cicsprog
Posted: Tue Oct 22, 2024 10:34 am    Post subject: Change MCAUSER SVRCONN based on AlternateUserID or ???
Partisan
Joined: 27 Jan 2002    Posts: 344
I need to change MCAUSER on a SVRCONN based on a network userid.
Does anyone do that? I assume a channel exit or CCDT table is probably the only way. I don't see that CHLAUTH works unless you have a static IP.
fjb_saper
Posted: Thu Oct 24, 2024 5:15 am    Post subject: Re: Change MCAUSER SVRCONN based on AlternateUserID or ???
Grand High Poobah
Joined: 18 Nov 2003    Posts: 20736    Location: LI,NY
cicsprog wrote:
    I need to change MCAUSER on a SVRCONN based on a network userid.
    Does anyone do that? I assume a channel exit or CCDT table is probably the only way. I don't see that CHLAUTH works unless you have a static IP.

No, the USERMAP does not require any IP. If you do enter an IP, it will restrict the rule to that IP/subnet.
_________________
MQ & Broker admin
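The USERMAP behaviour fjb_saper describes, written out as an added MQSC example; this is not from the thread or from either poster. The channel name APP.SVRCONN, the AUTHINFO name, the client user IDs alice and bob, the mapped IDs RACFAL01 and RACFBO01, and the addresses are assumptions for illustration. The point a practitioner should not skip: a USERMAP rule keyed on CLNTUSER matches whatever user ID the client asserts, so it only carries security weight when connection authentication (CONNAUTH) actually validates that ID; with ADOPTCTX(YES) the validated MQCSP user ID is what the USERMAP rule matches on.

```mqsc
* Added example, not from the thread. Object names, user IDs and addresses
* below are assumptions for illustration.

* 1. Do not trust the client-asserted ID on its own: require a user ID and
*    password on every client connection and adopt the validated ID as the
*    identity CHLAUTH sees in CLNTUSER.
DEFINE AUTHINFO('CONNAUTH.OS') AUTHTYPE(IDPWOS) CHCKCLNT(REQUIRED) ADOPTCTX(YES) REPLACE
ALTER QMGR CONNAUTH('CONNAUTH.OS')
REFRESH SECURITY TYPE(CONNAUTH)

* 2. Refuse the platform admin group outright on this channel (the default
*    CHLAUTH(*) BLOCKUSER rule already does this; stating it per channel keeps
*    it visible when someone later edits the rule set).
SET CHLAUTH('APP.SVRCONN') TYPE(BLOCKUSER) USERLIST('*MQADMIN') ACTION(REPLACE)

* 3. USERMAP with no ADDRESS keyword: matches alice from any address.
SET CHLAUTH('APP.SVRCONN') TYPE(USERMAP) CLNTUSER('alice') USERSRC(MAP) MCAUSER('RACFAL01') ACTION(REPLACE)

* 4. The same shape of rule with ADDRESS: matches bob only from 10.1.2.x.
*    From anywhere else this rule does not match and evaluation falls through.
SET CHLAUTH('APP.SVRCONN') TYPE(USERMAP) CLNTUSER('bob') ADDRESS('10.1.2.*') USERSRC(MAP) MCAUSER('RACFBO01') ACTION(REPLACE)

* 5. Catch-all so an unmatched connection is rejected instead of quietly
*    running under the channel's own MCAUSER default.
SET CHLAUTH('APP.SVRCONN') TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(NOACCESS) ACTION(REPLACE)

* 6. Dry-run the rule set before trusting it. Expected: alice maps to RACFAL01
*    from 192.0.2.10; bob from 192.0.2.10 misses rule 4 and hits the NOACCESS
*    catch-all; bob from 10.1.2.7 maps to RACFBO01.
DISPLAY CHLAUTH('APP.SVRCONN') MATCH(RUNCHECK) CLNTUSER('alice') ADDRESS('192.0.2.10')
DISPLAY CHLAUTH('APP.SVRCONN') MATCH(RUNCHECK) CLNTUSER('bob')   ADDRESS('192.0.2.10')
DISPLAY CHLAUTH('APP.SVRCONN') MATCH(RUNCHECK) CLNTUSER('bob')   ADDRESS('10.1.2.7')
```

MATCH(RUNCHECK) evaluates the rules exactly as a real inbound connection would, so run it for each (user, address) pair you care about, including the ones you expect to be refused, before opening the channel to clients. MCAUSER values must be valid user IDs on the queue manager's platform (on z/OS, RACF IDs of at most eight characters).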
cicsprog
Posted: Thu Oct 24, 2024 6:34 am    Post subject:
Partisan
Joined: 27 Jan 2002    Posts: 344
OK. But I need the userid that's inside the PCF messages (altuserid) so I can set MCAUSER so that user-specific rules can limit MQ object access. From what I read, for SVRCONN you need a channel exit on both sides of the connection to possibly do that. The exit from the client would send along the remote userid.
But, all for naught. We were informed yesterday that all the consultant SYSPROG contracts for this customer (all 3 of us, lol) will end as of Nov 30th. Unexpected, but such is the life.
So, as the owl in the old Tootsie Pop commercial used to say, "the world may never know".
Appreciate all the input; might be back from another customer's site in the next couple of months.
bruce2359
Posted: Thu Oct 24, 2024 9:16 am    Post subject: Re: Change MCAUSER SVRCONN based on AlternateUserID or ???
Poobah
Joined: 05 Jan 2008    Posts: 9445    Location: US: west coast, almost. Otherwise, enroute.
cicsprog wrote:
    I need to change MCAUSER on a SVRCONN based on a network userid.

Color me confused. By "network userid" do you mean the logged-on userid on the client platform that executed the application? Or something else?
Alternate userid is a field in the MQOD used (if authorized) at MQOPEN.
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
cicsprog
Posted: Thu Oct 24, 2024 9:21 am    Post subject:
Partisan
Joined: 27 Jan 2002    Posts: 344
The distributed side is using LDAP to manage security. When they sign on with a network id, that id gets used inside the MQ messages (alternate user). However, when the messages arrive at the mainframe, MCAUSER is mqm.
So how to get ALTERNATE USER as MCAUSER is my quest.
bruce2359
Posted: Thu Oct 24, 2024 10:32 am    Post subject:
Poobah
Joined: 05 Jan 2008    Posts: 9445    Location: US: west coast, almost. Otherwise, enroute.
cicsprog wrote:
    The distributed side is using LDAP to manage security.

Good so far; LDAP authenticates the client's signed-on (network) userid.

cicsprog wrote:
    When they sign on with a network id, that id gets used inside the MQ messages (alternate user).

In MQ-speak, "alternate user" has a very different meaning, specifically relating to an MQ app attempting to MQOPEN an MQ object with a different userid. This is likely not your issue here.
At app execution, the default behavior of MQ internals is to take the signed-on userid and set the MQMD UserIdentifier field to that value just before MQPUT. An app may set the MQMD UserIdentifier field to any value or no value, with no additional authority. I'd suggest you look at the app source code to see what, if anything, the app is doing with the MQMD fields.

cicsprog wrote:
    However, when the messages arrive at the mainframe, MCAUSER is mqm.

Please post the complete definition of the SVRCONN channel used by the app. What is the value of MCAUSER? Take a look at MCAUSER values here: https://www.ibm.com/docs/en/ibm-mq/9.2?topic=reference-define-channel-define-new-channel#q085520___mcauser

cicsprog wrote:
    So how to get ALTERNATE USER as MCAUSER is my quest.

Let's first try to determine what the problem is before crafting a solution. The symptom seems to be that the MQMD UserIdentifier field is being set to mqm, OR the channel agent at the qmgr is doing so, OR some CHLAUTH rule is doing so, OR... The mystery is how/why/where?
Towards that end, what CHLAUTH records apply to SVRCONN channels?
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
Last edited by bruce2359 on Thu Oct 24, 2024 3:50 pm; edited 1 time in total
bruce2359
Posted: Thu Oct 24, 2024 1:20 pm    Post subject:
Poobah
Joined: 05 Jan 2008    Posts: 9445    Location: US: west coast, almost. Otherwise, enroute.
cicsprog wrote:
    OK. But I need the userid that's inside the PCF messages (altuserid) ...

What PCF messages? Do you mean MQ's Programmable Command Format? Or something else?
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
cicsprog
Posted: Fri Oct 25, 2024 6:40 am    Post subject:
Partisan
Joined: 27 Jan 2002    Posts: 344
Yes... PCF messages. Vendor code.
fjb_saper
Posted: Fri Oct 25, 2024 9:37 am    Post subject:
Grand High Poobah
Joined: 18 Nov 2003    Posts: 20736    Location: LI,NY
If you mean to say that the messages are put on the distributed side and moved via a SDR/RCVR channel to the MF, you need to look at your channel setup (put authority: context?).
If you did not set anything up, you will get the default userid the process (channel) is running under.
_________________
MQ & Broker admin
bruce2359
Posted: Fri Oct 25, 2024 9:37 am    Post subject:
Poobah
Joined: 05 Jan 2008    Posts: 9445    Location: US: west coast, almost. Otherwise, enroute.
cicsprog wrote:
    Yes... PCF messages. Vendor code.

I'm feeling a bit dense this morning.
So, you have a vendor app that is doing MQ admin with MQ Programmable Command Format messages... to do what, exactly?
The app executes with mqm admin privilege, yes?
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
cicsprog
Posted: Fri Oct 25, 2024 10:31 am    Post subject:
Partisan
Joined: 27 Jan 2002    Posts: 344
No worries. This is again MQ Console. You've probably read the long thread, and I opened this one to hopefully get some help and avoid people not wanting to read the really long thread.
To be exact, MQ Console sends "mqm" in MCAUSER. I use CHLAUTH to change that to a known userid in RACF. That userid is always the same for all people wanting to use MQ Console and look at mainframe objects.
I think in the messages sent, MQ's alternate user ID in the messages is set to the userid they used to sign on to MQ Console. That's great. But what I can't seem to figure out is the correct combination of MQ attributes that need to be set and/or the RACF resources I'd need to make MQ look at the alternate user ID rather than the MCAUSER that I changed in the CHLAUTH rule.
bruce2359
Posted: Fri Oct 25, 2024 12:53 pm    Post subject:
Poobah
Joined: 05 Jan 2008    Posts: 9445    Location: US: west coast, almost. Otherwise, enroute.
Are these users read-only? Did you create a read-only console profile?
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
cicsprog
Posted: Fri Oct 25, 2024 1:54 pm    Post subject:
Partisan
Joined: 27 Jan 2002    Posts: 344
Usual test vs. prod access by user. MQ Console doesn't have a lot of options, for now, but enough to cause havoc.
I've been experimenting with a bunch of options. Just couldn't get what I was looking for, as I mentioned above: get RACF to validate against the alternate user id. From what that URL says, only a few types of objects can be validated.
I'll give what's documented a try and post back. My contract for CICS and MQ ends Nov 30th, so I better hurry.
bruce2359
Posted: Sun Oct 27, 2024 6:22 am    Post subject:
Poobah
Joined: 05 Jan 2008    Posts: 9445    Location: US: west coast, almost. Otherwise, enroute.
cicsprog wrote:
    My contract for CICS and MQ ends Nov 30th, so I better hurry.

What's next then?
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.