| Author |
Message
|
| vicks_mq |
 Posted: Tue Jan 15, 2019 10:36 am Post subject: MQ Appliance MQMD.UserIdentifier |
 |
|
Disciple
Joined: 03 Oct 2017
Posts: 162
|
Hi , is there a way in MQ appliance to dynamically change the MQMD.UserIdentifier parameter from the payload of the message?
we have a requirement where we need to update dynamically the MQMD.UserIdentifier in the message before sending the message to 3rd party application.
In our previous MQ infra, we had Channel exits defined to do that, as MQ appliance can not have channel exits, we need to find another way to do that.
Is there a way in MQ to do that? |
|
| Back to top |
|
 |
| fjb_saper |
| Posted: Tue Jan 15, 2019 11:30 am Post subject: |
|
|
Grand High Poobah
Joined: 18 Nov 2003
Posts: 20756
Location: LI,NY
|
You'll have to write a program to do that.
Get the message, change the user identifier and use set identity context... before the put...  
_________________
MQ & Broker admin |
|
| Back to top |
|
|
| vicks_mq |
| Posted: Tue Jan 15, 2019 12:23 pm Post subject: |
|
|
Disciple
Joined: 03 Oct 2017
Posts: 162
|
| fjb_saper wrote: |
You'll have to write a program to do that.
Get the message, change the user identifier and use set identity context... before the put... |
Hi Fjb_saper, we tried to do it before the put but when the message came to MQ over SVRConn channel, it gets replaced by MCA user ID.
We don't want to leave MCAuser ID field blank due to security reason. |
|
| Back to top |
|
|
| Vitor |
| Posted: Tue Jan 15, 2019 12:39 pm Post subject: |
|
|
Grand High Poobah
Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA
|
| vicks_mq wrote: |
| Hi Fjb_saper, we tried to do it before the put but when the message came to MQ over SVRConn channel, it gets replaced by MCA user ID. |
Do you mean by this that when you send the message to the MQ appliance the value is replaced by the value of the channel's MCAUSER?
| vicks_mq wrote: |
| We don't want to leave MCAuser ID field blank due to security reason. |
Why not? It was a problem before Channel Authority records, but why is it a problem for you now?
_________________
Honesty is the best policy.
Insanity is the best defence. |
|
| Back to top |
|
|
| PeterPotkay |
| Posted: Tue Jan 15, 2019 1:12 pm Post subject: |
|
|
Poobah
Joined: 15 May 2001
Posts: 7722
|
You will need authority at the queue level and the queue manager level to set the Identity Context. +setid. You need it on both the queue and queue manager.
You will then need to set the correct option on the MQOPEN call and again the correct option on the MQPUT call to set the Identity context.
If you have this authority and you use these options you will be able to produce a messages whose MQMD User Identifier is what you set, overriding the value in the channel's MCAUSER.
_________________
Peter Potkay
Keep Calm and MQ On |
|
| Back to top |
|
|
| vicks_mq |
| Posted: Wed Jan 16, 2019 6:21 am Post subject: |
|
|
Disciple
Joined: 03 Oct 2017
Posts: 162
|
| Vitor wrote: |
| vicks_mq wrote: |
| Hi Fjb_saper, we tried to do it before the put but when the message came to MQ over SVRConn channel, it gets replaced by MCA user ID. |
Do you mean by this that when you send the message to the MQ appliance the value is replaced by the value of the channel's MCAUSER?
Hi Vitor, yes you are right. The value we set in our Java Program gets replaced by the channel MCAUSER.
| vicks_mq wrote: |
| We don't want to leave MCAuser ID field blank due to security reason. |
Why not? It was a problem before Channel Authority records, but why is it a problem for you now? |
Last edited by vicks_mq on Wed Jan 16, 2019 6:35 am; edited 1 time in total |
|
| Back to top |
|
|
| vicks_mq |
| Posted: Wed Jan 16, 2019 6:23 am Post subject: |
|
|
Disciple
Joined: 03 Oct 2017
Posts: 162
|
| PeterPotkay wrote: |
You will need authority at the queue level and the queue manager level to set the Identity Context. +setid. You need it on both the queue and queue manager.
You will then need to set the correct option on the MQOPEN call and again the correct option on the MQPUT call to set the Identity context.
If you have this authority and you use these options you will be able to produce a messages whose MQMD User Identifier is what you set, overriding the value in the channel's MCAUSER. |
Hi Peter, what does it mean that I need authority at the Queue level and the Queue Manager level (does you mean that the Java program application user ID?)
or do you mean a MQ admin? |
|
| Back to top |
|
|
| Vitor |
| Posted: Wed Jan 16, 2019 7:15 am Post subject: |
|
|
Grand High Poobah
Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA
|
| vicks_mq wrote: |
| Vitor wrote: |
| vicks_mq wrote: |
| Hi Fjb_saper, we tried to do it before the put but when the message came to MQ over SVRConn channel, it gets replaced by MCA user ID. |
Do you mean by this that when you send the message to the MQ appliance the value is replaced by the value of the channel's MCAUSER?
Hi Vitor, yes you are right. The value we set in our Java Program gets replaced by the channel MCAUSER.
| vicks_mq wrote: |
| We don't want to leave MCAuser ID field blank due to security reason. |
Why not? It was a problem before Channel Authority records, but why is it a problem for you now? |
|
Want to answer the 2nd question now? 
_________________
Honesty is the best policy.
Insanity is the best defence. |
|
| Back to top |
|
|
| PeterPotkay |
| Posted: Wed Jan 16, 2019 8:25 am Post subject: |
|
|
Poobah
Joined: 15 May 2001
Posts: 7722
|
| vicks_mq wrote: |
| PeterPotkay wrote: |
You will need authority at the queue level and the queue manager level to set the Identity Context. +setid. You need it on both the queue and queue manager.
You will then need to set the correct option on the MQOPEN call and again the correct option on the MQPUT call to set the Identity context.
If you have this authority and you use these options you will be able to produce a messages whose MQMD User Identifier is what you set, overriding the value in the channel's MCAUSER. |
Hi Peter, what does it mean that I need authority at the Queue level and the Queue Manager level (does you mean that the Java program application user ID?)
or do you mean a MQ admin? |
You can hard code the MCAUSER of the channel to an ID in a group that has the +setid permissions just for the queues that this channel is meant to serve. Also +setid for the Queue Manager. Then use a Security Exit and/or TLS and/or CHLAUTH to control what application can use that channel. At that point that app can set the MQMD User Identifier if they want, or let it default to the MCAUSER value.
_________________
Peter Potkay
Keep Calm and MQ On |
|
| Back to top |
|
|
| vicks_mq |
| Posted: Wed Jan 16, 2019 9:51 am Post subject: |
|
|
Disciple
Joined: 03 Oct 2017
Posts: 162
|
| Vitor wrote: |
| vicks_mq wrote: |
| Vitor wrote: |
| vicks_mq wrote: |
| Hi Fjb_saper, we tried to do it before the put but when the message came to MQ over SVRConn channel, it gets replaced by MCA user ID. |
Do you mean by this that when you send the message to the MQ appliance the value is replaced by the value of the channel's MCAUSER?
Hi Vitor, yes you are right. The value we set in our Java Program gets replaced by the channel MCAUSER.
| vicks_mq wrote: |
| We don't want to leave MCAuser ID field blank due to security reason. |
Why not? It was a problem before Channel Authority records, but why is it a problem for you now? |
|
Want to answer the 2nd question now? |
Hi Vitor, "channel authority records" is something I have heard 1st time, need to explore it and then only I will be able to answer ur question. |
|
| Back to top |
|
|
| Vitor |
| Posted: Wed Jan 16, 2019 11:22 am Post subject: |
|
|
Grand High Poobah
Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA
|
| vicks_mq wrote: |
| Hi Vitor, "channel authority records" is something I have heard 1st time, need to explore it and then only I will be able to answer ur question. |
I recommend to you read the posts made on this forum by Morag, the Queen Empress of Channel Authority Records. These contain not only useful information but links to her very excellent blog posts.
_________________
Honesty is the best policy.
Insanity is the best defence. |
|
| Back to top |
|
|
| hughson |
| Posted: Wed Jan 16, 2019 2:56 pm Post subject: |
|
|
Padawan
Joined: 09 May 2013
Posts: 1959
Location: Bay of Plenty, New Zealand
|
|
| Back to top |
|
|
| Vitor |
| Posted: Thu Jan 17, 2019 5:33 am Post subject: |
|
|
Grand High Poobah
Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA
|
| hughson wrote: |
| I think Vitor means "Channel Authentication Records" aka CHLAUTH. |
I have an accent 
_________________
Honesty is the best policy.
Insanity is the best defence. |
|
| Back to top |
|
|
| exerk |
| Posted: Thu Jan 17, 2019 5:43 am Post subject: |
|
|
Jedi Council
Joined: 02 Nov 2006
Posts: 6339
|
| Vitor wrote: |
| hughson wrote: |
| I think Vitor means "Channel Authentication Records" aka CHLAUTH. |
I have an accent |
One that is becoming increasingly mid-Atlantic as time moves on... 
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
|
| Back to top |
|
|
| Vitor |
| Posted: Thu Jan 17, 2019 5:47 am Post subject: |
|
|
Grand High Poobah
Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA
|
| exerk wrote: |
| Vitor wrote: |
| hughson wrote: |
| I think Vitor means "Channel Authentication Records" aka CHLAUTH. |
I have an accent |
One that is becoming increasingly mid-Atlantic as time moves on... |
One more comment like that and I'll dock your pay. I'll start paying you, then dock it.
Now go clean that torture chamber - I've got a project manager meeting later.
_________________
Honesty is the best policy.
Insanity is the best defence. |
|
| Back to top |
|
|
|
|
