John89011
Posted: Fri Nov 06, 2009 8:53 am. Post subject: SYSTEM.ADMIN.COMMAND.QUEUE
Voyager. Joined: 15 Apr 2009. Posts: 94

Hi,
How would I go about changing security to allow an additional user to put messages into the SYSTEM.ADMIN.COMMAND.QUEUE?
Currently the messages are going in my DLQ with reason: MQRC_NOT_AUTHORIZED
I am assuming this change is on a QMgr level?
This is v6.0.2.0 on Solaris
Thanks!
Vitor
Posted: Fri Nov 06, 2009 8:57 am. Post subject: Re: SYSTEM.ADMIN.COMMAND.QUEUE
Grand High Poobah. Joined: 11 Nov 2005. Posts: 26093. Location: Texas, USA

John89011 wrote:
> How would I go about changing security to allow an additional user to put messages into the SYSTEM.ADMIN.COMMAND.QUEUE?

Why do you want to be doing this? Typically access is restricted to the mqm group and people who need access are added to this group.
Remember whoever you're authorising will have control over your queue manager.
_________________
Honesty is the best policy.
Insanity is the best defence.
John89011
Posted: Fri Nov 06, 2009 9:00 am
Voyager. Joined: 15 Apr 2009. Posts: 94

The mainframe is trying to do a test (this is in the testing env) and this security issue is preventing them from getting a reply back.
Vitor
Posted: Fri Nov 06, 2009 9:04 am
Grand High Poobah. Joined: 11 Nov 2005. Posts: 26093. Location: Texas, USA

John89011 wrote:
> The mainframe is trying to do a test (this is in the testing env) and this security issue is preventing them from getting a reply back.

What kind of test involves them sending commands to your queue manager?
Add their user id to the mqm group on the Solaris box.
_________________
Honesty is the best policy.
Insanity is the best defence.
mqjeff
Posted: Fri Nov 06, 2009 9:28 am
Grand Master. Joined: 25 Jun 2008. Posts: 17447

Vitor wrote:
> John89011 wrote:
> > The mainframe is trying to do a test (this is in the testing env) and this security issue is preventing them from getting a reply back.
> What kind of test involves them sending commands to your queue manager?

Vitor wrote:
> Add their user id to the mqm group on the Solaris box.

Set an MCAUSER on the channel they're talking over.
Use the "setmqaut" command.
Vitor
Posted: Fri Nov 06, 2009 9:52 am
Grand High Poobah. Joined: 11 Nov 2005. Posts: 26093. Location: Texas, USA

mqjeff wrote:
> Set an MCAUSER on the channel they're talking over.
> Use the "setmqaut" command.

But won't you need to use setmqaut on a lot more than just this queue? Leading to an authority similar to that of mqm but with a lot more effort and much harder to revoke when this rather dubious test is over?
_________________
Honesty is the best policy.
Insanity is the best defence.
mqjeff
Posted: Fri Nov 06, 2009 10:19 am
Grand Master. Joined: 25 Jun 2008. Posts: 17447

Much easier to revoke by changing the MCAUSER. Doesn't require REFRESH SECURITY or a restart of the qm.
More work, potentially. But much more auditable and much more repeatable. And not necessarily a lot of extra work, if generic auth profiles are used rather than specific ones.
shashivarungupta
Posted: Fri Nov 06, 2009 11:02 am
Grand Master. Joined: 24 Feb 2009. Posts: 1343. Location: Floating in space on a round rock.

Vitor wrote:
> mqjeff wrote:
> > Set an MCAUSER on the channel they're talking over.
> > Use the "setmqaut" command.
> But won't you need to use setmqaut on a lot more than just this queue? Leading to an authority similar to that of mqm but with a lot more effort and much harder to revoke when this rather dubious test is over?

Mostly, an application or its ID is being authorized to access the MQ objects such as the QM and its queues, not the SYSTEM queues.
If an ID is not given permissions, it would get MQRC 2035 and/or MQRC 2063 codes returned.
_________________
*Life will beat you down, you need to decide to fight back or leave it.
John89011
Posted: Sat Nov 07, 2009 8:09 am
Voyager. Joined: 15 Apr 2009. Posts: 94

So just create an MCA user ID (whatever user ID they are coming across as) on the receiver channel?
Thanks for everyone's input, appreciate it!
bruce2359
Posted: Sat Nov 07, 2009 4:42 pm
Poobah. Joined: 05 Jan 2008. Posts: 9469. Location: US: west coast, almost. Otherwise, enroute.

The SYSTEM.ADMIN.COMMAND.QUEUE is used by administrative applications to create, display, alter and delete objects.
It can be used for remote administration from applications running on other qmgrs, as long as they have access to channels of the remote qmgr, and authorization to the queue. Clearly, this is a risky behavior.
Is the mainframe app trying to do remote admin? Or something else? What exactly?
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
John89011
Posted: Sat Nov 07, 2009 8:58 pm
Voyager. Joined: 15 Apr 2009. Posts: 94

Hi Bruce,
Mainframe uses TMON to monitor queues between our app and the billing app. So they are trying to send a message to the admin queue in hopes of getting a response. I was playing with the MCA user ID parameter on the receiver channel and any time I add an ID other than mqm or blank, their sender goes into retry when attempting to do a put.
I've asked the sys admin to add their user ID to the mqm group.
Thanks!
mqjeff
Posted: Mon Nov 09, 2009 5:21 am
Grand Master. Joined: 25 Jun 2008. Posts: 17447

The MCAUSER *replaces* what they send in.
Create a new ID on the Windows box. Use setmqaut to grant that ID the minimum specific authorizations needed. Best bet is NOT to put it in mqm.
Set that ID on the MCAUSER on the receiver channel.
PeterPotkay
Posted: Mon Nov 09, 2009 5:51 am
Poobah. Joined: 15 May 2001. Posts: 7722

mqjeff wrote:
> The MCAUSER *replaces* what they send in.

On SVRCONN channels, yes. Not other channel types.
_________________
Peter Potkay
Keep Calm and MQ On
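The procedure mqjeff describes (dedicated ID, minimal setmqaut grants, MCAUSER on the receiver channel), with PeterPotkay's point about channel types taken into account, as an added example that is not part of this thread and not anyone's posted code. It assumes a UNIX host such as the Solaris box in the question, a queue manager named SOLQM1, a receiver channel named MVS.TO.SOLQM1 and a dedicated OS user and group named tmonmq; all of those names are invented. On a RCVR channel the MCAUSER does not replace the identity in the message: with the default PUTAUT(DEF) it is the ID whose authority the MCA uses for its MQPUT, while MQMD.UserIdentifier still carries the sending side's ID, and on distributed platforms the command server checks that context ID, not the MCAUSER, for authority to the objects a command touches (for example +dsp on a queue it is asked to inquire), so a monitoring ID usually needs those grants as well; confirm the exact set against the authority tables for your release. Two grants explain a channel that goes into retry as soon as a non-mqm MCAUSER is set: the MCA needs +setall because it passes the sender's context through, and it needs +put on the dead-letter queue, because without that an undeliverable message has nowhere to go and the channel stops. In v6 the OAM on UNIX records authority by the user's primary group, so the grants use -g. The script defaults to DRY_RUN=1 and prints each command; run it with DRY_RUN=0 on the MQ host as a member of mqm to apply it.

```shell
#!/bin/sh
# Added example, not from the thread. Builds and (optionally) runs the commands
# for a least-privilege MCAUSER on a UNIX queue manager. All names below
# (SOLQM1, MVS.TO.SOLQM1, tmonmq) are assumptions. DRY_RUN=1 (the default)
# prints every command instead of executing it; DRY_RUN=0 applies them, which
# must be done on the MQ host as a member of mqm.

DRY_RUN="${DRY_RUN:-1}"

# Print a command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Feed MQSC on stdin to runmqsc, or just echo it in dry-run mode.
apply_mqsc() {
    if [ "$DRY_RUN" = "1" ]; then cat; else runmqsc "$1"; fi
}

# A dedicated OS user with its own primary group, deliberately not in mqm.
# The v6 OAM on UNIX records authority by group, so the grants below use -g.
create_mq_user() {
    run groupadd "$1"
    run useradd -g "$1" "$1"
}

# Exactly what the receiver channel's MCA needs when it delivers command
# messages: connect to the queue manager, put to the command queue, +setall
# because the MCA passes the sender's identity context through, and the
# same on the dead-letter queue so an undeliverable message goes there
# instead of the channel stopping and going into retry.
grant_cmdq_auth() {
    qm="$1"; grp="$2"
    run setmqaut -m "$qm" -t qmgr -g "$grp" +connect +inq +setall
    run setmqaut -m "$qm" -t queue -n SYSTEM.ADMIN.COMMAND.QUEUE -g "$grp" +put +setall
    run setmqaut -m "$qm" -t queue -n SYSTEM.DEAD.LETTER.QUEUE -g "$grp" +put +setall
}

# MQSC that pins the receiver channel to that ID. A running channel only picks
# the new MCAUSER up when it next starts, so it is bounced here; START on the
# receiving side just returns it to INACTIVE for the sender to reconnect.
# No REFRESH SECURITY and no queue manager restart.
mqsc_set_mcauser() {
    chl="$1"; user="$2"
    printf "ALTER CHANNEL('%s') CHLTYPE(RCVR) MCAUSER('%s')\n" "$chl" "$user"
    printf "STOP CHANNEL('%s')\n" "$chl"
    printf "START CHANNEL('%s')\n" "$chl"
}

# The check to run afterwards: what the OAM now holds for the group.
show_cmdq_auth() {
    run dspmqaut -m "$1" -t queue -n SYSTEM.ADMIN.COMMAND.QUEUE -g "$2"
}

# Tear-down when the test is over: blank the MCAUSER and drop the three grants.
revoke_cmdq_auth() {
    qm="$1"; chl="$2"; grp="$3"
    printf "ALTER CHANNEL('%s') CHLTYPE(RCVR) MCAUSER(' ')\n" "$chl" | apply_mqsc "$qm"
    run setmqaut -m "$qm" -t queue -n SYSTEM.ADMIN.COMMAND.QUEUE -g "$grp" -all
    run setmqaut -m "$qm" -t queue -n SYSTEM.DEAD.LETTER.QUEUE -g "$grp" -all
    run setmqaut -m "$qm" -t qmgr -g "$grp" -all
}

main() {
    qm="${QMGR:-SOLQM1}"              # assumed queue manager name
    chl="${CHANNEL:-MVS.TO.SOLQM1}"   # assumed RCVR channel from the mainframe
    user="${MQUSER:-tmonmq}"          # assumed dedicated user and group name
    create_mq_user "$user"
    grant_cmdq_auth "$qm" "$user"
    mqsc_set_mcauser "$chl" "$user" | apply_mqsc "$qm"
    show_cmdq_auth "$qm" "$user"
}

main
```

If the receiver channel is set to PUTAUT(CTX) instead, the MCA checks the ID in MQMD.UserIdentifier for the put, so that sending-side ID, rather than the MCAUSER, would need a matching local user and group; the script keeps the default PUTAUT(DEF). Revoking is one `revoke_cmdq_auth SOLQM1 MVS.TO.SOLQM1 tmonmq`, which is the auditable, repeatable tear-down that adding the ID to mqm does not give you.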
John89011
Posted: Mon Nov 09, 2009 6:43 am
Voyager. Joined: 15 Apr 2009. Posts: 94

Yeah, I tried, and any user I put in, the channel goes into retry when they attempt to send a message across.
John89011
Posted: Mon Nov 09, 2009 2:06 pm
Voyager. Joined: 15 Apr 2009. Posts: 94

Added the user ID to the mqm group and it works fine, no qmgr restart or security refresh necessary.
Thanks guys!