Boyd (Novice, Joined: 06 Apr 2014, Posts: 16)
Posted: Mon Apr 07, 2014 6:04 am Post subject: AMS and amqsput example (2035 auth err)
I am trying to complete the AMS quick start in the infocenter.
I completed almost all of the assignment, but I cannot get amqsput to work properly.
It is returning a 2035 (user not authorized).
Previously I had performed the following commands from mqm inside a script:
Code:
++ setmqaut -m QM_VERIFY_AMS -t qmgr -p alice -p bob +connect +inq
The setmqaut command completed successfully.
++ setmqaut -m QM_VERIFY_AMS -n TEST.Q -t queue -p alice +put
The setmqaut command completed successfully.
++ setmqaut -m QM_VERIFY_AMS -n TEST.Q -t queue -p bob +get
The setmqaut command completed successfully.
++ setmqaut -m QM_VERIFY_AMS -t queue -n SYSTEM.PROTECTION.POLICY.QUEUE -p alice -p bob +browse
The setmqaut command completed successfully.
++ setmqaut -m QM_VERIFY_AMS -t queue -n SYSTEM.PROTECTION.ERROR.QUEUE -p alice -p bob +put
The setmqaut command completed successfully.
After all the certificate objects had been created, I moved to the test
part at the end of the exercise, and I got the following result
(note: the commands below conform to the exercise):
Code:
[root@mmclnt1 test]# whoami
root
[root@mmclnt1 test]# cd /opt/mqm/samp/bin
[root@mmclnt1 bin]# su alice
[alice@mmclnt1 bin]$ ./amqsput TEST.Q QM_VERIFY_AMS
Sample AMQSPUT0 start
target queue is TEST.Q
MQOPEN ended with reason code 2035
unable to open queue for output
Sample AMQSPUT0 end
[alice@mmclnt1 bin]$
The qmgr and queue exist:
Code:
-bash-4.1$ runmqsc QM_VERIFY_AMS
5724-H72 (C) Copyright IBM Corp. 1994, 2011. ALL RIGHTS RESERVED.
Starting MQSC for queue manager QM_VERIFY_AMS.
display ql(TEST.Q)
1 : display ql(TEST.Q)
AMQ8409: Display Queue details.
QUEUE(TEST.Q) TYPE(QLOCAL)
ACCTQ(QMGR) ALTDATE(2014-04-06)
The dspmqaut appears to be correct:
Code:
-bash-4.1$ dspmqaut -m QM_VERIFY_AMS -t q -n TEST.Q -p alice
Entity alice has the following authorizations for object TEST.Q:
get
browse
put
inq
The reason the get and browse are there is that I was experimenting to try to get it to work.
How can I get amqsput to work?
Boyd (Novice, Joined: 06 Apr 2014, Posts: 16)
Posted: Mon Apr 07, 2014 6:11 am
Vitor (Grand High Poobah, Joined: 11 Nov 2005, Posts: 26093, Location: Texas, USA)
Posted: Mon Apr 07, 2014 6:22 am
On Unix you can't assign permissions to an individual user with the -p parameter; permissions are at a group level. This is an OS gotcha.
So (despite what the dspmqaut is telling you) those permissions are probably wrong.
Enable security events on the queue manager to obtain more detail on why the 2035 is being thrown, and remediate.
_________________
Honesty is the best policy.
Insanity is the best defence.
fjb_saper (Grand High Poobah, Joined: 18 Nov 2003, Posts: 20756, Location: LI,NY)
Posted: Mon Apr 07, 2014 7:38 am
I'd say by default add +inq +dsp to whatever put, get, browse you want to allocate...
_________________
MQ & Broker admin
Boyd (Novice, Joined: 06 Apr 2014, Posts: 16)
Posted: Mon Apr 07, 2014 10:06 am
I got it to work with
Code:
setmqaut -m QM_VERIFY_AMS -t qmgr -g mqusers +connect +inq
setmqaut -m QM_VERIFY_AMS -n TEST.Q -t queue -g mqusers +allmqi +alladm
I know that's overkill, but it does work. Thanks for your help.
Vitor (Grand High Poobah, Joined: 11 Nov 2005, Posts: 26093, Location: Texas, USA)
Posted: Mon Apr 07, 2014 10:16 am
Boyd wrote:
> I know that's overkill, but it does work.
Well yes, that solves your security issue by giving everybody authority to do everything. That's like solving the issue of your key sometimes getting stuck in the lock by removing the door. It's an effective way of ensuring you can get into your house but is not all that secure...
Boyd (Novice, Joined: 06 Apr 2014, Posts: 16)
Posted: Tue Apr 08, 2014 8:53 am
Vitor:
You are correct; I plan to lower permissions once everything is stable.
All:
I was able to work through the exercise successfully, and then
I started a listener and connected remotely with the MQ Explorer.
From the Explorer I can browse any queue other than TEST.Q.
But when I try to browse TEST.Q I get the following error
from the Explorer:
Code:
Explanation: The queue manager security mechanism has indicated that the userid associated with this request is not authorized to access this object
So I checked my groups:
Code:
groups alice
alice : alice mqusers
groups bob
bob : bob mqusers
groups mqexp
mqexp : mqexp mqusers
(Note: mqexp is the Windows ID I am running the Explorer from.)
I checked the authority for mqexp:
Code:
dspmqaut -m QM_VERIFY_AMS -t q -n TEST.Q -p mqexp
Entity mqexp has the following authorizations for object TEST.Q:
get
browse
put
inq
set
dlt
chg
dsp
passid
passall
setid
setall
clr
My original auth commands were:
Code:
setmqaut -m QM_VERIFY_AMS -t qmgr -g mqusers +connect +inq +dsp +all
setmqaut -m QM_VERIFY_AMS -n TEST.Q -t queue -g mqusers +allmqi +alladm
... and I restarted the qmgr before attempting to browse the queue.
How should I proceed to fix this issue?
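An added audit script (not from this thread or from IBM MQ) that compares a dspmqaut listing like the one above against the authorities a role actually needs, so that a blanket +allmqi +alladm grant shows up as a list of excess authorities. SAMPLE_DSPMQAUT is constructed to mirror the mqexp listing for TEST.Q; the allowlists for alice (put, inq) and bob (get, inq) follow the exercise's original setmqaut commands plus the +inq fjb_saper suggested.

```shell
#!/bin/sh
# Added example: audit a dspmqaut listing against a least-privilege allowlist.
# SAMPLE_DSPMQAUT is constructed to look like the mqexp listing for TEST.Q
# after "+allmqi +alladm" was granted to the mqusers group.
SAMPLE_DSPMQAUT='Entity mqexp has the following authorizations for object TEST.Q:
   get
   browse
   put
   inq
   set
   dlt
   chg
   dsp
   passid
   passall
   setid
   setall
   clr'

# Allowlists per role, from the exercise's original setmqaut commands
# (+put for alice, +get for bob) plus +inq, which the thread suggests adding.
ALICE_NEEDS="put inq"
BOB_NEEDS="get inq"

# auths_from_dspmqaut LISTING -> granted authorities, space-separated, sorted.
# Drops the "Entity ... has the following authorizations" header line.
auths_from_dspmqaut() {
    printf '%s\n' "$1" | sed -n '2,$p' | tr -d ' \t' | grep -v '^$' \
        | LC_ALL=C sort | tr '\n' ' ' | sed 's/ $//'
}

# excess_auths "NEEDED" "GRANTED" -> granted authorities that are not needed.
excess_auths() {
    needed=" $1 "
    excess=""
    for auth in $2; do
        case "$needed" in
            *" $auth "*) ;;                 # needed: fine
            *) excess="$excess$auth " ;;    # granted but not needed
        esac
    done
    printf '%s' "${excess% }"
}

granted=$(auths_from_dspmqaut "$SAMPLE_DSPMQAUT")
echo "granted on TEST.Q: $granted"
echo "excess for a putter (alice): $(excess_auths "$ALICE_NEEDS" "$granted")"
echo "excess for a getter (bob):   $(excess_auths "$BOB_NEEDS" "$granted")"
```

Feed it the real output of dspmqaut for each principal and an empty excess list means the grant matches the role; anything listed is an authority to take back with setmqaut -<auth>.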
Vitor (Grand High Poobah, Joined: 11 Nov 2005, Posts: 26093, Location: Texas, USA)
Posted: Tue Apr 08, 2014 9:11 am
Boyd wrote:
> How should I proceed to fix this issue?
Vitor wrote:
> Enable security events on the queue manager to obtain more detail on why the 2035 is being thrown, and remediate.
Boyd (Novice, Joined: 06 Apr 2014, Posts: 16)
Posted: Tue Apr 08, 2014 9:40 am
I enabled "authority Events" on the Events page of the QM.
I hit the Apply button, and from the server I restarted the QM.
I attempt to browse the queue again, and I get the same error, and there is no corresponding entry in the errors/AMQ.....LOG.
Only the explorer message:
Code:
Explanation: The queue manager security mechanism has indicated that the userid associated with this request is not authorized to access this object
Vitor (Grand High Poobah, Joined: 11 Nov 2005, Posts: 26093, Location: Texas, USA)
Posted: Tue Apr 08, 2014 9:43 am
Boyd wrote:
> I enabled "authority Events" on the Events page of the QM.
> I hit the Apply button, and from the server I restarted the QM.
> I attempt to browse the queue again, and I get the same error, and there is no corresponding entry in the errors/AMQ.....LOG.
> Only the explorer message:
> Code:
> Explanation: The queue manager security mechanism has indicated that the userid associated with this request is not authorized to access this object
And what event messages did you get...?
fjb_saper (Grand High Poobah, Joined: 18 Nov 2003, Posts: 20756, Location: LI,NY)
Posted: Tue Apr 08, 2014 11:26 am
Boyd (Novice, Joined: 06 Apr 2014, Posts: 16)
Posted: Tue Apr 08, 2014 1:02 pm
fjb_saper:
I had previously disabled CHLAUTH, as displayed below.
Code:
DISPLAY CHLAUTH('SYSTEM.ADMIN.SVRCONN') MATCH(RUNCHECK) ALL ADDRESS('127.0.0.1') CLNTUSER('benchmarking')
9 : DISPLAY CHLAUTH('SYSTEM.ADMIN.SVRCONN') MATCH(RUNCHECK) ALL ADDRESS('127.0.0.1') CLNTUSER('mqexp')
AMQ8898: Display channel authentication record details - currently disabled.
CHLAUTH(SYSTEM.ADMIN.SVRCONN) TYPE(ADDRESSMAP)
DESCR(Default rule to allow MQ Explorer access)
CUSTOM( ) ADDRESS(*)
USERSRC(CHANNEL) ALTDATE(2014-04-07)
ALTTIME(10.53.26)
JosephGramig (Grand Master, Joined: 09 Feb 2006, Posts: 1244, Location: Gold Coast of Florida, USA)
Posted: Wed Apr 09, 2014 4:36 am
Block rules get applied last and are overriding your specific rule. Add a more specific block rule to block some ID other than yours. Don't use SYSTEM.* channels (nor any other object that starts with SYSTEM.*).
fjb_saper (Grand High Poobah, Joined: 18 Nov 2003, Posts: 20756, Location: LI,NY)
Posted: Wed Apr 09, 2014 5:24 am
Boyd wrote:
> fjb_saper:
> I had previously disabled CHLAUTH, as displayed below.
CHLAUTH being disabled, obviously you did not assign the right authorities to the user you do use. The record in the SYSTEM.ADMIN.EVENT.QUEUE should tell you what the problem is, after having turned on authority events...
Vitor (Grand High Poobah, Joined: 11 Nov 2005, Posts: 26093, Location: Texas, USA)
Posted: Wed Apr 09, 2014 5:28 am
fjb_saper wrote:
> The record in the SYSTEM.ADMIN.EVENT.QUEUE should tell you what the problem is, after having turned on authority events...
I already mentioned that...