A few Client connection Questions

kevinf2349
Posted: Thu Apr 29, 2004 6:21 am    Post subject: A few Client connection Questions
Grand Master
Joined: 28 Feb 2003    Posts: 1311    Location: USA
I have been trying to get a Windows V5.2.1 Client working. The target is a Windows 2K 5.3 CSD05 system. We use Active Directory.
I am not 100% familiar with the NT user permissions... and before you all freak out, this is not exactly a 2035 question!
I can get the Client working, but only if I code their (or another Admin userid) in the MCA Userid field on the SVRCONN.
The userid is defined in both the Local machine and in Active Directory with Admin authority.
We have no security exit in place on this box, and their userid is, as I have stated, defined on the local box with Admin authority.
If I don't code the MCAUserid, the error message implies the user doesn't have sufficient authority to connect (2035).
What is puzzling me is that the manual states that if the userid fields are to be derived from the userid that started the server-connection channel, then the id that is used for TCP/IP (non z/OS) is the userid from the inetd.conf entry or the userid that started the listener.
How do you tell who started the listener?
Where is inetd.conf?
In the short term I have defined the server-conn with a userid that has MQ authority, but this seems to me to be a security exposure.
I don't understand why the locally defined userid isn't being picked up and used if we don't have an MCAUser specified, and why, if we hard code the same userid in the serv-conn def, it works fine.
What am I missing?
mqonnet
Posted: Thu Apr 29, 2004 7:06 am    Post subject:
Grand Master
Joined: 18 Feb 2002    Posts: 1114    Location: Boston, Ma, Usa.
Kevin, looks a little odd to me. As you said, missing something somewhere.
Could you issue a setmqaut -... -t qmgr and -t q (of course, if you get 2035 on open and not on connect) for the qm and the userid in question and post it here.
The listener process always runs with the same userid that started it. Usually it would be the one who started the qm. On Windows, I don't think one could start the listener process with any other userid than the logged-on userid.
Make sure that you got the case right when defining principals/userids, and double check their authorizations to access qm/queues.
Cheers
Kumar
PeterPotkay
Posted: Thu Apr 29, 2004 12:29 pm    Post subject:
Poobah
Joined: 15 May 2001    Posts: 7722
Kevin, you might be hitting a problem I grappled with. Good old Windows Security.
Say your ID is ABCDEF. If you log onto the client machine as ABCDEF but in domain 123, the ID that Windows will flow over to the server is really 123 / ABCDEF.
So if you leave the MCAUSER blank, the QM does security checking against 123 / ABCDEF.
If you gave authority on the MQ server to ABCDEF, that is not a match! 123/ABCDEF does not equal ABCDEF. But if you hardcode ABCDEF in the MCAUSER, you get the match. What is the real kick in the teeth is when you do try and authenticate 123/ABCDEF, the error logs only show it as ABCDEF. Oh my gawd is that confusing!!!
Define the user on the MQ server as a domain user (123/ABCDEF), give that user the MQ rights with setmqaut (you must do it again even if you previously ran the commands against ABCDEF), and you should be all set.
Here are the gory details in a related post:
http://www.mqseries.net/phpBB2/viewtopic.php?t=11771&highlight=security
Hopefully this is the problem.
_________________
Peter Potkay
Keep Calm and MQ On
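Added example (not from either poster) of the fix Peter describes, done from the defender's side: clear the admin ID out of MCAUSER so the queue manager checks the connecting user's own identity, grant that domain-qualified principal only what its client needs, and verify with dspmqaut. QM1, APP.SVRCONN, APP.REQUEST and ABCDEF@123 are placeholder names; user@domain is the form setmqaut on Windows takes for a domain user.

```powershell
# Added example: grant the client's *domain* identity least-privilege access
# instead of hard-coding an admin ID in MCAUSER. Names are placeholders:
#   QM1          queue manager
#   APP.SVRCONN  server-connection channel the client uses
#   APP.REQUEST  the only queue this client should put to
#   ABCDEF@123   user ABCDEF in domain 123 (setmqaut's user@domain form)

$qm   = 'QM1'
$chl  = 'APP.SVRCONN'
$q    = 'APP.REQUEST'
$user = 'ABCDEF@123'

# 1. Blank out MCAUSER so the identity the client flows (domain/user, as
#    Peter notes) is what the queue manager authorizes, not an admin ID.
"ALTER CHANNEL($chl) CHLTYPE(SVRCONN) MCAUSER(' ')" | runmqsc $qm

# 2. Connect-level authority on the queue manager object. A 2035 at
#    MQCONN means this is what is missing for the principal as flowed.
setmqaut -m $qm -t qmgr -p $user +connect +inq

# 3. Object-level authority on just the queue the application uses.
#    A 2035 at MQOPEN rather than MQCONN points here instead.
setmqaut -m $qm -t q -n $q -p $user +put

# 4. Verify what the domain principal actually holds. Earlier grants made
#    to plain ABCDEF do not apply to ABCDEF@123, so check this form.
dspmqaut -m $qm -t qmgr -p $user
dspmqaut -m $qm -t q -n $q -p $user
```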