PeterPotkay |
Posted: Wed Oct 23, 2013 6:07 am Post subject: SET AUTHREC versus setmqaut |
|
|
 Poobah
Joined: 15 May 2001 Posts: 7722
|
Is there any reason to take the time and effort of rewriting my setmqaut scripts into SET AUTHREC commands?
So far the only reason I came up with is that then my standard runmqsc script I use for new QMs could also take care of the security stuff, versus having to run a second script specific to setmqaut.
Are AUTHREC just another way of doing the same thing?
Is setmqaut on the Endangered Species List, so sooner or later I’m gonna have to switch anyway?
Does AUTHREC provide or remove capability compared to setmqaut?
Google doesn’t know…..
The new AUTHREC isn’t addressed in the Info Center in the “Changed behavior between v6.0 and V7.5” section. _________________ Peter Potkay
Keep Calm and MQ On |
JosephGramig |
Posted: Wed Oct 23, 2013 11:25 am Post subject: |
|
|
 Grand Master
Joined: 09 Feb 2006 Posts: 1244 Location: Gold Coast of Florida, USA
|
For what it is worth, I would not rewrite the setmqaut scripts but just use them at least once on the new Qmgr. Then the dmpmqcfg command will give them back to you in the MQSC script as SET AUTHREC statements. This will keep you from making a typo.
Other than that, I agree with one script is better than two to keep track of what I'm doing. |
Michael Dag |
Posted: Wed Oct 23, 2013 12:16 pm Post subject: Re: SET AUTHREC versus setmqaut |
|
|
 Jedi Knight
Joined: 13 Jun 2002 Posts: 2607 Location: The Netherlands (Amsterdam)
|
PeterPotkay wrote: |
Does AUTHREC provide or remove capability compared to setmqaut?
|
AUTHREC can also be used from a remote machine where you use MQSC Client or for example MO71 MQSC window.
PeterPotkay wrote: |
Google doesn’t know…..
The new AUTHREC isn’t addressed in the Info Center in the “Changed behavior between v6.0 and V7.5” section. |
AUTHREC was added in 7.1, so ought to be in the 6.0 -> 7.1 or 7.0.1 -> 7.1 what has changed, but could not find it either... _________________ Michael
MQSystems Facebook page |
PeterPotkay |
Posted: Wed Oct 23, 2013 3:53 pm Post subject: |
|
|
 Poobah
Joined: 15 May 2001 Posts: 7722
|
JosephGramig wrote: |
For what it is worth, I would not rewrite the setmqaut scripts but just use them at least once on the new Qmgr. Then the dmpmqcfg command will give them back to you in the MQSC script as SET AUTHREC statements. This will keep you from making a typo.
|
Good idea.
Michael Dag wrote: |
AUTHREC can also be used from a remote machine where you use MQSC Client or for example MO71 MQSC window. |
OK, that's one benefit, however minor, in converting. I don't see myself taking advantage of it though.
I wish we had more insight into why IBM created AUTHREC. After 10 years of using setmqaut I'm familiar with that syntax so I'd like a good reason to switch. _________________ Peter Potkay
Keep Calm and MQ On |
smdavies99 |
Posted: Wed Oct 23, 2013 10:16 pm Post subject: |
|
|
 Jedi Council
Joined: 10 Feb 2003 Posts: 6076 Location: Somewhere over the Rainbow this side of Never-never land.
|
Peter,
One reason for AUTHREC might be to put all the defs in one place. I have lost count where clients have said 'I saved all the definitions with saveqmgr but the new QM does not work'.
They forgot to save the authorisations. The old unsupported way to get a scripted output was not obvious and missed by many people.
Now it is all in one place.
Then they took advantage of that to then improve the whole security envelope.
Then again, it could be the other way round. They needed to improve Security and the most logical way was to extend the object definitions.
IMHO, the only person who might know is Morag. _________________ WMQ User since 1999
MQSI/WBI/WMB/'Thingy' User since 2002
Linux user since 1995
Every time you reinvent the wheel the more square it gets (anon). If in doubt think and investigate before you ask silly questions. |
Michael Dag |
Posted: Thu Oct 24, 2013 1:05 am Post subject: |
|
|
 Jedi Knight
Joined: 13 Jun 2002 Posts: 2607 Location: The Netherlands (Amsterdam)
|
PeterPotkay wrote: |
Michael Dag wrote: |
AUTHREC can also be used from a remote machine where you use MQSC Client or for example MO71 MQSC window. |
OK, that's one benefit, however minor, in converting. I don't see myself taking advantage of it though.
|
setmqaut scripts are different across platforms too (Win vs Unix vs IBM i), SET AUTHREC seems to work the same across all those platforms. _________________ Michael
MQSystems Facebook page |
fjb_saper |
Posted: Thu Oct 24, 2013 6:24 am Post subject: |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
You should also play a little around with user permissions and set auth commands being submitted remotely (pcf, mo72,...). See if any comes back with RC 2035... Otherwise we may well have another security problem...  _________________ MQ & Broker admin |
PeterPotkay |
Posted: Thu Oct 24, 2013 8:53 am Post subject: |
|
|
 Poobah
Joined: 15 May 2001 Posts: 7722
|
I noticed some random things missing from my dmpmqcfg that I explicitly set in my setmqaut. I think I should have seen everything because I used this command:
“Command issued: dmpmqcfg -m PETERQM -x authrec -a -o mqsc”
So I did a little test:
Code: |
setmqaut -m PETERQM -n MY.QUEUE*.** -t queue -g mygrp01 -all +get +browse +put +inq
The setmqaut command completed successfully. |
Code: |
dspmqaut -m PETERQM -n MY.QUEUE*.** -t queue -g mygrp01
Entity mygrp01 has the following authorizations for object MY.QUEUE*.**:
get
browse
put
inq |
Code: |
dmpmqaut -m PETERQM -t queue -n MY.QUEUE*.**
profile: MY.QUEUE*.**
object type: queue
entity: mygrp01
entity type: group
authority: get browse put inq |
Old school methods are consistent. Now let’s see what dmpmqcfg shows.
Code: |
dmpmqcfg -x authrec -a -n CHANNEL.CHECKER*.** -m PETERQM -o 1line -t queue
******************************************************************************************
* Script generated on 2013-10-24 at 12.34.42
* Script generated by user 'mqm' on host 'MyServer'
* Queue manager name: PETERQM
* Queue manager platform: UNIX
* Queue manager command level: (750/750)
* Command issued: dmpmqcfg -x authrec -a -n MY.QUEUE*.** -m PETERQM -o 1line -t queue
****************************************************************************************** |
No other output for this command!
I drop the -t queue flag and run it again.
Code: |
dmpmqcfg -x authrec -a -n MY.QUEUE*.** -m PETERQM -o 1line
******************************************************************************************
* Script generated on 2013-10-24 at 12.35.50
* Script generated by user 'mqm' on host 'MyServer'
* Queue manager name: PETERQM
* Queue manager platform: UNIX
* Queue manager command level: (750/750)
* Command issued: dmpmqcfg -x authrec -a -n MY.QUEUE*.** -m PETERQM -o 1line
******************************************************************************************
SET AUTHREC PROFILE('self') GROUP('mqm') OBJTYPE(QMGR) AUTHADD(ALTUSR,CHG,CONNECT,DLT,DSP,INQ,SET,SETALL,SETID,CTRL,SYSTEM)
SET AUTHREC PROFILE('self') GROUP('mygrp01') OBJTYPE(QMGR) AUTHADD(CONNECT,INQ)
SET AUTHREC PROFILE('@class') GROUP('mqm') OBJTYPE(QMGR) AUTHADD(CRT)
SET AUTHREC PROFILE('@class') GROUP('mygrp01') OBJTYPE(QMGR) AUTHADD(NONE) |
OK, that output is confusing; they don’t match the -n MY.QUEUE*.** that I used in the command, so why do they show up in this output?
There are no queues yet defined on this QM that begin with the name MY.QUEUE.
I’m concerned that dmpmqcfg is not picking up things I set with setmqaut and can see with dspmqaut and MO71. I don’t trust this as a method to produce a replacement runmqsc script for my setmqaut script. There are multiple examples like this that did not get picked up from my main setmqaut script. Actually, I don’t trust this to backup the authorities of a QM just for backup purposes – it seems I would need to fall back to my setmqaut script to be sure I have everything.  _________________ Peter Potkay
Keep Calm and MQ On |
PeterPotkay |
Posted: Thu Oct 24, 2013 11:14 am Post subject: |
|
|
 Poobah
Joined: 15 May 2001 Posts: 7722
|
Single or double quotes didn’t make a diff. But check it out, DISPLAY AUTHREC in a runmqsc session does see it like dspmqaut and dmpmqaut do.
Seems like dmpmqcfg is the only thing that can’t see this profile.
Code: |
dmpmqcfg -x authrec -a -n MY.QUEUE*.** -m PETERQM -o 1line -t queue
******************************************************************************************
* Script generated on 2013-10-24 at 14.48.04
* Script generated by user 'mqm' on host 'myServer'
* Queue manager name: PETERQM
* Queue manager platform: UNIX
* Queue manager command level: (750/750)
* Command issued: dmpmqcfg -x authrec -a -n MY.QUEUE*.** -m PETERQM -o 1line -t queue
******************************************************************************************
dmpmqcfg -x authrec -a -n 'MY.QUEUE*.**' -m PETERQM -o 1line -t queue
******************************************************************************************
* Script generated on 2013-10-24 at 14.48.17
* Script generated by user 'mqm' on host 'myServer'
* Queue manager name: PETERQM
* Queue manager platform: UNIX
* Queue manager command level: (750/750)
* Command issued: dmpmqcfg -x authrec -a -n MY.QUEUE*.** -m PETERQM -o 1line -t queue
******************************************************************************************
dmpmqcfg -x authrec -a -n "MY.QUEUE*.**" -m PETERQM -o 1line -t queue
******************************************************************************************
* Script generated on 2013-10-24 at 14.49.04
* Script generated by user 'mqm' on host 'myServer'
* Queue manager name: PETERQM
* Queue manager platform: UNIX
* Queue manager command level: (750/750)
* Command issued: dmpmqcfg -x authrec -a -n MY.QUEUE*.** -m PETERQM -o 1line -t queue
****************************************************************************************** |
Code: |
runmqsc PETERQM
5724-H72 (C) Copyright IBM Corp. 1994, 2011. ALL RIGHTS RESERVED.
Starting MQSC for queue manager PETERQM.
DISPLAY AUTHREC PROFILE(MY.QUEUE*.**)
1 : DISPLAY AUTHREC PROFILE(MY.QUEUE*.**)
AMQ8864: Display authority record details.
PROFILE(MY.QUEUE*.**) ENTITY(mygrp01)
ENTTYPE(GROUP) OBJTYPE(QUEUE)
AUTHLIST(BROWSE,GET,INQ,PUT)
end
2 : end
One MQSC command read.
No commands have a syntax error.
All valid MQSC commands were processed. |
_________________ Peter Potkay
Keep Calm and MQ On |
JosephGramig |
Posted: Thu Oct 24, 2013 11:54 am Post subject: |
|
|
 Grand Master
Joined: 09 Feb 2006 Posts: 1244 Location: Gold Coast of Florida, USA
|
Cool! Please open a PMR and see what they say. I have to agree that dmpmqcfg should have given the same result you get from runmqsc DISPLAY commands... |
PeterPotkay |
Posted: Fri Oct 25, 2013 6:00 am Post subject: |
|
|
 Poobah
Joined: 15 May 2001 Posts: 7722
|
I got a similar post going on the MQ List Server where it has been identified that the multiple trailing asterisks are a problem for dmpmqcfg, and that whether an object exists that matches that profile also causes dmpmqcfg to act differently.
I do not have any queues that start with NEW.QUEUE at this point.
Code: |
setmqaut -m PETERQM -t q -n NEW.QUEUE*.** -g mygrp01 +inq
The setmqaut command completed successfully.
dspmqaut -m PETERQM -t q -n NEW.QUEUE*.** -g mygrp01
Entity mygrp01 has the following authorizations for object NEW.QUEUE*.**:
inq
dmpmqaut -m PETERQM -t q -n NEW.QUEUE*.**
profile: NEW.QUEUE*.**
object type: queue
entity: mygrp01
entity type: group
authority: inq |
No problems for dspmqaut or dmpmqaut to recognize this new profile. Now let’s try dmpmqcfg.
Code: |
dmpmqcfg -x authrec -a -n "NEW.QUEUE*.**" -m PETERQM -o 1line -t queue
******************************************************************************************
* Script generated on 2013-10-25 at 08.34.28
* Script generated by user 'mqm' on host 'myServer'
* Queue manager name: PETERQM
* Queue manager platform: UNIX
* Queue manager command level: (750/750)
* Command issued: dmpmqcfg -x authrec -a -n NEW.QUEUE*.** -m PETERQM -o 1line -t queue
****************************************************************************************** |
Again with only 1 asterisk:
Code: |
dmpmqcfg -x authrec -a -n "NEW.QUEUE*" -m PETERQM -o 1line -t queue
******************************************************************************************
* Script generated on 2013-10-25 at 08.34.45
* Script generated by user 'mqm' on host 'myServer'
* Queue manager name: PETERQM
* Queue manager platform: UNIX
* Queue manager command level: (750/750)
* Command issued: dmpmqcfg -x authrec -a -n NEW.QUEUE* -m PETERQM -o 1line -t queue
******************************************************************************************
* No matching queue objects |
Notice that while both attempts with dmpmqcfg fail to get a hit, the second command where I use only one asterisk produces one extra line of output.
Now I’ll create one queue that matches this profile name.
Code: |
runmqsc PETERQM
5724-H72 (C) Copyright IBM Corp. 1994, 2011. ALL RIGHTS RESERVED.
Starting MQSC for queue manager PETERQM.
DEF QL (NEW.QUEUE.ONE)
1 : DEF QL (NEW.QUEUE.ONE)
AMQ8006: WebSphere MQ queue created.
end
2 : end
One MQSC command read.
No commands have a syntax error.
All valid MQSC commands were processed. |
Code: |
dmpmqcfg -x authrec -a -n "NEW.QUEUE*.**" -m PETERQM -o 1line -t queue
******************************************************************************************
* Script generated on 2013-10-25 at 08.37.21
* Script generated by user 'mqm' on host 'myServer'
* Queue manager name: PETERQM
* Queue manager platform: UNIX
* Queue manager command level: (750/750)
* Command issued: dmpmqcfg -x authrec -a -n NEW.QUEUE*.** -m PETERQM -o 1line -t queue
****************************************************************************************** |
With multiple asterisks still no joy.
Code: |
dmpmqcfg -x authrec -a -n "NEW.QUEUE*" -m PETERQM -o 1line -t queue
******************************************************************************************
* Script generated on 2013-10-25 at 08.37.25
* Script generated by user 'mqm' on host 'myServer'
* Queue manager name: PETERQM
* Queue manager platform: UNIX
* Queue manager command level: (750/750)
* Command issued: dmpmqcfg -x authrec -a -n NEW.QUEUE* -m PETERQM -o 1line -t queue
******************************************************************************************
SET AUTHREC PROFILE('NEW.QUEUE.ONE') GROUP('mqm') OBJTYPE(QUEUE) AUTHADD(BROWSE,CHG,CLR,DLT,DSP,GET,INQ,PUT,PASSALL,PASSID,SET,SETALL,SETID)
SET AUTHREC PROFILE('NEW.QUEUE*.**') GROUP('mygrp01') OBJTYPE(QUEUE) AUTHADD(INQ) |
Hello!
I’ll copy and paste this into a PMR now.
And rely on dmpmqaut or dspmqaut in the meantime to get an accurate list of authority records for a Queue Manager. _________________ Peter Potkay
Keep Calm and MQ On |
JosephGramig |
Posted: Fri Oct 25, 2013 6:39 am Post subject: |
|
|
 Grand Master
Joined: 09 Feb 2006 Posts: 1244 Location: Gold Coast of Florida, USA
|
Thx Peter!
I guess if we are using dmpmqcfg instead of SAVEQMGR, we need to also use "amqoamd -m <QmgrName> -s" to capture the permissions. I like to strip the lines that are for the group mqm with "grep -v 'g mqm'" and if you are Windows, the FIND command can do the same. |
fjb_saper |
Posted: Fri Oct 25, 2013 6:49 am Post subject: |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
JosephGramig wrote: |
Thx Peter!
I guess if we are using dmpmqcfg instead of SAVEQMGR, we need to also use "amqoamd -m <QmgrName> -s" to capture the permissions. I like to strip the lines that are for the group mqm with "grep -v 'g mqm'" and if you are Windows, the FIND command can do the same. |
Does that mean that the dmpqmgrcfg -o setmqaut does not dump the same output as amqoamd -m -s ?  _________________ MQ & Broker admin |
PeterPotkay |
Posted: Fri Oct 25, 2013 11:42 am Post subject: |
|
|
 Poobah
Joined: 15 May 2001 Posts: 7722
|
PMR 69947 L6Q 000 has been opened. _________________ Peter Potkay
Keep Calm and MQ On |
PeterPotkay |
Posted: Wed Oct 30, 2013 8:35 am Post subject: |
|
|
 Poobah
Joined: 15 May 2001 Posts: 7722
|
The PMR concluded that dmpmqcfg is working as designed and that I should open an RFE.
Here is the link to vote for the RFE to update dmpmqcfg to capture authority records for profiles for names of queues that don't exist yet.
http://www.ibm.com/developerworks/rfe/execute?use_case=viewRfe&CR_ID=41015
We’ll have to run MS03 and dmpmqcfg in parallel for now. The dmpmqcfg command will capture the MQ 7.1/7.5 specific things like CHLAUTH records that MS03 does not. MS03 will ensure we get all authority records. _________________ Peter Potkay
Keep Calm and MQ On |
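A check for the gap this thread describes, as an added example that is not part of any post above: it parses saved `dmpmqaut` stanza output and a `dmpmqcfg -x authrec -a -o 1line` script and lists the authority records the dmpmqcfg script lacks. The function names and sample text are constructed for illustration; it assumes object-type and entity-type names differ only by case between the two tools, as in the outputs quoted in the thread.

```python
import re

# Constructed samples in the layouts shown in the thread (not real captures).
DMPMQAUT_OUT = """\
profile: NEW.QUEUE*.**
object type: queue
entity: mygrp01
entity type: group
authority: inq

profile: MY.QUEUE*.**
object type: queue
entity: mygrp01
entity type: group
authority: get browse put inq
"""
DMPMQCFG_OUT = """\
* Command issued: dmpmqcfg -x authrec -a -m PETERQM -o 1line
SET AUTHREC PROFILE('NEW.QUEUE*.**') GROUP('mygrp01') OBJTYPE(QUEUE) AUTHADD(INQ)
"""

# Matches one-line SET AUTHREC statements; "*" comment lines never match.
AUTHREC_RE = re.compile(
    r"^SET AUTHREC\s+PROFILE\('([^']*)'\)\s+(GROUP|PRINCIPAL)\('([^']*)'\)"
    r"\s+OBJTYPE\((\w+)\)", re.MULTILINE)

def parse_dmpmqaut(text):
    """Map (profile, OBJTYPE, ENTTYPE, entity) -> set of authorities."""
    records, cur = {}, {}
    for line in text.splitlines():
        field, sep, value = line.partition(":")
        if not sep:
            continue  # blank or separator line between stanzas
        cur[field.strip()] = value.strip()
        if field.strip() == "authority" and "profile" in cur:  # stanza complete
            key = (cur["profile"], cur["object type"].upper(),
                   cur["entity type"].upper(), cur["entity"])
            records[key] = set(cur["authority"].split())
            cur = {}
    return records

def parse_dmpmqcfg(text):
    """Set of (profile, OBJTYPE, ENTTYPE, entity) keys in 1line SET AUTHREC output."""
    return {(m[1], m[4].upper(), m[2], m[3]) for m in AUTHREC_RE.finditer(text)}

def missing_from_dmpmqcfg(dmpmqaut_text, dmpmqcfg_text):
    """Authority records dmpmqaut reports that the dmpmqcfg script lacks."""
    backed_up = parse_dmpmqcfg(dmpmqcfg_text)
    return {k: v for k, v in parse_dmpmqaut(dmpmqaut_text).items()
            if k not in backed_up}

if __name__ == "__main__":
    for key, auths in sorted(missing_from_dmpmqcfg(DMPMQAUT_OUT, DMPMQCFG_OUT).items()):
        print("missing from dmpmqcfg:", key, sorted(auths))
```

Any record it reports is one that would be lost if the queue manager were rebuilt from the dmpmqcfg script alone.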