Change MCAUSER SVRCONN based on AlternateUserID or ???

cicsprog
Posted: Tue Oct 22, 2024 10:34 am    Post subject: Change MCAUSER SVRCONN based on AlternateUserID or ???

Partisan

Joined: 27 Jan 2002
Posts: 344

I need to change MCAUSER on a SVRCONN based on a Network USERID.

Does anyone do that? I assume channel exit or CCDT table is probably the only way. I don't see that CHLAUTH works unless you have a static IP.

fjb_saper
Posted: Thu Oct 24, 2024 5:15 am    Post subject: Re: Change MCAUSER SVRCONN based on AlternateUserID or ???

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20736
Location: LI,NY

cicsprog wrote:
I need to change MCAUSER on a SVRCONN based on a Network USERID.

Does anyone do that? I assume channel exit or CCDT table is probably the only way. I don't see that CHLAUTH works unless you have a static IP.

No, the UserMap does not require any IP... If you do enter an IP it will restrict the rule to that IP / subnet.
_________________
MQ & Broker admin
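
The point in the reply above, shown as an added MQSC example that is not part of the thread or any poster's configuration: a TYPE(USERMAP) rule with no ADDRESS matches from any client address, and adding ADDRESS narrows it to that IP or subnet. The channel name, user IDs and address are constructed placeholders, and CHCKCLNT(REQUIRED) assumes connection authentication is configured on the queue manager.

```mqsc
* Added example. Constructed names: CONSOLE.SVRCONN, jsmith, padmin,
* MQRDONLY, MQADMIN1, 10.20.30.*

* Backstop: any connection on this channel that matches no more
* specific rule below is refused.
SET CHLAUTH('CONSOLE.SVRCONN') TYPE(ADDRESSMAP) +
    ADDRESS('*') USERSRC(NOACCESS) +
    DESCR('Default deny') ACTION(REPLACE)

* USERMAP with no ADDRESS: client user jsmith is mapped to MQRDONLY
* regardless of the IP address the client connects from.
* CLNTUSER is the user ID asserted by the client, so the rule also
* demands a validated user ID and password (assumes CONNAUTH is set up).
SET CHLAUTH('CONSOLE.SVRCONN') TYPE(USERMAP) +
    CLNTUSER('jsmith') USERSRC(MAP) MCAUSER('MQRDONLY') +
    CHCKCLNT(REQUIRED) ACTION(REPLACE)

* Same kind of rule with ADDRESS: padmin is mapped to MQADMIN1 only
* when connecting from 10.20.30.*; from anywhere else this rule does
* not match and the default-deny rule applies.
SET CHLAUTH('CONSOLE.SVRCONN') TYPE(USERMAP) +
    CLNTUSER('padmin') ADDRESS('10.20.30.*') +
    USERSRC(MAP) MCAUSER('MQADMIN1') +
    CHCKCLNT(REQUIRED) ACTION(REPLACE)

* Ask the queue manager which rule would be applied at run time
* for a given address and client user.
DISPLAY CHLAUTH('CONSOLE.SVRCONN') MATCH(RUNCHECK) +
    ADDRESS('10.20.30.5') CLNTUSER('padmin')
DISPLAY CHLAUTH('CONSOLE.SVRCONN') MATCH(RUNCHECK) +
    ADDRESS('192.0.2.44') CLNTUSER('padmin')
```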

cicsprog
Posted: Thu Oct 24, 2024 6:34 am

Partisan

Joined: 27 Jan 2002
Posts: 344

OK. But I need the userid that's inside the PCF messages (altuserid) so I can set MCAUSER so that user specific rules can limit MQ object access. From what I read for SVRCONN you need channel exit on both sides of the connection to possibly do that. The Exit from the client would send along remote-userid.

But, all for naught. We were informed yesterday that all the consultant's SYSPROGs contracts for this customer (all 3 of us lol) will end as of Nov 30th. Unexpected but such is the life.

So as the OWL on the old Tootsie POP commercial used to say "the world may never know".

Appreciate all the input, might be back from another customer's site in next couple of months.

bruce2359
Posted: Thu Oct 24, 2024 9:16 am    Post subject: Re: Change MCAUSER SVRCONN based on AlternateUserID or ???

Poobah

Joined: 05 Jan 2008
Posts: 9445
Location: US: west coast, almost. Otherwise, enroute.

cicsprog wrote:
I need to change MCAUSER on a SVRCONN based on a Network USERID.

Color me confused. By Network USERID do you mean the logged on userid on the client platform that executed the application? Or something else?

Alternate userid is a field in the MQOD used (if authorized) at MQOPEN.
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.

cicsprog
Posted: Thu Oct 24, 2024 9:21 am

Partisan

Joined: 27 Jan 2002
Posts: 344

The distributed side is using LDAP to manage security. When they signon with a network id, that id gets used inside the MQ messages (alternate user). However, the messages as they arrive to the mainframe MCAUSER is mqm.

So how to get ALTERNATE USER as MCAUSER is my quest.

bruce2359
Posted: Thu Oct 24, 2024 10:32 am

Poobah

Joined: 05 Jan 2008
Posts: 9445
Location: US: west coast, almost. Otherwise, enroute.

cicsprog wrote:
The distributed side is using LDAP to manage security.

Good so far, LDAP authenticates client signed-on (network) userid.

cicsprog wrote:
When they signon with a network id, that id gets used inside the MQ messages (alternate user).

In MQ-speak, alternate user has a very different meaning, and specifically relating to an MQ app attempting to MQOPEN an MQ object with a different userid. This is likely not your issue here.

At app execution, the default behavior of MQ internals is to take the signed-on userid and set the MQMD-userid field to that value just before MQPUT. An app may set the MQMD-userid field to any value or no-value, with no additional authority. I'd suggest you look at the app source code to see what, if anything, the app is doing with the MQMD fields.

cicsprog wrote:
However, the messages as they arrive to the mainframe MCAUSER is mqm

Please post the complete definition of the SVRCONN channel used by the app. What is the value of MCAUSER? Take a look at MCAUSER values here https://www.ibm.com/docs/en/ibm-mq/9.2?topic=reference-define-channel-define-new-channel#q085520___mcauser

cicsprog wrote:
So how to get ALTERNATE USER as MCAUSER is my quest

Let's first try to determine what the problem is before crafting a solution. The symptom seems to be that the MQMD-userid field is being set to mqm OR the channel agent at the qmgr is doing so, or some CHLAUTH rule is doing so, OR... - the mystery is how/why/where?

Towards that end, what CHLAUTH records apply to SVRCONN channels?
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.


Last edited by bruce2359 on Thu Oct 24, 2024 3:50 pm; edited 1 time in total

bruce2359
Posted: Thu Oct 24, 2024 1:20 pm

Poobah

Joined: 05 Jan 2008
Posts: 9445
Location: US: west coast, almost. Otherwise, enroute.

cicsprog wrote:
ok. But I need the userid that's inside the PCF messages (altuserid) ...

What PCF messages? Do you mean MQ's Programmable Command Format? Or, something else?
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.

cicsprog
Posted: Fri Oct 25, 2024 6:40 am

Partisan

Joined: 27 Jan 2002
Posts: 344

yes...PCF messages. Vendor code.

fjb_saper
Posted: Fri Oct 25, 2024 9:37 am

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20736
Location: LI,NY

If you mean to say that the messages are put to the distributed and moved via sdr/rcvr channel to the MF, you need to look at your channel set up (put authority context?).
If you did not set anything up, you will get the default userid the process (channel) is running under.
_________________
MQ & Broker admin

bruce2359
Posted: Fri Oct 25, 2024 9:37 am

Poobah

Joined: 05 Jan 2008
Posts: 9445
Location: US: west coast, almost. Otherwise, enroute.

cicsprog wrote:
yes...PCF messages. Vendor code.

I'm feeling a bit dense this morning.

So, you have a vendor app that is doing MQ admin with MQ Programmable Command Format messages... to do what, exactly?

The app executes with mqm admin privilege, yes?
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.

cicsprog
Posted: Fri Oct 25, 2024 10:31 am

Partisan

Joined: 27 Jan 2002
Posts: 344

No Worries. This is again MQ Console. You've probably read the long thread and I opened this one to hopefully get some help and avoid people not wanting to read the really long thread.

To be exact, MQ Console sends "mqm" in MCAUSER. I use CHLAUTH to change that to a known userid in RACF. That userid is always the same for all people wanting to use MQ Console and look at mainframe objects.

I think in the messages sent, MQ's alternative user ID in the messages is set to the userid they used to signon to MQ Console. That's great. But what I can't seem to figure out is the correct combination of MQ attributes that need to be set and/or the RACF resources I'd need to make MQ look at alternative user ID rather than MCAUSER that I changed in CHLAUTH rule.

cicsprog
Posted: Fri Oct 25, 2024 10:57 am

Partisan

Joined: 27 Jan 2002
Posts: 344

I think maybe this is it
https://www.ibm.com/docs/en/ibm-mq/9.2?topic=initiator-channel-example

bruce2359
Posted: Fri Oct 25, 2024 12:53 pm

Poobah

Joined: 05 Jan 2008
Posts: 9445
Location: US: west coast, almost. Otherwise, enroute.

Are these users Read-Only? Did you create a Read-Only console profile?
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.

cicsprog
Posted: Fri Oct 25, 2024 1:54 pm

Partisan

Joined: 27 Jan 2002
Posts: 344

Usual Test vs prod access by user. MQ Console doesn't have a lot of options, for now, but enough to cause havoc.
I've been experimenting with a bunch of options. Just couldn't get what I was looking for as I mentioned above - get RACF to validate against alternate user id. From what that url says, only a few types of objects can be validated.

I'll give what's documented a try and post back. My contract ends for cics and mq ends nov 30th so I better hurry.

bruce2359
Posted: Sun Oct 27, 2024 6:22 am

Poobah

Joined: 05 Jan 2008
Posts: 9445
Location: US: west coast, almost. Otherwise, enroute.

cicsprog wrote:
My contract ends for cics and mq ends nov 30th so I better hurry.

What's next then?
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.