WMQTool
bdrummond
Posted: Wed Aug 04, 2004 7:00 am    Post subject: WMQTool

Disciple

Joined: 06 May 2004
Posts: 164

I am trying to enable access to several of our Queue Managers via the freeware software WMQTool; however, I have come across a security issue.
WMQTool connects to a QM via a SVRCONN channel with the same name as the QM. We have set the MCA user for this channel as (for example) 'WMQTool'.
The SYSTEM.ADMIN.COMMAND.QUEUE has 'setmqaut' options for this user of +all. Without this, WMQTool believes that the command server is not running.
The SYSTEM.DEFAULT.MODEL.QUEUE has the following 'setmqaut' options: +allmqi +alladm -passid -passall -setid -setall.
Connection is made via WMQTool; however, all users have full access to local queues (create, delete, put etc.), although the 'WMQTool' user does not have any other local authorities issued on the QM (excluding the above).
I only want users connecting via this tool to be able to browse messages.
Is there any way to do this or should I just block all access via this tool?

The authority options within WMQTool do not help, as users are able to remove and re-install the application, therefore resetting any security measures previously set up.

Any ideas would be very helpful.

Thanks.
PeterPotkay
Posted: Wed Aug 04, 2004 7:06 am

Poobah

Joined: 15 May 2001
Posts: 7722

Quote:

The SYSTEM.ADMIN.COMMAND.QUEUE has 'setmqaut' options for this user of +all. Without this, WMQTool believes that the command server is not running.


If this is really true, then you are stuck giving any user of the tool +all.

Have you tried +all, and then subtracting permissions one by one to see at what point it stops working?
_________________
Peter Potkay
Keep Calm and MQ On
bdrummond
Posted: Wed Aug 04, 2004 7:16 am

Disciple

Joined: 06 May 2004
Posts: 164

Unfortunately, it seems as if the application is unable to connect (just hangs) whenever anything is taken away via the setmqaut command for the SYSTEM.ADMIN.COMMAND.QUEUE.
RogerLacroix
Posted: Wed Aug 04, 2004 7:54 am

Jedi Knight

Joined: 15 May 2001
Posts: 3264
Location: London, ON Canada

Hi,

It is probably trying to inquire on 'SYSTEM.ADMIN.COMMAND.QUEUE' queue's attributes.

Try adding +inq to both the connection level and queue level for the UserID or Group access.

Have you looked at other tools that ONLY provide the ability to browse messages in a queue?

Regards,
Roger Lacroix
Capitalware Inc.
_________________
Capitalware: Transforming tomorrow into today.
Connected to MQ!
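
For the browse-only goal in the original question, a check that can be run per local queue (an added example, not part of any post in this thread): it reads a dspmqaut listing and builds the setmqaut command that removes everything outside a browse-plus-inq baseline. The baseline, the names QM1 and APP.LOCAL.QUEUE, and the sample listing are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: compare a principal's OAM authorities on a queue with a
# browse-only baseline and build the setmqaut command that revokes the rest.

# Baseline for a browse-only user on a queue (assumption: browse plus inq,
# following the +inq suggestion made in the thread).
BROWSE_ONLY="browse inq"

# excess_auths ALLOWED < dspmqaut-output
# Prints, one per line, every listed authority that is not in ALLOWED.
excess_auths() {
    allowed=" $1 "
    while read -r auth rest; do
        # Skip blank lines and the "Entity ... has the following ..." header.
        [ -n "$auth" ] && [ -z "$rest" ] || continue
        case "$allowed" in
            *" $auth "*) ;;                 # within the baseline
            *) printf '%s\n' "$auth" ;;     # beyond browse-only
        esac
    done
}

# revoke_cmd QMGR QUEUE PRINCIPAL < dspmqaut-output
# Prints a setmqaut command removing the excess authorities, or nothing
# when the principal is already within the baseline.
revoke_cmd() {
    minus=$(excess_auths "$BROWSE_ONLY" | sed 's/^/-/' | tr '\n' ' ')
    [ -n "$minus" ] || return 0
    printf 'setmqaut -m %s -n %s -t queue -p %s %s\n' "$1" "$2" "$3" "${minus% }"
}

# Constructed sample in the layout dspmqaut prints; QM1 and APP.LOCAL.QUEUE
# are placeholder names.
sample_listing() {
    cat <<'EOF'
Entity WMQTool has the following authorizations for object APP.LOCAL.QUEUE:
        get
        browse
        put
        inq
        dlt
EOF
}

# Live use (requires MQ): dspmqaut -m QM1 -n APP.LOCAL.QUEUE -t queue \
#   -p WMQTool | revoke_cmd QM1 APP.LOCAL.QUEUE WMQTool
sample_listing | revoke_cmd QM1 APP.LOCAL.QUEUE WMQTool
```

On UNIX systems the OAM holds authorities per group, so `-p` changes the principal's primary group; a principal that belongs to the `mqm` group keeps full administrative access regardless of these settings.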
neelatul
Posted: Thu Aug 05, 2004 7:52 am

Novice

Joined: 29 Jul 2002
Posts: 17

Did you install the Security Exit? Without installing the Security Exit you cannot restrict your users. Precisely, what you should do is this:

1. Install the server-side Security Exit (SecExit.dll) on the MQ Server and provide the Security Exit Name "SecExit(CHANNELEXIT)" in the Server Connection channel.
2. Provide +all authority to the 'WMQTool' userid.
3. Revoke all the authorities (-all) from the user. This is necessary because now he/she cannot create his key/shared file on his own. If this user is running any application, provide him with 'connect' on the queue manager and +get and +put on the queues of interest.
4. Create a key file for that user or a shared file. Provide the userid 'WMQTool' with password in it. WMQTool uses it to connect to the queue manager. Select authorities for ONLY browsing the messages from WMQTool. You may want to refer to the WMQTool documentation for it.
5. If you created a key file, install it on the user's computer under the WMQTool directory. If it is a shared file, ask the user to 'Set Authority File' by selecting the menu option 'Tools/Set Authority File'.
6. Test it.

- Atul