associated with the message.

The UserIdentifier in the message descriptor is moved into the AlternateUserId field in the object descriptor. The queue is opened with the open options MQOO_SET_ALL_CONTEXT and MQOO_ALTERNATE_USER_AUTHORITY.

The user ID used to check open authority on the queue for MQOO_SET_ALL_CONTEXT and MQOO_ALTERNATE_USER_AUTHORITY is that of the process or user running the MCA at the receiving end of the message channel. The user ID used to check open authority on the queue for MQOO_OUTPUT is the UserIdentifier in the message descriptor.

PeterPotkay
Posted: Mon Jun 29, 2009 2:08 am

Poobah

Joined: 15 May 2001
Posts: 7722

Now that you got it working, how are you going to prevent the sending system from sending messages with bad User IDs in the MQMD? What if they choose to start sending messages with mqm in the MQMD, and start sending administrative messages to your SYSTEM.ADMIN.COMMAND.QUEUE?

Why do you think you want to use PUTAUT(CTX)?
_________________
Peter Potkay
Keep Calm and MQ On

veech23
Posted: Mon Jun 29, 2009 3:58 pm

Don't want to use CTX; this is just for information purposes only.

Planning to use putaut=DEF with a low-privileged MCAuser (does not have any put permissions on any system queues other than SYSTEM.CLUSTER.COMMAND.QUEUE).

SSL is a thorny subject here.
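
Added example, not part of any post in this thread and not IBM MQ code: a simplified Python model of the open checks described in the documentation quoted above, run over the cases raised in the thread (the 2035 without altusr, a sender-chosen MQMD user ID, and PUTAUT(DEF) with a low-privileged MCAUSER). The grants, the queue name APP.QUEUE and the choice to check altusr on the queue manager object are assumptions made for illustration.

```python
# Added example: simplified model of the receiver MCA's open checks, based on
# the documentation text quoted in the thread. Not IBM MQ code.
MQRC_NONE, MQRC_NOT_AUTHORIZED = 0, 2035

def mca_put(grants, mcauser, putaut, mqmd_user, queue):
    """Reason code for the MCA opening `queue` to put one received message.

    grants maps (user, object) -> set of authorities; "QMGR" stands for the
    queue manager object (assumption: altusr is granted at that level).
    """
    def has(user, obj, auth):
        return auth in grants.get((user, obj), set())

    # MQOO_SET_ALL_CONTEXT is checked against the MCA's own user ID.
    if not has(mcauser, queue, "setall"):
        return MQRC_NOT_AUTHORIZED
    if putaut == "DEF":
        # MQOO_OUTPUT is checked against the MCA user; the MQMD user is ignored.
        return MQRC_NONE if has(mcauser, queue, "put") else MQRC_NOT_AUTHORIZED
    if putaut == "CTX":
        # MQOO_ALTERNATE_USER_AUTHORITY is checked against the MCA user ...
        if not has(mcauser, "QMGR", "altusr"):
            return MQRC_NOT_AUTHORIZED
        # ... and MQOO_OUTPUT against the UserIdentifier from the MQMD.
        return MQRC_NONE if has(mqmd_user, queue, "put") else MQRC_NOT_AUTHORIZED
    raise ValueError("unsupported PUTAUT value: " + putaut)

def scenarios():
    cmdq = "SYSTEM.ADMIN.COMMAND.QUEUE"
    g = {  # constructed grants; APP.QUEUE is a hypothetical target queue
        ("userA", "APP.QUEUE"): {"put", "setall"},
        ("UserB", "APP.QUEUE"): {"put", "inq", "setall"},
        ("mqm", cmdq): {"put", "setall"},
        ("mqm", "QMGR"): {"altusr"},
    }
    out = {"ctx_no_altusr": mca_put(g, "userA", "CTX", "UserB", "APP.QUEUE")}
    g[("userA", "QMGR")] = {"altusr"}  # the grant suggested in the thread
    out["ctx_with_altusr"] = mca_put(g, "userA", "CTX", "UserB", "APP.QUEUE")
    # MQMD carries mqm and the target is the command queue (constructed cases):
    out["ctx_privileged_mca"] = mca_put(g, "mqm", "CTX", "mqm", cmdq)
    out["def_low_priv_mca"] = mca_put(g, "userA", "DEF", "mqm", cmdq)
    out["ctx_low_priv_mca"] = mca_put(g, "userA", "CTX", "mqm", cmdq)
    return out

if __name__ == "__main__":
    for name, rc in scenarios().items():
        print(f"{name:20} -> {rc}")
```

In this model the command-queue put succeeds only when the MCA's own user ID holds setall on that queue, so a low-privileged MCAUSER blocks it under either PUTAUT setting.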