MQSeries.net Forum Index » IBM MQ Security » SYSTEM.AUTH.DATA.QUEUE

zpat
Posted: Tue Dec 15, 2009 6:20 am    Post subject: SYSTEM.AUTH.DATA.QUEUE

Jedi Council

Joined: 19 May 2001
Posts: 5849
Location: UK

This queue holds the OAM authority info, but in explorer this queue does not itself have an authority list viewable.

However some users are getting logged against this queue for display and I don't understand why since they are allowed display against any queue using SYSTEM.** and ** generic profiles.

Any ideas? I think it is explorer itself trying to access the queue.

Quote:
----- amqzfubx.c : 530 --------------------------------------------------------
15/12/09 13:59:10 - Process(278534.9) User(mqm) Program(amqzlaa0_nd)
AMQ8077: Entity 'xxxxxxx ' has insufficient authority to access object
'SYSTEM.AUTH.DATA.QUEUE'.

EXPLANATION:
The specified entity is not authorized to access the required object. The
following requested permissions are unauthorized: dsp
ACTION:
Ensure that the correct level of authority has been set for this entity against
the required object, or ensure that the entity is a member of a privileged
group.
exerk
Posted: Tue Dec 15, 2009 6:32 am

Jedi Council

Joined: 02 Nov 2006
Posts: 6339

Have you sanitised the output, or did it genuinely display as 'xxxxxxx ' ?
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
zonko
Posted: Tue Dec 15, 2009 6:40 am

Voyager

Joined: 04 Nov 2009
Posts: 78

Access to the queue is hard coded to mqm only.
zpat
Posted: Tue Dec 15, 2009 6:42 am

Jedi Council

Joined: 19 May 2001
Posts: 5849
Location: UK

Sanitised it.

It's definitely caused by Explorer - when I access the QM as the user in question, explorer lists all the queues except the SYSTEM.AUTH.DATA.QUEUE queue.

The curious thing is that access to the other system queues is controlled by the same profile (SYSTEM.**) and they are listed OK.

There does not seem to be a specific profile for SYSTEM.AUTH.DATA.QUEUE, which I presume is normal?
zpat
Posted: Tue Dec 15, 2009 6:45 am

Jedi Council

Joined: 19 May 2001
Posts: 5849
Location: UK

zonko wrote:
Access to the queue is hard coded to mqm only.


That would explain it, but means that any user using explorer is going to generate authority events or log records (if you have the option set) every 5 mins when it tries and fails to list the queue.

However there is an APAR, fixed in 6.0.2.8

http://www-01.ibm.com/support/docview.wss?rs=171&uid=swg1IZ52608

Quote:
PROBLEM SUMMARY:
Currently it is impossible to grant users or groups access to
the SYSTEM.AUTH.DATA.QUEUE. The reason behind this is that
this queue contains the authority records for the queue
manager so granting a user put or get authority on this queue
would compromise the security of the queue manager.

However, the inability to set authorities on this queue causes
difficulties for GUI administration tools as typically they
perform a PCF command (MQCMD_INQUIRE_Q) with a wildcard to
return back information about all queues on the system. Any
queue for which the user does not have DISPLAY authority will
a) Return a failure PCF message to the application
b) Generate an authority event message
exerk
Posted: Tue Dec 15, 2009 6:52 am

Jedi Council

Joined: 02 Nov 2006
Posts: 6339

zonko wrote:
Access to the queue is hard coded to mqm only.


zonko, can you justify that statement please, and quote the source?

zpat, what does dspmqaut show for the entity against that queue?

EDIT: saw zpat's edited(?) response after I posted, and assumed that the 'fixed' level of WMQ was in use.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
zpat
Posted: Tue Dec 15, 2009 7:10 am

Jedi Council

Joined: 19 May 2001
Posts: 5849
Location: UK

My level is 6.0.2.7, I have just seen the APAR.

dspmqaut shows nothing against the queue for the group in question.

I tried adding an explicit profile but I can't see it afterwards. Looks like this won't work until 6.0.2.8.
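Added example, not part of the thread or of IBM's code: a triage script for the error-log pattern discussed above. It parses AMQ8077 records in the layout quoted in the first post and separates the repeating `dsp` failures on SYSTEM.AUTH.DATA.QUEUE (the Explorer refresh behaviour described in the thread) from failures that deserve review. It assumes dd/mm/yy timestamps as in the quoted record; the function names, entity names and the PAYROLL.IN queue are made up for the sample.

```python
import re
from collections import defaultdict
from datetime import datetime

def _record(ts, entity, obj, perms):
    # Constructed sample record in the layout of the log entry quoted in the thread.
    return (f"{ts} - Process(278534.9) User(mqm) Program(amqzlaa0_nd)\n"
            f"AMQ8077: Entity '{entity:<12}' has insufficient authority to access object\n"
            f"'{obj}'.\n\nEXPLANATION:\n"
            "The specified entity is not authorized to access the required object. The\n"
            f"following requested permissions are unauthorized: {perms}\n"
            "----- amqzfubx.c : 530 " + "-" * 56 + "\n")

# Constructed data: entities and PAYROLL.IN are invented for this example.
SAMPLE_LOG = "".join([
    _record("15/12/09 13:54:10", "appuser1", "SYSTEM.AUTH.DATA.QUEUE", "dsp"),
    _record("15/12/09 13:59:10", "appuser1", "SYSTEM.AUTH.DATA.QUEUE", "dsp"),
    _record("15/12/09 14:01:42", "appuser2", "PAYROLL.IN", "get"),
    _record("15/12/09 14:04:10", "appuser1", "SYSTEM.AUTH.DATA.QUEUE", "dsp"),
    _record("15/12/09 14:06:03", "appuser2", "SYSTEM.AUTH.DATA.QUEUE", "get"),
])

REC = re.compile(
    r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d) - [^\n]*\n"
    r"AMQ8077: Entity '([^']*)' has insufficient authority to access object\s+"
    r"'([^']*)'\.\s.*?permissions are unauthorized: ([^\n]*)", re.S | re.M)

def parse(log_text):
    """Yield (timestamp, entity, object, permissions) per AMQ8077 record."""
    for rec in re.split(r"^-----.*$", log_text, flags=re.M):  # split on separator lines
        m = REC.search(rec)
        if m:
            ts = datetime.strptime(m.group(1), "%d/%m/%y %H:%M:%S")  # assumed dd/mm/yy
            yield ts, m.group(2).strip(), m.group(3), tuple(m.group(4).split())

def triage(log_text, noisy_object="SYSTEM.AUTH.DATA.QUEUE"):
    """Return ({entity: [timestamps]} of dsp-only noise, [records needing review])."""
    noise, review = defaultdict(list), []
    for ts, entity, obj, perms in parse(log_text):
        if obj == noisy_object and perms == ("dsp",):
            noise[entity].append(ts)
        else:  # any other object, or anything beyond dsp on the authority queue
            review.append((ts, entity, obj, perms))
    return dict(noise), review

def gaps_seconds(times):
    """Seconds between successive failures; a steady gap suggests a polling tool."""
    times = sorted(times)
    return [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]
```

A request for anything other than `dsp` on SYSTEM.AUTH.DATA.QUEUE is deliberately kept in the review list, since the APAR text notes that put or get access to that queue would compromise the queue manager.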