| Author |
Message
|
| askeggs |
 Posted: Thu Aug 11, 2011 10:24 pm Post subject: ACL deletion problem |
 |
|
Novice
Joined: 30 Dec 2004
Posts: 14
|
Hi,
We're on V6.0.0.11 of Broker on AIX. I know it's out of support; don't have the option to upgrade.
A security requirement has arrived "all ACLs must be qualified with the machine name". I can do this for all entries except the orgiginal one that was created on broker creation which is the first one listed here. Broker is running as mqsi.
$ mqsilistaclentry CMGR01
BIP1778I: mqsi - USER - F - ConfigManagerProxy - ConfigMa nagerProxy
BIP1778I: hostx\bill - USER - F - ConfigManagerProxy - ConfigMa nagerProxy
BIP1778I: hostx\mqsi - USER - F - ConfigManagerProxy - ConfigMa nagerProxy
Even though I have other working entries that I can administer with e.g. bill, it won't let me delete the first row. I would like to delete the 1st row which would leave me with row 3 for mqsi.
It says it works:
$ mqsideleteaclentry CMGR01 -u mqsi -m "" -p
BIP8071I: Successful command completion.
but it doesn't. The entry remains.
So the question is, what's the trick to removing that entry? Or is it impossible?
I have tried deleting it while logged in as bill. This also reports success but doesn't work.
Thanks.
_________________
Adam. |
|
| Back to top |
|
 |
| fjb_saper |
| Posted: Thu Aug 11, 2011 11:45 pm Post subject: |
|
|
Grand High Poobah
Joined: 18 Nov 2003
Posts: 20756
Location: LI,NY
|
Have you tried deleting with -a (like for all machines) ? 
_________________
MQ & Broker admin |
|
| Back to top |
|
|
| askeggs |
| Posted: Fri Aug 12, 2011 7:02 am Post subject: |
|
|
Novice
Joined: 30 Dec 2004
Posts: 14
|
$ mqsideleteaclentry CMGR01 -u mqsi -a -p
BIP8071I: Successful command completion.
didn't delete anything.
_________________
Adam. |
|
| Back to top |
|
|
| fjb_saper |
| Posted: Fri Aug 12, 2011 7:33 am Post subject: |
|
|
Grand High Poobah
Joined: 18 Nov 2003
Posts: 20756
Location: LI,NY
|
Well I guess it says somewhere that you cannot delete the acl entry created when you created the configmgr...
_________________
MQ & Broker admin |
|
| Back to top |
|
|
| askeggs |
| Posted: Fri Aug 12, 2011 9:00 am Post subject: |
|
|
Novice
Joined: 30 Dec 2004
Posts: 14
|
I actually just want to modify it to include the hostname but there is no modify command. I haven't found the undeletability of the default entry documented yet. Think I will try vendor support.
_________________
Adam. |
|
| Back to top |
|
|
| mqmatt |
| Posted: Mon Aug 15, 2011 6:49 am Post subject: |
|
|
Grand Master
Joined: 04 Aug 2004
Posts: 1213
Location: Hursley, UK
|
It's been a while since I ventured anywhere near V6, but the ConfigMgr's serviceid must always have complete access to the ConfigMgr, and the ConfigMgr will ensure that an ACL always exists to allow this.
Is 'mqsi' also the serviceid? If so, you might want to try changing the serviceid to something else using mqsichangeconfigmgr -i. |
|
| Back to top |
|
|
| askeggs |
| Posted: Mon Aug 15, 2011 6:17 pm Post subject: |
|
|
Novice
Joined: 30 Dec 2004
Posts: 14
|
Thanks for the replies. This worked:
mqsistop CMGR01
mqsichangeconfigmgr CMGR01 -i adamskeg -a ****
as alternate user adamskeg
mqsideleteaclentry CMGR01 -u mqsi -m "" -p
mqsistart CMGR01
mqsicreateaclentry CMGR01 -u mqsi -m wme53aix01 -x F -p
BIP1778I: wme53aix01\mqsi - USER - F - ConfigManagerProxy - ConfigManagerProxy
mqsichangeconfigmgr CMGR01 -i mqsi -a ****
as original user mqsi
mqsistart CMGR01
_________________
Adam. |
|
| Back to top |
|
|
| mqjeff |
| Posted: Tue Aug 16, 2011 4:47 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008
Posts: 17447
|
| That's an interesting trick... and it's nice that it works. Otherwise anyone could create a user named "mqsi" on their machine and have full access to the configmgr. |
|
| Back to top |
|
|
|
|
