Generic Names for Switch Profiles
IEFBR14
Posted: Fri Jan 22, 2010 2:46 am    Post subject: Generic Names for Switch Profiles

Newbie

Joined: 22 Jan 2010
Posts: 4

Hello,

we have a couple of MQ instances set up and successfully running. There are several so-called switch profiles defined within the RACF general resource class MQADMIN. The profiles' high level qualifiers are equal to the MQ instance names, e.g. QMA1, QMB1, QMC1, ..., QMA2, QMB2, QMC2 and so on.
All of these instances have equal profiles and authorizations, just the high level qualifier differs. Now I was wondering if I could reduce the number of profiles by replacing them with one or just very few using generic high level qualifiers. For a first start, I tried the switch profiles e.g.
QMA%.NO.CONTEXT.CHECKS
instead of
QMA1.NO.CONTEXT.CHECKS
QMA2.NO.CONTEXT.CHECKS
etc.
However, it was not successful and we get messages like
"CSQH024I ^QMA1 CSQHINIT CONTEXT security switch set ON, profile 'QMA1.NO.CONTEXT.CHECKS' not found" from the QMA1MSTR ASID. Subsequent start of e.g. channel initiator ASID fails.

Do you have an idea what went wrong? Maybe MQ calls RACROUTE REQUEST=EXTRACT with MATCHGN=NO?
The manuals, especially the chapter about RACF profiles in the MQ z/OS System Setup Guide, say quite a lot about the design of profile names. There is a remark stating that it is not recommended to choose generic queue manager names in profiles. But I did not find a statement prohibiting generic names.

Thank you,
cheers
Michael
gbaddeley
Posted: Sat Jan 23, 2010 4:46 pm

Jedi

Joined: 25 Mar 2003
Posts: 2495
Location: Melbourne, Australia

Table 36 of "WMQ z/OS System Setup Guide v7.0" says
Quote:
Generic switch profiles such as hlq.NO.** are ignored by WebSphere MQ


If you are serious about implementing proper MQ security on z/OS, do not define any switch profiles at all.

Refer to http://www.ibm.com/developerworks/websphere/library/techarticles/0906_schneider/0906_schneider.html
_________________
Glenn
bruce2359
Posted: Sun Jan 24, 2010 7:04 am

Poobah

Joined: 05 Jan 2008
Posts: 9399
Location: US: west coast, almost. Otherwise, enroute.

I agree completely with gbaddeley.

When defined for a given qmgr, security switch profiles disable/bypass/inhibit/ignore security checks.

As a best practice, start with absolutely all security checks enabled (no switches set); then grant access to MQ resources to users/groups/address spaces, etc., as the business requirement demands.
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
IEFBR14
Posted: Thu Jan 28, 2010 10:50 pm

Newbie

Joined: 22 Jan 2010
Posts: 4

Thank you very much for your answers. I must have overlooked the small note on Table 36.
I will discuss your suggestion about enabling all security checks with our MQ administrators. I think enabling all security checks will be done by purging all generic switch profiles. According to Tom Schneider's document, the subsequently needed profiles are generic-eligible. And so we are all happy: MQ has more security and RACF has fewer profiles.
Cheers
Michael
bruce2359
Posted: Fri Jan 29, 2010 9:38 am

Poobah

Joined: 05 Jan 2008
Posts: 9399
Location: US: west coast, almost. Otherwise, enroute.

Quote:
QMA2.NO.CONTEXT.CHECKS

However, it was not successful and we gain messages like
"CSQH024I ^QMA1 CSQHINIT CONTEXT security switch set ON, profile 'QMA1.NO.CONTEXT.CHECKS' not found" from the QMA1MSTR ASID. Subsequent start of e.g. channel initiator ASID fails.


Does the CHIN address space fail - like abend? Post the SYSLOG from the CHIN here.

Or did just a channel fail to start?
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
IEFBR14
Posted: Sun Jan 31, 2010 10:47 pm

Newbie

Joined: 22 Jan 2010
Posts: 4

Bruce,
the CHIN STC failed with RC=12 but no ABEND. This obviously was caused by the switch profile. I replaced the discrete profiles with generic ones. According to the small note on Table 36 (which I had missed), the STC user then needs access to various queue profiles. These were not defined in our installation.
Cheers
Michael

From JESYSMSG DD:
CSQX141I ^QMA1 CSQXADPI 8 adapter subtasks started, 0 failed
CSQX410I ^QMA1 CSQXREPO Repository manager started
CSQX151I ^QMA1 CSQXSSLI 0 SSL server subtasks started, 0 failed
CSQX036E ^QMA1 CSQXREPO Unable to open SYSTEM.CLUSTER.TRANSMIT.QUEUE,
MQCC=2 MQRC=2035
CSQX015I ^QMA1 CSQXSPRI 5 dispatchers started, 0 failed
CSQX411I ^QMA1 CSQXREPO Repository manager stopped
CSQX036E ^QMA1 CSQXSUPR Unable to open SYSTEM.CHANNEL.SYNCQ, MQCC=2
MQRC=2035
CSQX005E ^QMA1 CSQXJST Channel initiator failed to start
IEF142I QMA1CHIN QMA1 - STEP WAS EXECUTED - COND CODE 0012

Additional messages concerning SAF/RACF are found in hardcopy log:
ICH408I USER(UQME002 ) GROUP(RZSTCPN ) NAME(..MQ-SERIES/CHANNEL.)
QMA1.CONTEXT.SYSTEM.CLUSTER.TRANSMIT.QUEUE CL(MQADMIN )
PROFILE NOT FOUND - REQUIRED FOR AUTHORITY CHECKING
ACCESS INTENT(CONTROL) ACCESS ALLOWED(NONE )
ICH408I USER(UQME002 ) GROUP(RZSTCPN ) NAME(..MQ-SERIES/CHANNEL.)
QMA1.CONTEXT.SYSTEM.CHANNEL.SYNCQ CL(MQADMIN )
PROFILE NOT FOUND - REQUIRED FOR AUTHORITY CHECKING
ACCESS INTENT(CONTROL) ACCESS ALLOWED(NONE )
bruce2359
Posted: Mon Feb 01, 2010 6:52 am

Poobah

Joined: 05 Jan 2008
Posts: 9399
Location: US: west coast, almost. Otherwise, enroute.

Quote:
CSQX036E ^QMA1 CSQXREPO Unable to open SYSTEM.CLUSTER.TRANSMIT.QUEUE,
MQCC=2 MQRC=2035

As with other IBM products, error messages (like the one above) that end with the letter E are fatal. Your security switches require that there be RACF rules that grant appropriate authority to the address space.

The ICH (RACF) messages tell you what authority is required:
Quote:
ICH408I USER(UQME002 ) GROUP(RZSTCPN ) NAME(..MQ-SERIES/CHANNEL.)
QMA1.CONTEXT.SYSTEM.CLUSTER.TRANSMIT.QUEUE CL(MQADMIN )
PROFILE NOT FOUND - REQUIRED FOR AUTHORITY CHECKING
ACCESS INTENT(CONTROL)
ACCESS ALLOWED(NONE )


[edit]
Please read the security chapter in the WMQ for z/OS System Setup Guide.
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
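As an added example, not code from the thread or from IBM: a Python parser for the multi-line ICH408I messages posted above. It groups each message into a record, flags profile names that RACF would treat as generic (the Table 36 point about switch profiles), and turns each PROFILE NOT FOUND record into a discrete RDEFINE/PERMIT pair that grants only the logged access intent to the logged user, followed by the RACLIST refresh. The sample log is constructed from the lines in this thread; permitting the STC user ID directly is a placeholder for whatever group an installation actually uses, so the generated commands are input for review rather than something to submit unread.

```python
import re
# Constructed sample, modelled on the hardcopy-log lines posted in this thread.
SAMPLE_LOG = """\
ICH408I USER(UQME002 ) GROUP(RZSTCPN ) NAME(..MQ-SERIES/CHANNEL.)
QMA1.CONTEXT.SYSTEM.CLUSTER.TRANSMIT.QUEUE CL(MQADMIN )
PROFILE NOT FOUND - REQUIRED FOR AUTHORITY CHECKING
ACCESS INTENT(CONTROL) ACCESS ALLOWED(NONE )
ICH408I USER(UQME002 ) GROUP(RZSTCPN ) NAME(..MQ-SERIES/CHANNEL.)
QMA1.CONTEXT.SYSTEM.CHANNEL.SYNCQ CL(MQADMIN )
PROFILE NOT FOUND - REQUIRED FOR AUTHORITY CHECKING
ACCESS INTENT(CONTROL) ACCESS ALLOWED(NONE )
"""

HEADER = re.compile(r"^ICH408I USER\((\S+)\s*\) GROUP\((\S+)\s*\)")
RESOURCE = re.compile(r"^(\S+) CL\((\S+)\s*\)")            # resource name and RACF class
ACCESS_RX = re.compile(r"ACCESS (INTENT|ALLOWED)\((\S+)\s*\)")

def parse_ich408(text):
    """Group the multi-line ICH408I messages of a hardcopy log into one dict per message."""
    records, cur = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:                              # first line names the user and group checked
            cur = dict(user=m.group(1), group=m.group(2), resource="", cls="", reason="", intent="", allowed="")
            records.append(cur)
        elif cur is None:
            continue                       # lines before the first ICH408I
        elif RESOURCE.match(line) and not cur["resource"]:
            cur["resource"], cur["cls"] = RESOURCE.match(line).groups()
        elif ACCESS_RX.search(line):       # INTENT/ALLOWED may share a line or be wrapped
            for kind, val in ACCESS_RX.findall(line):
                cur[kind.lower()] = val
        elif not cur["reason"]:            # e.g. PROFILE NOT FOUND - REQUIRED FOR ...
            cur["reason"] = line.strip()
    return records

def is_generic(profile):
    """True if RACF treats the name as generic; Table 36 says MQ ignores generic switch profiles."""
    return any(c in profile for c in "%*")

def missing_profile_commands(records):
    """Discrete RDEFINE/PERMIT pair per PROFILE NOT FOUND record: only the logged intent
    for the logged user (placeholder for a group), then a RACLIST refresh per class."""
    cmds = []
    for r in records:
        if r["reason"].startswith("PROFILE NOT FOUND"):
            cmds.append(f"RDEFINE {r['cls']} {r['resource']} UACC(NONE)")
            cmds.append(f"PERMIT {r['resource']} CLASS({r['cls']}) ID({r['user']}) ACCESS({r['intent']})")
    cmds += [f"SETROPTS RACLIST({c}) REFRESH" for c in sorted({r["cls"] for r in records})]
    return cmds
```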