garasan
Posted: Mon Aug 06, 2012 1:40 am Post subject: Security issue
Apprentice
Joined: 22 Jul 2008 Posts: 42 Location: Antwerp, Belgium
Hi All,
We just moved from MQ v6 to v7 and we have met an annoying problem.
Although people have the correct security set on our MQ server they still get an "MQRC_NOT_AUTHORIZED" error.
After performing a 'refresh security' on that qmgr they are able to access the qmgr again. But after the refresh, other people then get the same error, and this goes on and on.
Our qmgr is started with the MQS_GETGROUPLIST_API=1 option but this hasn't solved the issue.
We have 3 groups with access set: one has many members (>500), but the other two (group mqm included) contain at most 20 users.
(The number of members is something we cannot change for the moment.)
I already searched the web and docs for a solution that would solve this issue, but haven't found a working one yet.
Does anybody have any ideas?
Some extra info:
MQ server version 7.1.0-0
OS: SLES11 SP1
Unix authentication via LDAP (groups get pulled from the AD server properly).

mqjeff
Posted: Mon Aug 06, 2012 1:51 am Post subject:
Grand Master
Joined: 25 Jun 2008 Posts: 17447
So, the queue manager is running on a host that is using something like PAM to pull userids from an LDAP repository somewhere, rather than using a locally defined store of users.
Are there any errors logged to the system wide AMQERR files between the time of security refresh and the first authentication failure?
Are there any errors logged to the queue manager's AMQERR files?
Also, enable authorization events and see what permissions are missing when the users receive the MQRC 2035s.

garasan
Posted: Mon Aug 06, 2012 2:26 am Post subject:
Apprentice
Joined: 22 Jul 2008 Posts: 42 Location: Antwerp, Belgium
Hi MQjeff,
thanks for your reply.
We are indeed using PAM to pull userids from our LDAP repository.
I see the following error:
<
08/06/2012 10:19:18 AM - Process(15766.59475) User(mqm) Program(amqzlaa0)
Host(vl240) Installation(Installation1)
VRMF(7.1.0.0) QMgr(QMTST003)
AMQ8077: Entity 'user X ' has insufficient authority to access object
'QMTST003'.
>
Although user X does have the correct connect permission.
After a "refresh security" the problem is gone for user X (until the next refresh security, then the problem can reoccur).
No FDC files are generated.
Will enable authorization events.
_________________ Regards
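Added example, not from the thread or from IBM: a small Python parser for the AMQERR entry format quoted above. It pulls each AMQ8077 record (timestamp, entity, object) out of the log and counts, per entity, the failures logged after a given REFRESH SECURITY time, so the "works after a refresh, then fails again for someone else" pattern can be checked per user rather than by eye. The sample log text is constructed; the host, queue manager and user names in it are placeholders.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed AMQERR01.LOG excerpt in the shape of the entry quoted in the thread.
# Host, queue manager and user names are placeholders, not real values.
SAMPLE_LOG = """\
08/06/2012 10:19:18 AM - Process(15766.59475) User(mqm) Program(amqzlaa0)
AMQ8077: Entity 'userx ' has insufficient authority to access object
'QMTST003'.
08/06/2012 10:22:05 AM - Process(15766.59480) User(mqm) Program(amqzlaa0)
AMQ8077: Entity 'usery' has insufficient authority to access object
'APP.REQUEST.QUEUE'.
08/06/2012 10:40:11 AM - Process(15766.59502) User(mqm) Program(amqzlaa0)
AMQ8077: Entity 'userx ' has insufficient authority to access object
'QMTST003'.
"""

# Every AMQERR entry begins with a "<date time> - Process(...)" header line.
HEADER = re.compile(r"^(\d\d/\d\d/\d{4} \d\d:\d\d:\d\d [AP]M) - Process\(", re.M)
# The AMQ8077 text wraps the object name onto the next line, hence \s* and re.S.
AMQ8077 = re.compile(r"AMQ8077: Entity '([^']*)' has insufficient authority "
                     r"to access object\s*'([^']*)'", re.S)

def parse_auth_failures(log_text):
    """Return one dict per AMQ8077 entry: when it was logged, which entity, which object."""
    heads = list(HEADER.finditer(log_text))
    failures = []
    for i, h in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(log_text)
        m = AMQ8077.search(log_text[h.start():end])
        if not m:
            continue  # some other AMQ message, not an authority failure
        failures.append({
            "when": datetime.strptime(h.group(1), "%m/%d/%Y %I:%M:%S %p"),
            "entity": m.group(1).strip(),  # the quoted entry shows a trailing blank inside the quotes
            "object": m.group(2),
        })
    return failures

def failures_since(failures, refresh_at):
    """Per-entity count of AMQ8077 entries logged after a REFRESH SECURITY run at refresh_at."""
    counts = defaultdict(int)
    for f in failures:
        if f["when"] > refresh_at:
            counts[f["entity"]] += 1
    return dict(counts)
```

Feed it the real AMQERR01.LOG of the queue manager and the timestamp of the last REFRESH SECURITY; entities that show up again after that point are the ones to compare against dspmqaut output.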

exerk
Posted: Mon Aug 06, 2012 2:27 am Post subject: Re: Security issue
Jedi Council
Joined: 02 Nov 2006 Posts: 6339
garasan wrote:
We just moved from MQ v6 to v7...
Migrated queue manager or fresh install of WMQ and 'rebuild' of queue manager? Bindings connections or client?
_________________ It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.

garasan
Posted: Mon Aug 06, 2012 4:20 am Post subject:
Apprentice
Joined: 22 Jul 2008 Posts: 42 Location: Antwerp, Belgium
Fresh install with import and export of all non-system objects (with the MS03 tool).
And client connections.
_________________ Regards

bruce2359
Posted: Mon Aug 06, 2012 4:24 am Post subject:
Poobah
Joined: 05 Jan 2008 Posts: 9469 Location: US: west coast, almost. Otherwise, enroute.
Moved to Security forum
_________________ I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.

garasan
Posted: Mon Aug 06, 2012 4:25 am Post subject:
Apprentice
Joined: 22 Jul 2008 Posts: 42 Location: Antwerp, Belgium
bruce2359 wrote:
Moved to Security forum
thanks.
_________________ Regards

exerk
Posted: Mon Aug 06, 2012 4:26 am Post subject:
Jedi Council
Joined: 02 Nov 2006 Posts: 6339
garasan wrote:
Fresh install with import and export of all non-system objects (with the MS03 tool).
And client connections.
Then you might want to consider Channel Authentication Records...
_________________ It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.

garasan
Posted: Mon Aug 06, 2012 4:40 am Post subject:
Apprentice
Joined: 22 Jul 2008 Posts: 42 Location: Antwerp, Belgium
I just checked the docs on Channel Authentication Records but don't know if it is suited to our situation.
We only have one active channel on that qmgr (inherited from a former colleague) and it is used by almost all internal apps (> 40).
It is the intention to give every app its own channel like on our other qmgrs, but it hasn't been implemented yet.
_________________ Regards

exerk
Posted: Mon Aug 06, 2012 4:44 am Post subject:
Jedi Council
Joined: 02 Nov 2006 Posts: 6339
It's a new V7.1 queue manager and you have client apps trying to connect - what does the Info Centre have to say about NEW V7.1 queue managers in relation to Channel Authentication Records?
And (in my opinion) it's always a good idea to give each client connection its own channel. That way, if an app goes totally tonto and initiates a message flood, the connection can be cut without affecting the other connected applications.
_________________ It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.

zpat
Posted: Mon Aug 06, 2012 5:49 am Post subject:
Jedi Council
Joined: 19 May 2001 Posts: 5866 Location: UK
exerk wrote:
And (in my opinion) it's always a good idea to give each client connection its own channel. That way, if an app goes totally tonto and initiates a message flood, the connection can be cut without affecting the other connected applications.
What happens if you have 2,000 client connections then? Rather a lot of channels to maintain! Also a pain with CCDT maintenance.

exerk
Posted: Mon Aug 06, 2012 5:52 am Post subject:
Jedi Council
Joined: 02 Nov 2006 Posts: 6339
zpat wrote:
exerk wrote:
And (in my opinion) it's always a good idea to give each client connection its own channel. That way, if an app goes totally tonto and initiates a message flood, the connection can be cut without affecting the other connected applications.
What happens if you have 2,000 client connections then? Rather a lot of channels to maintain! Also a pain with CCDT maintenance.
I've just finished at an installation that used a single channel for all their clients - they don't any more! So what if there are 2,000-odd connections? There should be a documented client management process in place, and with the MO72 SupportPac CCDT maintenance is but a batch file away.
_________________ It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.

garasan
Posted: Mon Aug 06, 2012 6:27 am Post subject:
Apprentice
Joined: 22 Jul 2008 Posts: 42 Location: Antwerp, Belgium
Is there a way I could view the cache it builds when performing a security refresh?
_________________ Regards

exerk
Posted: Mon Aug 06, 2012 6:29 am Post subject:
Jedi Council
Joined: 02 Nov 2006 Posts: 6339
garasan wrote:
Is there a way I could view the cache it builds when performing a security refresh?
Have you eliminated Channel Authentication Records as the problem?
_________________ It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.

garasan
Posted: Thu Aug 09, 2012 5:23 am Post subject:
Apprentice
Joined: 22 Jul 2008 Posts: 42 Location: Antwerp, Belgium
Hi Exerk,
I have investigated some more and I indeed think I can exclude CAR.
This is what I see:
mqm@host:/var/mqm> dspmqaut -m QMGR1 -t qmgr -p userX
Entity userX has the following authorizations for object QMGR1:
mqm@host:/var/mqm>
mqm@host:/var/mqm/errors> runmqsc QMGR1
5724-H72 (C) Copyright IBM Corp. 1994, 2011. ALL RIGHTS RESERVED.
Starting MQSC for queue manager QMGR1.
refresh security
1 : refresh security
AMQ8560: WebSphere MQ security cache refreshed.
.....
mqm@host:/var/mqm/errors> dspmqaut -m QMGR1 -t qmgr -p userX
Entity userX has the following authorizations for object QMGR1:
inq
set
connect
altusr
dsp
setid
setall
I have changed the names of the host, user and qmgr just for this thread. ;-)
Or am I wrong there?
_________________ Regards
Last edited by garasan on Mon Aug 20, 2012 1:52 am; edited 1 time in total