Author |
Message
|
PeterPotkay |
Posted: Tue Apr 19, 2005 6:20 am Post subject: Check it out - new features in z/OS MQ 6.0 |
|
|
Poobah
Joined: 15 May 2001 Posts: 7722
|
|
jefflowrey |
Posted: Tue Apr 19, 2005 6:44 am Post subject: |
|
|
Grand Poobah
Joined: 16 Oct 2002 Posts: 19981
|
This one is cool...
Quote: |
Support for programmable command format (PCF) messages has been added, making it possible to write administration and monitoring programs that are common to z/OS and distributed platforms. |
_________________ I am *not* the model of the modern major general. |
|
PeterPotkay |
Posted: Tue Apr 19, 2005 6:47 am Post subject: |
|
|
Poobah
Joined: 15 May 2001 Posts: 7722
|
I wanna see this in action:
Quote: |
WebSphere MQ can track the route that a message would be expected to take through its network. New flags can request that queue managers that process the message should send back an activity report (for example: which channel, queue manager, and transmission queue have been used).
|
_________________ Peter Potkay
Keep Calm and MQ On |
|
LuisFer |
Posted: Tue Apr 19, 2005 7:20 am Post subject: |
|
|
Partisan
Joined: 17 Aug 2002 Posts: 302
|
3 important features (for me):
Messages 100Mb for Queue Sharing
MQSC DIS CONN
OTMA Suspend/Resume for IMS. |
|
kirani |
Posted: Tue Apr 19, 2005 7:45 pm Post subject: |
|
|
Jedi Knight
Joined: 05 Sep 2001 Posts: 3779 Location: Torrance, CA, USA
|
I was looking forward to this,
Quote: |
The Eclipse-based configuration user interface that is provided by the WebSphere MQ V6.0 product on the Microsoft™ Windows™ and Linux™ x86 platforms can be used to define and manage MQ resources on the z/OS platform. Eclipse is an award-winning, open source platform for the construction of powerful software development tools and rich desktop applications.
|
I hope we can define roles (Admin, Developer, read-only etc) to access queue managers. _________________ Kiran
IBM Cert. Solution Designer & System Administrator - WBIMB V5
IBM Cert. Solutions Expert - WMQI
IBM Cert. Specialist - WMQI, MQSeries
IBM Cert. Developer - MQSeries
|
|
RogerLacroix |
Posted: Tue Apr 19, 2005 8:03 pm Post subject: |
|
|
Jedi Knight
Joined: 15 May 2001 Posts: 3264 Location: London, ON Canada
|
Hi,
Quote: |
I hope we can define roles (Admin, Developer, read-only etc) to access queue managers. |
For Unix, it's called: setmqaut
For z/OS, it's called: RACF (or ACF2 or TopSecret)
Regards,
Roger Lacroix _________________ Capitalware: Transforming tomorrow into today.
Connected to MQ!
Twitter |
|
kirani |
Posted: Tue Apr 19, 2005 9:49 pm Post subject: |
|
|
Jedi Knight
Joined: 05 Sep 2001 Posts: 3779 Location: Torrance, CA, USA
|
I was talking about the GUI tool. For example, to use MQExplorer you have to be a part of MQM group, so we cannot allow developers to use MQExplorer in any environment. _________________ Kiran
IBM Cert. Solution Designer & System Administrator - WBIMB V5
IBM Cert. Solutions Expert - WMQI
IBM Cert. Specialist - WMQI, MQSeries
IBM Cert. Developer - MQSeries
|
|
RogerLacroix |
Posted: Wed Apr 20, 2005 9:03 am Post subject: |
|
|
Jedi Knight
Joined: 15 May 2001 Posts: 3264 Location: London, ON Canada
|
Hi
Quote: |
to use MQExplorer you have to be a part of MQM group, so we cannot allow developers to use MQExplorer in any environment. |
No, that is not entirely true.
Install MQ Server on a user's PC but make sure the mqm group is a local group and then put the UserID 'kirani' (or domain UserID) in the mqm group. Now they have MQ Explorer and they can fully administer only the queue manager(s) on their PC.
Now on another Unix/Linux/Windows server, create a group called 'DEV01' and put the UserID of 'kirani' (or for Windows the domain UserID of 'xxx\kirani').
