pymqi MQCMD_INQUIRE_AUTH_RECS issue |
bobbee |
Posted: Tue Apr 19, 2022 1:04 pm Post subject: pymqi MQCMD_INQUIRE_AUTH_RECS issue |
|
|
 Knight
Joined: 20 Sep 2001 Posts: 545 Location: Tampa
|
I have searched for as many samples for INQ of AUTHRECs. I seem to align with them but am still getting a:
3171 - 3171 0x00000c63 MQRCCF_AUTH_VALUE_ERROR
Code: |
auth_args = {pymqi.CMQCFC.MQIACF_AUTH_OPTIONS: pymqi.CMQCFC.MQAUTHOPT_NAME_EXPLICIT + pymqi.CMQCFC.MQAUTHOPT_NAME_ALL_MATCHING,
             pymqi.CMQCFC.MQCACF_AUTH_PROFILE_NAME: channel_name,
             pymqi.CMQCFC.MQIACF_OBJECT_TYPE: CMQC.MQOT_ALL,
             pymqi.CMQCFC.MQCACF_ENTITY_NAME: channel_mcauser}
try:
    authrec_response = pcf.MQCMD_INQUIRE_AUTH_RECS(auth_args)
except pymqi.MQMIError as e:
    if e.comp == pymqi.CMQC.MQCC_FAILED and e.reason == pymqi.CMQC.MQRC_UNKNOWN_OBJECT_NAME:
        logging.info('No AUTHREC matched channel `%s`' % channel_name)
    else:
        raise
else:
    print('authrec_response = ', authrec_response, '\n') |
RogerLacroix |
Posted: Tue Apr 19, 2022 2:19 pm Post subject: |
|
|
 Jedi Knight
Joined: 15 May 2001 Posts: 3264 Location: London, ON Canada
|
Hi Bobbee,
I barely know how to spell Python, so I can't help you with your code but in Java I would do the following:
Code: |
PCFMessage request = new PCFMessage(CMQCFC.MQCMD_INQUIRE_AUTH_RECS);
request.addParameter(CMQCFC.MQIACF_AUTH_OPTIONS,
                     CMQCFC.MQAUTHOPT_NAME_ALL_MATCHING + CMQCFC.MQAUTHOPT_ENTITY_EXPLICIT + CMQCFC.MQAUTHOPT_NAME_AS_WILDCARD );
request.addParameter(CMQCFC.MQCACF_AUTH_PROFILE_NAME, "*");
request.addParameter(CMQCFC.MQIACF_OBJECT_TYPE, CMQC.MQOT_Q);
PCFMessage[] responses = agent.send(request);
for (int i = 0; i < responses.length; i++)
{
   PCFMessage response = responses[i];
   System.out.println("Profile Name = " + (String) response.getParameterValue(CMQCFC.MQCACF_AUTH_PROFILE_NAME));
   System.out.println("QMgr Name = " + (String) response.getParameterValue(CMQC.MQCA_Q_MGR_NAME));
   System.out.println("Object Name = " + (String) response.getParameterValue(CMQCFC.MQCACF_OBJECT_NAME));
   System.out.println("Object Type = " + (Integer) response.getParameterValue(CMQCFC.MQIACF_OBJECT_TYPE));
   System.out.println("Entity Type = " + (Integer) response.getParameterValue(CMQCFC.MQIACF_ENTITY_TYPE));
   System.out.println("Entity Name = " + (String) response.getParameterValue(CMQCFC.MQCACF_ENTITY_NAME));
   StringBuffer sb = new StringBuffer();
   int[] auths = (int[])response.getParameterValue(CMQCFC.MQIACF_AUTHORIZATION_LIST);
   if ( (auths != null) && (auths.length > 0) )
   {
      for (int ai=0; ai < auths.length; ai++)
      {
         sb.append(MQConstants.lookup(auths[ai], "MQAUTH_.*") + " ");
      }
   }
   System.out.println("Auth: " + sb.toString());
} |
Note: The ordering of PCF parameters is super important. The command server cannot handle out of order parameters!!
Hope that helps.
Regards,
Roger Lacroix
Capitalware Inc. _________________ Capitalware: Transforming tomorrow into today.
hughson |
Posted: Wed Apr 20, 2022 2:10 am Post subject: Re: pymqi MQCMD_INQUIRE_AUTH_RECS issue |
|
|
 Padawan
Joined: 09 May 2013 Posts: 1959 Location: Bay of Plenty, New Zealand
|
bobbee wrote: |
Code: |
{pymqi.CMQCFC.MQIACF_AUTH_OPTIONS: pymqi.CMQCFC.MQAUTHOPT_NAME_EXPLICIT + pymqi.CMQCFC.MQAUTHOPT_NAME_ALL_MATCHING, |
|
According to the description of the PCF command in IBM Docs:-
IBM Docs wrote: |
Options (MQCFIN)
Options to control the set of authority records that is returned (parameter identifier: MQIACF_AUTH_OPTIONS).
This parameter is required and you must include one of the following two values:
MQAUTHOPT_NAME_ALL_MATCHING
Return all profiles the names of which match the specified ProfileName. This means that a ProfileName of ABCD results in the profiles ABCD, ABC*, and AB* being returned (if ABC* and AB* have been defined as profiles).
MQAUTHOPT_NAME_EXPLICIT
Return only those profiles the names of which exactly match the ProfileName. No matching generic profiles are returned unless the ProfileName is, itself, a generic profile. You cannot specify this value and MQAUTHOPT_ENTITY_SET.
and one of the following two values:
MQAUTHOPT_ENTITY_EXPLICIT
Return all profiles the entity fields of which match the specified EntityName. No profiles are returned for any group in which EntityName is a member; only the profile defined for the specified EntityName.
MQAUTHOPT_ENTITY_SET
Return the profile the entity field of which matches the specified EntityName and the profiles pertaining to any groups in which EntityName is a member that contribute to the cumulative authority for the specified entity. You cannot specify this value and MQAUTHOPT_NAME_EXPLICIT. |
Where it says "you must include ONE of the following two values", you have BOTH of the following two values. You must choose only one. Do you want to match the asterisks in the profile name as a character or as a wildcard? You can't do both.
Also it says you must have one of the next two values as well, and you have neither.
I suggest you might want to try the following as replacement for the code you have, but I have not tested this code.
Code: |
{pymqi.CMQCFC.MQIACF_AUTH_OPTIONS: pymqi.CMQCFC.MQAUTHOPT_ENTITY_EXPLICIT + pymqi.CMQCFC.MQAUTHOPT_NAME_ALL_MATCHING, |
Cheers,
Morag _________________ Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software |
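Added example, not part of any post in this thread: a pre-flight check for an MQIACF_AUTH_OPTIONS value against the rules in the IBM Docs text quoted above, run over the three option combinations that appear in the thread. The flag values are local stand-ins (assumed, so the check runs without pymqi or a queue manager), and `check_auth_options` and the other names are hypothetical.

```python
# Local stand-ins for the pymqi.CMQCFC.MQAUTHOPT_* flags. The numeric values are
# assumed and defined here only so the check runs without pymqi installed.
MQAUTHOPT_ENTITY_EXPLICIT = 0x01
MQAUTHOPT_ENTITY_SET = 0x02
MQAUTHOPT_NAME_EXPLICIT = 0x10
MQAUTHOPT_NAME_ALL_MATCHING = 0x20
MQAUTHOPT_NAME_AS_WILDCARD = 0x40

NAME_CHOICES = {
    "MQAUTHOPT_NAME_ALL_MATCHING": MQAUTHOPT_NAME_ALL_MATCHING,
    "MQAUTHOPT_NAME_EXPLICIT": MQAUTHOPT_NAME_EXPLICIT,
}
ENTITY_CHOICES = {
    "MQAUTHOPT_ENTITY_EXPLICIT": MQAUTHOPT_ENTITY_EXPLICIT,
    "MQAUTHOPT_ENTITY_SET": MQAUTHOPT_ENTITY_SET,
}


def _exactly_one(options, choices, problems):
    """Record a problem unless exactly one flag from `choices` is set."""
    chosen = [name for name, bit in choices.items() if options & bit]
    if len(chosen) != 1:
        problems.append("need exactly one of %s, got %s"
                        % (" / ".join(choices), ", ".join(chosen) or "neither"))


def check_auth_options(options):
    """Return the rule violations for an MQIACF_AUTH_OPTIONS value ([] means OK)."""
    problems = []
    _exactly_one(options, NAME_CHOICES, problems)
    _exactly_one(options, ENTITY_CHOICES, problems)
    if options & MQAUTHOPT_NAME_EXPLICIT and options & MQAUTHOPT_ENTITY_SET:
        problems.append("MQAUTHOPT_NAME_EXPLICIT cannot be combined with MQAUTHOPT_ENTITY_SET")
    return problems


# The three combinations posted in this thread (built with | rather than +).
FIRST_POST = MQAUTHOPT_NAME_EXPLICIT | MQAUTHOPT_NAME_ALL_MATCHING
JAVA_REPLY = (MQAUTHOPT_NAME_ALL_MATCHING | MQAUTHOPT_ENTITY_EXPLICIT
              | MQAUTHOPT_NAME_AS_WILDCARD)
SUGGESTED = MQAUTHOPT_ENTITY_EXPLICIT | MQAUTHOPT_NAME_ALL_MATCHING

if __name__ == "__main__":
    for label, value in (("first post", FIRST_POST), ("Java reply", JAVA_REPLY),
                         ("suggested", SUGGESTED)):
        print(label, hex(value), check_auth_options(value) or "ok")
```

With pymqi installed, the same check can take the `pymqi.CMQCFC.MQAUTHOPT_*` constants in place of the stand-ins and run before `MQCMD_INQUIRE_AUTH_RECS` is sent.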
bobbee |
Posted: Wed Apr 20, 2022 5:28 am Post subject: |
|
|
 Knight
Joined: 20 Sep 2001 Posts: 545 Location: Tampa
|
Thank you Roger and Thank you Morag. I am working. Interesting how the Principals and Groups are handled also. Trying to find out how they set:
SecurityPolicy=user|group|UserExternal|default
Although, from the 10,000 foot level it may not matter.
But I am moving to a completion with my MQ Hardening Python Script. PYMQI certainly makes it easier.
again.........BIG THANKS!!! |
bobbee |
Posted: Wed Apr 20, 2022 8:17 am Post subject: |
|
|
 Knight
Joined: 20 Sep 2001 Posts: 545 Location: Tampa
|
I have tried all conceivable combinations on the ENTITY (without quotes, with quotes, as a byte string). When I specify the Entity and Entity Type I get a NOT FOUND. When I execute it leaving off ENTITY and ENTITY_TYPE I get my output. But too much.
When I execute the command under runmqsc, I get the info I want. I want all QUEUES that have authrec's with that entity assigned.
Code: |
auth_args = {pymqi.CMQCFC.MQIACF_AUTH_OPTIONS: pymqi.CMQCFC.MQAUTHOPT_ENTITY_EXPLICIT +
                                               pymqi.CMQCFC.MQAUTHOPT_NAME_ALL_MATCHING,
             # pymqi.CMQCFC.MQCACF_AUTH_PROFILE_NAME: channel_name,
             pymqi.CMQCFC.MQIACF_OBJECT_TYPE: CMQC.MQOT_Q,
             pymqi.CMQCFC.MQCACF_ENTITY_NAME: channel_mcauser_bytes,
             pymqi.CMQCFC.MQIACF_ENTITY_TYPE: pymqi.CMQZC.MQZAET_PRINCIPAL,
             pymqi.CMQCFC.MQIACF_AUTH_PROFILE_ATTRS: pymqi.CMQCFC.MQIACF_ALL} |
RUNMQSC Output
Code: |
DIS AUTHREC OBJTYPE(QUEUE) PRINCIPAL('mqadmin') ALL
2 : DIS AUTHREC OBJTYPE(QUEUE) PRINCIPAL('mqadmin') ALL
AMQ8864I: Display authority record details.
PROFILE(BRTPA00.LQ) ENTITY(mqadmin)
ENTTYPE(PRINCIPAL) OBJTYPE(QUEUE)
AUTHLIST(GET,PUT)
AMQ8864I: Display authority record details.
PROFILE(@class) ENTITY(mqadmin)
ENTTYPE(PRINCIPAL) OBJTYPE(QUEUE)
AUTHLIST(NONE) |
hughson |
Posted: Thu Apr 21, 2022 3:14 am Post subject: |
|
|
 Padawan
Joined: 09 May 2013 Posts: 1959 Location: Bay of Plenty, New Zealand
|
bobbee wrote: |
I have tried all conceivable combinations on the ENTITY (without quotes, with quotes, as a byte string).
Code: |
auth_args = {pymqi.CMQCFC.MQIACF_AUTH_OPTIONS: pymqi.CMQCFC.MQAUTHOPT_ENTITY_EXPLICIT +
                                               pymqi.CMQCFC.MQAUTHOPT_NAME_ALL_MATCHING,
             # pymqi.CMQCFC.MQCACF_AUTH_PROFILE_NAME: channel_name,
             pymqi.CMQCFC.MQIACF_OBJECT_TYPE: CMQC.MQOT_Q,
             pymqi.CMQCFC.MQCACF_ENTITY_NAME: channel_mcauser_bytes,
             pymqi.CMQCFC.MQIACF_ENTITY_TYPE: pymqi.CMQZC.MQZAET_PRINCIPAL,
             pymqi.CMQCFC.MQIACF_AUTH_PROFILE_ATTRS: pymqi.CMQCFC.MQIACF_ALL} |
|
You've kinda missed off the important bit of code for us to look at. Can you show us how you are setting the channel_mcauser_bytes field that you are using as the MQCACF_ENTITY_NAME in this command?
P.S. Quotes is just an MQSC thing. For PCF, if it's lower case, just supply it as a string containing the lower case characters. Nothing is going to upper case it.
Cheers,
Morag |
bobbee |
Posted: Thu Apr 21, 2022 3:43 am Post subject: |
|
|
 Knight
Joined: 20 Sep 2001 Posts: 545 Location: Tampa
|
Sorry, I did check the fields. From print and len() statement they contain what I expected. Here it is.
Code: |
try:
response = pcf.MQCMD_INQUIRE_CHANNEL(chl_args)
except pymqi.MQMIError as e:
if e.comp == pymqi.CMQC.MQCC_FAILED and e.reason == pymqi.CMQC.MQRC_UNKNOWN_OBJECT_NAME:
logging.info('No channels matched prefix `%s`' % prefix)
else:
raise
else:
for channel_info in response:
# print('\nChannel_Info = ',channel_info, '\n')
# print('Channel Info type = ', type(channel_info))
# pcfget(channel_info)
#b.decode('UTF-8'
channel_name = channel_info[pymqi.CMQCFC.MQCACH_CHANNEL_NAME].decode('utf-8')
channel_name = channel_name.strip()
print('Channel Name = ', channel_name)
channel_mcauser = channel_info[pymqi.CMQCFC.MQCACH_MCA_USER_ID].decode('utf-8')
channel_mcauser = channel_mcauser.strip()
print('Channel MCAUSER = ', channel_mcauser)
auth_args = {pymqi.CMQCFC.MQIACF_AUTH_OPTIONS: pymqi.CMQCFC.MQAUTHOPT_ENTITY_EXPLICIT +
pymqi.CMQCFC.MQAUTHOPT_NAME_ALL_MATCHING + CMQCFC.MQAUTHOPT_NAME_AS_WILDCARD,
pymqi.CMQCFC.MQCACF_AUTH_PROFILE_NAME: '*',
pymqi.CMQCFC.MQIACF_OBJECT_TYPE: CMQC.MQOT_Q,
pymqi.CMQCFC.MQCACF_ENTITY_NAME: channel_mcauser,
pymqi.CMQCFC.MQIACF_ENTITY_TYPE: pymqi.CMQZC.MQZAET_PRINCIPAL,
pymqi.CMQCFC.MQIACF_AUTH_PROFILE_ATTRS: pymqi.CMQCFC.MQIACF_ALL}
try:
authrec_response = pcf.MQCMD_INQUIRE_AUTH_RECS(auth_args)
except pymqi.MQMIError as e:
if e.comp == pymqi.CMQC.MQCC_FAILED and e.reason == pymqi.CMQC.MQRC_UNKNOWN_OBJECT_NAME:
logging.info('No AUTHREC matched channel `%s`' % channel_name)
else:
raise
else:
# print('authrec_response = ', authrec_response, '\n')
for queue_authrec_info in authrec_response:
profile_name = queue_authrec_info[pymqi.CMQCFC.MQCACF_AUTH_PROFILE_NAME].decode('utf-8')
if 'SYSTEM' not in profile_name:
print('queue_authrec_info = ',queue_authrec_info, '\n') |
Here is the output from the run:
Code: |
Channel Name = BAC.11.BRTPA00
Channel MCAUSER = mqadmin
Channel Name = BAC.21.BRTPA00
Channel MCAUSER = fred
Traceback (most recent call last):
File "mq_hardening.py", line 642, in <module>
channel_mca_auth_check()
File "mq_hardening.py", line 484, in channel_mca_auth_check
authrec_response = pcf.MQCMD_INQUIRE_AUTH_RECS(auth_args)
File "/usr/local/lib64/python3.6/site-packages/pymqi/__init__.py", line 2770, in __call__
res, mqcfh_response = self.__pcf.unpack(message)
File "/usr/local/lib64/python3.6/site-packages/pymqi/__init__.py", line 2919, in unpack
raise MQMIError(mqcfh.CompCode, mqcfh.Reason)
pymqi.MQMIError: MQI Error. Comp: 2, Reason 3200: FAILED: MQRCCF_NONE_FOUND |
Here is the runmqsc dis authrec:
Code: |
dis authrec objtype(queue) principal('mqadmin') all
1 : dis authrec objtype(queue) principal('mqadmin') all
AMQ8864I: Display authority record details.
PROFILE(BRTPA00.LQ) ENTITY(mqadmin)
ENTTYPE(PRINCIPAL) OBJTYPE(QUEUE)
AUTHLIST(GET,PUT)
AMQ8864I: Display authority record details.
PROFILE(@class) ENTITY(mqadmin)
ENTTYPE(PRINCIPAL) OBJTYPE(QUEUE)
AUTHLIST(NONE) |
bobbee |
Posted: Thu Apr 21, 2022 4:15 am Post subject: |
|
|
 Knight
Joined: 20 Sep 2001 Posts: 545 Location: Tampa
|
Morag,
As I was looking at the output, AGAIN, and the code, I realized I had hit that first queue and then went straight to the second queue in the response list and saw nothing in the output to indicate it was processed. Looking at the code, I noticed the 'else:' was one byte off from where it should have been. I brought the code up in vi, rather than ULTRAEDIT, and cleaned up the lines.
'WE got a response.' in the output was what I was looking for!! Thanks as always!!
Code: |
Target Channel Name = BAC.11.BRTPA00
Channel type name = MQCHT_RECEIVER
Target Channel Name = BAC.21.BRTPA00
Channel type name = MQCHT_RECEIVER
SYSTEM Channel = SYSTEM.AUTO.RECEIVER
SYSTEM Channel = SYSTEM.DEF.RECEIVER
***** mq_participant_channel_port_check checking successful
********** Starting Channel/Queue Auth Check **********
Channel Name = BAC.11.BRTPA00
Channel MCAUSER = mqadmin
We got a response
Profile Name = BRTPA00.LQ
queue_authrec_info = {2015: b'BOBBEE\x00\x00', 3067: b'BRTPA00.LQ ', 3068: b'mqadmin ', 1118: 1, 1016: 1, 1228: 97, 1115: [9, 11]}
Profile Name = @class
queue_authrec_info = {2015: b'BOBBEE\x00\x00', 3067: b'@class ', 3068: b'mqadmin ', 1118: 1, 1016: 1, 1228: 97, 1115: [0]}
|
gbaddeley |
Posted: Thu Apr 21, 2022 5:09 pm Post subject: |
|
|
 Jedi Knight
Joined: 25 Mar 2003 Posts: 2538 Location: Melbourne, Australia
|
bobbee wrote: |
... Looking at the code, I noticed the 'else:' was one byte off from where it should have been. I brought the code up in vi, rather than ULTRAEDIT, and cleaned up the lines. |
and Python is the most popular programming language according to https://pypl.github.io/PYPL.html ? Sheesh. _________________ Glenn |
bobbee |
Posted: Fri Apr 22, 2022 2:54 am Post subject: |
|
|
 Knight
Joined: 20 Sep 2001 Posts: 545 Location: Tampa
|
After 45 years of coding. My thoughts are it is really nice, but............ |
bruce2359 |
Posted: Fri Apr 22, 2022 4:46 am Post subject: |
|
|
 Poobah
Joined: 05 Jan 2008 Posts: 9469 Location: US: west coast, almost. Otherwise, enroute.
|
Popular? I don't recall ever being asked to vote on this.
Also, I've never relied on univariant analysis results. Google searches for 'python' may have included the ever-popular household pet (snake).
A perhaps more relevant metric: How about 'lines of code in production by language?' Most of my clients are biggies, where COBOL is still king. I, too, am that old. Estimates are that there are 200+ billion lines of COBOL code out there in the ether. _________________ I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live. |