ASG
IBM
Zystems
Cressida
Icon
Netflexity
 
  MQSeries.net
Search  Search       Tech Exchange      Education      Certifications      Library      Info Center      SupportPacs      LinkedIn  Search  Search                                                                   FAQ  FAQ   Usergroups  Usergroups
 
Register  ::  Log in Log in to check your private messages
 
RSS Feed - WebSphere MQ Support RSS Feed - Message Broker Support

MQSeries.net Forum Index » General IBM MQ Support » MQ Appliance MQMD.UserIdentifier

Post new topic  Reply to topic Goto page 1, 2  Next
 MQ Appliance MQMD.UserIdentifier « View previous topic :: View next topic » 
Author Message
vicks_mq
PostPosted: Tue Jan 15, 2019 10:36 am    Post subject: MQ Appliance MQMD.UserIdentifier Reply with quote

Disciple

Joined: 03 Oct 2017
Posts: 162

Hi , is there a way in MQ appliance to dynamically change the MQMD.UserIdentifier parameter from the payload of the message?
we have a requirement where we need to update dynamically the MQMD.UserIdentifier in the message before sending the message to 3rd party application.
In our previous MQ infra, we had Channel exits defined to do that, as MQ appliance can not have channel exits, we need to find another way to do that.

Is there a way in MQ to do that?
Back to top
View user's profile Send private message
fjb_saper
PostPosted: Tue Jan 15, 2019 11:30 am    Post subject: Reply with quote

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20696
Location: LI,NY

You'll have to write a program to do that.
Get the message, change the user identifier and use set identity context... before the put...
_________________
MQ & Broker admin
Back to top
View user's profile Send private message Send e-mail
vicks_mq
PostPosted: Tue Jan 15, 2019 12:23 pm    Post subject: Reply with quote

Disciple

Joined: 03 Oct 2017
Posts: 162

fjb_saper wrote:
You'll have to write a program to do that.
Get the message, change the user identifier and use set identity context... before the put...


Hi Fjb_saper, we tried to do it before the put but when the message came to MQ over SVRConn channel, it gets replaced by MCA user ID.
We don't want to leave MCAuser ID field blank due to security reason.
Back to top
View user's profile Send private message
Vitor
PostPosted: Tue Jan 15, 2019 12:39 pm    Post subject: Reply with quote

Grand High Poobah

Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA

vicks_mq wrote:
Hi Fjb_saper, we tried to do it before the put but when the message came to MQ over SVRConn channel, it gets replaced by MCA user ID.


Do you mean by this that when you send the message to the MQ appliance the value is replaced by the value of the channel's MCAUSER?

vicks_mq wrote:
We don't want to leave MCAuser ID field blank due to security reason.


Why not? It was a problem before Channel Authority records, but why is it a problem for you now?
_________________
Honesty is the best policy.
Insanity is the best defence.
Back to top
View user's profile Send private message
PeterPotkay
PostPosted: Tue Jan 15, 2019 1:12 pm    Post subject: Reply with quote

Poobah

Joined: 15 May 2001
Posts: 7717

You will need authority at the queue level and the queue manager level to set the Identity Context. +setid. You need it on both the queue and queue manager.

You will then need to set the correct option on the MQOPEN call and again the correct option on the MQPUT call to set the Identity context.

If you have this authority and you use these options you will be able to produce a messages whose MQMD User Identifier is what you set, overriding the value in the channel's MCAUSER.
_________________
Peter Potkay
Keep Calm and MQ On
Back to top
View user's profile Send private message
vicks_mq
PostPosted: Wed Jan 16, 2019 6:21 am    Post subject: Reply with quote

Disciple

Joined: 03 Oct 2017
Posts: 162

Vitor wrote:
vicks_mq wrote:
Hi Fjb_saper, we tried to do it before the put but when the message came to MQ over SVRConn channel, it gets replaced by MCA user ID.


Do you mean by this that when you send the message to the MQ appliance the value is replaced by the value of the channel's MCAUSER?


Hi Vitor, yes you are right. The value we set in our Java Program gets replaced by the channel MCAUSER.

vicks_mq wrote:
We don't want to leave MCAuser ID field blank due to security reason.


Why not? It was a problem before Channel Authority records, but why is it a problem for you now?


Last edited by vicks_mq on Wed Jan 16, 2019 6:35 am; edited 1 time in total
Back to top
View user's profile Send private message
vicks_mq
PostPosted: Wed Jan 16, 2019 6:23 am    Post subject: Reply with quote

Disciple

Joined: 03 Oct 2017
Posts: 162

PeterPotkay wrote:
You will need authority at the queue level and the queue manager level to set the Identity Context. +setid. You need it on both the queue and queue manager.

You will then need to set the correct option on the MQOPEN call and again the correct option on the MQPUT call to set the Identity context.

If you have this authority and you use these options you will be able to produce a messages whose MQMD User Identifier is what you set, overriding the value in the channel's MCAUSER.


Hi Peter, what does it mean that I need authority at the Queue level and the Queue Manager level (does you mean that the Java program application user ID?)
or do you mean a MQ admin?
Back to top
View user's profile Send private message
Vitor
PostPosted: Wed Jan 16, 2019 7:15 am    Post subject: Reply with quote

Grand High Poobah

Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA

vicks_mq wrote:
Vitor wrote:
vicks_mq wrote:
Hi Fjb_saper, we tried to do it before the put but when the message came to MQ over SVRConn channel, it gets replaced by MCA user ID.


