12 Character restriction on user/group in Linux
saurabh25281
Posted: Thu Apr 11, 2019 2:05 pm    Post subject: 12 Character restriction on user/group in Linux

Voyager

Joined: 05 Nov 2006
Posts: 98
Location: Bangalore

Hi All,

As per the latest IBM MQ documentation for MQ v9.1.0 "If you want to run administration commands, for example crtmqm (create queue manager) or strmqm (start queue manager), your user ID must be a member of the mqm group. This user ID must not be longer than 12 characters."
https://www.ibm.com/support/knowledgecenter/SSFKSJ_9.1.0/com.ibm.mq.ins.doc/q008503_.htm

However, it seems that this restriction also applies to any OS level users and groups in Linux, not only for adding members to mqm, but also to provide any authorization.

Is there any documentation that clearly points out the limitation w.r.t. size of users and groups?

Regards
hughson
Posted: Thu Apr 11, 2019 10:44 pm    Post subject: Re: 12 Character restriction on user/group in Linux

Grand Master

Joined: 09 May 2013
Posts: 1185
Location: Bay of Plenty, New Zealand

saurabh25281 wrote:
Is there any documentation that clearly points out the limitation w.r.t. size of users and groups?

Reference related to this question
Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
saurabh25281
Posted: Thu Apr 11, 2019 11:24 pm

Voyager

Joined: 05 Nov 2006
Posts: 98
Location: Bangalore

Thanks for the clarification Morag.

Quote:
User IDs - describes the O/S level restrictions on user id lengths.

The above documentation creates more doubts, e.g.
On z/OS and UNIX and Linux, the maximum length of a user ID is 12 characters. If you use the MQCSP structure to pass credentials, the maximum length of a user ID is 1024 characters.

Doubt here is - If you cannot set authorization (using setmqaut) for users with more than 12 characters then what is the use of passing credentials using MQCSP with more than 12 characters? Is this only for authentication and not authorization?

The MQCSP documentation says the following.
- The MQCSP connection security parameters structure contains a user ID and password, which the authorization service can use to identify and authenticate the user.
- The authorization service component supplied with IBM MQ is called the Object Authority Manager (OAM). The OAM authorizes users based on the ID contained in the MQCSP but does not validate the password.

Doubt here is - both the statements seem contradictory. 1st one says that authorization service can authenticate the user (which in itself creates doubt). 2nd statement says, the OAM (authorization service) does not validate the password. Then how does it authenticate the user? Is it only through the chained exits on OAM?

Regards
hughson
Posted: Fri Apr 12, 2019 4:29 am

Grand Master

Joined: 09 May 2013
Posts: 1185
Location: Bay of Plenty, New Zealand

saurabh25281 wrote:
On z/OS and UNIX and Linux, the maximum length of a user ID is 12 characters. If you use the MQCSP structure to pass credentials, the maximum length of a user ID is 1024 characters.

Doubt here is - If you cannot set authorization (using setmqaut) for users with more than 12 characters then what is the use of passing credentials using MQCSP with more than 12 characters? Is this only for authentication and not authorization?

This page does not mention a more recently added feature which means you can (instead of O/S users) use LDAP users - these can be passed in through the MQCSP, and thus it is long enough for an LDAP user ID. If you are not using these features, and only using O/S users, then the shorter lengths are what you are after.

saurabh25281 wrote:
The MQCSP documentation says the following.
- The MQCSP connection security parameters structure contains a user ID and password, which the authorization service can use to identify and authenticate the user.
- The authorization service component supplied with IBM MQ is called the Object Authority Manager (OAM). The OAM authorizes users based on the ID contained in the MQCSP but does not validate the password.

Doubt here is - both the statements seem contradictory. 1st one says that authorization service can authenticate the user (which in itself creates doubt). 2nd statement says, the OAM (authorization service) does not validate the password. Then how does it authenticate the user? Is it only through the chained exits on OAM?

Again I suspect out of date pages as a result of newer features added since these pages were written. Originally the OAM did not do anything with the password; since V8 it has a provided call to validate the password against either the O/S or an LDAP server (depending on which you choose to use). It itself does not validate the password, just asks one of those other services to do it.

Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software