freak
Posted: Fri May 18, 2012 1:39 am Post subject: upgrade 7.1 - unable to see queues via explorer
Novice
Joined: 28 Feb 2010 Posts: 18
I had upgraded WebSphere MQ from v7.0 to v7.1 on Win2008R2 64 bit.
My WebSphere MQ service runs under a service account.
The service account is given the following security policy:
• Log on as a service
• Log on as a batch job
• Act as part of the operating system
• Adjust memory quotas for a process
• Replace a process level token
• Bypass traverse checking
When I start the WebSphere MQ Explorer (just double clicking on the executable) I am unable to view the list of queues that I had created. Queues are created using the crtmqm -a option.
However, I had no problem accessing the queues when I start the WebSphere MQ Explorer with administrative rights.
This user is not a member of the local mqm group.
Access rights of this user's domain global group have been granted to individual queue managers.
setmqaut -m QMName -t qmgr -g domain\UserGroup +connect +inq +dsp
setmqaut -m QMName -n "**" -t q -g domain\UserGroup +dsp +browse
setmqaut -m QMName -n "**" -t topic -g domain\UserGroup +dsp +ctrl
setmqaut -m QMName -n "**" -t channel -g domain\UserGroup +dsp +ctrl +chg
setmqaut -m QMName -n "**" -t process -g domain\UserGroup +dsp
setmqaut -m QMName -n "**" -t namelist -g domain\UserGroup +dsp
setmqaut -m QMName -n "**" -t authinfo -g domain\UserGroup +dsp
setmqaut -m QMName -n "**" -t clntconn -g domain\UserGroup +dsp
setmqaut -m QMName -n "**" -t listener -g domain\UserGroup +dsp +ctrl +chg
setmqaut -m QMName -n "**" -t service -g domain\UserGroup +dsp +ctrl +chg
setmqaut -m QMName -n SYSTEM.MQEXPLORER.REPLY.MODEL -t q -g UserGroup +dsp +inq +get
setmqaut -m QMName -n SYSTEM.ADMIN.COMMAND.QUEUE -t q -g UserGroup +dsp +inq +put +get
Had checked using the WebSphere MQ Explorer > Queue Managers > QMName > Object Authorities > Manage QM Authority Records, and rights have been granted.
Are there any other required rights that I had missed out?

fjb_saper
Posted: Fri May 18, 2012 2:21 am Post subject:
Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
It's good practice to always add +inq until you know it is not needed.
_________________
MQ & Broker admin

freak
Posted: Sun May 20, 2012 5:30 pm Post subject:
Novice
Joined: 28 Feb 2010 Posts: 18
Had tried to place the user account in the local mqm group and changed the permission settings for the user group to the following:
setmqaut -m QMName -t qmgr -g domain\UserGroup +all
setmqaut -m QMName -n "**" -t q -g domain\UserGroup +all +browse
setmqaut -m QMName -n "**" -t topic -g domain\UserGroup +alladm +crt
setmqaut -m QMName -n "**" -t channel -g domain\UserGroup +alladm +crt
setmqaut -m QMName -n "**" -t process -g domain\UserGroup +alladm +crt
setmqaut -m QMName -n "**" -t namelist -g domain\UserGroup +alladm +crt
setmqaut -m QMName -n "**" -t authinfo -g domain\UserGroup +alladm +crt
setmqaut -m QMName -n "**" -t clntconn -g domain\UserGroup +alladm +crt
setmqaut -m QMName -n "**" -t listener -g domain\UserGroup +alladm +crt
setmqaut -m QMName -n "**" -t service -g domain\UserGroup +alladm +crt
setmqaut -m QMName -n SYSTEM.MQEXPLORER.REPLY.MODEL -t q -g domain\UserGroup +all
setmqaut -m QMName -n SYSTEM.ADMIN.COMMAND.QUEUE -t q -g domain\UserGroup +all
Tried to restart the IBM MQ service and did a refresh security on QMName.
However, the user is still unable to view the queue manager.
Edit:
After placing the user in the mqm group, I did a logoff and logon again. The MQ Explorer did display the list of queue managers.
I removed the user from the mqm group, restarted the IBM MQ service, logged off and logged on again. The user is unable to see the queue managers from the MQ Explorer.
Is there any other permission I need to grant?

fjb_saper
Posted: Sun May 20, 2012 6:55 pm Post subject:
Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
Yes, read up on the new channel security for MQ V7.1 in the infocenter... User / group mqm might have been restricted.
_________________
MQ & Broker admin

freak
Posted: Sun May 20, 2012 11:43 pm Post subject:
Novice
Joined: 28 Feb 2010 Posts: 18
From what I had gathered, I had run the following script:
- ALTER QMGR CHLAUTH(DISABLED)
- set chlauth(*) type(blockuser) user(*mqadmin) action(remove)
- set chlauth(*) type(addressma) address(*) action(remove)
- refresh security of the queue manager
- restart IBM MQ service
But it still does not work.
I believed the first command, the ALTER QMGR command, already disabled all the security checks on the queue manager.
Possible to shed more light on this? :p
Edit:
- I had tested using a bare minimum queue manager (no channels, no queue, no listener). I am just trying to allow a non-mqm administrator to view a simple queue manager. Everything (IBM MQ service and WebSphere MQ Explorer) sits on the same server.
I had checked the connection of MQExplorer.exe via WebSphere MQ Explorer and it does not use a channel name or port number.
With this, I don't think the CHLAUTH is affecting the viewing rights.
Hmm. Still missing something on the security.

fjb_saper
Posted: Mon May 21, 2012 3:34 am Post subject:
Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
You need +dsp +inq for all objects you want to show...
_________________
MQ & Broker admin

freak
Posted: Mon May 21, 2012 6:35 am Post subject:
Novice
Joined: 28 Feb 2010 Posts: 18
fjb_saper wrote: You need +dsp +inq for all objects you want to show... :innocent:
setmqaut -m QMName -t qmgr -g domain\UserGroup +all
setmqaut -m QMName -n "**" -t q -g domain\UserGroup +all +browse
setmqaut -m QMName -n "**" -t topic -g domain\UserGroup +alladm +crt
setmqaut -m QMName -n "**" -t channel -g domain\UserGroup +alladm +crt
setmqaut -m QMName -n "**" -t process -g domain\UserGroup +alladm +crt
setmqaut -m QMName -n "**" -t namelist -g domain\UserGroup +alladm +crt
setmqaut -m QMName -n "**" -t authinfo -g domain\UserGroup +alladm +crt
setmqaut -m QMName -n "**" -t clntconn -g domain\UserGroup +alladm +crt
setmqaut -m QMName -n "**" -t listener -g domain\UserGroup +alladm +crt
setmqaut -m QMName -n "**" -t service -g domain\UserGroup +alladm +crt
setmqaut -m QMName -n SYSTEM.MQEXPLORER.REPLY.MODEL -t q -g domain\UserGroup +all
setmqaut -m QMName -n SYSTEM.ADMIN.COMMAND.QUEUE -t q -g domain\UserGroup +all
Does +alladm / +all outweigh +dsp +inq?

fjb_saper
Posted: Mon May 21, 2012 6:34 pm Post subject:
Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
There's a table of values corresponding to all and alladmin somewhere in the infocenter... look it up. I am not sure that inq is part of alladmin...
Anyway, are you sure you configured the security right for the channel using the new security model?
_________________
MQ & Broker admin
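The question of whether the +all / +alladm grants actually deliver +dsp +inq on every object type is best settled from the queue manager itself rather than from a table: run dspmqaut per object type and diff its output against the required set. This is an added check written for this thread, not code from the posters or from IBM; the group and queue manager names are placeholders, the sample dspmqaut output is constructed in the documented "Entity ... has the following authorizations for object ...:" shape, and passing the generic profile "**" to dspmqaut -n is an assumption.

```python
import re
import subprocess

# Authorities every displayed object needs, per fjb_saper's answer.
REQUIRED = {"dsp", "inq"}

# Object types the poster granted, as passed to setmqaut/dspmqaut -t.
OBJECT_TYPES = ["qmgr", "q", "topic", "channel", "process", "namelist",
                "authinfo", "clntconn", "listener", "service"]

ENTITY_LINE = re.compile(r"^Entity (\S+) has the following authorizations for object (\S+):")

def parse_dspmqaut(text):
    """Return the set of authority names listed in one dspmqaut output."""
    lines = text.strip().splitlines()
    if not lines or not ENTITY_LINE.match(lines[0]):
        raise ValueError("not dspmqaut output: %r" % (lines[:1],))
    return {line.strip() for line in lines[1:] if line.strip()}

def missing_authorities(outputs, required=REQUIRED):
    """Map object type -> sorted required authorities absent from its output."""
    gaps = {}
    for obj_type, text in outputs.items():
        lacking = sorted(required - parse_dspmqaut(text))
        if lacking:
            gaps[obj_type] = lacking
    return gaps

def collect_dspmqaut(qmgr, group, profile="**"):
    """Run dspmqaut for each object type (needs MQ on PATH; not exercised offline)."""
    outputs = {}
    for obj_type in OBJECT_TYPES:
        cmd = ["dspmqaut", "-m", qmgr, "-t", obj_type, "-g", group]
        if obj_type != "qmgr":  # -n is not given for the queue manager object itself
            cmd += ["-n", profile]  # assumption: generic profile name accepted here
        outputs[obj_type] = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    return outputs

# Constructed sample output (placeholder names): the qmgr grant carries inq,
# the channel grant made with +alladm +crt does not.
SAMPLE_OUTPUT = {
    "qmgr": "Entity domain\\usergroup has the following authorizations for object QMName:\n"
            "        connect\n        inq\n        set\n        dsp\n        chg\n",
    "channel": "Entity domain\\usergroup has the following authorizations for object **:\n"
               "        dsp\n        chg\n        dlt\n        ctrl\n        ctrlx\n        crt\n",
}

if __name__ == "__main__":
    for obj_type, lacking in missing_authorities(SAMPLE_OUTPUT).items():
        print("%s: missing %s" % (obj_type, " ".join("+" + a for a in lacking)))
```

On a live system, replace SAMPLE_OUTPUT with collect_dspmqaut("QMName", "domain\\UserGroup") and grant only the authorities the report names, rather than widening to +all.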

freak
Posted: Tue May 22, 2012 11:07 pm Post subject:
Novice
Joined: 28 Feb 2010 Posts: 18
Raised a PMR and was directed to this webpage:
http://publib.boulder.ibm.com/infocenter/wmqv7/v7r1/index.jsp?topic=%2Fcom.ibm.mq.doc%2Ffa12740_.htm
What caught my attention was that it states:
"If your userid is in the Administrators group but not the mqm group you must use an elevated command prompt to issue WebSphere MQ admin commands such as crtmqm, otherwise the error "AMQ7077: You are not authorized to perform the requested operation" is generated. To open an elevated command prompt, right-click the start menu item, or icon, for the command prompt, and select "Run as administrator"."
Strange, previously with v7.0 I did not have this problem. Could it be due to the usage of a domain global group that causes this problem? :thumbdown: