Author |
Message
|
fernando28 |
Posted: Fri Jul 19, 2013 6:44 am Post subject: Help with security issue mqjexplorer 2035 |
|
|
Novice
Joined: 07 May 2013 Posts: 20
|
Hi MQ gurus!!!
I am trying to give read-only access to qmgr objects using mqjexplorer (not MQExplorer). I assume that mqjexplorer uses pcf messages to command server, am I right?
I have a server connection channel with a mcauser, and this user is not in mqm group. I am using this channel at mqjexplorer.
I've used setmqaut to give +allmqi access to qmgr and queues, and it's working fine for mqi commands.
Now I want to give +dsp access to qmgr objects, so I've tried to run setmqaut giving +dsp to profile '*.**' and all object types: qmgr, process, queue, ...
But every time I try to connect to qmgr using mqjexplorer I receive reason code 2035. So, to make a test I gave +alladm authority to this user, but 2035 still occurs.
What am I doing wrong? Thanks in advance!!! Sorry about my poor English... Best regards from Brazil... Fernando |
|
 |
MQ_Lover |
Posted: Fri Jul 19, 2013 7:20 am Post subject: |
|
|
Acolyte
Joined: 15 Jul 2013 Posts: 67
|
Did you also give SYSTEM.ADMIN.COMMAND.QUEUE the required permissions? It could be that this is missing for the MCA user you have on the channel. |
|
 |
bruce2359 |
Posted: Fri Jul 19, 2013 7:38 am Post subject: Re: Help with security issue |
|
|
 Poobah
Joined: 05 Jan 2008 Posts: 9469 Location: US: west coast, almost. Otherwise, enroute.
|
fernando28 wrote: |
But every time I try to connect to qmgr using mqjexplorer I receive reason code 2035. |
Look in the error log. Exactly what does the error say? Copy/paste the complete error message here.
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live. |
|
 |
bruce2359 |
Posted: Fri Jul 19, 2013 7:39 am Post subject: |
|
|
 Poobah
Joined: 05 Jan 2008 Posts: 9469 Location: US: west coast, almost. Otherwise, enroute.
|
Moved to Security forum. |
|
 |
Michael Dag |
Posted: Fri Jul 19, 2013 8:05 am Post subject: |
|
|
 Jedi Knight
Joined: 13 Jun 2002 Posts: 2607 Location: The Netherlands (Amsterdam)
|
Is this a new queue manager created using version 7.1 or 7.5?
Look up Channel Authentication!
_________________
Michael |
|
 |
fernando28 |
Posted: Fri Jul 19, 2013 9:37 am Post subject: |
|
|
Novice
Joined: 07 May 2013 Posts: 20
|
Thanks for the answers, guys!!! I'm sorry for opening this topic in the wrong forum section...
I forgot to mention: MQ 6.0.2.9 (back level), Linux x86.
Mcauser has authority +allmqi to SYSTEM.ADMIN.COMMAND.QUEUE, it has authority +allmqi to '*.**' queues
I've tried to grant +all to this user, and 2035 again!!!
AMQERR01.LOG has no entries for security issues
refresh security executed!!!
mqjexplorer only shows compcode 2 reason 2035. I'll try with mo71 - mqmon |
|
 |
bruce2359 |
Posted: Fri Jul 19, 2013 9:56 am Post subject: |
|
|
 Poobah
Joined: 05 Jan 2008 Posts: 9469 Location: US: west coast, almost. Otherwise, enroute.
|
fernando28 wrote: |
AMQERR01.LOG has no entries for security issues
|
Which errors directory did you look in? The client? The server? Both? |
|
 |
fernando28 |
Posted: Fri Jul 19, 2013 10:23 am Post subject: |
|
|
Novice
Joined: 07 May 2013 Posts: 20
|
bruce2359 wrote: |
fernando28 wrote: |
AMQERR01.LOG has no entries for security issues
|
Which errors directory did you look in? The client? The server? Both? |
Hi Bruce. Both: client (Windows) and server (/var/mqm/errors and /var/mqm/qmgrs/qm_name/errors), and no security messages |
|
 |
PeterPotkay |
Posted: Fri Jul 19, 2013 10:49 am Post subject: |
|
|
 Poobah
Joined: 15 May 2001 Posts: 7722
|
Turn on Authority Events at the Queue Manager level, recreate the error and then look at the Event Message. It should tell you specifically what is throwing the 2035 error.
_________________
Peter Potkay
Keep Calm and MQ On |
|
 |
fernando28 |
Posted: Fri Jul 19, 2013 11:33 am Post subject: |
|
|
Novice
Joined: 07 May 2013 Posts: 20
|
PeterPotkay wrote: |
Turn on Authority Events at the Queue Manager level, recreate the error and then look at the Event Message. It should tell you specifically what is throwing the 2035 error. |
Thanks Peter!!! I'll try |
|
 |
fernando28 |
Posted: Fri Jul 19, 2013 11:57 am Post subject: |
|
|
Novice
Joined: 07 May 2013 Posts: 20
|
PeterPotkay wrote: |
Turn on Authority Events at the Queue Manager level, recreate the error and then look at the Event Message. It should tell you specifically what is throwing the 2035 error. |
Thanks Peter. Problem solved. I don't know why, but userid had no authority to open SYSTEM.DEFAULT.MODEL.QUEUE (event msg showed this)
I've granted authority to queues this way:
setmqaut -m QMLI114 -n '*.**' -t queue -p usrsegmq +allmqi
Command ran ok, but '*.**' did not work. Don't know why!!!
Thanks for all your help, guys!!! |
|
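Added example (not part of any post in this thread): a shell script that prints, without running, the commands for the approach that resolved the problem above: enable authority events to find the failing object, then grant and check authority by explicit object name. The queue manager and user names come from the thread; the authority set chosen per object and the `amqsbcg` sample path are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: prints (does not run) the commands.
# Review the output, then run it as an MQ administrator on the server.

CMD_Q=SYSTEM.ADMIN.COMMAND.QUEUE      # PCF requests are put here
MODEL_Q=SYSTEM.DEFAULT.MODEL.QUEUE    # opened to create the dynamic reply queue

# Reject anything that is not a plain MQ-style name, so the generated
# command lines cannot carry shell metacharacters.
valid_name() {
    case $1 in ''|*[!A-Za-z0-9._]*) return 1 ;; esac
}

# usage: mq_pcf_readonly_plan QMGR PRINCIPAL
mq_pcf_readonly_plan() {
    valid_name "$1" && valid_name "$2" || { echo "bad name" >&2; return 2; }
    qmgr=$1 user=$2

    echo "# 1. Authority events: let the queue manager name the failing object"
    echo "echo 'ALTER QMGR AUTHOREV(ENABLED)' | runmqsc $qmgr"
    echo "# reproduce the 2035, then browse the event queue"
    echo "/opt/mqm/samp/bin/amqsbcg SYSTEM.ADMIN.QMGR.EVENT $qmgr"

    echo "# 2. Explicit grants by object name (no generic profile involved)"
    # Assumed authority set for a display-only PCF client.
    # On UNIX at this MQ level, -p applies to the user's primary group.
    echo "setmqaut -m $qmgr -t qmgr -p $user +connect +inq +dsp"
    echo "setmqaut -m $qmgr -n $CMD_Q -t queue -p $user +put +inq +dsp"
    echo "setmqaut -m $qmgr -n $MODEL_Q -t queue -p $user +get +inq +dsp"

    echo "# 3. Confirm what the OAM will actually enforce for this user"
    echo "dspmqaut -m $qmgr -t qmgr -p $user"
    for q in $CMD_Q $MODEL_Q; do
        echo "dspmqaut -m $qmgr -n $q -t queue -p $user"
    done
}

# Values taken from the thread.
mq_pcf_readonly_plan QMLI114 usrsegmq
```

The `+dsp` grants on the remaining object types stay as described in the original question; this script covers only the objects a PCF client must open before any display command can run.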
 |
JosephGramig |
Posted: Mon Jul 22, 2013 7:26 am Post subject: |
|
|
 Grand Master
Joined: 09 Feb 2006 Posts: 1244 Location: Gold Coast of Florida, USA
|
|
 |
gbaddeley |
Posted: Mon Jul 22, 2013 3:21 pm Post subject: |
|
|
 Jedi Knight
Joined: 25 Mar 2003 Posts: 2538 Location: Melbourne, Australia
|
|
 |
RogerLacroix |
Posted: Tue Jul 23, 2013 3:33 pm Post subject: Re: Help with security issue mqjexplorer 2035 |
|
|
 Jedi Knight
Joined: 15 May 2001 Posts: 3264 Location: London, ON Canada
|
fernando28 wrote: |
I have a server connection channel with a mcauser, and this user is not in mqm group. I am using this channel at mqjexplorer. |
I have a question.
MQJExplorer does NOT allow a user to specify a channel when connecting to a remote queue manager - one of the reasons I stopped using it. It only accepts Remote Queue Manager Name and Connection Name. It explicitly uses the SYSTEM.ADMIN.SVRCONN channel.
So, why all the security questions around the user using a different SVRCONN channel?
Regards,
Roger Lacroix
Capitalware Inc.
_________________
Capitalware: Transforming tomorrow into today.
Connected to MQ! |
|
 |
JosephGramig |
Posted: Wed Jul 24, 2013 10:04 am Post subject: |
|
|
 Grand Master
Joined: 09 Feb 2006 Posts: 1244 Location: Gold Coast of Florida, USA
|
fernando28,
Why not use MQ Explorer (sPac MS0T)?
It is Java and you can specify an ID and channel for each Qmgr.
If you want security, then use SSL on each channel and CHLAUTH records. |
|
 |
|