which permission is needed for MQCMD_INQUIRE_Q?
zpat
Posted: Mon Aug 21, 2017 5:22 am    Post subject: which permission is needed for MQCMD_INQUIRE_Q?

Jedi Council

Joined: 19 May 2001
Posts: 5849
Location: UK

I am seeing this authorisation event message

Quote:
Command :44 (QMgr Event)
Reason :2035 (Not authorized.)
Parameter Id :2015 (QMgr Name)
Value :'XXXXXQM '
Parameter Id :1020 (Reason Qualifier)
Value :4 [0x'4'] MQRQ_CMD_NOT_AUTHORIZED
Parameter Id :1021 (Command)
Value :13 [0x'D'] MQCMD_INQUIRE_Q
Parameter Id :3025 (User Identifier)
Value :'xxxuser '


Can anyone suggest which permission this relates to? The queue name is not shown unfortunately, but if I wanted to grant inquire permission to all queues - what would be the correct command? I have already tried

Code:
setmqaut -m XXXXXQM -n '**' -t queue -g yyyyy +inq +dsp



What's confusing me is the references to a CMD - is this PCF or MQI?
_________________
Well, I don't think there is any question about it. It can only be attributable to human error. This sort of thing has cropped up before, and it has always been due to human error.
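An added example, not part of the original thread: a small Python parser for the formatted event dump quoted in the post above, which tallies command-not-authorized (type 4) events by user and command, the only identifying fields the event carries. The function names, the user `appuser2` and the third event are constructed for illustration.

```python
import re
from collections import Counter

# EVENT: the event quoted in the post. SAMPLE (constructed): it twice plus a made-up one.
EVENT = """Command :44 (QMgr Event)
Reason :2035 (Not authorized.)
Parameter Id :2015 (QMgr Name)
Value :'XXXXXQM '
Parameter Id :1020 (Reason Qualifier)
Value :4 [0x'4'] MQRQ_CMD_NOT_AUTHORIZED
Parameter Id :1021 (Command)
Value :13 [0x'D'] MQCMD_INQUIRE_Q
Parameter Id :3025 (User Identifier)
Value :'xxxuser '
"""
SAMPLE = EVENT * 2 + EVENT.replace("xxxuser", "appuser2").replace(
    "13 [0x'D'] MQCMD_INQUIRE_Q", "2 [0x'2'] MQCMD_INQUIRE_Q_MGR")
LINE = re.compile(r"^(Command|Reason|Parameter Id|Value)\s*:(.*)$")

def parse_events(text):
    """Return one dict per event, keyed by header name or parameter label."""
    events, label = [], None
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m or (m.group(1) != "Command" and not events):
            continue                               # noise, or data before a header
        kind, rest = m.group(1), m.group(2).strip()
        if kind == "Command":                      # header line opens a new event
            events.append({"Event Command": int(rest.split()[0])})
        elif kind == "Reason":
            events[-1]["Event Reason"] = int(rest.split()[0])
        elif kind == "Parameter Id":               # "2015 (QMgr Name)" -> "QMgr Name"
            label = rest[rest.find("(") + 1:rest.rfind(")")]
        elif label and rest:                       # Value line for the last label
            if rest.startswith("'"):               # blank-padded string value
                events[-1][label] = rest.strip("'").strip()
            else:                                  # "13 [0x'D'] MQCMD_INQUIRE_Q"
                tok = rest.split()
                events[-1][label] = tok[-1] if len(tok) > 2 else tok[0]
            label = None
    return events

def unauthorized_commands(events):
    """Count MQRQ_CMD_NOT_AUTHORIZED (type 4) events per (user, command)."""
    hits = [e for e in events if e.get("Reason Qualifier") == "MQRQ_CMD_NOT_AUTHORIZED"]
    return Counter((e.get("User Identifier"), e.get("Command")) for e in hits)

if __name__ == "__main__":
    print(unauthorized_commands(parse_events(SAMPLE)))
```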
exerk
Posted: Mon Aug 21, 2017 5:36 am

Jedi Council

Joined: 02 Nov 2006
Posts: 6339

Anything in the log of the queue manager? It normally prints in that too.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
zpat
Posted: Mon Aug 21, 2017 6:42 am

Jedi Council

Joined: 19 May 2001
Posts: 5849
Location: UK

Not a sausage. Even though I set that MQS environment variable.

MQ version is 7.1.0.7 on Linux.
exerk
Posted: Mon Aug 21, 2017 6:49 am

Jedi Council

Joined: 02 Nov 2006
Posts: 6339

zpat wrote:
Not a sausage. Even though I set that MQS environment variable.

MQ version is 7.1.0.7 on Linux.

Did you restart the queue manager afterwards? I'm trying to remember at which version it became 'automatic'.
zpat
Posted: Mon Aug 21, 2017 7:01 am

Jedi Council

Joined: 19 May 2001
Posts: 5849
Location: UK

Yes, restarted the QM.
hughson
Posted: Mon Aug 21, 2017 2:54 pm    Post subject: Re: which permission is needed for MQCMD_INQUIRE_Q?

Padawan

Joined: 09 May 2013
Posts: 1914
Location: Bay of Plenty, New Zealand

zpat wrote:
What's confusing me is the references to a CMD - is this PCF or MQI?

It could be PCF or MQSC. Is it possible to ask the person owning the user id that is noted in the Not Auth event what they issued?

P.S. You may want to vote on the following RFE

Add object name to Not Auth (Type 4) - Command Not Authorized

Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
fjb_saper
Posted: Tue Aug 22, 2017 4:11 am

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20695
Location: LI,NY

Have you tried the setmqaut command without the single quotes? Maybe escaping the *? Sometimes it's a little bit tricky like that.

As for the command requiring inq... it may vary quite a bit. Some adapters (BizTalk being one) will require +inq on the queue. All queues accessed through JMS will require +inq on the queue... etc...

There is no way to be 100% sure until you see the error requiring it...

As to finding out which queue / object is concerned, there should be something in the log telling you that.

Have you granted +inq to the queue manager itself? (-t qmgr)

Have fun
_________________
MQ & Broker admin
zpat
Posted: Tue Aug 22, 2017 5:03 am

Jedi Council

Joined: 19 May 2001
Posts: 5849
Location: UK

Thanks for ideas. The RFE link does not work for me.

Although whoever decided to leave out the object name on the event message needs to be <insert choice of punishment here> .... Nothing in the log to give me a clue either.

The userid is an application id, not a person and tracking down the person is pointless since they will have no idea how the application works anyway as it's third-party.

I just want to let it do what it's trying to do and not generate errors. I generally allow the group to inquire on anything in the QM (inc the QM itself).
fjb_saper
Posted: Tue Aug 22, 2017 6:09 am

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20695
Location: LI,NY

The RFE link works fine.... once you're logged in to developerWorks....

Usually when I have a 2035 I do see something in the queue manager's logs. Unless you suppressed the specific message from the logs?
hughson
Posted: Tue Aug 22, 2017 3:11 pm

Padawan

Joined: 09 May 2013
Posts: 1914
Location: Bay of Plenty, New Zealand

zpat wrote:
MQ version is 7.1.0.7 on Linux.

Do you have a more up-to-date queue manager, say in a test environment, where you could run this application to see what it does? Then you'd get the messages in the AMQERR01.LOG that you need.
zpat
Posted: Thu Aug 31, 2017 2:48 am

Jedi Council

Joined: 19 May 2001
Posts: 5849
Location: UK

hughson wrote:
zpat wrote:
MQ version is 7.1.0.7 on Linux.

Do you have a more up-to-date queue manager, say in a test environment, where you could run this application to see what it does? Then you'd get the messages in the AMQERR01.LOG that you need.


Is there an emoticon for "hollow laugh"..?

Hopefully we will be moving to MQ v8 at some point.
vinay.gollapalli
Posted: Thu Aug 31, 2017 11:24 am    Post subject: Re: which permission is needed for MQCMD_INQUIRE_Q?

Novice

Joined: 22 Aug 2017
Posts: 22

zpat wrote:
I am seeing this authorisation event message

Quote:
Command :44 (QMgr Event)
Reason :2035 (Not authorized.)
Parameter Id :2015 (QMgr Name)
Value :'XXXXXQM '
Parameter Id :1020 (Reason Qualifier)
Value :4 [0x'4'] MQRQ_CMD_NOT_AUTHORIZED
Parameter Id :1021 (Command)
Value :13 [0x'D'] MQCMD_INQUIRE_Q
Parameter Id :3025 (User Identifier)
Value :'xxxuser '



Code:
setmqaut -m XXXXXQM -n '**' -t queue -g yyyyy +inq +dsp


So, is 'xxxuser ' in lower-case in group yyyyy also in lower-case? Is there also a user XXXUSER?
hughson
Posted: Thu Aug 31, 2017 2:43 pm

Padawan

Joined: 09 May 2013
Posts: 1914
Location: Bay of Plenty, New Zealand

zpat wrote:
hughson wrote:
zpat wrote:
MQ version is 7.1.0.7 on Linux.

Do you have a more up-to-date queue manager, say in a test environment, where you could run this application to see what it does? Then you'd get the messages in the AMQERR01.LOG that you need.


Is there an emoticon for "hollow laugh"..?

Hopefully we will be moving to MQ v8 at some point.

I take it you're not allowed to download IBM MQ V8 for developers just to try this out? i.e. the FREE one.
zpat
Posted: Fri Sep 01, 2017 1:15 am

Jedi Council

Joined: 19 May 2001
Posts: 5849
Location: UK

I have access to MQ v8 from passport advantage.

However I can't easily install this business application elsewhere.

I might be able to multi-install V8 though, and see if I can persuade the application team to switch to using a copy of their usual QM (at v8).
mqjeff
Posted: Fri Sep 01, 2017 4:49 am

Grand Master

Joined: 25 Jun 2008
Posts: 17447

Sometimes it can be both fun and useful to scream test this stuff...
_________________
chmod -R ugo-wx /