Author | Message

zpat | Jedi Council | Joined: 19 May 2001 | Posts: 5866 | Location: UK
Posted: Thu Jul 08, 2010 5:15 am

If they are not listed as having access, then they don't have access unless they are a member of one of the groups that does have access.
MQ Explorer (latest v7) allows you to test access to a queue by a group or user and it will report what authority they have (if any).

rjlfc | Apprentice | Joined: 04 Apr 2008 | Posts: 31
Posted: Fri Jul 16, 2010 6:41 am

Just thought I would provide an update to you all based on what I have achieved so far, as well as some of my findings...
For background, we are running MQ v7 on Windows 2003, in an MS cluster environment, so a QM runs on one of the servers in the cluster at any one time, but can fail over to the other node in the MS cluster...
So, following all the useful advice, I added a local user and group and added the user to the group (did this on each server in the MS cluster). I then gave the group MQI access to the queues required. NB - in MQ v7 you can do this via MQ Explorer. I placed the user in the MCAUser of the client channel used by the app to access these queues. This worked fine and I could see the connections to the QM by the app showing as the MCAUser.
However, I then realised that when adding the group (same occurs with a user) to the MQ object, when MQ checks it is a valid group (or user) it suffixes the name with the server name. So I realised that if MQ failed over onto the 2nd node in the cluster the app connections to the channel/queues in question would fail, as only group@server1 had access to the queues. Adding a second group to the queues and manually adding the suffix of the 2nd server didn't work as MQ could not verify it as a valid group.
So, rather than fail over MQ just to add the permission again on the 2nd server, I set up a domain group and user (MQ runs under the domain), added the user to the group, added the group to the queues (group@domain) and added user@domain to the MCAUser (according to the MQ docs doing this in the MCAUser was fine). Alas it didn't work, as the app failed to connect to the QM over the channel as MQ could not authorise the user. In other words it couldn't seem to correlate the domain user with the domain group which had the queue privileges (remember the principle worked fine when the user and group were local).
When I changed the queue privileges so that they were against the domain user instead of the domain group, it worked.
So, using:
1. Group privileges against MQ objects worked fine when they were local users and groups.
2. Using user privileges when it was a domain user was also fine.
3. Using group privileges when the group and user were domain based didn't work.
Option 2 was fine for me to proceed with, but thought I'd share my findings with you...
Cheers
Rich

fjb_saper | Grand High Poobah | Joined: 18 Nov 2003 | Posts: 20756 | Location: LI,NY
Posted: Fri Jul 16, 2010 6:47 am

As expected. You can authorize a group but you cannot put a group into the MCAUser of a channel as Windows does not authorize a user with the same name as the group. Just put a user from that group into the MCAUSER field of the channel.
_________________
MQ & Broker admin

rjlfc | Apprentice | Joined: 04 Apr 2008 | Posts: 31
Posted: Fri Jul 16, 2010 6:55 am

That's what I did. For no. 3, which didn't work, the set-up was as follows:
MCAUSER = user1@domainx
Queue (and QM) authority (MQI access only) = group1@domainx
In AD for domainx, user1 was added to group1

mqjava | Voyager | Joined: 25 May 2009 | Posts: 80 | Location: New Jersey
Posted: Tue Aug 10, 2010 7:29 am

zpat wrote:
> Java programs have a bad habit of passing blank connection ids, this can be solved in a variety of ways (ask if interested).

Can you please explain how it can be done?

RogerLacroix | Jedi Knight | Joined: 15 May 2001 | Posts: 3264 | Location: London, ON Canada
Posted: Mon Aug 16, 2010 2:33 pm

mqjava wrote:
> zpat wrote:
> > Java programs have a bad habit of passing blank connection ids, this can be solved in a variety of ways (ask if interested).
> Can you please explain how it can be done?

You can deploy an MQ security product (i.e. MQAUSX or MQSSX) that will make sure all connections have a non-blank UserID.
Regards,
Roger Lacroix
Capitalware Inc.
_________________
Capitalware: Transforming tomorrow into today.
Connected to MQ!
Twitter

may1985 | Newbie | Joined: 01 Mar 2011 | Posts: 5
Posted: Tue Mar 01, 2011 5:24 am

Hello,
I am explaining whatever I know. Please create a user ID (say mqm1) and add that user ID to a group (say mqgroup). In the server connection channel, just mention the ID mqm1 that you have created in the MCAUSER field. And please provide the necessary access to whichever queues the application has to access to the group mqgroup. This will allow those users who are logging in as mqm1 to access those queues. You can restrict their access using the setmqaut command.
Regards,
MDS

zpat | Jedi Council | Joined: 19 May 2001 | Posts: 5866 | Location: UK
Posted: Tue Mar 01, 2011 5:36 am

The question was asked in 2010...!
I would also add - don't forget to refresh security in MQ as well.
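Added example, not code from any post in this thread: a PowerShell script that carries out the set-up rjlfc and may1985 describe (a local user placed in a local group, the group authorised with setmqaut, the user in the channel's MCAUSER), then runs the REFRESH SECURITY zpat reminds us of and finishes with the dspmqaut check that shows what the connecting identity actually gets. The names QM1, APP.SVRCONN, APP.REQUEST, mqappgrp and mqapp1 are placeholders I chose; the script assumes the MQ v7 control commands (runmqsc, setmqaut, dspmqaut) are on the PATH and that it runs on the node currently hosting the queue manager, as a member of the mqm group with local administrator rights.

```powershell
# Added example for this thread, not code any poster ran. Placeholder names below;
# run on the node currently hosting the queue manager, as an mqm member with admin rights.
$Qmgr    = 'QM1'            # queue manager (assumed name)
$Channel = 'APP.SVRCONN'    # server-connection channel the client app uses (assumed)
$Queue   = 'APP.REQUEST'    # application queue (assumed)
$Group   = 'mqappgrp'       # local group that will hold the MQI authorities (assumed)
$User    = 'mqapp1'         # local user that goes in MCAUSER (assumed)

# 1. Create the user and group first and put the user in the group. MQ validates the
#    principal or group when setmqaut runs, so the accounts must exist before step 3.
#    '*' makes "net user" prompt for the password instead of leaving it in the script.
net user $User * /add /passwordchg:no
net localgroup $Group /add
net localgroup $Group $User /add

# 2. Fix the identity on the channel. MCAUSER takes a user, not a group, and overrides
#    whatever (possibly blank) user ID the client sends, so every connection over this
#    channel is authorised as $User. Lower-case values must be quoted in MQSC.
@"
DEFINE CHANNEL($Channel) CHLTYPE(SVRCONN) TRPTYPE(TCP) MCAUSER('$User') REPLACE
"@ | runmqsc $Qmgr

# 3. Authorise the group, not the user: connect and inquire on the queue manager,
#    put/get/inquire/browse on the queue and nothing more. The '+xxx' flags are quoted
#    so PowerShell passes them to setmqaut untouched.
setmqaut -m $Qmgr -t qmgr -g $Group '+connect' '+inq'
setmqaut -m $Qmgr -t queue -n $Queue -g $Group '+put' '+get' '+inq' '+browse'

# 4. Make the queue manager drop its cached authorisations so the new records and the
#    new group membership are picked up without a restart.
'REFRESH SECURITY TYPE(AUTHSERV)' | runmqsc $Qmgr

# 5. Verify what the MCAUSER identity really gets. dspmqaut reports the cumulative
#    authority of a principal including its groups, so the user should show connect on
#    the queue manager and put/get on the queue even though no record was written for
#    the user itself. A missing authority here is the same failure the application
#    would see at MQCONN or MQOPEN.
dspmqaut -m $Qmgr -t qmgr -p $User
dspmqaut -m $Qmgr -t queue -n $Queue -p $User
dspmqaut -m $Qmgr -t queue -n $Queue -g $Group
```

For the MSCS set-up rjlfc describes, the local user and group from step 1 must exist on both nodes, and because the authority record for a local group carries the node name, step 3 has to be repeated on the second node while the queue manager is running there. If a domain group is used instead, pass it to -g as group@domain, as in rjlfc's third attempt; whether the queue manager can resolve the user's membership of that group in a given environment is exactly what the dspmqaut lines at the end report, before any application tries the channel.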