Author |
Message
|
phani_16 |
Posted: Mon Mar 14, 2011 1:23 am Post subject: OAM Authorization Service in Windows |
|
|
Novice
Joined: 09 Mar 2011 Posts: 20
|
Hi,
I have created a queue manager (QM1) on a Windows machine with an "Administrator" user and created a queue (QL1) in that queue manager.
Now I have deleted the OAM service configuration for that queue manager from the following path using regedit editor.
HKEY_LOCAL_MACHINE\SOFTWARE\IBM\MQSeries\CurrentVersion\Configuration\QueueManager\QM1\Service\AuthorizationService.
Now I have logged into the Windows machine with a test user (no Administrator privileges) and tried to access the queue (QL1) and the queue manager (QM1), and I'm getting an "AMQ7077:Not authorized" exception.
Is it true that when we delete the OAM service for the queue manager, any user can access the queue manager and its objects? If so, then how come I couldn't access the queue manager objects? |
|
exerk |
Posted: Mon Mar 14, 2011 4:54 am Post subject: Re: OAM Authorization Service in Windows |
|
|
 Jedi Council
Joined: 02 Nov 2006 Posts: 6339
|
phani_16 wrote: |
...Now I have deleted the OAM service configuration for that queue manager from the following path using regedit editor.
HKEY_LOCAL_MACHINE\SOFTWARE\IBM\MQSeries\CurrentVersion\Configuration\QueueManager\QM1\Service\AuthorizationService. |
Why? What are you trying to prove? Why did you not just log on as the test user after creation of the queue manager and see what happened?
phani_16 wrote: |
...Is it true that when we delete the OAM service for the queue manager, any user can access the queue manager and its objects? |
Not that I'm aware of, and it wouldn't be a good default if so.
phani_16 wrote: |
...If so, then how come I couldn't access the queue manager objects? |
As what user were you trying this weird bit of experimentation? _________________ It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
|
bruce2359 |
Posted: Mon Mar 14, 2011 5:27 am Post subject: Re: OAM Authorization Service in Windows |
|
|
 Poobah
Joined: 05 Jan 2008 Posts: 9469 Location: US: west coast, almost. Otherwise, enroute.
|
phani_16 wrote: |
... how come I couldn't access the queue manager objects? |
You will need to be more specific when you say you couldn't access the queue manager.
Did you run some kind of application? If so, what application?
Did the application give you some kind of indication that there was an error? If so, what error? _________________ I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live. |
|
phani_16 |
Posted: Wed Mar 16, 2011 1:49 am Post subject: |
|
|
Novice
Joined: 09 Mar 2011 Posts: 20
|
My objective is to know how OAM is functioning as Authorization Service.
When I have created a queue manager with "Administrator" privileges and try to access the same queue manager with another user, then I can't access it (run control commands like strmqm, endmqm etc.) and will get an error "AMQ7077:Not authorized".
This happens because by default the OAM is enabled for that queue manager. Now if I remove the OAM service for this queue manager, then any user can access the queue manager.
Has anyone tried this one out earlier? |
|
exerk |
Posted: Wed Mar 16, 2011 1:56 am Post subject: |
|
|
 Jedi Council
Joined: 02 Nov 2006 Posts: 6339
|
phani_16 wrote: |
... Now if I remove the OAM service for this queue manager, then any user can access the queue manager... |
Is this a statement, or a question? Having removed the OAM service, were you able to do anything with the queue manager and as any user? |
|
phani_16 |
Posted: Wed Mar 16, 2011 2:11 am Post subject: |
|
|
Novice
Joined: 09 Mar 2011 Posts: 20
|
Hi Jedi,
Do you think I'm trying to make a statement here???
I'm new to WebSphere and trying to clarify my doubts with the help of the forums. If you think my question is stupid, then please ignore my questions.
Thanks for the response anyways. |
|
exerk |
Posted: Wed Mar 16, 2011 2:24 am Post subject: |
|
|
 Jedi Council
Joined: 02 Nov 2006 Posts: 6339
|
phani_16 wrote: |
...Do you think I'm trying to make a statement here??? |
That is what I am trying to determine! You did not answer my previous question, which would have clarified this somewhat, so I'll restate the question: Having removed the OAM service, were you able to do anything with the queue manager and as any user, e.g. could you access it as an Administrator but not a non-administrative user, or could not access it at all?
phani_16 wrote: |
...I'm new to WebSphere and trying to clarify my doubts with the help of the forums. |
Then please answer questions when they are presented - help us to help you. As asked earlier: What are you trying to prove? Why did you not just log on as the test user after creation of the queue manager and see what happened?
phani_16 wrote: |
...If you think my question is stupid, then please ignore my questions. |
I'd have done that long before now if I felt that, but please reciprocate - if you want your questions answered you need to answer ours. |
|
phani_16 |
Posted: Wed Mar 16, 2011 3:26 am Post subject: |
|
|
Novice
Joined: 09 Mar 2011 Posts: 20
|
Hi,
When I have deleted the OAM service for the queue manager, I couldn't run the control commands for this queue manager (even with the Administrator user). I'm getting the following error when trying to start the queue manager using the "Administrator" user.
C:\Documents and Settings\ABBXZ>strmqm QM_TEST
There are 55 days left in the trial period for this copy of WebSphere MQ.
WebSphere MQ queue manager 'QM_TEST' starting.
WebSphere MQ was unable to display an error message 7061.
C:\Documents and Settings\ABBXZ>mqrc AMQ7061
28769 0x00007061 lpiRC_KEY_NOT_FOUND
536899681 0x20007061 lrcW_KEY_NOT_FOUND
MESSAGE:
An expected stanza in the configuration data is missing or contains errors.
EXPLANATION:
An expected stanza is missing from the configuration data or the stanza
contains errors.
ACTION:
If you have changed the configuration data, check and correct the change.
I have a trial version of MQ 7 installed on my machine and so couldn't find the mqs.ini and qm.ini files.
So can you please confirm that we can access the queue manager only when the OAM is running/enabled for that queue manager?
As I'm new to MQ, one of my friends who is familiar with MQ said that we can access the queue manager from any user if the OAM service is deleted for that queue manager.
No harsh feelings on him, but please clarify.
Thanks in advance. |
|
exerk |
Posted: Wed Mar 16, 2011 3:42 am Post subject: |
|
|
 Jedi Council
Joined: 02 Nov 2006 Posts: 6339
|
OK, thank you for answering the questions.
phani_16 wrote: |
When I have deleted the OAM service for the queue manager, I couldn't run the control commands for this queue manager (even with the Administrator user). |
Then it's crystal clear that if the OAM service is deleted, the statement that "...any user can access the queue manager..." is manifestly incorrect.
phani_16 wrote: |
I have a trial version of MQ 7 installed on my machine and so couldn't find the mqs.ini and qm.ini files. |
Search the Info Centre (hint: use the terms 'WebSphere MQ configuration file' and 'Queue manager configuration file').
phani_16 wrote: |
So can you please confirm that we can access the queue manager only when the OAM is running/enabled for that queue manager? |
What do your own observations tell you? Think of what you have done so far, and the effects.
phani_16 wrote: |
As I'm new to MQ, one of my friends who is familiar with MQ said that we can access the queue manager from any user if the OAM service is deleted for that queue manager. |
Your friend is perhaps a little misinformed, or may have misinterpreted THIS |
|
phani_16 |
Posted: Wed Mar 16, 2011 3:50 am Post subject: |
|
|
Novice
Joined: 09 Mar 2011 Posts: 20
|
Hi,
Thanks very much for the explanation.
I will work on the MQSNOAUT environment variable and try to execute some control commands from different users.
Once again, really appreciate your help. |
|
exerk |
Posted: Wed Mar 16, 2011 4:00 am Post subject: |
|
|
 Jedi Council
Joined: 02 Nov 2006 Posts: 6339
|
Be very, very careful with that variable, because while it can be invaluable for a development environment - setting it will allow developers to do the necessary without their userids being put in the mqm group with all the consequent issues that can arise when that set-up gets migrated to higher environments - don't ever use it in a 'real' environment.
Test it by creating a queue manager without MQSNOAUT set (implicit NO) then one with MQSNOAUT set, then delete the queue managers, and recreate them in reverse, i.e. create a queue manager with MQSNOAUT set, then another queue manager without MQSNOAUT set. The easiest way to do the aforementioned is from different command windows with the variable set within each window. |
|
phani_16 |
Posted: Wed Mar 16, 2011 5:18 am Post subject: |
|
|
Novice
Joined: 09 Mar 2011 Posts: 20
|
Hi,
As suggested, I would be very careful not to use it in 'real' environments.
I would work on the prescribed scenario and hopefully will get a clear picture.
Thanks very much. |
|
bruce2359 |
Posted: Wed Mar 16, 2011 5:26 am Post subject: |
|
|
 Poobah
Joined: 05 Jan 2008 Posts: 9469 Location: US: west coast, almost. Otherwise, enroute.
|
Quote: |
Now I have deleted the OAM service configuration for that queue manager from the following path using regedit editor.
HKEY_LOCAL_MACHINE\SOFTWARE\IBM\MQSeries\CurrentVersion\Configuration\QueueManager\QM1\Service\AuthorizationService.
28769 0x00007061 lpiRC_KEY_NOT_FOUND
536899681 0x20007061 lrcW_KEY_NOT_FOUND |
Why did you use regedit to disable OAM?
IMHO, disabling OAM will not yield this failure. Disabling OAM (see URL below) will result in no authorization checks being made.
A quick search of google for 'how to disable wmq authorizationservice' yielded this:
http://www-01.ibm.com/software/integration/library/manuals99/amqzag/amqzag2b.htm |
|
exerk |
Posted: Wed Mar 16, 2011 5:35 am Post subject: |
|
|
 Jedi Council
Joined: 02 Nov 2006 Posts: 6339
|
I think phani_16 was given a poor piece of advice, i.e. "...one of my friend who is familiar with MQ said that we can access the queue manager from any user if the OAM service is deleted for that queue manager...", followed that advice and subsequently got thoroughly confused.
Read upwards a few posts and you'll see that MQSNOAUT has already been covered |
|
bruce2359 |
Posted: Wed Mar 16, 2011 5:46 am Post subject: Re: OAM Authorization Service in Windows |
|
|
 Poobah
Joined: 05 Jan 2008 Posts: 9469 Location: US: west coast, almost. Otherwise, enroute.
|
phani_16 wrote: |
Is it true that when we delete the OAM service for the queue manager, any user can access the queue manager and its objects? |
Yes, OAM is an installable service - which means it is optional.
Quote: |
If so, then how come I couldn't access the queue manager objects? |
Because your fiddling with the Windoze registry apparently did not accomplish what you intended - and thus the configuration error. |
|
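An audit for the two conditions this thread turns on, written as an added example that is not code from any poster or from IBM: it reports queue managers whose AuthorizationService key is missing and any scope in which MQSNOAUT is defined. It assumes the registry layout quoted in the first post; the function name Test-MqAuthorizationConfig is hypothetical.

```powershell
# Added example, not from the thread. The registry root is taken from the
# path quoted in the first post; the function name is hypothetical.
$QmRoot = 'HKLM:\SOFTWARE\IBM\MQSeries\CurrentVersion\Configuration\QueueManager'

function Test-MqAuthorizationConfig {
    param([string]$Root = $QmRoot)

    $findings = @()

    # exerk's test sets MQSNOAUT before a queue manager is created, so report
    # it wherever it is defined: this process, the current user, the machine.
    foreach ($scope in 'Process', 'User', 'Machine') {
        $value = [Environment]::GetEnvironmentVariable('MQSNOAUT', $scope)
        if ($null -ne $value) {
            $findings += [pscustomobject]@{
                Item  = "MQSNOAUT ($scope scope)"
                Issue = "defined with value '$value'; queue managers created here skip authorization checks"
            }
        }
    }

    if (-not (Test-Path -LiteralPath $Root)) {
        Write-Warning "No queue manager configuration found under $Root"
        return $findings
    }

    # One subkey per queue manager; each is expected to carry
    # Service\AuthorizationService (the key deleted in the first post).
    foreach ($qm in Get-ChildItem -LiteralPath $Root) {
        $authKey = Join-Path $qm.PSPath 'Service\AuthorizationService'
        if (-not (Test-Path -LiteralPath $authKey)) {
            $findings += [pscustomobject]@{
                Item  = "Queue manager $($qm.PSChildName)"
                Issue = 'AuthorizationService key missing; in this thread that made strmqm fail with AMQ7061'
            }
        }
    }
    return $findings
}

Test-MqAuthorizationConfig | Format-Table -AutoSize -Wrap
```

An empty result means every queue manager under that root still has its AuthorizationService key and MQSNOAUT is not defined in any of the three scopes.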