kordi
Posted: Mon Apr 01, 2013 3:10 pm Post subject: Fail to connect to MQ with MQ Explorer [v7.5]
Centurion, Joined: 28 May 2012, Posts: 146, Location: PL
Hi,
I've just created a new QMGR, defined a new SVRCONN channel, set MCAUSER('mqm') on this channel and am trying to connect to the QMGR using this channel, but I get an "Access not permitted" error.
What else needs to be done to have Explorer working on my QMGR?
My version of MQ, client and Explorer is 7.5.
Can anybody help me with this issue?
Thanks in advance!
bruce2359
Posted: Mon Apr 01, 2013 4:25 pm
Poobah, Joined: 05 Jan 2008, Posts: 9469, Location: US: west coast, almost. Otherwise, enroute.
What new svrconn channel did you define?
What errors in the error log?
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
exerk
Posted: Tue Apr 02, 2013 12:00 am Post subject: Re: Fail to connect to MQ with MQ Explorer [v7.5]
Jedi Council, Joined: 02 Nov 2006, Posts: 6339
kordi wrote:
> I've just created a new QMGR, defined a new SVRCONN channel, set MCAUSER('mqm') on this channel and am trying to connect to the QMGR using this channel, but I get an "Access not permitted" error.

And by default what does WMQ v7.1 and above do with SVRCONN channels for new (not migrated) queue managers?
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
kordi
Posted: Tue Apr 02, 2013 3:07 am
Centurion, Joined: 28 May 2012, Posts: 146, Location: PL
OK, so I defined
DEFINE CHANNEL('channel.to.connect') CHLTYPE(SVRCONN) MCAUSER('mqm')
and I use this channel to connect to the QMGR from Explorer, but I get this error message about not permitting me access.
I think it is about security, so I need to perform some additional actions, but I don't know what to do.
I didn't use MQ v7.1 and above before, that's why it confuses me. I think I've found something:
http://www-01.ibm.com/support/docview.wss?uid=swg21577137
and I have to check it when I come back home, to my virtual lab environment.
exerk
Posted: Tue Apr 02, 2013 3:12 am
Jedi Council, Joined: 02 Nov 2006, Posts: 6339
And the Redbook quoted within that link is well worth a read too!
bruce2359
Posted: Tue Apr 02, 2013 3:52 am
Poobah, Joined: 05 Jan 2008, Posts: 9469, Location: US: west coast, almost. Otherwise, enroute.
kordi wrote:
> I think it is about security, so I need to perform some additional actions, but I don't know what to do.

bruce2359 wrote:
> What errors in the error log?
kordi
Posted: Tue Apr 02, 2013 6:05 am
Centurion, Joined: 28 May 2012, Posts: 146, Location: PL
I'll give it to you as soon as I get home.
kordi
Posted: Wed Apr 03, 2013 1:33 am
Centurion, Joined: 28 May 2012, Posts: 146, Location: PL
Hi guys,
This is what gave me access to the QMGR from Explorer:
setmqaut -m TEST2 -t qmgr -p username +connect +inq +dsp
setmqaut -m TEST2 -t q -n SYSTEM.DEFAULT.MODEL.QUEUE -p username +inq +browse +get
setmqaut -m TEST2 -t q -n SYSTEM.ADMIN.COMMAND.QUEUE -p username +inq +put
setmqaut -m TEST2 -t q -n SYSTEM.MQEXPLORER.REPLY.MODEL -p username +inq +browse +get +dsp
I have access now, but limited administrative tasks. So if I need full access to the QMGR from Explorer, I need to add username to the mqm group, right?
Cheers
mqjeff
Posted: Wed Apr 03, 2013 6:25 am
Grand Master, Joined: 25 Jun 2008, Posts: 17447
kordi wrote:
> So if I need full access to the QMGR from Explorer, I need to add username to the mqm group, right?

NO.
NEVER add any users to MQM.
Create a new user. Grant it sufficient privileges to perform the necessary MQ administration tasks.
Configure and enable SSL on the queue manager.
Configure and enable SSL on a new SVRCONN channel. Ensure that SSLPEER is set to match certificates that can only belong to appropriate MQ admin certificates. Set the MCAUSER on that svrconn to the new user you created.
Add additional chlauth records to enable only those appropriate IP addresses that belong to machines that can have MQ admin rights.
Create client certificates on the relevant client machines that will run MQ Explorer. Make sure those certificates have DNs that match the SSLPEER.
Configure MQ Explorer to connect using your new channel.
Hire a security expert to review your configuration to ensure you did all necessary steps correctly and properly.
That's how you secure a queue manager.
kordi
Posted: Thu Apr 04, 2013 6:35 am
Centurion, Joined: 28 May 2012, Posts: 146, Location: PL
mqjeff, thank you for that security checklist. I'll keep it in mind for sure. But since it is my home lab environment, I don't see an issue with adding a user to the mqm group. It is just for testing and learning purposes.
mqjeff
Posted: Thu Apr 04, 2013 7:48 am
Grand Master, Joined: 25 Jun 2008, Posts: 17447
kordi wrote:
> mqjeff, thank you for that security checklist. I'll keep it in mind for sure. But since it is my home lab environment, I don't see an issue with adding a user to the mqm group. It is just for testing and learning purposes.

It teaches you how to make a queue manager really insecure...
At a minimum, create an additional user that is NOT in mqm, and use that to learn about security.
bruce2359
Posted: Thu Apr 04, 2013 8:10 am
Poobah, Joined: 05 Jan 2008, Posts: 9469, Location: US: west coast, almost. Otherwise, enroute.
kordi wrote:
> But since it is my home lab environment, I don't see an issue with adding a user to the mqm group. It is just for testing and learning purposes.

Bad habits often begin at home. Mqm-group members have access to everything. You can learn nothing about security with an mqm-group member userid.
Create non-mqm userids for all non-administrative testing.
kordi
Posted: Thu Apr 04, 2013 10:31 am
Centurion, Joined: 28 May 2012, Posts: 146, Location: PL
Yes guys, I agree. But I also need to test Explorer a bit, so I want to have full administrative access to all objects. I did as you said, as you can see above. This user has access to the QMGR through Explorer and can browse queues, but when I want to create a gl, I get an error that I don't have access to SYSTEM.DEFAULT.LOCAL.QUEUE. And I suppose it would be the same with other objects. That's why I want to have full access.
Imagine, I heard that some companies set MCAUSER('mqm') on a SVRCONN channel, which gives all mqm rights to all clients who connect to the QMGR using this channel. Some people do bad things on prod env.
rammer
Posted: Thu Apr 04, 2013 11:09 am
Partisan, Joined: 02 May 2002, Posts: 359, Location: England
kordi wrote:
> Imagine, I heard that some companies set MCAUSER('mqm') on a SVRCONN channel, which gives all mqm rights to all clients who connect to the QMGR using this channel. Some people do bad things on prod env.

Not some many!
Vitor
Posted: Thu Apr 04, 2013 12:34 pm
Grand High Poobah, Joined: 11 Nov 2005, Posts: 26093, Location: Texas, USA
kordi wrote:
> when I want to create a gl, I get an error that I don't have access to SYSTEM.DEFAULT.LOCAL.QUEUE.

There are ways round that.

kordi wrote:
> And I suppose it would be the same with other objects. That's why I want to have full access.

You suppose wrong.

kordi wrote:
> I heard that some companies set MCAUSER('mqm') on a SVRCONN channel, which gives all mqm rights to all clients who connect to the QMGR using this channel.

Whoever you heard that from was a fool, winding you up, is an agent for Anonymous or works for companies who are not interested in staying in business or avoiding jail time.

kordi wrote:
> Some people do bad things on prod env.

Only people in the last 2 categories I mentioned. This hideous practice is an open invitation to fraud, theft and the misuse (or theft) of customer data, which in many jurisdictions is an offense all by itself. Some companies have some questionable production practices to be sure; the use of mqm in a Prod SVRCONN is not questionable but suicidal.
Even in lower environments this kind of unrestricted access is a road to chaos, bad code, delays & increased development costs.
_________________
Honesty is the best policy.
Insanity is the best defence.
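mqjeff's checklist and Vitor's remark that there are ways round the SYSTEM.DEFAULT.LOCAL.QUEUE error, worked into one MQSC script as an added example (not code from any poster in this thread). TEST2 is the thread's queue manager; the channel name ADMIN.SVRCONN, the mqadmin user and mqadmins group, the certificate DN, key-repository path and admin subnet are assumed placeholders.

```mqsc
* Added example, not from the thread: TEST2 is the thread's queue manager;
* ADMIN.SVRCONN, mqadmin/mqadmins, the DN, key path and subnet are assumed.

* Key repository (path given without the .kdb suffix) and CHLAUTH enabled
ALTER QMGR SSLKEYR('/var/mqm/qmgrs/TEST2/ssl/key') CHLAUTH(ENABLED)

* Admin channel: TLS mandatory, client certificate required, peer DN
* pinned, and the channel identity fixed to a user that is NOT in mqm
DEFINE CHANNEL('ADMIN.SVRCONN') CHLTYPE(SVRCONN) TRPTYPE(TCP) +
       SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA256) SSLCAUTH(REQUIRED) +
       SSLPEER('OU=MQ Admins,O=Example Corp') +
       MCAUSER('mqadmin') REPLACE

* Deny every address on this channel by default ...
SET CHLAUTH('ADMIN.SVRCONN') TYPE(ADDRESSMAP) ADDRESS('*') +
    USERSRC(NOACCESS) DESCR('Deny by default')
* ... then admit only the admin DN, and only from the admin subnet.
* SSLPEERMAP rules are matched before ADDRESSMAP, so anything else falls
* through to the deny rule; the default 7.1+ rule blocking *MQADMIN stays.
SET CHLAUTH('ADMIN.SVRCONN') TYPE(SSLPEERMAP) +
    SSLPEER('OU=MQ Admins,O=Example Corp') ADDRESS('192.0.2.*') +
    USERSRC(CHANNEL) DESCR('Admin workstations only')

* Authority records for the admin group (SET AUTHREC is the MQSC form of
* setmqaut from 7.1): connect, create and admin on the queue manager,
* admin on every queue and channel ...
SET AUTHREC OBJTYPE(QMGR) GROUP('mqadmins') +
    AUTHADD(CONNECT,INQ,DSP,CRT,ALLADM)
SET AUTHREC PROFILE('**') OBJTYPE(QUEUE) GROUP('mqadmins') AUTHADD(ALLADM)
SET AUTHREC PROFILE('**') OBJTYPE(CHANNEL) GROUP('mqadmins') AUTHADD(ALLADM)
* ... plus DSP on the SYSTEM.DEFAULT.* object a new definition is copied
* from. The generic profile above already covers it; it is shown on its own
* because this single grant is what the create-queue error in the thread names.
SET AUTHREC PROFILE('SYSTEM.DEFAULT.LOCAL.QUEUE') OBJTYPE(QUEUE) +
    GROUP('mqadmins') AUTHADD(DSP)
* Explorer's own plumbing, matching the setmqaut list earlier in the thread
SET AUTHREC PROFILE('SYSTEM.ADMIN.COMMAND.QUEUE') OBJTYPE(QUEUE) +
    GROUP('mqadmins') AUTHADD(INQ,PUT)
SET AUTHREC PROFILE('SYSTEM.MQEXPLORER.REPLY.MODEL') OBJTYPE(QUEUE) +
    GROUP('mqadmins') AUTHADD(INQ,BROWSE,GET,DSP)
```

Feed it to runmqsc TEST2 as the mqm user on the server; the mqadmins group itself must exist at the OS level and must not contain mqm members, or the *MQADMIN CHLAUTH rule will block the connection.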