
MQSeries.net Forum Index » IBM MQ Security » upgrade 7.1 - unable to see queues via explorer

freak
Posted: Fri May 18, 2012 1:39 am    Post subject: upgrade 7.1 - unable to see queues via explorer

I had upgraded WebSphere MQ from v7.0 to v7.1 on Win2008R2 64-bit.

My WebSphere MQ service runs under a service account.
The service account is given the following security policies:
• Log on as a service
• Log on as a batch job
• Act as part of the operating system
• Adjust memory quotas for a process
• Replace a process level token
• Bypass traverse checking

When I start WebSphere MQ Explorer (just double-clicking on the executable) I am unable to view the list of queues that I had created. Queues are created using the crtmqm -a option.

However, I had no problem accessing the queues when I start WebSphere MQ Explorer with administrative rights.

This user is not a member of the local mqm group.
Access rights of this user's domain global group have been granted to individual queue managers:
setmqaut -m QMName -t qmgr -g domain\UserGroup +connect +inq +dsp
setmqaut -m QMName -n "**" -t q -g domain\UserGroup +dsp +browse
setmqaut -m QMName -n "**" -t topic -g domain\UserGroup +dsp +ctrl
setmqaut -m QMName -n "**" -t channel -g domain\UserGroup +dsp +ctrl +chg
setmqaut -m QMName -n "**" -t process -g domain\UserGroup +dsp
setmqaut -m QMName -n "**" -t namelist -g domain\UserGroup +dsp
setmqaut -m QMName -n "**" -t authinfo -g domain\UserGroup +dsp
setmqaut -m QMName -n "**" -t clntconn -g domain\UserGroup +dsp
setmqaut -m QMName -n "**" -t listener -g domain\UserGroup +dsp +ctrl +chg
setmqaut -m QMName -n "**" -t service -g domain\UserGroup +dsp +ctrl +chg
setmqaut -m QMName -n SYSTEM.MQEXPLORER.REPLY.MODEL -t q -g UserGroup +dsp +inq +get
setmqaut -m QMName -n SYSTEM.ADMIN.COMMAND.QUEUE -t q -g UserGroup +dsp +inq +put +get
I checked using WebSphere MQ Explorer > Queue Managers > QMName > Object Authorities > Manage QM Authority Records, and the rights have been granted.

Are there any other required rights that I have missed?

fjb_saper
Posted: Fri May 18, 2012 2:21 am

It's good practice to always add +inq until you know it is not needed.
_________________
MQ & Broker admin

freak
Posted: Sun May 20, 2012 5:30 pm

I tried placing the user account in the local mqm group and changed the permission settings for the user group to the following:

setmqaut -m QMName -t qmgr -g domain\UserGroup +all
setmqaut -m QMName -n "**" -t q -g domain\UserGroup +all +browse
setmqaut -m QMName -n "**" -t topic -g domain\UserGroup +alladm +crt
setmqaut -m QMName -n "**" -t channel -g domain\UserGroup +alladm +crt
setmqaut -m QMName -n "**" -t process -g domain\UserGroup +alladm +crt
setmqaut -m QMName -n "**" -t namelist -g domain\UserGroup +alladm +crt
setmqaut -m QMName -n "**" -t authinfo -g domain\UserGroup +alladm +crt
setmqaut -m QMName -n "**" -t clntconn -g domain\UserGroup +alladm +crt
setmqaut -m QMName -n "**" -t listener -g domain\UserGroup +alladm +crt
setmqaut -m QMName -n "**" -t service -g domain\UserGroup +alladm +crt
setmqaut -m QMName -n SYSTEM.MQEXPLORER.REPLY.MODEL -t q -g domain\UserGroup +all
setmqaut -m QMName -n SYSTEM.ADMIN.COMMAND.QUEUE -t q -g domain\UserGroup +all


Tried restarting the IBM MQ service and did a refresh security on QMName.

However, the user is still unable to view the queue manager.

Edit:
After placing the user in the mqm group, I did a logoff and logon again. MQ Explorer did display the list of queue managers.

I removed the user from the mqm group, restarted the IBM MQ service, and logged off and on again. The user is unable to see the queue managers from MQ Explorer.

Is there any other permission I need to grant?

fjb_saper
Posted: Sun May 20, 2012 6:55 pm

Yes, read up on the new channel security for MQ V7.1 in the infocenter... User / group mqm might have been restricted.
_________________
MQ & Broker admin

freak
Posted: Sun May 20, 2012 11:43 pm

From what I had gathered, I had run the following script:

- ALTER QMGR CHLAUTH(DISABLED)

- set chlauth(*) type(blockuser) user(*mqadmin) action(remove)

- set chlauth(*) type(addressma) address(*) action(remove)

- refresh security of the queue manager

- restart ibm mq service

But it still does not work.

I believed the first command, the ALTER QMGR command, already disabled all the security checks on the queue manager.

Possible to shed more light on this?

Edit:
- I had tested using a bare minimum queue manager (no channels, no queues, no listener). I am just trying to allow a non-mqm administrator to view a simple queue manager. Everything (IBM MQ service and WebSphere MQ Explorer) sits on the same server.

I had checked the connection of MQExplorer.exe via WebSphere MQ Explorer and it uses neither a channel name nor a port number.
With this, I don't think CHLAUTH is affecting the viewing rights.

Hmm, still missing something on the security.

fjb_saper
Posted: Mon May 21, 2012 3:34 am

You need +dsp +inq for all objects you want to show...
_________________
MQ & Broker admin

freak
Posted: Mon May 21, 2012 6:35 am

fjb_saper wrote: "You need +dsp +inq for all objects you want to show..."

setmqaut -m QMName -t qmgr -g domain\UserGroup +all
setmqaut -m QMName -n "**" -t q -g domain\UserGroup +all +browse
setmqaut -m QMName -n "**" -t topic -g domain\UserGroup +alladm +crt
setmqaut -m QMName -n "**" -t channel -g domain\UserGroup +alladm +crt
setmqaut -m QMName -n "**" -t process -g domain\UserGroup +alladm +crt
setmqaut -m QMName -n "**" -t namelist -g domain\UserGroup +alladm +crt
setmqaut -m QMName -n "**" -t authinfo -g domain\UserGroup +alladm +crt
setmqaut -m QMName -n "**" -t clntconn -g domain\UserGroup +alladm +crt
setmqaut -m QMName -n "**" -t listener -g domain\UserGroup +alladm +crt
setmqaut -m QMName -n "**" -t service -g domain\UserGroup +alladm +crt
setmqaut -m QMName -n SYSTEM.MQEXPLORER.REPLY.MODEL -t q -g domain\UserGroup +all
setmqaut -m QMName -n SYSTEM.ADMIN.COMMAND.QUEUE -t q -g domain\UserGroup +all

does +alladm / +all outwin +dsp +inq?

fjb_saper
Posted: Mon May 21, 2012 6:34 pm

There's a table of values corresponding to all and alladmin somewhere in the infocenter... look it up. I am not sure that inq is part of alladmin...

Anyway, are you sure you configured the security right for the channel using the new security model?
_________________
MQ & Broker admin
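
The question above, whether +all or +alladm already covers +dsp and +inq, can be checked by expanding the generic authorizations in each setmqaut command. The following is an added example, not code from the thread or from IBM: the function names are hypothetical, the expansion sets are an assumption based on IBM's setmqaut documentation and should be confirmed against the table for your release, and the script does not model which authorities are applicable to each object type.

```python
# Assumed expansion of setmqaut's generic authorizations (per IBM's setmqaut
# documentation); confirm against the table for your MQ release.
ALLADM = {"chg", "clr", "dlt", "dsp", "ctrl", "ctrlx"}
ALLMQI = {"altusr", "browse", "connect", "get", "inq", "pub", "put", "resume",
          "set", "sub", "passall", "passid", "setall", "setid"}
GENERIC = {"alladm": ALLADM, "allmqi": ALLMQI,
           "all": ALLADM | ALLMQI | {"system"}, "none": set()}

def parse_setmqaut(line):
    """Return (options, effective authorities) for one setmqaut command line."""
    tokens = line.split()
    if len(tokens) < 2 or tokens[0].lower() != "setmqaut":
        raise ValueError("not a setmqaut command: %r" % line)
    opts, auths, i = {}, set(), 1
    while i < len(tokens):
        tok = tokens[i]
        if tok in ("-m", "-n", "-t", "-g", "-p"):
            if i + 1 == len(tokens):
                raise ValueError("option %s has no value" % tok)
            opts[tok] = tokens[i + 1].strip('"')
            i += 2
            continue
        if tok[0] not in "+-":
            raise ValueError("unexpected token %r" % tok)
        name = tok[1:].lower()
        expanded = GENERIC.get(name, {name})
        # +auth grants, -auth removes; applied left to right within this command.
        auths = auths | expanded if tok[0] == "+" else auths - expanded
        i += 1
    return opts, auths

def missing_authorities(lines, required=("dsp", "inq")):
    """For each command, list the required authorities it does not grant."""
    report = []
    for line in lines:
        opts, auths = parse_setmqaut(line)
        target = (opts.get("-t"), opts.get("-n", ""))
        report.append((target, sorted(set(required) - auths)))
    return report

# Commands copied from the thread (from both permission sets).
SAMPLE = [
    'setmqaut -m QMName -t qmgr -g domain\\UserGroup +all',
    'setmqaut -m QMName -n "**" -t topic -g domain\\UserGroup +alladm +crt',
    'setmqaut -m QMName -n "**" -t q -g domain\\UserGroup +dsp +browse',
]

if __name__ == "__main__":
    for target, missing in missing_authorities(SAMPLE):
        print(target, "missing:", ", ".join(missing) or "none")
```

The script evaluates each command on its own; the authority records actually held by the queue manager are shown by dspmqaut.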

freak
Posted: Tue May 22, 2012 11:07 pm

Raised a PMR and was directed to this webpage:
http://publib.boulder.ibm.com/infocenter/wmqv7/v7r1/index.jsp?topic=%2Fcom.ibm.mq.doc%2Ffa12740_.htm

What caught my attention was that it states:
"If your userid is in the Administrators group but not the mqm group you must use an elevated command prompt to issue WebSphere MQ admin commands such as crtmqm, otherwise the error "AMQ7077: You are not authorized to perform the requested operation" is generated. To open an elevated command prompt, right-click the start menu item, or icon, for the command prompt, and select "Run as administrator"."

Strange, previously with v7.0, I did not have this problem. Could it be due to the usage of the domain global group that causes this problem?