SamuelRaj
Posted: Mon Nov 18, 2024 10:46 pm Post subject: IBM ACE Queue Based Authorization Issue
Newbie
Joined: 14 Nov 2024 Posts: 3

Hi,
We have been trying to do Queue Based Authorizations in IBM App Connect v13.
OS: RHEL 9.4
MQ: IBM MQ 9.4.0.0 LTS
ACE: App Connect version 13.0.1.0
Firstly we created an integration node (NODE) with a queue manager (QM) and an Execution Group (EG) and enabled the authorizations by the mqsichangeauthmode command:
mqsichangeauthmode NODE -s active -m mq
Then we created a user 'bob', updated his bash profile with the mqsiprofile, and gave him the authorizations to the queue manager and the Authorization Queues:
setmqaut -m QM -t qmgr -p bob +connect +inq
setmqaut -m QM -t queue -n SYSTEM.BROKER.AUTH -p bob +put +inq +set
setmqaut -m QM -t queue -n SYSTEM.BROKER.AUTH.EG -p bob +put +inq +set
setmqaut -m QM -t queue -n SYSTEM.BROKER.DC.AUTH -p bob +put +inq +set
setmqaut -m QM -t queue -n SYSTEM.BROKER.DC.AUTH.EG -p bob +put +inq +set
And now we are giving the permission for the other users for the /var/mqsi directory (chmod -R 777 /var/mqsi), and afterwards the user 'bob' is able to list with the mqsilist command and deploy a bar file in the Node.
Now we removed his permissions for all the Authorization Queues:
setmqaut -m QM -t queue -n SYSTEM.BROKER.AUTH -p bob -put -inq -set
setmqaut -m QM -t queue -n SYSTEM.BROKER.AUTH.EG -p bob -put -inq -set
setmqaut -m QM -t queue -n SYSTEM.BROKER.DC.AUTH -p bob -put -inq -set
setmqaut -m QM -t queue -n SYSTEM.BROKER.DC.AUTH.EG -p bob -put -inq -set
We refreshed the Queue Manager and the security. Now, according to IBM documentation, the user 'bob' should not be able to deploy the bar file. But user 'bob' is still able to deploy and perform all the actions on the NODE. Only after we restart the queue manager does the Integration Node reject the deployment request.
We observed that when we give the permissions (o+rwx) to the file (/var/mqsi/NODE.uds) which is a soft link to other users, we are able to deploy the bar file, and after we restart the Queue Manager the permissions of the file are changed again to zero. And when this file doesn't have the permissions, the node rejects the deployment request despite having all the permissions for the Authorization Queues.
We did the same setup in IIBv10 and we observed that as soon as the Queue Permissions are revoked, the broker rejects the deployment request stating the user id lacks permissions. So is there a difference in the new App Connect versions?
Pls let us know if we are missing something or we are doing anything wrong, and what is the NODE.uds file, and most importantly what permissions should be given to the /var/mqsi for a user who is not part of the mqbrkrs group to be able to do the roles properly without any permission errors.
 |
bruce2359
Posted: Tue Nov 19, 2024 5:08 am Post subject:
Poobah
Joined: 05 Jan 2008 Posts: 9469 Location: US: west coast, almost. Otherwise, enroute.

MQ automatically folds names into upper-case.
Try enclosing the name bob in quotes to preserve lower-case or mixed-case names.
setmqaut -m QM -t qmgr -p 'bob' +connect +inq
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
 |
gbaddeley
Posted: Tue Nov 19, 2024 7:59 pm Post subject:
Jedi Knight
Joined: 25 Mar 2003 Posts: 2538 Location: Melbourne, Australia

setmqaut -p and -g are not case folded, I have used them many times with lower case names.
Note that MQ authority failures appear in the qmgr error logs. It shows the object, principal and the required authority.
Quote:
    after we restart the Queue Manager the permissions of the file are changed again to zero
Restarting a qmgr does not modify any file permissions. Something else must be doing it?
_________________
Glenn
 |
SamuelRaj
Posted: Wed Nov 27, 2024 1:06 am Post subject: IBM ACE Queue Based Authorization Issue
Newbie
Joined: 14 Nov 2024 Posts: 3

Hello,
I have tried to use the quotes to enclose the name bob, but still it's the same issue.
And there are no authorization failures appearing in the queue manager error logs either.
gbaddeley wrote:
    setmqaut -p and -g are not case folded, I have used them many times with lower case names.
    Note that MQ authority failures appear in the qmgr error logs. It shows the object, principal and the required authority.
 |
fjb_saper
Posted: Fri Nov 29, 2024 5:29 am Post subject: Re: IBM ACE Queue Based Authorization Issue
Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY

SamuelRaj wrote:
    Hello,
    I have tried to use the quotes to enclose the name bob, but still it's the same issue.
    And there are no authorization failures appearing in the queue manager error logs either.
    gbaddeley wrote:
        setmqaut -p and -g are not case folded, I have used them many times with lower case names.
        Note that MQ authority failures appear in the qmgr error logs. It shows the object, principal and the required authority.
The question you need to ask yourself is did you set up the authorizations at the user level in qm.ini?
By default MQ authorizations in Unix/Linux are granted at the group level. So removing the authorizations from user bob means nothing as you granted them to bob's primary group when granting at the user level without having set authorization at the user level in qm.ini ...
_________________
MQ & Broker admin
 |
SamuelRaj
Posted: Mon Dec 02, 2024 2:37 am Post subject: Re: IBM ACE Queue Based Authorization Issue
Newbie
Joined: 14 Nov 2024 Posts: 3

I have tried to do it with the group option too, but still the queue based security is not working. The Authorizations are set properly; I have confirmed them with the dspmqaut command.
According to IBM Documentation it should work like this: as soon as the queue permissions are revoked and the securities are refreshed, the group or principal should not be able to do the deployment or other actions on the broker. And this is working in IIB: as soon as I remove the permissions I get an error that the entity is not authorized to perform the action. Now in App Connect I am not getting that response.
 |
fjb_saper
Posted: Mon Dec 02, 2024 1:47 pm Post subject: Re: IBM ACE Queue Based Authorization Issue
Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY

SamuelRaj wrote:
    I have tried to do it with the group option too, but still the queue based security is not working. The Authorizations are set properly; I have confirmed them with the dspmqaut command.
    According to IBM Documentation it should work like this: as soon as the queue permissions are revoked and the securities are refreshed, the group or principal should not be able to do the deployment or other actions on the broker. And this is working in IIB: as soon as I remove the permissions I get an error that the entity is not authorized to perform the action. Now in App Connect I am not getting that response.
Don't use dspmqaut to verify. Using dmpmqaut is preferred.
You'd have to show us the authorizations, how you set them and how you removed them. Don't forget to look at all the group membership of the user.
If authorizations have been granted to the staff group, and all users are part of staff, then any user has the rights to deploy. Don't forget to refresh security, if a user changed group membership as the authorizations get cached...
_________________
MQ & Broker admin
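
The two checks suggested in fjb_saper's replies (which policy qm.ini sets for the authorization service, and which dmpmqaut records still cover the user through a group), as an added example that is not part of the thread. The function names are hypothetical, and the qm.ini and dmpmqaut text is constructed sample input laid out like the real files, with bob assumed to be a member of the groups bob and staff.

```shell
#!/bin/sh
# Added example: bob, staff and both sample files are constructed;
# the function names are hypothetical.

# Print SecurityPolicy from qm.ini ("default" = absent, group-based on Linux).
authsvc_policy() {
  awk '/^[A-Za-z]+:/ { svc = ($1 == "Service:") }
       svc && /SecurityPolicy[ \t]*=/ { sub(/.*=[ \t]*/, ""); p = tolower($1) }
       END { print (p == "" ? "default" : p) }' "$1"
}

# From dmpmqaut output, print each record that still authorizes USER,
# as a principal or through one of GROUPS (take them from `id -Gn USER`).
effective_grants() {  # effective_grants DUMPFILE USER "GROUPS"
  awk -v user="$2" -v grps="$3" '
    BEGIN { n = split(grps, g, " "); for (i = 1; i <= n; i++) member[g[i]] = 1 }
    /^profile:/     { prof = $2 }
    /^entity:/      { ent = $2 }
    /^entity type:/ { typ = $3 }
    /^authority:/   { sub(/^authority:[ \t]*/, "")
      hit = (typ == "principal" && ent == user) || (typ == "group" && (ent in member))
      if (hit && $0 != "none") print prof, typ, ent, $0 }' "$1"
}

write_samples() {  # constructed inputs, laid out like qm.ini and dmpmqaut output
  cat > "$1/qm.ini" <<'EOF'
Service:
   Name=AuthorizationService
   EntryPoints=14
ServiceComponent:
   Service=AuthorizationService
EOF
  cat > "$1/dump.txt" <<'EOF'
profile:     SYSTEM.BROKER.AUTH
object type: queue
entity:      bob
entity type: group
authority:   none
- - - - - - - -
profile:     SYSTEM.BROKER.AUTH
object type: queue
entity:      staff
entity type: group
authority:   inq put set
EOF
}
tmp=$(mktemp -d) && write_samples "$tmp"
echo "policy: $(authsvc_policy "$tmp/qm.ini")"
effective_grants "$tmp/dump.txt" bob "bob staff"
rm -rf "$tmp"
```

On a real system the dump file would come from `dmpmqaut -m QM -t queue -n SYSTEM.BROKER.AUTH` and the group list from `id -Gn bob`; any line the second function prints is an authorization that survives a revoke issued only against bob.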