zpat
Posted: Mon Feb 14, 2011 2:48 am    Post subject: ACLs for receiver channel MCAUSER
Jedi Council, Joined: 19 May 2001, Posts: 5866, Location: UK

There are some old threads on this but they were a bit messy so....
I have a RECEIVER channel from a third-party. I want to ensure that this channel can only put and get from a restricted range of queues (e.g. APPNAME.QUEUE1,2,3 etc)
So I create a generic SETMQAUT profile (APPNAME.**) and permit a group (APPGROUP) to have +allmqi +dsp +clr authorities. I also grant this group access to the system DLQ.
I create a user (APPUSER) in group APPGROUP. I set the receiver channel MCAUSER to APPUSER. I then refresh security.
This should be enough, but when the receiver channel starts, I get errors like this:
AMQ8077: Entity 'APPUSER ' has insufficient authority to access object 'SYSTEM.CHANNEL.SYNCQ'.
AMQ9587: Program cannot open queue manager object.
EXPLANATION: The attempt to open object '%CHLBATCH.10' on queue manager 'XXXXXX' failed with reason code 2035.
So the questions:
(1) are these two errors related?
(2) what access to the SYSTEM.CHANNEL.SYNCQ does APPGROUP need (and why does it need it)?
(3) What is '%CHLBATCH.10'?
It's curious that I have something similar working on another QM without any application write access to this system queue.
The APPGROUP access granted to SYSTEM queues is +inq +browse +dsp
Websphere MQ 7.0.1.3 on Linux86-64.
The auth event message says MQRQ_OPEN_NOT_AUTHORIZED, SYSTEM.CHANNEL.SYNCQ

gbaddeley
Posted: Mon Feb 14, 2011 4:53 pm
Jedi Knight, Joined: 25 Mar 2003, Posts: 2538, Location: Melbourne, Australia

The MCA needs to get/put messages on SYSTEM.CHANNEL.SYNCQ and %CHLBATCH.10 to allow synchronization of batches of messages being transmitted over the channel.
Glenn

santnmq
Posted: Mon Feb 14, 2011 9:20 pm
Centurion, Joined: 11 Jan 2011, Posts: 125

SYSTEM.CHANNEL.SYNCQ is used to maintain sequence numbers and logical units of work identifiers (LUWID) of channels, so you need to have the put permission on this queue for your user group.

PeterPotkay
Posted: Tue Feb 15, 2011 7:06 am
Poobah, Joined: 15 May 2001, Posts: 7722

This seems...wrong. If you are trying to tag a RCVR channel with an MCAUSER so that the channel runs with low-level privileges (you want it to be able to only put to specific app queues and the DLQ), it seems counterintuitive to me to give that channel the ability to put to the SYSTEM.CHANNEL.SYNCQ. The sending partner can then just flood your SYSTEM.CHANNEL.SYNCQ with bogus messages.
I have not done MQ 7 yet for this, but on my MQ 6 systems, put access to the SYSTEM.CHANNEL.SYNCQ was not needed.
Peter Potkay
Keep Calm and MQ On

PeterPotkay
Posted: Tue Feb 15, 2011 7:14 am
Poobah, Joined: 15 May 2001, Posts: 7722

This is what I am running with on MQ 6.0.2.8 for low-privileged RCVR channels:
QM = inq, connect, setall
DLQ = put, setall
App queue = put, inq, setall
As of MQ 6 channels are objects in MQ like queues, so the user ID that the channel runs under needs +ctrlx and +dsp to the channel objects to be able to RESET and RESOLVE the channel.
But maybe there is something new in MQ 7 that requires additional auths.
Peter Potkay
Keep Calm and MQ On
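Putting zpat's generic-profile setup and PeterPotkay's MQ 6 minimum list together, here is the provisioning script I would run. It is an added example for this thread, not code posted by anyone in it. The queue manager, group, user, channel and queue-prefix names are assumptions (override them in the environment), and the optional SYSTEM.CHANNEL.SYNCQ grant is the one santnmq quotes from APAR IZ61338 further down; it is kept in its own function so that giving the partner write access to a system queue is a deliberate, reviewable step rather than part of the default grant.

```shell
#!/bin/sh
# Least-privilege authorities for a RCVR channel whose MCAUSER is a non-mqm ID.
# Added example for this thread, not code from any poster. All names below are
# assumptions; override them in the environment. DRY_RUN=1 prints the commands
# instead of executing them, APPLY=1 runs the whole procedure.

QM=${QM:-QM1}
GROUP=${GROUP:-APPGROUP}
MCAUSER=${MCAUSER:-APPUSER}
APP_PREFIX=${APP_PREFIX:-APPNAME}
CHANNEL=${CHANNEL:-THIRDPARTY.TO.QM1}
DLQ=${DLQ:-SYSTEM.DEAD.LETTER.QUEUE}

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Authorities the receiving MCA needs (PeterPotkay's MQ 6.0.2.8 list).
grant_rcvr_auths() {
    # Queue manager: connect and inquire, plus setall because the receiving
    # MCA puts with MQPMO_SET_ALL_CONTEXT to preserve the sender's context.
    run setmqaut -m "$QM" -t qmgr -g "$GROUP" +connect +inq +setall
    # Application queues through one generic profile. A receiver only puts,
    # so no +get/+browse: the partner cannot read these queues back.
    run setmqaut -m "$QM" -n "$APP_PREFIX.**" -t queue -g "$GROUP" +put +inq +setall
    # Dead-letter queue, for messages the MCA cannot deliver.
    run setmqaut -m "$QM" -n "$DLQ" -t queue -g "$GROUP" +put +setall
    # The channel object itself, so the ID can RESET/RESOLVE the channel.
    run setmqaut -m "$QM" -n "$CHANNEL" -t channel -g "$GROUP" +ctrlx +dsp
}

# Only if the channel still fails with AMQ8077 on SYSTEM.CHANNEL.SYNCQ at your
# fix level: the grant santnmq quotes from APAR IZ61338. This lets the partner
# write to a system queue, which is exactly PeterPotkay's objection, so keep it
# separate and apply it knowingly.
grant_syncq_auths() {
    run setmqaut -m "$QM" -n SYSTEM.CHANNEL.SYNCQ -t queue -g "$GROUP" \
        -all +put +inq +setall +crt +get +browse
}

# MQSC to point the channel at the restricted ID and reload the OAM cache.
mqsc_commands() {
    printf '%s\n' \
        "ALTER CHANNEL('$CHANNEL') CHLTYPE(RCVR) MCAUSER('$MCAUSER')" \
        "REFRESH SECURITY TYPE(AUTHSERV)"
}

if [ "${APPLY:-0}" = 1 ]; then
    grant_rcvr_auths
    if [ "${DRY_RUN:-0}" = 1 ]; then
        mqsc_commands
    else
        mqsc_commands | runmqsc "$QM"
    fi
fi
```

Run it once with `DRY_RUN=1 APPLY=1 sh rcvr-auths.sh` and read the output before running it for real; the user APPUSER and group APPGROUP are assumed to exist already (useradd/groupadd is outside the script). Nothing here grants the group any access to SYSTEM.* queues other than the DLQ unless you call grant_syncq_auths yourself.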

zpat
Posted: Tue Feb 15, 2011 8:30 am
Jedi Council, Joined: 19 May 2001, Posts: 5866, Location: UK

Something doesn't look right, and it doesn't seem to happen on another V7 queue manager (which is on AIX).
I can feel a PMR coming on.

santnmq
Posted: Tue Feb 15, 2011 9:36 pm
Centurion, Joined: 11 Jan 2011, Posts: 125

The +crt authority must be granted to the non-administrative ID on the queue SYSTEM.CHANNEL.SYNCQ. The +all authority does not grant +crt authority automatically.
Example usage:
setmqaut -m TEST -g (non_administrative_ID) -n 'SYSTEM.CHANNEL.SYNCQ' -t q -all +put +inq +setall +crt +get +browse
The link below has the complete details.
https://www-304.ibm.com/support/docview.wss?uid=swg1IZ61338
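Before applying a grant like the one above, it is worth knowing exactly which SYSTEM.* queues the partner's channel can already write to, which is PeterPotkay's concern. The following check is an added example, not from the thread: it reads dmpmqaut output for the MCAUSER group and lists every SYSTEM.* queue profile whose authorities go beyond the read-only baseline zpat described (+inq +browse +dsp). The sample records are constructed in dmpmqaut's record layout and are not real output from any queue manager; the baseline and the dead-letter-queue exception are assumptions you should align with your own policy.

```shell
#!/bin/sh
# Audit what a RCVR channel's MCAUSER group can do to SYSTEM.* queues.
# Added example, not from the thread. Feed it the output of
#   dmpmqaut -m <QM> -t q -g <GROUP>
# and it prints one line per SYSTEM.* queue profile that grants more than
# the read-only baseline. Baseline and DLQ exception are assumptions.

# Authorities a non-admin MCAUSER may hold on SYSTEM.* queues without
# being able to write to them (zpat's +inq +browse +dsp baseline).
READ_ONLY="inq browse dsp"
# Queues the receiving MCA legitimately writes to.
WRITE_OK="SYSTEM.DEAD.LETTER.QUEUE"

# audit_system_queues < dmpmqaut-output
# Output: "<profile>: <authorities beyond the baseline>"
audit_system_queues() {
    awk -v ro="$READ_ONLY" -v ok="$WRITE_OK" '
    BEGIN {
        n = split(ro, a, " "); for (i = 1; i <= n; i++) allow[a[i]] = 1
        n = split(ok, b, " "); for (i = 1; i <= n; i++) writeok[b[i]] = 1
        RS = ""; FS = "\n"      # one dmpmqaut record per blank-line-separated block
    }
    {
        prof = ""; otype = ""; auth = ""
        for (i = 1; i <= NF; i++) {
            line = $i
            if (line ~ /^profile:/)          { sub(/^[^:]*:[ ]*/, "", line); prof = line }
            else if (line ~ /^object type:/) { sub(/^[^:]*:[ ]*/, "", line); otype = line }
            else if (line ~ /^authority:/)   { sub(/^[^:]*:[ ]*/, "", line); auth = line }
        }
        # Only queue profiles under SYSTEM., minus the queues we expect writes to.
        if (otype != "queue" || prof !~ /^SYSTEM\./ || (prof in writeok)) next
        # Aggregates such as allmqi or all are not in the baseline, so they are
        # reported as-is; "none" means an explicit empty grant.
        extra = ""
        m = split(auth, w, " ")
        for (i = 1; i <= m; i++) {
            if (w[i] == "none") continue
            if (!(w[i] in allow)) extra = extra (extra == "" ? "" : " ") w[i]
        }
        if (extra != "") printf "%s: %s\n", prof, extra
    }'
}

# Constructed sample in dmpmqaut record layout (not real output from any QM):
# the generic app profile, the DLQ, a read-only SYSTEM.** profile, and the
# SYNCQ grant from the APAR quoted above.
SAMPLE='profile:     APPNAME.**
object type: queue
entity:      APPGROUP
entity type: group
authority:   get browse put inq set dsp clr passid passall setid setall

profile:     SYSTEM.DEAD.LETTER.QUEUE
object type: queue
entity:      APPGROUP
entity type: group
authority:   put setall

profile:     SYSTEM.**
object type: queue
entity:      APPGROUP
entity type: group
authority:   inq browse dsp

profile:     SYSTEM.CHANNEL.SYNCQ
object type: queue
entity:      APPGROUP
entity type: group
authority:   get browse put inq crt setall
'

audit_sample() {
    printf '%s' "$SAMPLE" | audit_system_queues
}
```

Against a live queue manager run `dmpmqaut -m QM1 -t q -g APPGROUP | audit_system_queues`; on the constructed sample only the SYNCQ profile is reported, with `get put crt setall` as the authorities beyond the baseline. An empty report means the partner's channel cannot write to anything under SYSTEM.* except the dead-letter queue.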

zpat
Posted: Tue Feb 15, 2011 10:35 pm
Jedi Council, Joined: 19 May 2001, Posts: 5866, Location: UK

Interesting although my case is not a cluster receiver channel.
Does IBM document the authorities that should be granted to a non-administrative user on a receiver channel?

santnmq
Posted: Tue Feb 15, 2011 11:32 pm
Centurion, Joined: 11 Jan 2011, Posts: 125

Yes it is....
If the MCAUSER attribute of a CLUSRCVR/RCVR channel is configured with a non-administrative user ID (not part of the mqm group) then during channel startup or when a persistent message flows through the channel, the CLUSRCVR/RCVR may report AMQ9587 or AMQ9587 error and AMQ9999 error in the error log and the channel will fail to start or the running channel will end abnormally: