ASG
IBM
Zystems
Cressida
Icon
Netflexity
 
  MQSeries.net
Search  Search       Tech Exchange      Education      Certifications      Library      Info Center      SupportPacs      LinkedIn  Search  Search                                                                   FAQ  FAQ   Usergroups  Usergroups
 
Register  ::  Log in Log in to check your private messages
 
RSS Feed - WebSphere MQ Support RSS Feed - Message Broker Support

MQSeries.net Forum IndexIBM MQ SecurityAuthorities not revoked with setmqaut

Post new topicReply to topic Goto page 1, 2  Next
Authorities not revoked with setmqaut View previous topic :: View next topic
Author Message
rickwatsonb
PostPosted: Thu Apr 21, 2011 6:36 am Post subject: Authorities not revoked with setmqaut Reply with quote

Voyager

Joined: 15 Aug 2006
Posts: 87
Location: USA: Mid-West

Hi,

We have MQ 6.0.2.6 on a Solaris box. I am working on changing from a MCAUSER (mqm) SVRCONN channel to a non-mqm channel and applying OAM authorities.

I am unable to remove unwanted authorities for the “other” group and have tried (-all +none, -remove, -alladm) for the code shown below. The setmqaut commands run successfully, but nothing is changed.

The original UNIX /etc/group and /etc/passwd files were set up so that a spider web was created. It is complicated to explain, but here is a short version: group mqbrkrs had ‘other’ as its primary group, msbroker belonged to the mqbrkrs group, and msbroker belonged to the mqm group with mqm as its primary group.

This setup granted several authorities that were not wanted. The /etc files have been fixed, but I am unable to remove the authorities granted to ‘other’.

BTW - I have looked on the web/mqseries and read the “Setmqaut returns "authorization specification not valid” post.

setmqaut -m QMGR1-n '**' -t queue -g other -all +none
setmqaut -m QMGR1-g other -n '**' -t namelist -all +none
setmqaut -m QMGR1-g other -n '**' -t process -all +none
setmqaut -m QMGR1-g other -n '**' -t authinfo -all +none
setmqaut -m QMGR1-g other -n '**' -t channel -all +none
setmqaut -m QMGR1-g other -n '**' -t service -all +none
setmqaut -m QMGR1-g other -n '**' -t listener -all +none
setmqaut -m QMGR1-g other -n '**' -t clntconn -all +none
setmqaut -m QMGR1-t qmgr -g other -all +none

(also tried: -remove, -alladm)

Thanks for your help.
Back to top
View user's profile Send private message
mqjeff
PostPosted: Thu Apr 21, 2011 6:44 am Post subject: Reply with quote

Grand Master

Joined: 25 Jun 2008
Posts: 17447

what does dspmqaut return for the 'other' group?
Back to top
View user's profile Send private message
rickwatsonb
PostPosted: Thu Apr 21, 2011 7:27 am Post subject: Reply with quote

Voyager

Joined: 15 Aug 2006
Posts: 87
Location: USA: Mid-West

Thanks for your reply mqjeff.

I know you asked for dmpmqaut output but I have a script that runs amqoamd for groups which will show similar authority output. Shown below is some of output. I grouped all application queues into QUEUE1.

setmqaut -m QMGR1 -n QUEUE1 -t queue -g other +browse +get +inq +passall +passid +put +set +setall +setid +chg +clr +dlt +dsp

