MQSeries.net Forum Index » General IBM MQ Support » MQ console URL RESLEVEL

Heba_MQ
Posted: Mon May 08, 2023 1:02 am    Post subject: MQ console URL RESLEVEL

Dear All

Is it possible to set up the MQ console URL to use the IP address instead of the hostname?
So it would be https://host-ip:9443/ibmmq/console instead of https://hostname:9443/ibmmq/console.

Thanks
Heba
hughson
Posted: Mon May 08, 2023 3:04 am


Yes - this is not something specific to the MQ console though - just the way hostnames and IP addresses work generally.

Give it a try. If you don't know what the IP address is, just use a command like nslookup first to get the IP address from the hostname that you know.

Of course if you are running your web server in a way that requires the hostname to be sent in order to pick up the correct TLS certificate because you are on a shared server or some such, then things will be more complicated. Let's assume you are not and see how we get on.

Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
cicsprog
Posted: Thu Aug 29, 2024 12:03 pm


Morag
We are sunsetting a product that applications people use for developing MQ on the mainframe. We were thinking the MQ Console might replace the functionality of the product we are removing.

I'm trying to configure MQ Console on the mainframe but remember the mainframe is NOT hosting the MQ Console, a distributed MQ is hosting MQ Console. So, MQ Console is NOT hosted in ZOS USS.

I'm probably missing something really dumb, but I've tried so many different ways that it may be time for someone to show me the errors of my ways. The mainframe MQs hook up fine and you can review all the objects. MQ Console will only be used by the application types, not me.

As you probably know RACF is the security manager on the mainframe. When an Application user logs onto the MQ Console, they use their network user id and password. Fortunately their Network userid is the same one used on the mainframe for TSO, CICS etc access but the password is different. So developers don't even have TSO access but want to be able to view mainframe MQ objects.

On the test Queue Managers I want to limit what the application people can do. They CAN NOT create/alter/delete objects. The same for production. In test, I allow them to edit their message data, so they can use what little MQ Console has at the moment to manipulate that message data. In prod, I don't want them to have ANY of that type of access to manipulate message data.

It seems to me that MQ Console is sending down their USERID as they make what I assume are PCF commands from MQ Console. I've written RACF rules to stop the add/del/alter and CMD rules for test and prod MQ objects. Somehow the userid passed down is being given to RACF for validation to the appropriate level. GREAT! But I can't seem to figure out a way to stop them from manipulating the message data that SYSADMINs should be doing only when needed. So that's where I'm stuck.

So what I'm trying to secure in PROD is the ability to secure MQOPEN, BROWSE, etc. that gives them a view into the message data. I believe I have those RACF rules in place for the GROUP(APPL) which is for application programmers.
I changed USERID MQCONSL to have group access under GROUP(APPL), and for MQQUEUE RACF class APPL has ACCESS(NONE). Yet they can open and MQPUT messages to Q's on mqm QKSL.

1) In RACF we set up a USERID called MQ Console for MCA usage on the SVRCONN

2) SVRCONN Definition
DEFINE NOREPLACE
CHANNEL('WEBCON.SVRCONN')
CHLTYPE(SVRCONN)
QSGDISP(QMGR)
DEFCDISP(PRIVATE)
TRPTYPE(TCP)
MCAUSER('MQCONSL')

3) Error produced with no channel auth in QKSL. Userid passed is mqm from the MQ Console QManager on Distributed. So adding the channel auth that maps mqm to MQCONSL allows access in.

CSQX777E -QKSL CSQXRESP Channel WEBCON.SVRCONN from plm01021 67
(10.2.43.26) has been blocked due to USERSRC(NOACCESS), Detail:
CLNTUSER(mqm)
*** use this set to convert non RACF userid's to MQCONSL
SET
CHLAUTH('WEBCON.SVRCONN')
ACTION(ADD)
TYPE(USERMAP)
ADDRESS('10.2.43.26')
CHCKCLNT(ASQMGR)
CLNTUSER('mqm')
CUSTOM(' ')
DESCR('MQ WebConsole Access')
MCAUSER('MQCONSL')
USERSRC(MAP)
** Backstop
SET
CHLAUTH('WEBCON.SVRCONN')
ACTION(ADD)
TYPE(ADDRESSMAP)
ADDRESS('*')
CUSTOM(' ')
DESCR(' ')
MCAUSER(' ')
USERSRC(NOACCESS)
WARN(NO)

4) RACF Definitions

jobcard
//*-------------------------------------------------------
//*--- TSO BATCH - STANDARD RACF RULES FOR QKSL
//*-----------------------------------------------------------
//SYSINFO EXEC PGM=IKJEFT01,DYNAMNBR=75,
// REGION=6M
//SYSPROC DD DISP=SHR,DSN=SYS2.CLIST
//SYSOUT DD SYSOUT=*
//SYSPRINT DD SYSOUT=*
//SYSTSPRT DD SYSOUT=*
//SYSIN DD DUMMY,DCB=BLKSIZE=80
//SYSTSIN DD *
** MQADMIN **********************************************
RDEFINE MQADMIN QKSL.* UACC(NONE) OWNER(TKMS)
PERMIT QKSL.* CLASS(MQADMIN) -
ID(OPER) ACCESS(READ)
PERMIT QKSL.* CLASS(MQADMIN) -
ID(PKMO) ACCESS(ALTER)
PERMIT QKSL.* CLASS(MQADMIN) -
ID(TKMS) ACCESS(ALTER)
*PERMIT QKSL.* CLASS(MQADMIN) -
* ID(MQCONSL) ACCESS(UPDATE)
*
RDEFINE MQADMIN QKSL.CHANNEL.* UACC(NONE) OWNER(TKMS)
PERMIT QKSL.CHANNEL.* CLASS(MQADMIN) -
ID(TKMS) ACCESS(ALTER)
*
RDEFINE MQADMIN QKSL.CONTEXT UACC(NONE) OWNER(TKMS)
PERMIT QKSL.CONTEXT CLASS(MQADMIN) -
ID(PKMO) ACCESS(CONTROL)
PERMIT QKSL.CONTEXT CLASS(MQADMIN) -
ID(STDCLMGR) ACCESS(UPDATE)
PERMIT QKSL.CONTEXT CLASS(MQADMIN) -
ID(TKMS) ACCESS(ALTER)
PERMIT QKSL.CONTEXT CLASS(MQADMIN) -
ID(MQCONSL) ACCESS(READ)
*
RDEFINE MQADMIN QKSL.TOPIC.SYSTEM.BROKER.ADMIN.STREAM -
UACC(NONE) OWNER(TKMS)
PERMIT QKSL.TOPIC.SYSTEM.BROKER.ADMIN.STREAM CLASS(MQADMIN) -
ID(QKSLCHIN) ACCESS(ALTER)
** MQQUEUE **********************************************
RDEFINE MQQUEUE QKSL.** UACC(NONE) OWNER(TKMS)
PERMIT QKSL.* CLASS(MQQUEUE) -
ID(APPL) ACCESS(NONE)
PERMIT QKSL.** CLASS(MQQUEUE) -
ID(APPL) ACCESS(NONE)
PERMIT QKSL.** CLASS(MQQUEUE) -
ID(DB2) ACCESS(ALTER)
PERMIT QKSL.** CLASS(MQQUEUE) -
ID(OPER) ACCESS(READ)
PERMIT QKSL.** CLASS(MQQUEUE) -
ID(PKMO) ACCESS(ALTER)
PERMIT QKSL.** CLASS(MQQUEUE) -
ID(TKMS) ACCESS(ALTER)
PERMIT QKSL.** CLASS(MQQUEUE) -
ID(TMONMQ) ACCESS(ALTER)
PERMIT QKSL.** CLASS(MQQUEUE) -
ID(TMQLFS) ACCESS(ALTER)
PERMIT QKSL.** CLASS(MQQUEUE) -
ID(QKSLCHIN) ACCESS(ALTER)
*
RDEFINE MQQUEUE QKSL.SYSTEM.COMMAND.INPUT UACC(NONE) OWNER(TKMS)
PERMIT QKSL.SYSTEM.COMMAND.INPUT CLASS(MQQUEUE) -
ID(APPL) ACCESS(ALTER)
PERMIT QKSL.SYSTEM.COMMAND.INPUT CLASS(MQQUEUE) -
ID(DB2) ACCESS(ALTER)
PERMIT QKSL.SYSTEM.COMMAND.INPUT CLASS(MQQUEUE) -
ID(OPER) ACCESS(READ)
PERMIT QKSL.SYSTEM.COMMAND.INPUT CLASS(MQQUEUE) -
ID(MQCONSL) ACCESS(ALTER)
PERMIT QKSL.SYSTEM.COMMAND.INPUT CLASS(MQQUEUE) -
ID(PKMO) ACCESS(ALTER)
PERMIT QKSL.SYSTEM.COMMAND.INPUT CLASS(MQQUEUE) -
ID(TKMS) ACCESS(ALTER)
PERMIT QKSL.SYSTEM.COMMAND.INPUT CLASS(MQQUEUE) -
ID(TMONMQ) ACCESS(ALTER)
PERMIT QKSL.SYSTEM.COMMAND.INPUT CLASS(MQQUEUE) -
ID(TMQLFS) ACCESS(ALTER)
PERMIT QKSL.SYSTEM.COMMAND.INPUT CLASS(MQQUEUE) -
ID(QKSLCHIN) ACCESS(ALTER)
*
RDEFINE MQQUEUE QKSL.SYSTEM.COMMAND.** UACC(NONE) OWNER(TKMS)
PERMIT QKSL.SYSTEM.COMMAND.** CLASS(MQQUEUE) -
ID(APPL) ACCESS(ALTER)
PERMIT QKSL.SYSTEM.COMMAND.** CLASS(MQQUEUE) -
ID(DB2) ACCESS(ALTER)
PERMIT QKSL.SYSTEM.COMMAND.** CLASS(MQQUEUE) -
ID(MQCONSL) ACCESS(ALTER)
PERMIT QKSL.SYSTEM.COMMAND.** CLASS(MQQUEUE) -
ID(OPER) ACCESS(READ)
PERMIT QKSL.SYSTEM.COMMAND.** CLASS(MQQUEUE) -
ID(PKMO) ACCESS(ALTER)
PERMIT QKSL.SYSTEM.COMMAND.** CLASS(MQQUEUE) -
ID(TKMS) ACCESS(ALTER)
PERMIT QKSL.SYSTEM.COMMAND.** CLASS(MQQUEUE) -
ID(TMONMQ) ACCESS(ALTER)
PERMIT QKSL.SYSTEM.COMMAND.** CLASS(MQQUEUE) -
ID(TMQLFS) ACCESS(ALTER)
PERMIT QKSL.SYSTEM.COMMAND.** CLASS(MQQUEUE) -
ID(QKSLCHIN) ACCESS(ALTER)
*
RDEFINE MQQUEUE QKSL.SYSTEM.REST.REPLY.QUEUE UACC(NONE) OWNER(TKMS)
PERMIT QKSL.SYSTEM.REST.REPLY.QUEUE CLASS(MQQUEUE) -
ID(APPL) ACCESS(ALTER)
PERMIT QKSL.SYSTEM.REST.REPLY.QUEUE CLASS(MQQUEUE) -
ID(DB2) ACCESS(ALTER)
PERMIT QKSL.SYSTEM.REST.REPLY.QUEUE CLASS(MQQUEUE) -
ID(MQCONSL) ACCESS(ALTER)
PERMIT QKSL.SYSTEM.REST.REPLY.QUEUE CLASS(MQQUEUE) -
ID(OPER) ACCESS(READ)
PERMIT QKSL.SYSTEM.REST.REPLY.QUEUE CLASS(MQQUEUE) -
ID(PKMO) ACCESS(ALTER)
PERMIT QKSL.SYSTEM.REST.REPLY.QUEUE CLASS(MQQUEUE) -
ID(TKMS) ACCESS(ALTER)
PERMIT QKSL.SYSTEM.REST.REPLY.QUEUE CLASS(MQQUEUE) -
ID(TMONMQ) ACCESS(ALTER)
PERMIT QKSL.SYSTEM.REST.REPLY.QUEUE CLASS(MQQUEUE) -
ID(TMQLFS) ACCESS(ALTER)
PERMIT QKSL.SYSTEM.REST.REPLY.QUEUE CLASS(MQQUEUE) -
ID(QKSLCHIN) ACCESS(ALTER)
*
RDEFINE MQQUEUE QKSL.SYSTEM.CSQOREXX.** UACC(ALTER) OWNER(TKMS)
PERMIT QKSL.SYSTEM.CSQOREXX.** CLASS(MQQUEUE) -
ID(APPL) ACCESS(ALTER)
PERMIT QKSL.SYSTEM.CSQOREXX.** CLASS(MQQUEUE) -
ID(DB2) ACCESS(ALTER)
PERMIT QKSL.SYSTEM.CSQOREXX.** CLASS(MQQUEUE) -
ID(MQCONSL) ACCESS(ALTER)
PERMIT QKSL.SYSTEM.CSQOREXX.** CLASS(MQQUEUE) -
ID(OPER) ACCESS(READ)
PERMIT QKSL.SYSTEM.CSQOREXX.** CLASS(MQQUEUE) -
ID(PKMO) ACCESS(ALTER)
PERMIT QKSL.SYSTEM.CSQOREXX.** CLASS(MQQUEUE) -
ID(TKMS) ACCESS(ALTER)
PERMIT QKSL.SYSTEM.CSQOREXX.** CLASS(MQQUEUE) -
ID(TMONMQ) ACCESS(ALTER)
PERMIT QKSL.SYSTEM.CSQOREXX.** CLASS(MQQUEUE) -
ID(TMQLFS) ACCESS(ALTER)
PERMIT QKSL.SYSTEM.CSQOREXX.** CLASS(MQQUEUE) -
ID(QKSLCHIN) ACCESS(ALTER)
*
RDEFINE MQQUEUE QKSL.FMNTMQL.** UACC(ALTER) OWNER(TKMS)
PERMIT QKSL.FMNTMQL.** CLASS(MQQUEUE) -
ID(APPL) ACCESS(ALTER)
PERMIT QKSL.FMNTMQL.** CLASS(MQQUEUE) -
ID(DB2) ACCESS(ALTER)
PERMIT QKSL.FMNTMQL.** CLASS(MQQUEUE) -
ID(MQCONSL) ACCESS(ALTER)
PERMIT QKSL.FMNTMQL.** CLASS(MQQUEUE) -
ID(OPER) ACCESS(READ)
PERMIT QKSL.FMNTMQL.** CLASS(MQQUEUE) -
ID(PKMO) ACCESS(ALTER)
PERMIT QKSL.FMNTMQL.** CLASS(MQQUEUE) -
ID(TKMS) ACCESS(ALTER)
PERMIT QKSL.FMNTMQL.** CLASS(MQQUEUE) -
ID(TMONMQ) ACCESS(ALTER)
PERMIT QKSL.FMNTMQL.** CLASS(MQQUEUE) -
ID(TMQLFS) ACCESS(ALTER)
PERMIT QKSL.FMNTMQL.** CLASS(MQQUEUE) -
ID(QKSLCHIN) ACCESS(ALTER)
** RACF MQCMDS ******************************************
RDEFINE MQCMDS QKSL.** UACC(NONE) OWNER(TKMS)
PERMIT QKSL.** CLASS(MQCMDS) -
ID(OPER) ACCESS(READ)
PERMIT QKSL.** CLASS(MQCMDS) -
ID(PKMO) ACCESS(ALTER)
PERMIT QKSL.** CLASS(MQCMDS) -
ID(TKMS) ACCESS(ALTER)
PERMIT QKSL.** CLASS(MQCMDS) -
ID(QKSLCHIN) ACCESS(ALTER)
*PERMIT QKSL.** CLASS(MQCMDS) -
* ID(MVTECHL3) ACCESS(ALTER)
*
RDEFINE MQCMDS QKSL.ALTER.* UACC(NONE) OWNER(TKMS)
PERMIT QKSL.ALTER.* CLASS(MQCMDS) -
ID(PKMO) ACCESS(ALTER)
PERMIT QKSL.ALTER.* CLASS(MQCMDS) -
ID(TKMS) ACCESS(ALTER)
*
RDEFINE MQCMDS QKSL.ALTER UACC(NONE) OWNER(TKMS)
PERMIT QKSL.ALTER CLASS(MQCMDS) -
ID(PKMO) ACCESS(ALTER)
PERMIT QKSL.ALTER CLASS(MQCMDS) -
ID(TKMS) ACCESS(ALTER)
*
RDEFINE MQCMDS QKSL.ARCHIVE.* UACC(NONE) OWNER(TKMS)
PERMIT QKSL.ARCHIVE.* CLASS(MQCMDS) -
ID(TKMS) ACCESS(ALTER)
*
RDEFINE MQCMDS QKSL.BACKUP.* UACC(NONE) OWNER(TKMS)
PERMIT QKSL.BACKUP.* CLASS(MQCMDS) -
ID(TKMS) ACCESS(ALTER)
*
RDEFINE MQCMDS QKSL.CLEAR.QLOCAL UACC(NONE) OWNER(TKMS)
PERMIT QKSL.CLEAR.QLOCAL CLASS(MQCMDS) -
ID(TKMS) ACCESS(ALTER)
*
RDEFINE MQCMDS QKSL.DEFINE.* UACC(NONE) OWNER(TKMS)
PERMIT QKSL.DEFINE.* CLASS(MQCMDS) -
ID(TKMS) ACCESS(ALTER)
*
RDEFINE MQCMDS QKSL.DELETE.* UACC(NONE) OWNER(TKMS)
PERMIT QKSL.DELETE.* CLASS(MQCMDS) -
ID(TKMS) ACCESS(ALTER)
*
RDEFINE MQCMDS QKSL.DISPLAY UACC(NONE) OWNER(TKMS)
PERMIT QKSL.DISPLAY CLASS(MQCMDS) -
ID(APPL) ACCESS(ALTER)
PERMIT QKSL.DISPLAY CLASS(MQCMDS) -
ID(PKMO) ACCESS(ALTER)
PERMIT QKSL.DISPLAY CLASS(MQCMDS) -
ID(TKMS) ACCESS(ALTER)
*
RDEFINE MQCMDS QKSL.DISPLAY.* UACC(NONE) OWNER(TKMS)
PERMIT QKSL.DISPLAY.* CLASS(MQCMDS) -
ID(TKMS) ACCESS(ALTER)
PERMIT QKSL.DISPLAY.* CLASS(MQCMDS) -
ID(APPL) ACCESS(ALTER)
*
RDEFINE MQCMDS QKSL.DISPLAY.QMGR UACC(NONE) OWNER(TKMS)
PERMIT QKSL.DISPLAY.QMGR CLASS(MQCMDS) -
ID(TKMS) ACCESS(ALTER)
PERMIT QKSL.DISPLAY.QMGR CLASS(MQCMDS) -
ID(APPL) ACCESS(ALTER)
*
RDEFINE MQCMDS QKSL.DISPLAY.CONNPCF UACC(NONE) OWNER(TKMS)
PERMIT QKSL.DISPLAY.CONNPCF CLASS(MQCMDS) -
ID(TKMS) ACCESS(ALTER)
PERMIT QKSL.DISPLAY.CONNPCF CLASS(MQCMDS) -
ID(APPL) ACCESS(ALTER)
*
RDEFINE MQCMDS QKSL.DISPLAY.QUEUE UACC(NONE) OWNER(TKMS)
PERMIT QKSL.DISPLAY.QUEUE CLASS(MQCMDS) -
ID(TKMS) ACCESS(ALTER)
PERMIT QKSL.DISPLAY.QUEUE CLASS(MQCMDS) -
ID(APPL) ACCESS(ALTER)
*
RDEFINE MQCMDS QKSL.DISPLAY.SUB UACC(NONE) OWNER(TKMS)
PERMIT QKSL.DISPLAY.SUB CLASS(MQCMDS) -
ID(TKMS) ACCESS(ALTER)
PERMIT QKSL.DISPLAY.SUB CLASS(MQCMDS) -
ID(APPL) ACCESS(ALTER)
*
RDEFINE MQCMDS QKSL.DISPLAY.DQM UACC(NONE) OWNER(TKMS)
PERMIT QKSL.DISPLAY.DQM CLASS(MQCMDS) -
ID(TKMS) ACCESS(ALTER)
PERMIT QKSL.DISPLAY.DQM CLASS(MQCMDS) -
ID(APPL) ACCESS(ALTER)
*
RDEFINE MQCMDS QKSL.PING.CHANNEL UACC(NONE) OWNER(TKMS)
PERMIT QKSL.PING.CHANNEL CLASS(MQCMDS) -
ID(TKMS) ACCESS(ALTER)
*
RDEFINE MQCMDS QKSL.RECOVER.BSDS UACC(NONE) OWNER(TKMS)
PERMIT QKSL.RECOVER.BSDS CLASS(MQCMDS) -
ID(TKMS) ACCESS(ALTER)
*
RDEFINE MQCMDS QKSL.REFRESH.SECURITY UACC(NONE) OWNER(TKMS)
PERMIT QKSL.REFRESH.SECURITY CLASS(MQCMDS) -
ID(TKMS) ACCESS(ALTER)
*
RDEFINE MQCMDS QKSL.RESET.CHANNEL UACC(NONE) OWNER(TKMS)
PERMIT QKSL.RESET.CHANNEL CLASS(MQCMDS) -
ID(TKMS) ACCESS(ALTER)
*
RDEFINE MQCMDS QKSL.RESET.TPIPE UACC(NONE) OWNER(TKMS)
PERMIT QKSL.RESET.TPIPE CLASS(MQCMDS) -
ID(TKMS) ACCESS(ALTER)
*
RDEFINE MQCMDS QKSL.RESOLVE UACC(NONE) OWNER(TKMS)
PERMIT QKSL.RESOLVE CLASS(MQCMDS) -
ID(TKMS) ACCESS(ALTER)
*
RDEFINE MQCMDS QKSL.RECOVER.* UACC(NONE) OWNER(TKMS)
PERMIT QKSL.RECOVER.* CLASS(MQCMDS) -
ID(TKMS) ACCESS(ALTER)
*
RDEFINE MQCMDS QKSL.RESOLVE.* UACC(NONE) OWNER(TKMS)
PERMIT QKSL.RESOLVE.* CLASS(MQCMDS) -
ID(TKMS) ACCESS(ALTER)
*
RDEFINE MQCMDS QKSL.RVERIFY.SECURITY UACC(NONE) OWNER(TKMS)
PERMIT QKSL.RVERIFY.SECURITY CLASS(MQCMDS) -
ID(TKMS) ACCESS(ALTER)
*
RDEFINE MQCMDS QKSL.START.* UACC(NONE) OWNER(TKMS)
PERMIT QKSL.START.* CLASS(MQCMDS) -
ID(TKMS) ACCESS(ALTER)
*
RDEFINE MQCMDS QKSL.STOP.* UACC(NONE) OWNER(TKMS)
PERMIT QKSL.STOP.* CLASS(MQCMDS) -
ID(TKMS) ACCESS(ALTER)
*
RDEFINE MQCMDS QKSL.SET.* UACC(NONE) OWNER(TKMS)
PERMIT QKSL.SET.* CLASS(MQCMDS) -
ID(TKMS) ACCESS(ALTER)
*
RDEFINE MQCMDS QKSL.SUSPEND.* UACC(NONE) OWNER(TKMS)
PERMIT QKSL.SUSPEND.* CLASS(MQCMDS) -
ID(TKMS) ACCESS(ALTER)
** RACF REFRESH *****************************************
SETROPTS RACLIST(MQADMIN,MQQUEUE,MQPROC,MQNLIST,MQCONN,MQCMDS) REFRESH
/*
//****************************************************************
//** FUNCTION : ISSUE MQ CMD REFRESH SECURITY **
//****************************************************************
//MQUTIL EXEC PGM=CSQUTIL,REGION=4096K,
// PARM='QKSL'
//STEPLIB DD DSN=SYS1.SCSQAUTH,DISP=SHR
// DD DSN=SYS1.SCSQLOAD,DISP=SHR
//SYSPRINT DD SYSOUT=*
//SYSIN DD *
COMMAND DDNAME(CMDINP)
/*
//CMDINP DD *
REFRESH SECURITY(*) TYPE(CLASSES)
/*
hughson
Posted: Fri Aug 30, 2024 1:45 am


While I read through this large dump of data, can you confirm that when you issue the following command you see that the channel is running with MCAUSER(MQCONSL)?

Code:
DISPLAY CHSTATUS(WEBCON.SVRCONN) MCAUSER

Also can you tell me what access the CHINIT user ID has to your RESLEVEL profile?

Cheers,
Morag
cicsprog
Posted: Fri Aug 30, 2024 7:47 am


Sorry about all the doc. I wasn't sure what might be broken, so I gave you what I had done to try and make this work.

Anyway, I don't get any output from the DISPLAY command because I can't catch the channel running... darn mainframes are too fast.

In the doc above, I took out the two CHLAUTH settings and ran MQ Console. In the CHIN I got:
CSQX777E -QKSL CSQXRESP Channel WEBCON.SVRCONN from plm01021
(10.2.43.26) has been blocked due to USERSRC(NOACCESS), Detail:
CLNTUSER(mqm)

So the distributed MQ is sending "mqm" as the userid associated with the PCF messages.

When I put the two CHLAUTH commands back in I don't get that error, and in the CHIN I see lots of these:
10.34.30 STC12201 +CSQX511I -QKSL CSQXRESP Channel WEBCON.SVRCONN started 573
573 connection 10.2.43.26
10.34.30 STC12201 +CSQX511I -QKSL CSQXRESP Channel WEBCON.SVRCONN started 574
574 connection 10.2.43.26
10.34.30 STC12201 +CSQX512I -QKSL CSQXRESP Channel WEBCON.SVRCONN no longer act
575 connection 10.2.43.26
10.34.30 STC12201 +CSQX512I -QKSL CSQXRESP Channel WEBCON.SVRCONN no longer act
576 connection 10.2.43.26

I'd assume those PCF messages get the MCAUSER changed to MQCONSL.

There is NOT any RESLEVEL set.

As an added bonus, here are the CHIN settings from our nightly backups (because I know you need more doc):
ALTER QMGR
DESCR('QKSL, IBM WebSphere MQ for z/OS v9.3')
CHLAUTH(ENABLED)
DEADQ('QKSL.DEAD.Q')
TRIGINT(999999999)
MAXHANDS(256)
MAXUMSGS(10000)
EXPRYINT(OFF)
AUTHOREV(DISABLED)
INHIBTEV(DISABLED)
LOCALEV(DISABLED)
REMOTEEV(DISABLED)
STRSTPEV(ENABLED)
PERFMEV(DISABLED)
CONFIGEV(DISABLED)
CMDEV(DISABLED)
CHLEV(ENABLED)
SSLEV(ENABLED)
BRIDGEEV(ENABLED)
CHADEXIT(' ')
CLWLDATA(' ')
CLWLEXIT(' ')
CLWLLEN(100)
CLWLMRUC(999999999)
CLWLUSEQ(LOCAL)
REPOS(' ')
REPOSNL(' ')
DEFXMITQ('QKSL.DEFXMIT.Q')
SQQMNAME(USE)
MARKINT(5000)
MAXPROPL(NOLIMIT)
SSLRKEYC(0)
SSLKEYR('QKSLRING')
SSLCRLNL(' ')
SSLTASKS(5)
SSLFIPS(NO)
CERTLABL('ibmWebSphereMQQKSL')
CERTQSGL(' ')
IGQ(DISABLED)
IGQAUT(DEF)
IGQUSER(' ')
IPADDRV(IPV4)
ACCTQ(ON)
MONQ(OFF)
MONCHL(OFF)
MONACLS(QMGR)
ROUTEREC(MSG)
ACTIVREC(MSG)
PARENT(' ')
TREELIFE(1800)
PSMODE(ENABLED)
PSCLUS(ENABLED)
PSNPMSG(DISCARD)
PSNPRES(NORMAL)
PSRTYCNT(5)
PSSYNCPT(IFPER)
GROUPUR(DISABLED)
SCYCASE(UPPER)
CHIADAPS(
CHIDISPS(5)
MAXCHL(4000)
ACTCHL(4000)
TCPCHL(4000)
TCPKEEP(YES)
TCPNAME('TCPIP')
TCPSTACK(SINGLE)
OPORTMIN(0)
OPORTMAX(0)
LU62CHL(200)
LUGROUP(' ')
LUNAME(' ')
LU62ARM(' ')
DNSGROUP(' ')
DNSWLM(NO)
LSTRTMR(60)
RCVTIME(0)
RCVTTYPE(MULTIPLY)
RCVTMIN(0)
ADOPTCHK(ALL)
ADOPTMCA(ALL)
TRAXTBL(900)
TRAXSTR(NO)
CHISERVP('00000000000000000000000000000000')
CFCONLOS(TERMINATE)
DEFCLXQ(SCTQ)
CUSTOM(' ')
REVDNS(ENABLED)
CONNAUTH('USE.PW')
STATCHL(OFF)
STATACLS(QMGR)
STATQ(OFF)
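The CHIN messages quoted above (CSQX777E for a connection blocked by CHLAUTH, CSQX511I/CSQX512I for a channel instance starting and ending) are the evidence a queue manager administrator has of what identity a remote tool such as MQ Console asserts and what happened to it. The following is an added example, not code from the thread or from IBM: it glues the multi-line MVS message format back together and summarises blocked and started connections per address, so that blocked CLNTUSER values and connection churn can be reviewed rather than scrolled past. The sample log is constructed from the lines posted in the thread; the `join_records`, `classify` and `summarize` names are mine.

```python
"""Added example (not from the thread): parse channel initiator (CHIN) messages
of the shape cicsprog posted and summarise blocked and started client connections.

Assumptions: the message layouts follow the lines quoted in the thread
(a "hh.mm.ss STCnnnnn +" prefix on some messages, continuation lines that start
with the MVS message number). Other message formats are not handled.
"""
import re
from collections import Counter

# A new message starts with an optional "hh.mm.ss STCnnnnn +" prefix and a CSQX id;
# anything else is a continuation line of the previous message.
MSG_START = re.compile(r"^(?:\d{2}\.\d{2}\.\d{2}\s+\S+\s+)?\+?CSQX\d{3}[EIW]\b")

# CSQX777E: connection blocked by a CHLAUTH rule (reason = USERSRC(...) etc.)
BLOCKED = re.compile(
    r"CSQX777E -(?P<qmgr>\S+) CSQXRESP Channel (?P<channel>\S+) from (?P<host>\S+)"
    r"(?: \d+)? \((?P<address>[^)]+)\) has been blocked due to (?P<reason>\S+),"
    r" Detail: CLNTUSER\((?P<clntuser>[^)]*)\)")
# CSQX511I / CSQX512I: channel instance started / no longer active
STARTED = re.compile(
    r"CSQX511I -(?P<qmgr>\S+) CSQXRESP Channel (?P<channel>\S+) started"
    r"(?: \d+)? (?:\d+ )?connection (?P<address>\S+)")
ENDED = re.compile(
    r"CSQX512I -(?P<qmgr>\S+) CSQXRESP Channel (?P<channel>\S+) no longer act\w*"
    r"(?: \d+)? (?:\d+ )?connection (?P<address>\S+)")


def join_records(lines):
    """Glue continuation lines onto the message they belong to."""
    records = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if MSG_START.match(line):
            records.append(line)
        elif records:
            records[-1] += " " + line
    return records


def classify(record):
    """Return a dict describing the event, or None for messages we do not track."""
    for event, pattern in (("blocked", BLOCKED), ("started", STARTED), ("ended", ENDED)):
        m = pattern.search(record)
        if m:
            return {"event": event, **m.groupdict()}
    return None


def summarize(lines):
    """Blocked connections in full (who asserted which ID from where), plus
    start/end counts per client address."""
    events = [e for e in map(classify, join_records(lines)) if e]
    return {
        "blocked": [e for e in events if e["event"] == "blocked"],
        "started_by_address": dict(Counter(e["address"] for e in events
                                           if e["event"] == "started")),
        "ended_by_address": dict(Counter(e["address"] for e in events
                                         if e["event"] == "ended")),
    }


# Constructed sample, assembled from the CHIN lines quoted in the thread.
SAMPLE_CHIN_LOG = """\
CSQX777E -QKSL CSQXRESP Channel WEBCON.SVRCONN from plm01021 67
(10.2.43.26) has been blocked due to USERSRC(NOACCESS), Detail:
CLNTUSER(mqm)
10.34.30 STC12201 +CSQX511I -QKSL CSQXRESP Channel WEBCON.SVRCONN started 573
573 connection 10.2.43.26
10.34.30 STC12201 +CSQX511I -QKSL CSQXRESP Channel WEBCON.SVRCONN started 574
574 connection 10.2.43.26
10.34.30 STC12201 +CSQX512I -QKSL CSQXRESP Channel WEBCON.SVRCONN no longer act
575 connection 10.2.43.26
10.34.30 STC12201 +CSQX512I -QKSL CSQXRESP Channel WEBCON.SVRCONN no longer act
576 connection 10.2.43.26
"""

if __name__ == "__main__":
    summary = summarize(SAMPLE_CHIN_LOG.splitlines())
    for blocked in summary["blocked"]:
        print("BLOCKED", blocked["channel"], blocked["address"],
              "asserted", blocked["clntuser"], "->", blocked["reason"])
    print("started per address:", summary["started_by_address"])
    print("ended per address:  ", summary["ended_by_address"])
```

A CSQX777E with CLNTUSER(mqm) records that the remote side asserted an administrative user ID and the ADDRESSMAP backstop refused it, which is the backstop doing its job; once the USERMAP rule maps that ID to MQCONSL the message disappears and the connection runs under MQCONSL. Keeping the blocked list in view is worthwhile precisely because it shows which identities remote tools try to present.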
cicsprog
Posted: Fri Aug 30, 2024 8:02 am


I STOPPED the SVRCONN channel and ran MQ Console and did the DISPLAY:
DISPLAY CHSTATUS(WEBCON.SVRCONN) MCAUSER
CSQN205I COUNT= 3, RETURN=00000000, REASON=00000000
CSQM425I -QKSL
CHSTATUS(WEBCON.SVRCONN)
CHLDISP(PRIVATE)
CONNAME( )
CURRENT
CHLTYPE(SVRCONN)
STATUS(STOPPED)
SUBSTATE( )
STOPREQ(NO)
RAPPLTAG( )
MCAUSER( )

But this might just mean that the CHLAUTH code didn't get executed, because the channel's run status is checked before.
hughson
Posted: Fri Aug 30, 2024 7:05 pm


cicsprog wrote:
There is NOT any RESLEVEL set.

I suspect the above statement is in fact untrue.

cicsprog wrote:
4) RACF Definitions

//*-------------------------------------------------------
//*--- TSO BATCH - STANDARD RACF RULES FOR QKSL
//*-----------------------------------------------------------
** MQADMIN **********************************************
RDEFINE MQADMIN QKSL.* UACC(NONE) OWNER(TKMS)
PERMIT QKSL.* CLASS(MQADMIN) -
ID(OPER) ACCESS(READ)
PERMIT QKSL.* CLASS(MQADMIN) -
ID(PKMO) ACCESS(ALTER)
PERMIT QKSL.* CLASS(MQADMIN) -
ID(TKMS) ACCESS(ALTER)
*PERMIT QKSL.* CLASS(MQADMIN) -
* ID(MQCONSL) ACCESS(UPDATE)
*

Please have a read of IBM Docs page The RESLEVEL security profile where it warns:-
IBM Docs wrote:
Attention: RESLEVEL is a very powerful option; it can cause the bypassing of all resource security checks for a particular connection.
If you do not have a RESLEVEL profile defined, you must be careful that no other profile in the MQADMIN class matches hlq.RESLEVEL. For example, if you have a profile in MQADMIN called hlq.** and no hlq.RESLEVEL profile, beware of the consequences of the hlq.** profile because it is used for the RESLEVEL check.

Define an hlq.RESLEVEL profile and set the UACC to NONE, rather than have no RESLEVEL profile at all. Have as few users or groups in the access list as possible.


So I would ask again, what level of access does the CHINIT user ID have to the RESLEVEL profile?

One further question. Can you issue the following command and provide the output please so we can see which security switches you have enabled.

Code:
DISPLAY SECURITY

Cheers,
Morag
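The point Morag makes from the IBM Docs is that MQ asks RACF for the CHINIT's access to hlq.RESLEVEL whether or not such a profile exists, so whatever generic profile happens to cover that name answers the question. In the MQADMIN class posted above that profile is QKSL.* (a single-qualifier generic, which covers QKSL.RESLEVEL just as QKSL.** would), and the CHINIT user QKSLCHIN belongs to group TKMS, which holds ALTER on it. The following is an added example, not code from the thread or from IBM: a reduced model of RACF generic matching and access resolution, run against those profiles before and after an explicit QKSL.RESLEVEL UACC(NONE) profile is defined. The `Profile`, `best_profile`, `access_level` and `reslevel_effect` names are mine, the matching rules are simplified, and the RESLEVEL-to-checks table is my reading of the IBM Docs table for channel initiator connections; verify both against your release's documentation.

```python
"""Added example (not from the thread): a reduced model of how the RESLEVEL check
resolves against MQADMIN profiles, using the profiles cicsprog posted.

Assumptions: RACF generic matching and access-list resolution are simplified here,
and the RESLEVEL-to-checks table follows the IBM Docs description for channel
initiator connections. Check both against your release's RACF and MQ documentation.
"""
import re
from dataclasses import dataclass, field

ACCESS_ORDER = ["NONE", "READ", "UPDATE", "CONTROL", "ALTER"]


@dataclass
class Profile:
    name: str                                # e.g. "QKSL.*"
    uacc: str = "NONE"                       # universal access
    acl: dict = field(default_factory=dict)  # user or group ID -> access level


def _match(pq, rq):
    """Reduced generic matching on dot-separated qualifiers: '**' matches zero or
    more qualifiers; '*' inside a qualifier matches any characters within that
    single qualifier (so 'QKSL.*' covers 'QKSL.RESLEVEL' but not 'QKSL.A.B')."""
    if not pq:
        return not rq
    head, rest = pq[0], pq[1:]
    if head == "**":
        return any(_match(rest, rq[i:]) for i in range(len(rq) + 1))
    if not rq:
        return False
    if re.fullmatch(re.escape(head).replace(r"\*", "[^.]*"), rq[0]):
        return _match(rest, rq[1:])
    return False


def best_profile(profiles, resource):
    """Most specific matching profile: most literal characters, fewest '**'."""
    matches = [p for p in profiles if _match(p.name.split("."), resource.split("."))]
    if not matches:
        return None
    return max(matches, key=lambda p: (sum(c != "*" for c in p.name),
                                       -p.name.count("**")))


def access_level(profiles, resource, user, groups):
    """A user entry beats group entries; otherwise the highest group access;
    otherwise UACC. No matching profile is treated as NONE (an assumption)."""
    p = best_profile(profiles, resource)
    if p is None:
        return "NONE"
    if user in p.acl:
        return p.acl[user]
    group_levels = [p.acl[g] for g in groups if g in p.acl]
    if group_levels:
        return max(group_levels, key=ACCESS_ORDER.index)
    return p.uacc


# What the CHINIT's access to hlq.RESLEVEL means for channel connections
# (my reading of the IBM Docs table for channel initiator connections).
RESLEVEL_CHINIT_EFFECT = {
    "NONE": "check both the channel user ID and the MCA user ID",
    "READ": "check the channel user ID only",
    "UPDATE": "check the MCA user ID only",
    "CONTROL": "no resource security checks",
    "ALTER": "no resource security checks",
}


def reslevel_effect(mqadmin_profiles, hlq, chinit_user, chinit_groups):
    """(profile that answered, CHINIT's access level, what that does to checking)."""
    resource = f"{hlq}.RESLEVEL"
    chosen = best_profile(mqadmin_profiles, resource)
    level = access_level(mqadmin_profiles, resource, chinit_user, chinit_groups)
    return (chosen.name if chosen else None, level, RESLEVEL_CHINIT_EFFECT[level])


# MQADMIN profiles as posted in the thread: no QKSL.RESLEVEL profile exists.
BEFORE = [
    Profile("QKSL.*", "NONE", {"OPER": "READ", "PKMO": "ALTER", "TKMS": "ALTER"}),
    Profile("QKSL.CHANNEL.*", "NONE", {"TKMS": "ALTER"}),
    Profile("QKSL.CONTEXT", "NONE", {"MQCONSL": "READ", "PKMO": "CONTROL",
                                     "STDCLMGR": "UPDATE", "TKMS": "ALTER"}),
]
# The same set plus the explicit profile the IBM Docs recommend: UACC(NONE), empty access list.
AFTER = BEFORE + [Profile("QKSL.RESLEVEL", "NONE", {})]

if __name__ == "__main__":
    # QKSLCHIN's default group is TKMS (LISTUSER output in the thread).
    for label, profiles in (("before", BEFORE), ("after", AFTER)):
        print(label, reslevel_effect(profiles, "QKSL", "QKSLCHIN", ["TKMS"]))
```

Before the explicit profile exists, the answer comes from QKSL.* and the CHINIT gets ALTER, which switches resource checking off for every channel connection, which is consistent with APPL members being able to put to queues that the MQQUEUE profiles deny them. After QKSL.RESLEVEL UACC(NONE) is defined the CHINIT gets NONE and both the channel user ID and the MCA user ID are checked. RACF keeps the MQADMIN class in storage, so the new profile is seen only after the SETROPTS RACLIST REFRESH and the queue manager REFRESH SECURITY that the posted JCL issues, and a connection that was already established was assigned its RESLEVEL result when it connected.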
cicsprog
Posted: Fri Aug 30, 2024 8:34 pm


Skip

Last edited by cicsprog on Fri Aug 30, 2024 8:38 pm; edited 1 time in total
cicsprog
Posted: Fri Aug 30, 2024 8:37 pm


Not in front of terminal now or until Tuesday (Monday US Holiday) but was checking this post.

I used RACFADM and didn't see a QKSL.RESLEVEL in MQADMIN specified, unless I missed it.

This customer would like to use MQ Con if possible. They're not in a good place in spending $ on a product to replace what's being sunsetted.

But it's a difficult requirement considering users of MQ Con won't always have a userid in RACF and MQ Con is installed on a distributed platform. And they want an enterprise view of all their mqms. Given this, I'm not sure I can configure RACF and/or CHLAUTH to accommodate. There is no manual that explains this type of config. Not being a RACF specialist doesn't help either. So I have to mess with the config to see if I can secure test and prod instances accessing MQ objects and message data where MQ Con is the access method.

Will post back info you requested Tuesday. ZOS MQ v9.3.

As always you are very helpful!
zpat
Posted: Fri Aug 30, 2024 11:38 pm


RESLEVEL is a RACF check made by MQ.

If you don't have a specific RACF profile to match, it will pick up an access level from whatever profile happens to match, such as QM.**

This is the major issue with RESLEVEL. It's not a great design imho.

I have suggested to IBM that they have the CHIN display a huge warning message if the access level found is higher than NONE.
_________________
Well, I don't think there is any question about it. It can only be attributable to human error. This sort of thing has cropped up before, and it has always been due to human error.
hughson
Posted: Mon Sep 02, 2024 3:05 am


cicsprog wrote:
I used RACFADM and didn't see a QKSL.RESLEVEL in MQADMIN specified, unless I missed it.

Indeed - but you do have a QKSL.** profile which will be used - see referenced note in IBM Docs.

cicsprog wrote:
But it's a difficult requirement considering users of MQ Con won't always have a userid in RACF and MQ Con is installed on a distributed platform.

It's going to be no different to any other remotely attached MQ admin tool. If what they are replacing was also that, then they can use the same IDs they used for that.

We'll speak more once you are back in the office.

Cheers,
Morag
cicsprog
Posted: Tue Sep 03, 2024 7:29 am


Here is hopefully the info you need.

FYI, the sunsetted product had its own internal security.

DISPLAY SECURITY
CSQU000I CSQUTIL IBM MQ for z/OS V9.3.0
CSQU001I CSQUTIL Queue Manager Utility - 2024-09-03 10:24:10
COMMAND TGTQMGR(QKSL) RESPTIME(30)
CSQU127I Executing COMMAND using input from CSQUCMD data set
CSQU120I Connecting to QKSL
CSQU121I Connected to queue manager QKSL
CSQU055I Target queue manager is QKSL
DISPLAY SECURITY
CSQN205I COUNT= 21, RETURN=00000000, REASON=00000000
CSQH015I -QKSL Security timeout = 54 minutes
CSQH016I -QKSL Security interval = 12 minutes
CSQH037I -QKSL Security using uppercase classes
CSQH030I -QKSL Security switches ...
CSQH034I -QKSL SUBSYSTEM: ON, 'QKSL.NO.SUBSYS.SECURITY' not found
CSQH034I -QKSL CONNECTION: ON, 'QKSL.NO.CONNECT.CHECKS' not found
CSQH034I -QKSL COMMAND: ON, 'QKSL.NO.CMD.CHECKS' not found
CSQH034I -QKSL CONTEXT: ON, 'QKSL.NO.CONTEXT.CHECKS' not found
CSQH034I -QKSL ALTERNATE USER: ON, 'QKSL.NO.ALTERNATE.USER.CHECKS' not
found
CSQH034I -QKSL PROCESS: ON, 'QKSL.NO.PROCESS.CHECKS' not found
CSQH034I -QKSL NAMELIST: ON, 'QKSL.NO.NLIST.CHECKS' not found
CSQH034I -QKSL QUEUE: ON, 'QKSL.NO.QUEUE.CHECKS' not found
CSQH031I -QKSL TOPIC: OFF, 'QKSL.NO.TOPIC.CHECKS' found
CSQH034I -QKSL COMMAND RESOURCES: ON, 'QKSL.NO.CMD.RESC.CHECKS' not
found
CSQH040I -QKSL Connection authentication ...
CSQH041I -QKSL Client checks: OPTIONAL
CSQH042I -QKSL Local bindings checks: NONE
CSQ9022I -QKSL CSQHPDTC ' DISPLAY SECURITY' NORMAL COMPLETION
CSQU057I 1 commands read
CSQU058I 1 commands issued and responses received, 0 failed
CSQU143I 1 COMMAND statements attempted
CSQU144I 1 statements executed successfully
CSQU148I CSQUTIL Utility completed, return code=0

LISTUSER QKSLCHIN
USER=QKSLCHIN NAME=QKSLCHIN SERVICEACCO OWNER=PKMO CREATED=03.113
DEFAULT-GROUP=TKMS PASSDATE=00.000 PASS-INTERVAL=N/A PHRASEDATE=N/A
PASSWORD ENVELOPED=NO
ATTRIBUTES=NONE
REVOKE DATE=NONE RESUME DATE=NONE
LAST-ACCESS=24.241/19:13:16
CLASS AUTHORIZATIONS=NONE
INSTALLATION-DATA=NAME(MQSERIES CHIN LRN),CAT(SYSTASK)
NO-MODEL-NAME
LOGON ALLOWED (DAYS) (TIME)
---------------------------------------------
ANYDAY ANYTIME
GROUP=TKMS AUTH=USE CONNECT-OWNER=TKMS CONNECT-DATE=03.113
CONNECTS= 967 UACC=NONE LAST-CONNECT=24.241/19:13:16
CONNECT ATTRIBUTES=NONE
REVOKE DATE=NONE RESUME DATE=NONE
SECURITY-LEVEL=NONE SPECIFIED
CATEGORY-AUTHORIZATION
NONE SPECIFIED
SECURITY-LABEL=NONE SPECIFIED

RACFADM RESOURCE

S Profile
-----------------------------------------------------
QKSL.*
QKSL.CHANNEL.*
QKSL.CONTEXT
QKSL.NO.TOPIC.CHECKS
QKSL.TOPIC.SYSTEM.BROKER.ADMIN.STREAM


PROFILE: QKSL.*
CLASS: MQADMIN
UACC: NONE (Default
WARNING: NO (YES/NO)
DATA: NONE

SELECT: S Show, L List, C C

S Group/ID Access
----------------------------
OPER READ
PKMO ALTER
TKMS ALTER

PROFILE: QKSL.CHANNEL.*
CLASS: MQADMIN
UACC: NONE (Defaul
WARNING: NO (YES/NO
DATA: NONE

SELECT: S Show, L List, C

S Group/ID Access
--------------------------
TKMS ALTER

PROFILE: QKSL.CONTEXT
CLASS: MQADMIN
UACC: NONE (Defa
WARNING: NO (YES/
DATA: NONE

SELECT: S Show, L List,

S Group/ID Access
------------------------
MQCONSL READ
PKMO CONTROL
STDCLMGR UPDATE
TKMS ALTER

PROFILE: QKSL.NO.TOPIC.CHECKS
CLASS: MQADMIN
UACC: NONE (Default access)
WARNING: NO (YES/NO)
DATA: NONE

SELECT: S Show, L List, C Change,

S Group/ID Access
-----------------------------------
NO USERS

PROFILE: QKSL.TOPIC.SYSTEM.BROKER.ADMIN.STREAM
CLASS: MQADMIN
UACC: NONE (Default access) OWNER:
WARNING: NO (YES/NO) AUDIT:
DATA: NONE

SELECT: S Show, L List, C Change, A Add, R Remo

S Group/ID Access
------------------------------------------------
QKSLCHIN ALTER
cicsprog
Posted: Tue Sep 03, 2024 8:07 am


So per the manual and your recommendation I added:

QKSL.*
QKSL.CHANNEL.*
QKSL.CONTEXT
QKSL.NO.TOPIC.CHECKS
QKSL.RESLEVEL
QKSL.TOPIC.SYSTEM.BROKER.ADMIN.STREAM

PROFILE: QKSL.RESLEVEL
CLASS: MQADMIN
UACC: NONE (Default access) OWNER: TKMS
WARNING: NO (YES/NO) AUDIT: FAILURES(
DATA: NONE

SELECT: S Show, L List, C Change, A Add, R Remove

S Group/ID Access
----------------------------------------------------------
NO USERS

I had my user do testing. His userid is in RACF GROUP(APPL), application programmers.
I tried to make it so that anyone in the GROUP APPL can NOT add messages to Q's. So I was hoping MQOPEN-type commands would be stopped.

So after adding just this RESLEVEL, assuming I did it correctly, he is still able to add messages into Q's.
hughson
Posted: Tue Sep 03, 2024 2:15 pm


cicsprog wrote:
I had my user do testing. His userid is in RACF GROUP(APPL), application programmers.

I got the impression from your earlier posts that the connection from the MQ Console (running elsewhere) was assigned the user ID MQCONSL to run with?

Do you have an example name of a queue that your user is attempting (and succeeding) to put messages to? Is it a name starting FMNTMQL by any chance?
cicsprog wrote:
RDEFINE MQQUEUE QKSL.FMNTMQL.** UACC(ALTER) OWNER(TKMS)
PERMIT QKSL.FMNTMQL.** CLASS(MQQUEUE) -
ID(MQCONSL) ACCESS(ALTER)


Cheers,
Morag
cicsprog
Posted: Tue Sep 03, 2024 2:31 pm


I think that's an old RACF entry. There is no Q with the name FMNTMQL in QKSL.

As I mentioned earlier, I'm pretty sure the msgs from MQ Console are PCF messages. When I first started to install (really no install that I know of), the messages were coming in with userid "mqm". I received:

CSQX777E -QKSL CSQXRESP Channel WEBCON.SVRCONN from plm01021
(10.2.43.26) has been blocked due to USERSRC(NOACCESS), Detail:
CLNTUSER(mqm)

So I added these:
*** use this set to convert non RACF userid's to MQCONSL
SET
CHLAUTH('WEBCON.SVRCONN')
ACTION(ADD)
TYPE(USERMAP)
ADDRESS('10.2.43.26')
CHCKCLNT(ASQMGR)
CLNTUSER('mqm')
CUSTOM(' ')
DESCR('MQ WebConsole Access')
MCAUSER('MQCONSL')
USERSRC(MAP)
** Backstop
SET
CHLAUTH('WEBCON.SVRCONN')
ACTION(ADD)
TYPE(ADDRESSMAP)
ADDRESS('*')
CUSTOM(' ')
DESCR(' ')
MCAUSER(' ')
USERSRC(NOACCESS)
WARN(NO)

and created a RACF userid of MQCONSL.

That made MQ Console actually work. After that it was pretty much just me putting in RACF rules in a TEST version for application types and then the ones from above for PROD. So I'm assuming the messages are now associated with userid MQCONSL and RACF is doing validation against that.

Where I'm stuck is I'm trying to prevent anyone in PROD mqms from putting messages to Q's or even looking at messages.

Why aren't the RACF rules that I have in place stopping MQOPEN (and other API-type opens)?

What's odd is that with these rules in place, I can still put messages to supposedly secure Q's?
Page 1 of 3