ASG
IBM
Zystems
Cressida
Icon
Netflexity
 
  MQSeries.net
Search  Search       Tech Exchange      Education      Certifications      Library      Info Center      SupportPacs      LinkedIn  Search  Search                                                                   FAQ  FAQ   Usergroups  Usergroups
 
Register  ::  Log in Log in to check your private messages
 
RSS Feed - WebSphere MQ Support RSS Feed - Message Broker Support

MQSeries.net Forum Index » IBM MQ Security » Authorities not revoked with setmqaut

Post new topic  Reply to topic Goto page Previous  1, 2
 Authorities not revoked with setmqaut « View previous topic :: View next topic » 
Author Message
rickwatsonb
PostPosted: Wed Apr 27, 2011 7:55 am    Post subject: Reply with quote

Voyager

Joined: 15 Aug 2006
Posts: 87
Location: USA: Mid-West
Good catch mqjeff.

The feedback I got from IBM was IC53545. I also accepted the suggestion to re-create the queue manager; it was actually an idea that I proposed.

I will be implementing this on Sunday in QAT. If there is a better solution out there I am all ears!

Thanks!
Back to top
View user's profile Send private message
fjb_saper
PostPosted: Wed Apr 27, 2011 10:40 am    Post subject: Reply with quote

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20756
Location: LI,NY
rickwatsonb wrote:
Good catch mqjeff.

The feedback I got from IBM was IC53545. I also accepted the suggestion to re-create the queue manager; it was actually an idea that I proposed.

I will be implementing this on Sunday in QAT. If there is a better solution out there I am all ears!

Thanks!

Can't remember if it is myth or truth, but I seem to have a vague recollection that you can't remove the crt authority from the userid that originally created the queue. Unless you change that field with a DEF REPLACE?
Anyways it may be worth a try...
As a policy have queues only be created by the mqm user.


_________________
MQ & Broker admin
Back to top
View user's profile Send private message Send e-mail
rickwatsonb
PostPosted: Wed Apr 27, 2011 11:11 am    Post subject: Reply with quote

Voyager

Joined: 15 Aug 2006
Posts: 87
Location: USA: Mid-West
Thank you all for your feedback.

Just to be clear, since this thread is getting long, the group that I have been unable to remove authorities for is the group "other" on Solaris. I tried gbaddeley's idea, but it did not work.

Originally the queue manager and all components were created by uid mqm. The group "other" was granted authorities because another uid belonged to the mqm group, and additional groups such that a "tree" or "spider web" of authorities were generated when the queue manager was created.

The /etc/group file has been edited to contain only one uid in the mqm group; the mqm uid.

To eliminate the un-wanted authorities, it is deemed that the queue manager will need to be created.

Learned a lot - thanks!
Back to top
View user's profile Send private message
rickwatsonb
PostPosted: Wed Apr 27, 2011 11:12 am    Post subject: Reply with quote

Voyager

Joined: 15 Aug 2006
Posts: 87
Location: USA: Mid-West
Correction:

To eliminate the un-wanted authorities, it is deemed that the queue manager will need to be RE-CREATED.
Back to top
View user's profile Send private message
Display posts from previous:   
Post new topic  Reply to topic Goto page Previous  1, 2 Page 2 of 2

MQSeries.net Forum Index » IBM MQ Security » Authorities not revoked with setmqaut
Jump to:  



You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
Protected by Anti-Spam ACP
  
 


Theme by Dustin Baccetti
Powered by phpBB © 2001, 2002 phpBB Group

Copyright © MQSeries.net. All rights reserved.