boplotnik |
Posted: Tue Aug 21, 2012 6:41 am Post subject: OAM security setup for application access to QM |
|
|
Newbie
Joined: 21 Aug 2012 Posts: 9
|
We're just getting started with WMQ and we're at the point of setting up security using the out of the box OAM to enforce security. We are using clustering between all our QM's, so we have cluster rcvr and sdr chl's defined. Our plan was to have our applications run under a group id of APPUSR1. This id would be passed in when the app did the connect to QM with mqconnx. The id then would have access to do *put, *get, *inq, *browse to application specific queues based on what I know at this time.
I can get authority assigned to the QM for *connect OK for this id (APPUSR1), but the developer is having trouble using the mqconnx function to get any access to queues, even though I have given the authority put, get, inq, browse to the queue.
Is there anything from an admin perspective that I need to do further or is this an application issue ?
This is my first time posting, so if I need directed elsewhere, please let me know. |
Vitor |
Posted: Tue Aug 21, 2012 6:49 am Post subject: Re: OAM security setup for application access to QM |
|
|
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
|
boplotnik wrote: |
Is there anything from an admin perspective that I need to do further or is this an application issue ? |
It's an application issue. The developer should be using MQOPEN to access a queue not MQCONNX. _________________ Honesty is the best policy.
Insanity is the best defence. |
bruce2359 |
Posted: Tue Aug 21, 2012 6:52 am Post subject: Re: OAM security setup for application access to QM |
|
|
 Poobah
Joined: 05 Jan 2008 Posts: 9469 Location: US: west coast, almost. Otherwise, enroute.
|
boplotnik wrote: |
... but the developer is having trouble using the mqconnx function to get any access to queues, even though I have given the authority put, get, inq, browse to the queue. |
What kind of trouble? During compile? At execution, does the app return a ReasonCode? _________________ I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live. |
boplotnik |
Posted: Tue Aug 21, 2012 7:05 am Post subject: Re: OAM security setup for application access to QM |
|
|
Newbie
Joined: 21 Aug 2012 Posts: 9
|
Vitor wrote: |
boplotnik wrote: |
Is there anything from an admin perspective that I need to do further or is this an application issue ? |
It's an application issue. The developer should be using MQOPEN to access a queue not MQCONNX. |
The MQCONNX would just be to connect to QM, so that the userid could be passed in. The MQOPEN would be used for the queues. Sorry, if I didn't clarify that. We were told we had to use the MQCONNX so when the app ran, it would use the id passed in on the MQCONNX to get access to the queues. |
boplotnik |
Posted: Tue Aug 21, 2012 7:09 am Post subject: Re: OAM security setup for application access to QM |
|
|
Newbie
Joined: 21 Aug 2012 Posts: 9
|
bruce2359 wrote: |
boplotnik wrote: |
... but the developer is having trouble using the mqconnx function to get any access to queues, even though I have given the authority put, get, inq, browse to the queue. |
What kind of trouble? During compile? At execution, does the app return a ReasonCode? |
I'm not sure on the reason code. I'll have to get that from the developer. He said he was basically getting a not authorized message return code, but I don't have the specific return code in front of me right now. He gets this at the execution level. |
bruce2359 |
Posted: Tue Aug 21, 2012 7:21 am Post subject: |
|
|
 Poobah
Joined: 05 Jan 2008 Posts: 9469 Location: US: west coast, almost. Otherwise, enroute.
|
Look in the qmgr's errors folder/directory for related errors. You might enable auth events at the qmgr, then look in the event queue for related errors. _________________ I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live. |
mqjeff |
Posted: Tue Aug 21, 2012 7:23 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008 Posts: 17447
|
Find out exactly which call is returning the MQRC.
And make sure it is actually an MQRC 2035 and not something else. |
boplotnik |
Posted: Tue Aug 21, 2012 7:31 am Post subject: OAM security setup for application access to QM |
|
|
Newbie
Joined: 21 Aug 2012 Posts: 9
|
Thanks for some direction. I'll do some hunting around in the error logs and talk with the developer. I'll be back, I'm sure. Thanks again for assistance. |
gbaddeley |
Posted: Tue Aug 21, 2012 8:05 pm Post subject: Re: OAM security setup for application access to QM |
|
|
 Jedi Knight
Joined: 25 Mar 2003 Posts: 2538 Location: Melbourne, Australia
|
Quote: |
The MQCONNX would just be to connect to QM, so that the userid could be passed in. ... We were told we had to use the MQCONNX so when the app ran, it would use the id passed in on the MQCONNX to get access to the queues. |
Who told you? Where did they get that information from?
Are you using MQ Client? In which case the userid should be asserted by the MCAUSER attribute of the SVRCONN channel being used. _________________ Glenn |
RogerLacroix |
Posted: Thu Aug 30, 2012 2:17 pm Post subject: Re: OAM security setup for application access to QM |
|
|
 Jedi Knight
Joined: 15 May 2001 Posts: 3264 Location: London, ON Canada
|
boplotnik wrote: |
We were told we had to use the MQCONNX so when the app ran, it would use the id passed in on the MQCONNX to get access to the queues. |
That is ONLY true if you are using a security exit on the channel at the server-side (queue manager), otherwise, the UserID will be the one that the application is running under.
Regards,
Roger Lacroix
Capitalware Inc. _________________ Capitalware: Transforming tomorrow into today.
Connected to MQ!
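Added example, not part of any post in this thread: a small Python check in the spirit of the advice above to look in the queue manager's error logs, reporting which entity the OAM actually refused, on which object, and for which permissions, so a 2035 can be tied to the user ID the queue manager really checked rather than the one the application meant to pass. The log excerpt is constructed and modelled on AMQ8077 entries (the exact layout varies by MQ version and platform), and the names `devuser`, `APP1.REQUEST` and `denied_authorities` are hypothetical.

```python
import re
from collections import defaultdict

# Constructed excerpt modelled on AMQ8077 entries in a queue manager's
# AMQERR01.LOG. Names, times and layout are assumptions, not thread data.
SAMPLE_LOG = """\
08/21/2012 07:02:11 AM - Process(4321.7) User(mqm) Program(amqzlaa0)
AMQ8077: Entity 'devuser' has insufficient authority to access object
'APP1.REQUEST'.

EXPLANATION:
The specified entity is not authorized to access the required object. The
following requested permissions are unauthorized: get
ACTION:
-----------------------------------------------------------------------
08/21/2012 07:02:15 AM - Process(4321.7) User(mqm) Program(amqzlaa0)
AMQ8077: Entity 'devuser' has insufficient authority to access object
'APP1.REQUEST'.

EXPLANATION:
The specified entity is not authorized to access the required object. The
following requested permissions are unauthorized: put
ACTION:
-----------------------------------------------------------------------
"""

ENTITY_RE = re.compile(
    r"AMQ8077: Entity '([^']+)' has insufficient authority "
    r"to access object '([^']+)'")
PERMS_RE = re.compile(r"permissions are unauthorized: (.*?)(?: ACTION:|$)")


def denied_authorities(log_text, expected_entity):
    """Map (entity, object) -> set of refused permissions, and list entities
    that differ from the one the administrator granted authority to."""
    denied = defaultdict(set)
    for entry in re.split(r"\n-{20,}\n?", log_text):
        flat = " ".join(entry.split())  # undo the log's line wrapping
        who = ENTITY_RE.search(flat)
        if not who:
            continue
        perms = PERMS_RE.search(flat)
        names = re.split(r"[/,\s]+", perms.group(1).strip()) if perms else []
        denied[who.groups()].update(n for n in names if n)
    unexpected = sorted({e for e, _ in denied
                         if e.lower() != expected_entity.lower()})
    return dict(denied), unexpected
```

With the sample above and `APPUSR1` as the expected entity, the second return value lists `devuser`, meaning the authority check ran against the user the application runs under rather than the ID granted access.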