Broker security administration
BinduSree
Posted: Wed Jun 12, 2013 12:04 am    Post subject: Broker security administration

Newbie

Joined: 26 Feb 2013
Posts: 6

Hello

I am in the process of restricting access for the broker for the developers.

MB- 8.0.1
MQ-7.0.1

In the process I have created a separate server connection channel and a group, and changed the MCAUSER for the svrconn to the group that I have created.

Then I gave the below permissions for restricting the Broker:


setmqaut -m QMName -n 'SYSTEM.BKR.CONFIG' -t channel -g GRoupname +chg +dlt +dsp +ctrl +ctrlx

setmqaut -m QMName -n 'SYSTEM.BROKER.AUTH' -t queue -g Groupname +browse +clr +dsp +get +put +passall +passid +setall +setid

setmqaut -m QMName -n 'SYSTEM.BROKER.AUTH.*' -t queue -g groupname +browse +clr +dsp +get +passall +passid +set +setall +setid


Currently I am working on the acceptance/test environment. On one node the above commands worked and I was able to restrict the access. But the same commands are not working on the other node of my acceptance/test environment.

What might be the difference?

Any idea?
PeterPotkay
Posted: Wed Jun 12, 2013 4:24 am    Post subject: Re: Broker security administration

Poobah

Joined: 15 May 2001
Posts: 7722

BinduSree wrote:
What might be the difference?

Any idea?


No idea, because you haven't provided any details of the 2 systems for us to compare.

BinduSree wrote:

MB- 8.0.1
MQ-7.0.1

I guess you mean 8.0.0.1?
What version of MQ - 7.0.1.?
What operating system?


BinduSree wrote:

In the process I have created a separate server connection channel and a group, and changed the MCAUSER for the svrconn to the group that I have created.

It needs to be a UserID from that group in the MCAUSER, not the group name. And every user will then be seen as that common shared ID by the Broker when coming over this channel. Maybe you want this. Or maybe not.

BinduSree wrote:

setmqaut -m QMName -n 'SYSTEM.BKR.CONFIG' -t channel -g GRoupname +chg +dlt +dsp +ctrl +ctrlx

setmqaut -m QMName -n 'SYSTEM.BROKER.AUTH' -t queue -g Groupname +browse +clr +dsp +get +put +passall +passid +setall +setid

setmqaut -m QMName -n 'SYSTEM.BROKER.AUTH.*' -t queue -g groupname +browse +clr +dsp +get +passall +passid +set +setall +setid

There is no reason to give any permissions to the channel.
The permissions you gave to the queue seem random.
You didn't set any permissions against the Queue Manager.
Please post a link to the reference that directed you to use these settings.
Compare it to this one:
http://publib.boulder.ibm.com/infocenter/wmbhelp/v8r0m0/topic/com.ibm.etools.mft.doc/bp43610_.htm


BinduSree wrote:

On one node the above commands worked and I was able to restrict the access. But the same commands are not working on the other node of my acceptance/test environment.

What do you mean "node"? Is this one Broker and one Queue manager that fails over between 2 servers, and it works on one and not the other? Or is this 2 separate Brokers on 2 separate systems?
_________________
Peter Potkay
Keep Calm and MQ On
BinduSree
Posted: Wed Jun 12, 2013 5:33 am

Newbie

Joined: 26 Feb 2013
Posts: 6

Hello Peter

Thanks for your response


MB- 8.0.1
MQ-7.0.1

OS - SOLARIS


------------------------------------------------------------------------------------

I have referred to the below links to give this access to the broker queues.

http://publib.boulder.ibm.com/infocenter/wmbhelp/v8r0m0/index.jsp?topic=%2Fcom.ibm.etools.mft.doc%2Fbp43610_.htm

http://publib.boulder.ibm.com/infocenter/wmbhelp/v8r0m0/index.jsp?topic=%2Fcom.ibm.etools.mft.doc%2Fbp43610_.htm

http://publib.boulder.ibm.com/infocenter/wmbhelp/v8r0m0/index.jsp?topic=%2Fcom.ibm.etools.mft.doc%2Fbp43610_.htm

Yes, I have given the permissions to the Queue Manager as well. I didn't face any issues in the Queue Manager part... so I didn't mention those queues here.


The permissions that I gave are according to my requirement. I want developers not to see any EGs except the EG that they want access to, and not to stop/start execution groups. So I have disabled inq, put, set according to my requirement.

-------------------------------------------------------------------------------------

Node means... for a single environment we have two nodes, i.e., two different brokers running on the same OS on 2 different hosts.
BinduSree
Posted: Wed Jun 12, 2013 5:39 am

Newbie

Joined: 26 Feb 2013
Posts: 6

My issue got resolved....


The problem was that the broker administration security was inactive on one node. Hence I changed the property, i.e., I made it active, and then it worked....

mqsichangebroker MB7BROKER -s active
PeterPotkay
Posted: Wed Jun 12, 2013 6:48 am

Poobah

Joined: 15 May 2001
Posts: 7722

You posted the same link 3 times.

There is nothing in that link about setting permissions for a channel, or setting the permissions you did for those queues.

Granting the permissions you did for some random group has nothing to do with restricting or granting access to any particular developer.

You enabled Broker Admin Security and it started restricting the access. Enabling the security restricted access to anyone that you didn't explicitly grant access to, or that wasn't in the mqm group or the mqbrkrs group. That alone is what did it, not those setmqaut commands you ran.
_________________
Peter Potkay
Keep Calm and MQ On
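
Added example, not part of the thread or of IBM's documentation: the difference between the two nodes turned out to be the broker administration security setting, so this script reads the `Administration security` line that `mqsireportbroker` prints and lists the nodes where it is not active. The two reports are constructed and trimmed, and the node names `nodeA` and `nodeB` are placeholders.

```shell
#!/bin/sh
# Flag brokers whose administration security is not active, so that two
# nodes of one environment can be compared before debugging setmqaut grants.
# The reports below are constructed, trimmed samples of the text printed by
# `mqsireportbroker <broker>`; they are not captured from the thread's hosts.

NODE_A_REPORT="BIP8927I: Broker Name 'MB7BROKER'
 Queue Manager = 'QMName'
 Administration security = 'active'
BIP8071I: Successful command completion."

NODE_B_REPORT="BIP8927I: Broker Name 'MB7BROKER'
 Queue Manager = 'QMName'
 Administration security = 'inactive'
BIP8071I: Successful command completion."

# Read a report on stdin and print the administration security state.
# Prints "unknown" when the line is absent (for example, the command failed),
# so a missing answer is never mistaken for "active".
admin_security_state() {
    state=$(sed -n "s/^[[:space:]]*Administration security = '\([a-z]*\)'.*/\1/p" | head -n 1)
    printf '%s\n' "${state:-unknown}"
}

# Arguments come in pairs: node-name report-text.
# Prints one line per node whose state is anything other than "active".
nodes_without_admin_security() {
    while [ "$#" -ge 2 ]; do
        s=$(printf '%s\n' "$2" | admin_security_state)
        [ "$s" = "active" ] || printf '%s (%s)\n' "$1" "$s"
        shift 2
    done
}

nodes_without_admin_security nodeA "$NODE_A_REPORT" nodeB "$NODE_B_REPORT"

# On a live host, pipe the real command output instead of a sample:
#   mqsireportbroker MB7BROKER | admin_security_state
```

A node reported here ignores the grants on the `SYSTEM.BROKER.AUTH` queues until security is switched on with the `mqsichangebroker MB7BROKER -s active` command shown in the thread.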