setmqaut -m QMGR1-t qmgr -g other +crt

setmqaut -m QMGR1-n SYSTEM.DEFAULT.NAMELIST -t namelist -g other +crt
setmqaut -m QMGR1-n SYSTEM.DEFAULT.PROCESS -t process -g other +crt
setmqaut -m QMGR1-n SYSTEM.DEFAULT.AUTHINFO.CRLLDAP -t authinfo -g other +crt
setmqaut -m QMGR1-n SYSTEM.DEF.REQUESTER -t channel -g other +crt
setmqaut -m QMGR1-n SYSTEM.DEFAULT.SERVICE -t service -g other +crt
setmqaut -m QMGR1-n SYSTEM.DEFAULT.LISTENER.TCP -t listener -g other +crt
setmqaut -m QMGR1-n SYSTEM.DEF.CLNTCONN -t clntconn -g other +crt
setmqaut -m QMGR1-n SYSTEM.DEFAULT.LOCAL.QUEUE -t queue -g other +crt
setmqaut -m QMGR1-n SYSTEM.DEFAULT.NAMELIST -t namelist -g other +inq +chg +dlt +dsp
setmqaut -m QMGR1-n SYSTEM.DEF.REQUESTER -t channel -g other +chg +dlt +dsp +ctrl +ctrlx
setmqaut -m QMGR1-n SYSTEM.DEF.RECEIVER -t channel -g other +chg +dlt +dsp +ctrl +ctrlx
setmqaut -m QMGR1-n SYSTEM.DEF.SENDER -t channel -g other +chg +dlt +dsp +ctrl +ctrlx
setmqaut -m QMGR1-n SYSTEM.DEF.SERVER -t channel -g other +chg +dlt +dsp +ctrl +ctrlx
setmqaut -m QMGR1-n SYSTEM.DEF.CLNTCONN -t clntconn -g other +chg +dlt +dsp
setmqaut -m QMGR1-n SYSTEM.DEF.SVRCONN -t channel -g other +chg +dlt +dsp +ctrl +ctrlx
setmqaut -m QMGR1-n SYSTEM.DEF.CLUSSDR -t channel -g other +chg +dlt +dsp +ctrl +ctrlx
setmqaut -m QMGR1-n SYSTEM.DEF.CLUSRCVR -t channel -g other +chg +dlt +dsp +ctrl +ctrlx
setmqaut -m QMGR1-n SYSTEM.AUTO.RECEIVER -t channel -g other +chg +dlt +dsp +ctrl +ctrlx
setmqaut -m QMGR1-n SYSTEM.AUTO.SVRCONN -t channel -g other +chg +dlt +dsp +ctrl +ctrlx
setmqaut -m QMGR1-n SYSTEM.DEFAULT.AUTHINFO.CRLLDAP -t authinfo -g other +inq +chg +dlt +dsp
setmqaut -m QMGR1-n SYSTEM.PENDING.DATA.QUEUE -t queue -g other +browse +get +inq +passall +passid +put +set +setall +setid +chg +clr +dlt +dsp
setmqaut -m QMGR1-n SYSTEM.DEFAULT.LISTENER.TCP -t listener -g other +chg +dlt +dsp +ctrl
setmqaut -m QMGR1-n SYSTEM.DEFAULT.SERVICE -t service -g other +chg +dlt +dsp +ctrl
setmqaut -m QMGR1-n SYSTEM.BROKER -t service -g other +chg +dlt +dsp +ctrl
Back to top
View user's profile Send private message
mqjeff
PostPosted: Thu Apr 21, 2011 7:35 am Post subject: Reply with quote

Grand Master

Joined: 25 Jun 2008
Posts: 17447

Does the same setmqaut command work for a different group, that fails for the other group?
Back to top
View user's profile Send private message
rickwatsonb
PostPosted: Thu Apr 21, 2011 7:57 am Post subject: Reply with quote

Voyager

Joined: 15 Aug 2006
Posts: 87
Location: USA: Mid-West

Thanks for your reply mqjeff.

I am able to set authorities for a different group (e.g. usergrp) with the same setmqaut syntax.

I ran a test with "other" group and was able to change authorities on a queue, but revoking all authorities did not work (crt remains). This is shown below:

dev1:/var/mqm>dspmqaut -m QMGR1-n QUEUE.TEST -t queue -g other
Entity other has the following authorizations for object QUEUE.TEST:
get
browse
put
inq
set
crt
dlt
chg
dsp
passid
passall
setid
setall
clr
dev1:/var/mqm>setmqaut -m QMGR1-n QUEUE.TEST -t queue -g other -all +inq
The setmqaut command completed successfully.
dev1:/var/mqm>dspmqaut -m QMGR1-n QUEUE.TEST -t queue -g other
Entity other has the following authorizations for object QUEUE.TEST:
inq
crt
dev1:/var/mqm>setmqaut -m QMGR1-n QUEUE.TEST -t queue -g other -all +none
The setmqaut command completed successfully.
dev1:/var/mqm>dspmqaut -m QMGR1-n QUEUE.TEST -t queue -g other
Entity other has the following authorizations for object QUEUE.TEST:
crt
Back to top
View user's profile Send private message
mqjeff
PostPosted: Thu Apr 21, 2011 8:03 am Post subject: Reply with quote

Grand Master

Joined: 25 Jun 2008
Posts: 17447

Is the user running the setmqaut command a member of the other group or a member of a group that's a member of the other group?

