rcp_mq |
Posted: Wed Jul 02, 2014 4:20 am Post subject: MCA User does not match to User ID attribute ? |
|
|
 Centurion
Joined: 13 Dec 2011 Posts: 133
|
I have a SVRCONN channel in an MQ6 installation on a remote Unix machine. It has an MCAUSER "xyz". From my local Windows desktop with MQ7.5 Explorer, I'm able to connect to the remote Queue manager with the User ID attribute set to "abc". I was expecting a 2035.
Could anyone suggest what I'm missing?
PeterPotkay |
Posted: Wed Jul 02, 2014 5:05 am Post subject: |
|
|
 Poobah
Joined: 15 May 2001 Posts: 7722
|
Why were you expecting a 2035?
_________________
Peter Potkay
Keep Calm and MQ On
rcp_mq |
Posted: Wed Jul 02, 2014 10:22 pm Post subject: |
|
|
 Centurion
Joined: 13 Dec 2011 Posts: 133
|
If connecting to an untrusted domain, shouldn't there be an access denied error?
Perhaps I'm too dumb to understand the info center definitions.
Could you tell me why it should not cause a 2035?
PeterPotkay |
Posted: Thu Jul 03, 2014 4:05 am Post subject: |
|
|
 Poobah
Joined: 15 May 2001 Posts: 7722
|
I didn't say whether it should or should not cause a 2035. Without knowing what authority abc and xyz have to the Queue Manager, it's impossible to say.
But with xyz in the MCAUSER field of the SVRCONN channel, and assuming there is no Security Exit in play, it doesn't matter what abc, def or 123 has - all connections over that channel will be authorized as xyz.
_________________
Peter Potkay
Keep Calm and MQ On
bruce2359 |
Posted: Thu Jul 03, 2014 4:20 am Post subject: |
|
|
 Poobah
Joined: 05 Jan 2008 Posts: 9469 Location: US: west coast, almost. Otherwise, enroute.
|
So, what authority do abc and xyz have? Are they in the mqm group?
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
JosephGramig |
Posted: Thu Jul 03, 2014 5:06 am Post subject: |
|
|
 Grand Master
Joined: 09 Feb 2006 Posts: 1244 Location: Gold Coast of Florida, USA
|
And you realize IBM MQ V6.?.?.? is beyond "End of Support" (EOS) for a long time, right?
You need to upgrade and before you do that, research all the requirements of equipment, OS and other software.
rcp_mq |
Posted: Sun Jul 06, 2014 10:49 pm Post subject: |
|
|
 Centurion
Joined: 13 Dec 2011 Posts: 133
|
@bruce xyz and abc are random and not part of mqm.
Thanks for the advice Joseph. We do use 7.5, this is an old test machine.
smdavies99 |
Posted: Sun Jul 06, 2014 11:02 pm Post subject: |
|
|
 Jedi Council
Joined: 10 Feb 2003 Posts: 6076 Location: Somewhere over the Rainbow this side of Never-never land.
|
rcp_mq wrote:
@bruce xyz and abc are random and not part of mqm.
Thanks for the advice Joseph. We do use 7.5, this is an old test machine.

So why don't you install V7.5 or even V8 on it instead of faffing around with an obsolete version of the product?
The WMQ (sorry IBM MQ) security model changed a lot with V7.1. There are more changes in V8. It is a lot easier to resolve this type of problem with V7.1 onwards.
_________________
WMQ User since 1999
MQSI/WBI/WMB/'Thingy' User since 2002
Linux user since 1995
Every time you reinvent the wheel the more square it gets (anon). If in doubt think and investigate before you ask silly questions.
mqjeff |
Posted: Mon Jul 07, 2014 5:29 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008 Posts: 17447
|
Look, aside from all the blather about what version you're running - and it does make a difference and it is important, but it's still mostly blather.
It's not clear that you understand MCAUSER.
IF there is an MCAUSER in effect, and none of the other rules introduced in v7.1 and v8 apply, then the only ID that makes any difference to MQ security is the MCAUSER.
That's the whole point of the MCAUSER.
JosephGramig |
Posted: Tue Jul 08, 2014 4:45 am Post subject: |
|
|
 Grand Master
Joined: 09 Feb 2006 Posts: 1244 Location: Gold Coast of Florida, USA
|
To get a better idea of the permission, dump what has been granted in the OAM.
Code:
amqoamd -s -m <QmgrName> | grep -v 'g mqm'
First part dumps all permissions and the second part filters out the group mqm's permissions (which are full permissions).
You might choose to view only specific groups and I'm only mentioning groups because you indicated this is Unix, which only uses groups (if you specify a principal, the grant goes to the primary group of that principal).
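
Added example, not written by anyone in this thread: a stricter version of the filter above that matches the group name exactly, since `grep -v 'g mqm'` also hides any group whose name merely begins with mqm. It assumes `amqoamd -s` prints one `setmqaut` command per grant; the sample dump, queue manager QM1 and groups xyzgrp and mqmapps are constructed.

```shell
#!/bin/sh
# Constructed sample, in the setmqaut-command form assumed for `amqoamd -s`.
sample_dump() {
cat <<'EOF'
setmqaut -m QM1 -t qmgr -g mqm +connect +inq +alladm
setmqaut -m QM1 -t qmgr -g xyzgrp +connect +inq
setmqaut -m QM1 -n APP.REQUEST -t queue -g xyzgrp +get +put +browse
setmqaut -m QM1 -n APP.REQUEST -t queue -g mqmapps +put
setmqaut -m QM1 -n SYSTEM.ADMIN.COMMAND.QUEUE -t queue -g mqm +allmqi
EOF
}

# Reads a dump on stdin; prints group, type, object, authorities (tab separated)
# for every grant whose group is not exactly $1 (default: mqm).
non_admin_grants() {
  awk -v skip="${1-mqm}" '
    $1 == "setmqaut" {
      grp = ""; typ = ""; obj = "-"; auths = ""
      for (i = 2; i <= NF; i++) {
        if ($i == "-g") grp = $(++i)
        else if ($i == "-t") typ = $(++i)
        else if ($i == "-n") obj = $(++i)
        else if ($i == "-m") i++
        else if (substr($i, 1, 1) == "+") auths = auths (auths == "" ? "" : " ") $i
      }
      if (grp != "" && grp != skip) printf "%s\t%s\t%s\t%s\n", grp, typ, obj, auths
    }'
}

# Grants held by one group, e.g. the primary group of the channel's MCAUSER.
grants_for_group() {
  non_admin_grants "" | awk -F '\t' -v g="$1" '$1 == g'
}

# Real use (command from the post): amqoamd -s -m <QmgrName> | non_admin_grants
sample_dump | non_admin_grants
```

On the sample, the exact match keeps the mqmapps grant that the substring `grep` drops.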