pandeg
Posted: Thu May 21, 2015 9:26 am Post subject: Read Only Access to QMGR and its objects in MQ 8.0.0.2
Disciple
Joined: 21 Oct 2014 Posts: 195
Hi, I am using MQ version 8.0.0.2 on Linux and want to provide read-only access to the queue manager and its objects to developers for monitoring purposes. Please let me know what the different options are.
bruce2359
Posted: Thu May 21, 2015 9:34 am
Poobah
Joined: 05 Jan 2008 Posts: 9469 Location: US: west coast, almost. Otherwise, enroute.
Go to Google. Search for 'mq v8 security'.
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
hughson
Posted: Fri May 22, 2015 2:10 am
Padawan
Joined: 09 May 2013 Posts: 1959 Location: Bay of Plenty, New Zealand
You might be interested in using the wizard that can quickly grant read-only access to a user or group. It is illustrated in an MQDev blog post, "A non-privileged MQ administrator". The blog post example uses the full access radio button, but you can use it the same way as documented there, and instead just choose the read only radio button.
Cheers
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
pandeg
Posted: Tue May 26, 2015 12:25 pm
Disciple
Joined: 21 Oct 2014 Posts: 195
Thanks Morag!
I went through the link and was able to set up read-only access for a non-privileged MQ administrator. I connected to the queue manager from MQ Explorer installed on a remote machine using the remote queue manager add option and used the wizard to add role-based authorities for read-only access. I wanted to check if this is correct or whether this configuration should be done using MQ Explorer installed on the MQ server. Also, please let me know if I need to apply a CHLAUTH rule, as we already have MQ installed in a trusted zone and we have disabled the security feature in MQ 8.0.0.2.
pandeg
Posted: Tue May 26, 2015 1:02 pm
Disciple
Joined: 21 Oct 2014 Posts: 195
As of now Channel Authentication Record is disabled in MQ ver 8.0.0.2.
hughson
Posted: Wed May 27, 2015 4:45 am
Padawan
Joined: 09 May 2013 Posts: 1959 Location: Bay of Plenty, New Zealand
I'm not sure I understand the point of setting up read-only access without also making sure the people who are meant to actually use it.
You say you have a trusted zone. What does this mean? Does it mean that everyone with access is allowed to do anything? If yes, why the read-only setup?
Does it mean that everyone who has access can only use this read-only channel you have set up, and that there are no other channels that can be used by anyone at all? If so, then that is the only case where I can understand not using some form of authentication, because the trusted zone is providing your authentication.
Anything else, and I'd expect you'd need some kind of authentication in MQ.
Perhaps you can tell us more about what the trusted zone means to you.
Cheers
Morag
pandeg
Posted: Thu May 28, 2015 6:14 am
Disciple
Joined: 21 Oct 2014 Posts: 195
Hi Morag, as of now anyone can connect to the queue manager without any authentication using MQ Explorer from a remote machine. I want to apply OAM rules so that only the required privileges can be granted. Please let me know, for applying OAM, whether the user ID needs to be created on the MQ server machine and whether it should be part of the mqm group as well.
fjb_saper
Posted: Thu May 28, 2015 6:24 am
Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
pandeg wrote:
Hi Morag, as of now anyone can connect to the queue manager without any authentication using MQ Explorer from a remote machine. I want to apply OAM rules so that only the required privileges can be granted. Please let me know, for applying OAM, whether the user ID needs to be created on the MQ server machine and whether it should be part of the mqm group as well.
Having the user as a member of the mqm group defeats the purpose as he/she will have access to all MQ objects. So don't do that!
_________________
MQ & Broker admin
hughson
Posted: Thu May 28, 2015 6:27 am
Padawan
Joined: 09 May 2013 Posts: 1959 Location: Bay of Plenty, New Zealand
In order to apply authorisations to a user with the OAM, the user needs to be defined in the O/S of the MQ server machine (or in an LDAP server if you are using V8.0.0.2 on Unix).
If you want to grant only certain required privileges then do not add the user to the mqm group.
From what you describe, you need authentication too.
Cheers
Morag
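The advice in the last two replies (keep the monitoring user out of mqm, grant only the authorities needed), as an added shell sketch that is not from any poster in this thread. The queue manager name QM1, the group mqview and the exact authority set are assumptions that approximate a read-only role; the script only prints `setmqaut` commands for review and runs nothing against MQ.

```shell
#!/bin/sh
# Added example. QM1 and mqview are hypothetical names; the authority set is
# an assumed approximation of a read-only monitoring role.

# Return 0 if the space-separated group list in $1 contains the group $2.
has_group() {
    for g in $1; do
        if [ "$g" = "$2" ]; then return 0; fi
    done
    return 1
}

# Print setmqaut commands giving group $2 read-only access on queue manager $1.
# $3 is the monitoring user's group list (on the server: "$(id -Gn someuser)").
# Refuses if the user is in mqm, because mqm members already have full access
# and per-object grants would not restrict them.
readonly_grants() {
    qm=$1 grp=$2 user_groups=$3
    if has_group "$user_groups" mqm; then
        echo "refusing: user is in mqm; remove that membership first" >&2
        return 1
    fi
    # +browse lets the group read message payloads; drop it if monitoring
    # should see object attributes and depths only.
    # The last two lines cover the command and reply queues a remote
    # MQ Explorer session uses.
    cat <<EOF
setmqaut -m $qm -t qmgr -g $grp +connect +inq +dsp
setmqaut -m $qm -t queue -n '**' -g $grp +browse +inq +dsp
setmqaut -m $qm -t channel -n '**' -g $grp +dsp
setmqaut -m $qm -t queue -n SYSTEM.ADMIN.COMMAND.QUEUE -g $grp +put +inq +dsp
setmqaut -m $qm -t queue -n SYSTEM.MQEXPLORER.REPLY.MODEL -g $grp +get +inq +dsp
EOF
}

# Constructed sample input: a user whose groups are "staff mqview".
readonly_grants QM1 mqview "staff mqview"
```

Authority records like these decide what an identity may do once connected; they do not establish who is connecting, which is the authentication point raised in the final reply.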