Do you mean by this that when you send the message to the MQ appliance the value is replaced by the value of the channel's MCAUSER?


Hi Vitor, yes you are right. The value we set in our Java Program gets replaced by the channel MCAUSER.

vicks_mq wrote:
We don't want to leave MCAuser ID field blank due to security reason.


Why not? It was a problem before Channel Authority records, but why is it a problem for you now?


Want to answer the 2nd question now?
_________________
Honesty is the best policy.
Insanity is the best defence.
Back to top
View user's profile Send private message
PeterPotkay
PostPosted: Wed Jan 16, 2019 8:25 am    Post subject: Reply with quote

Poobah

Joined: 15 May 2001
Posts: 7717

vicks_mq wrote:
PeterPotkay wrote:
You will need authority at the queue level and the queue manager level to set the Identity Context. +setid. You need it on both the queue and queue manager.

You will then need to set the correct option on the MQOPEN call and again the correct option on the MQPUT call to set the Identity context.

If you have this authority and you use these options you will be able to produce a messages whose MQMD User Identifier is what you set, overriding the value in the channel's MCAUSER.


Hi Peter, what does it mean that I need authority at the Queue level and the Queue Manager level (does you mean that the Java program application user ID?)
or do you mean a MQ admin?


You can hard code the MCAUSER of the channel to an ID in a group that has the +setid permissions just for the queues that this channel is meant to serve. Also +setid for the Queue Manager. Then use a Security Exit and/or TLS and/or CHLAUTH to control what application can use that channel. At that point that app can set the MQMD User Identifier if they want, or let it default to the MCAUSER value.
_________________
Peter Potkay
Keep Calm and MQ On
Back to top
View user's profile Send private message
vicks_mq
PostPosted: Wed Jan 16, 2019 9:51 am    Post subject: Reply with quote

Disciple

Joined: 03 Oct 2017
Posts: 162

Vitor wrote:
vicks_mq wrote:
Vitor wrote:
vicks_mq wrote:
Hi Fjb_saper, we tried to do it before the put but when the message came to MQ over SVRConn channel, it gets replaced by MCA user ID.


Do you mean by this that when you send the message to the MQ appliance the value is replaced by the value of the channel's MCAUSER?


Hi Vitor, yes you are right. The value we set in our Java Program gets replaced by the channel MCAUSER.

vicks_mq wrote:
We don't want to leave MCAuser ID field blank due to security reason.


Why not? It was a problem before Channel Authority records, but why is it a problem for you now?


Want to answer the 2nd question now?

Hi Vitor, "channel authority records" is something I have heard 1st time, need to explore it and then only I will be able to answer ur question.
Back to top
View user's profile Send private message
Vitor
PostPosted: Wed Jan 16, 2019 11:22 am    Post subject: Reply with quote

Grand High Poobah

Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA

vicks_mq wrote:
Hi Vitor, "channel authority records" is something I have heard 1st time, need to explore it and then only I will be able to answer ur question.


I recommend to you read the posts made on this forum by Morag, the Queen Empress of Channel Authority Records. These contain not only useful information but links to her very excellent blog posts.


_________________
Honesty is the best policy.
Insanity is the best defence.
Back to top
View user's profile Send private message
hughson
PostPosted: Wed Jan 16, 2019 2:56 pm    Post subject: Reply with quote

Padawan

Joined: 09 May 2013
Posts: 1914
Location: Bay of Plenty, New Zealand

I think Vitor means "Channel Authentication Records" aka CHLAUTH.

Here's some reading for you.

Channel Authentication (CHLAUTH) and other Security articles

Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
Back to top
View user's profile Send private message Visit poster's website
Vitor
PostPosted: Thu Jan 17, 2019 5:33 am    Post subject: Reply with quote

Grand High Poobah

Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA

hughson wrote:
I think Vitor means "Channel Authentication Records" aka CHLAUTH.



I have an accent
_________________
Honesty is the best policy.
Insanity is the best defence.
Back to top
View user's profile Send private message
exerk
PostPosted: Thu Jan 17, 2019 5:43 am    Post subject: Reply with quote

Jedi Council

Joined: 02 Nov 2006
Posts: 6339

Vitor wrote:
hughson wrote:
I think Vitor means "Channel Authentication Records" aka CHLAUTH.



I have an accent

One that is becoming increasingly mid-Atlantic as time moves on...
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
Back to top
View user's profile Send private message
Vitor
PostPosted: Thu Jan 17, 2019 5:47 am    Post subject: Reply with quote

Grand High Poobah

Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA

exerk wrote:
Vitor wrote:
hughson wrote:
I think Vitor means "Channel Authentication Records" aka CHLAUTH.



I have an accent

One that is becoming increasingly mid-Atlantic as time moves on...


One more comment like that and I'll dock your pay. I'll start paying you, then dock it.

Now go clean that torture chamber - I've got a project manager meeting later.
_________________
Honesty is the best policy.
Insanity is the best defence.
Back to top
View user's profile Send private message
Display posts from previous:   
Post new topic  Reply to topic Goto page 1, 2  Next Page 1 of 2

MQSeries.net Forum Index » General IBM MQ Support » MQ Appliance MQMD.UserIdentifier
Jump to:  



You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
Protected by Anti-Spam ACP
 
 


Theme by Dustin Baccetti
Powered by phpBB © 2001, 2002 phpBB Group

Copyright © MQSeries.net. All rights reserved.