Disable REFRESH SSL option in MQ Explorer?

tgow (Novice; Joined: 02 Dec 2004; Posts: 15; Location: Reston, VA)
Posted: Thu Mar 25, 2010 7:44 am    Post subject: Disable REFRESH SSL option in MQ Explorer?

Hi All,
I am using WMQ 6.0.2.1 on Solaris 10 and Explorer 7.0 on Windows (XP).

I have read an article available online (Hursley's) about making Explorer (7.0 / for Windows / Eclipse) read-only and have been working on making this the case. I have had mostly great success in doing so. I have, however, discovered what seems to be a flaw (for me, anyway).

Even though I have limited myself (and my group!) from seeing objects that shouldn't be seen (I am in the process of testing for read-only use by an application support team), I can still do a Refresh SSL through the security menu on the queue manager (WMQ 6). This might be a deal-killer for me because resetting SSL would affect many other users and applications on this queue manager.

I have checked (just to see) and I cannot refresh authorizations... only SSL.

I have attempted to find this solution by using both Google and search here at mqseries.net (and on IBM / developerWorks...). Any thoughts / ideas / comments regarding this dilemma are welcome! (Please!)

-Seth
		
fjb_saper (Grand High Poobah; Joined: 18 Nov 2003; Posts: 20767; Location: LI, NY)
Posted: Thu Mar 25, 2010 9:23 am

What permissions did you give on the qmgr object?
_________________
MQ & Broker admin
		
tgow
Posted: Thu Mar 25, 2010 10:24 am

All of these settings are as per the aforementioned article on read-only access....
qmgr = +connect, +inq, and +dis

SYSTEM.DEFAULT.MODEL.QUEUE  +browse +get +inq
SYSTEM.ADMIN.COMMAND.QUEUE +browse +get +inq +put
SYSTEM.MQEXPLORER.REPLY.MODEL +browse +dsp +get +inq
		
bruce2359 (Poobah; Joined: 05 Jan 2008; Posts: 9486; Location: US: west coast, almost. Otherwise, enroute.)
Posted: Thu Mar 25, 2010 10:42 am

Are you doing this testing with a userid in the MQ admin group?
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
		
tgow
Posted: Thu Mar 25, 2010 11:08 am

No. I am only in the usergroup "fisg" which has only the permissions listed above.
I have no access to look at, delete, or create any queue, channel, or process / namelist. I also just checked and I cannot refresh security, only SSL refresh. I cannot modify any authorizations through Explorer, either.

This is a standard MQ install as well.
		
tgow
Posted: Thu Mar 25, 2010 11:10 am

Also, my connectivity is through a TAB file for this QMGR and SSL is enabled and working fine, so it's not like I can even have an mqm MCAUSER from Explorer (and the channel has blank MCAUSER()).
		
bruce2359
Posted: Thu Mar 25, 2010 11:23 am

Quote:
    No. I am only in the usergroup "fisg" which has only the permissions listed above.

Can you successfully issue the equivalent MQSC command locally (not with the Explorer) on the qmgr? Do you get a security violation on the local qmgr?

Is the userid you are using also in the admin group? Was it ever in the admin group?
		
tgow
Posted: Thu Mar 25, 2010 11:33 am

I can't locally get into runmqsc on our system without mqm access (which can only be gained temporarily via sudo). From my Windows box the MCA being populated is a system-wide LDAP / Active Directory userid (same id on all of our Linux / UNIX boxes).
My userid is new and has never belonged to an admin group (except in cases where I have sudoed in the past), which is a temporary add to a sudoers group for a 6 hour time window, after which point my id is removed from the group and the cache (LDAP) is reset.

$ runmqsc QM.EXPLORER
/usr/bin/runmqsc: Permission denied
		
mqjeff (Grand Master; Joined: 25 Jun 2008; Posts: 17447)
Posted: Thu Mar 25, 2010 12:06 pm
		
tgow
Posted: Thu Mar 25, 2010 1:08 pm

I guess it's time to reconsider my options.
I see that MA96 (MQ Browser) covers what I mostly need; perhaps I will check this out...
		
bruce2359
Posted: Thu Mar 25, 2010 1:56 pm

Quote:
    REFRESH SECURITY does not appear to be a PCF command for which authority checking is performed.

You can imagine how far my jaw dropped with this. REFRESH SECURITY SSL is quite intrusive to running SSL channels.
		
mvic (Jedi; Joined: 09 Mar 2004; Posts: 2080)
Posted: Thu Mar 25, 2010 3:59 pm

tgow wrote:
    all of these settings are as per the aforementioned article on read-only access....
    qmgr = +connect, +inq, and +dis

Are you sure it doesn't have +chg on the qmgr?

Please check the user your PCF is being put by, and check the output from dspmqaut for that user.
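One way to carry out the dspmqaut check mvic asks for, as an added shell example that is not from this thread or from IBM MQ: it reads dspmqaut output for a principal's queue-manager authorities and flags anything beyond the read-only set tgow listed (connect, inq, dsp). The output layout, the queue manager name QM.EXPLORER and the `dspmqaut -m QM.EXPLORER -t qmgr -g fisg` invocation are assumptions, and the sample output is constructed so the script runs offline.

```shell
#!/bin/sh
# Added example: audit a read-only group's queue-manager authorities.
# Assumed invocation on the MQ host (not run here):
#   dspmqaut -m QM.EXPLORER -t qmgr -g fisg | audit_qmgr_auths
# Assumed output layout: a header line, then one authority per line:
#   Entity fisg has the following authorizations for object QM.EXPLORER:
#           connect
#           inq
#           dsp

# Authorities a read-only Explorer user needs on the qmgr object.
ALLOWED="connect inq dsp"

# Read dspmqaut output from stdin, print every authority not in ALLOWED,
# and return 0 if none were found, 1 otherwise.
audit_qmgr_auths() {
    extra=0
    while read -r auth; do
        case "$auth" in
            ''|Entity*) continue ;;     # skip blank lines and the header
        esac
        found=0
        for ok in $ALLOWED; do
            [ "$auth" = "$ok" ] && found=1
        done
        if [ "$found" -eq 0 ]; then
            echo "unexpected authority on qmgr: $auth"
            extra=$((extra + 1))
        fi
    done
    [ "$extra" -eq 0 ]
}

# Constructed sample output, not captured from a real queue manager.
SAMPLE_READONLY='Entity fisg has the following authorizations for object QM.EXPLORER:
        connect
        inq
        dsp'
SAMPLE_WITH_CHG="$SAMPLE_READONLY
        chg"

# Run the audit over a sample string; the exit status is the audit result.
check_sample() {
    printf '%s\n' "$1" | audit_qmgr_auths
}

check_sample "$SAMPLE_READONLY" && echo "fisg: read-only set only"
check_sample "$SAMPLE_WITH_CHG" || echo "fisg: can alter the queue manager"
```

A clean result only rules out a stray +chg on the qmgr object; it says nothing about commands the command server accepts without an authority check.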
		
mqjeff
Posted: Thu Mar 25, 2010 4:02 pm

mvic wrote:
    tgow wrote:
        all of these settings are as per the aforementioned article on read-only access....
        qmgr = +connect, +inq, and +dis

    Are you sure it doesn't have +chg on the qmgr?

    Please check the user your PCF is being put by, and check the output from dspmqaut for that user.

Are you suggesting that REFRESH SECURITY might have authority checking performed by the Command Server?
		
mvic
Posted: Thu Mar 25, 2010 4:36 pm

mqjeff wrote:
    Are you suggesting that REFRESH SECURITY might have authority checking performed by the Command Server?

It doesn't seem likely to me that there is no checking.
		
JasonE (Grand Master; Joined: 03 Nov 2003; Posts: 1220; Location: Hursley)
Posted: Fri Mar 26, 2010 3:19 am

Try 7.0.1.* and you should find there is appropriate checking on the user requesting the command.
5.3, 6.0 (and 7.0.0.*) did not do any checking (I presume, and it's a guess, because read-only Explorer wasn't considered since the product didn't easily provide it, and hence users already had to have write access to the command queue) - the solution to this was therefore designed and implemented for 7.0.1.
		