Is the mqm user still a member of the other group?
Back to top
View user's profile Send private message
rickwatsonb
PostPosted: Thu Apr 21, 2011 8:34 am Post subject: Reply with quote

Voyager

Joined: 15 Aug 2006
Posts: 87
Location: USA: Mid-West

Thanks mqjeff.

mqm uid is running the setmqaut commands.

mqm uid belongs only to mqm group (past and present).
mqm is the only uid that belongs to the mqm group (now).

Previously there was a tie into the mqm group, I think because msbroker uid belonged to the mqm group (its primary group) and to a group where one of the uids had "other" as its primary group.

Also, two other queue managers exist on this same server and I did not encounter this problem with them.

My job is to rectify this of course. I appreciate your help.
Back to top
View user's profile Send private message
mqjeff
PostPosted: Thu Apr 21, 2011 8:42 am Post subject: Reply with quote

Grand Master

Joined: 25 Jun 2008
Posts: 17447

Is there any entity that might be providing other with this +crt authorization - a group that other belongs to or etc... ?

Does dmpmqaut (rather than dspmqaut) show different authorities?

You are close to a PMR, however.
Back to top
View user's profile Send private message
rickwatsonb
PostPosted: Thu Apr 21, 2011 8:53 am Post subject: Reply with quote

Voyager

Joined: 15 Aug 2006
Posts: 87
Location: USA: Mid-West

I wrote a "display script" that outputs the results to files for all of the dispaly authority commands (dspmqaut, dmpmqaut, amqoamd).

It is shown in all of the outputs that the group "other" has authorities.

Thank you for your help and quick replys mqjeff; I appreciate it.

I will submit a PMR.
Back to top
View user's profile Send private message
gbaddeley
PostPosted: Tue Apr 26, 2011 6:16 pm Post subject: Reply with quote

Jedi Knight

Joined: 25 Mar 2003
Posts: 2527
Location: Melbourne, Australia

crt authority is stored in a separate profile named "@CLASS" which exists for each object type, and the authority applies to all objects of that type.

If you do "setmqaut .... -crt" on a queue profile it will remove the authority for the given entity on all queues.
_________________
Glenn
Back to top
View user's profile Send private message
gbaddeley
PostPosted: Tue Apr 26, 2011 8:47 pm Post subject: Reply with quote

Jedi Knight

Joined: 25 Mar 2003
Posts: 2527
Location: Melbourne, Australia

rickwatsonb wrote:
I wrote a "display script" that outputs the results to files for all of the dispaly authority commands (dspmqaut, dmpmqaut, amqoamd). It is shown in all of the outputs that the group "other" has authorities.


Be wary of using amqoamd, it is unsupported, and does not display profiles that have +none authority. Recent versions of saveqmgr with -z option displays these profiles.
_________________
Glenn
Back to top
View user's profile Send private message
rickwatsonb
PostPosted: Wed Apr 27, 2011 6:43 am Post subject: Reply with quote

Voyager

Joined: 15 Aug 2006
Posts: 87
Location: USA: Mid-West

Hi,

Thank you for the information gbaddeley.

The feedback from the PMR suggested that we re-create the queue managers because of IC53545:

http://www-01.ibm.com/support/docview.wss?uid=swg1IC53545

Thanks everyone for your help!
Back to top
View user's profile Send private message
mqjeff
PostPosted: Wed Apr 27, 2011 6:46 am Post subject: Reply with quote

Grand Master

Joined: 25 Jun 2008
Posts: 17447

You said the qmgr was running on Solaris?
Back to top
View user's profile Send private message
rickwatsonb
PostPosted: Wed Apr 27, 2011 6:58 am Post subject: Reply with quote

Voyager

Joined: 15 Aug 2006
Posts: 87
Location: USA: Mid-West

Yes, queue managers are on a Solaris 10 box.
Back to top
View user's profile Send private message
mqjeff
PostPosted: Wed Apr 27, 2011 7:17 am Post subject: Reply with quote

Grand Master

Joined: 25 Jun 2008
Posts: 17447

The APAR mentioned only applies to Windows, as it has to do with Windows SIDS being retained by the OAM.
Back to top
View user's profile Send private message
Display posts from previous:
Post new topicReply to topic Goto page 1, 2  Next Page 1 of 2

MQSeries.net Forum IndexIBM MQ SecurityAuthorities not revoked with setmqaut
Jump to:



You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
Protected by Anti-Spam ACP


Theme by Dustin Baccetti
Powered by phpBB 2001, 2002 phpBB Group

Copyright MQSeries.net. All rights reserved.