rammer |
Posted: Wed Jul 30, 2014 9:07 am Post subject: setmqaut on windows |
|
|
Partisan
Joined: 02 May 2002 Posts: 359 Location: England
|
I think I'm going mad!
Platform - Windows
MQ 7.5
For testing I have disabled chlauth; this is just to rule out MQ blocking the channel. I will add further security once I can get an understanding of the issue below. I don't have this issue on any of my unix boxes.
I've set up a group called testmq on the local Windows server.
Added the following
setmqaut -m TESTQM -t qmgr -g testmq -all +connect
setmqaut -m TESTQM -g testmq -n TEST.QUEUE_L -t queue -all +all
SVRCONN Channel has mcauser as 'testmq'
I set the environment to allow me to use amqsputc but get 2035 when trying to put.
So I set up a basic Windows user called mrtest, replaced testmq with this and used -p, and all works.
I've read and read the documentation and developerWorks and it says I can use groups on Windows, which is what I want as I will put various users in there, but either I'm tired, stupid or both, I can't get it to work. The error that I get is
MQ9245: Unable to obtain account details for channel MCA user ID.
EXPLANATION:
WebSphere MQ was unable to obtain the account details for MCA user ID
'testmq'. This user ID was the MCA user ID for channel |
Vitor |
Posted: Wed Jul 30, 2014 9:19 am Post subject: Re: setmqaut on windows |
|
|
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
|
rammer wrote: |
I've read and read the documentation and developerWorks and it says I can use groups on Windows |
The setmqaut command on Windows can use groups as well as principles, where on Unix it's only groups.
The clue is:
rammer wrote: |
MQ9245: Unable to obtain account details for channel MCA user ID |
That field is a user id (a principle) not a group name. So when you authorized a group called testmq that doesn't create (or authorize) an id called testmq, so you get the message above.
If you do:
Code: |
setmqaut -m TESTQM -t qmgr -g testmq -all +connect
setmqaut -m TESTQM -g testmq -n TEST.QUEUE_L -t queue -all +all
|
i.e. no authority for mrtest, then add mrtest to the channel MCA field and the testmq group, then it will work.
What you can't do (which if I read between the lines correctly you're trying to do) is allow everyone in the testmq group access to that queue via the channel MCA attribute. Doesn't work, isn't designed to work. _________________ Honesty is the best policy.
Insanity is the best defence. |
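The setup described in the reply above, written out as PowerShell commands. This is an added example, not part of the original posts; the channel name TEST.SVRCONN is a placeholder because the thread does not give it, and the commands assume an elevated prompt with the MQ bin directory on the PATH.

```powershell
# Added example. Values marked PLACEHOLDER are not from the thread.
$qmgr    = 'TESTQM'         # queue manager named in the thread
$queue   = 'TEST.QUEUE_L'   # queue named in the thread
$group   = 'testmq'         # local Windows group that holds the authorities
$user    = 'mrtest'         # local Windows user that becomes the MCAUSER
$channel = 'TEST.SVRCONN'   # PLACEHOLDER: the thread does not name the channel

# 1. Create the local user (net prompts for the password) and add it to the group.
net user $user * /add
net localgroup $group $user /add

# 2. Grant authorities to the group only, exactly as posted in the thread.
#    No setmqaut -p for the user: it inherits through group membership.
setmqaut -m $qmgr -t qmgr -g $group -all +connect
setmqaut -m $qmgr -g $group -n $queue -t queue -all +all

# 3. MCAUSER must name a user ID, not a group. MCAUSER('testmq') is the
#    setting that produced "Unable to obtain account details for channel
#    MCA user ID"; the group member goes here instead.
#    REFRESH SECURITY makes the authority service re-read its cached data
#    so the new group membership is picked up.
@"
ALTER CHANNEL($channel) CHLTYPE(SVRCONN) MCAUSER('$user')
REFRESH SECURITY TYPE(AUTHSERV)
"@ | runmqsc $qmgr

# 4. Verify what the queue manager resolves for the user. The output
#    should include the authorities granted to the group in step 2.
dspmqaut -m $qmgr -t qmgr -p $user
dspmqaut -m $qmgr -n $queue -t queue -p $user
```

Every client that connects through this channel runs as mrtest, so restricting who may use the channel is a separate step.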
rammer |
Posted: Wed Jul 30, 2014 11:26 am Post subject: |
|
|
Partisan
Joined: 02 May 2002 Posts: 359 Location: England
|
Hi Vitor
Thank you for the response.
You're correct in your assumption on what I was trying to do. I was wanting to create a group, i.e. testmq, and add say 5 users in there, user1 - 5, and then give certain MQ permissions to everyone that belongs to the group.
So what I think I could do is create a user on the local server, i.e. mrtest, add that to the mcauser and then to the qmgr add the relevant permission to the group it belongs to?
Any user connecting with the channel that has mcauser mrtest would get the access granted against testmq group?
I can then, once I am happy with that, tighten who can use that svrconn channel by either creating channelauth or doing similar to what I have on some unix servers: use blockip2, which only allows access coming in from certain users and/or certain IPs.
Regards |
Vitor |
Posted: Wed Jul 30, 2014 11:36 am Post subject: |
|
|
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
|
rammer wrote: |
You're correct in your assumption on what I was trying to do. |
Gosh I'm good.
rammer wrote: |
So what I think I could do is create a user on the local server, i.e. mrtest, add that to the mcauser and then to the qmgr add the relevant permission to the group it belongs to? |
Or (as it's Windows) give the authority to mrtest directly. Depends on how many other local users would want that permission via the group.
rammer wrote: |
Any user connecting with the channel that has mcauser mrtest would get the access granted against testmq group? |
Yes, and access to any other queue objects testmq is authorised to use, plus any authorities mrtest has.
rammer wrote: |
I can then, once I am happy with that, tighten who can use that svrconn channel by either creating channelauth or doing similar to what I have on some unix servers: use blockip2, which only allows access coming in from certain users and/or certain IPs. |
There's no point using BlockIP2 now the functionality has been built into WMQv7.5 but the principle remains sound. _________________ Honesty is the best policy.
Insanity is the best defence. |
rammer |
Posted: Wed Jul 30, 2014 11:43 am Post subject: |
|
|
Partisan
Joined: 02 May 2002 Posts: 359 Location: England
|
Vitor,
Thank you for the responses. |
zpat |
Posted: Wed Jul 30, 2014 1:05 pm Post subject: Re: setmqaut on windows |
|
|
 Jedi Council
Joined: 19 May 2001 Posts: 5866 Location: UK
|
Vitor wrote: |
That field is a user id (a principle) not a group name.
|
My principal has principles... _________________ Well, I don't think there is any question about it. It can only be attributable to human error. This sort of thing has cropped up before, and it has always been due to human error. |
fjb_saper |
Posted: Wed Jul 30, 2014 2:43 pm Post subject: Re: setmqaut on windows |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
zpat wrote: |
Vitor wrote: |
That field is a user id (a principle) not a group name.
|
My principal has principles... |
That weary principled principal was sadly lacking in principles...  _________________ MQ & Broker admin |