Now let's assume you want the user to ONLY access queues that begin with ABC in the 'TESTQM' on the remote box, then you set the authority as follows:
Code: |
setmqaut -m TESTQM -t qmgr -g DEV01 +connect +inq
setmqaut -m TESTQM -t q -g DEV01 -n ABC.** +allmqi +dsp
setmqaut -m TESTQM -t q -g DEV01 -n SYSTEM.ADMIN.COMMAND.QUEUE +dsp +inq +put
setmqaut -m TESTQM -t q -g DEV01 -n SYSTEM.DEFAULT.MODEL.QUEUE +dsp +inq +get |
Now issue the REFRESH SECURITY command against the TESTQM and then the user will have limited access to TESTQM queue manager using MQ Explorer.
Regards,
Roger Lacroix
Capitalware Inc. _________________ Capitalware: Transforming tomorrow into today.
Connected to MQ!
Twitter |
|
PeterPotkay |
Posted: Wed Apr 20, 2005 1:08 pm Post subject: |
|
|
Poobah
Joined: 15 May 2001 Posts: 7722
|
Not sure about this...but if you give this ability:
Code: |
setmqaut -m TESTQM -t q -g DEV01 -n SYSTEM.ADMIN.COMMAND.QUEUE +dsp +inq +put
|
doesn't that mean DEV01 can put any message it wants to the command queue? Like delete any queue? Or alter any queue? _________________ Peter Potkay
Keep Calm and MQ On |
|
RogerLacroix |
Posted: Wed Apr 20, 2005 6:30 pm Post subject: |
|
|
Jedi Knight
Joined: 15 May 2001 Posts: 3264 Location: London, ON Canada
|
PeterPotkay wrote: |
Not sure about this...but if you give this ability:
Code: |
setmqaut -m TESTQM -t q -g DEV01 -n SYSTEM.ADMIN.COMMAND.QUEUE +dsp +inq +put
|
doesn't that mean DEV01 can put any message it wants to the command queue? Like delete any queue? Or alter any queue? |
Actually that is one of the big misconceptions about MQ's security. Yes, you are giving the user permission to put a PCF command to the Command Queue but the real question is WILL the command server actually do the command? The answer is 'it depends on if the user has the appropriate MQ privileges'.
Using my earlier example, let's do 3 test cases for user 'kirani' in DEV01 group:
(1) Issue a define queue command for a queue called 'XYZ.Q1' - the Command Server will reject the command.
(2) Issue an alter queue command for a queue called 'ABC.Q1' - the Command Server will reject the command.
(3) Issue display queue command for a queue called 'ABC.Q1' - the command server will process it.
Why:
(1) Rejected because the user has no privileges to queues that begin with 'XYZ'
(2) Rejected because the user has only allmqi privileges to queues but not 'alt' privilege to 'ABC' queues.
(3) Accepted because the user has the 'dsp' privilege for queues that begin with 'ABC'.
Just because a user can write to the Command Server queue does not mean they also get full access to your queue manager!!!
Hope that helps.
Regards,
Roger Lacroix
Capitalware Inc. _________________ Capitalware: Transforming tomorrow into today.
Connected to MQ!
Twitter |
|
fjb_saper |
Posted: Wed Apr 20, 2005 6:43 pm Post subject: |
|
|
Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
RogerLacroix wrote: |
Now let's assume you want the user to ONLY access queues that begin with ABC in the 'TESTQM' on the remote box, then you set the authority as follows:
Code: |
setmqaut -m TESTQM -t qmgr -g DEV01 +connect +inq
setmqaut -m TESTQM -t q -g DEV01 -n ABC.** +allmqi +dsp
setmqaut -m TESTQM -t q -g DEV01 -n SYSTEM.ADMIN.COMMAND.QUEUE +dsp +inq +put
setmqaut -m TESTQM -t q -g DEV01 -n SYSTEM.DEFAULT.MODEL.QUEUE +dsp +inq +get |
Now issue the REFRESH SECURITY command against the TESTQM and then the user will have limited access to TESTQM queue manager using MQ Explorer.
Regards,
|
Roger, is +dsp necessary with +allmqi ? I thought allmqi included dsp...
Well I guess it can't hurt to specify it again...
Thanks
F.J. |
|
RogerLacroix |
Posted: Wed Apr 20, 2005 6:53 pm Post subject: |
|
|
Jedi Knight
Joined: 15 May 2001 Posts: 3264 Location: London, ON Canada
|
Hi,
Quote: |
Roger, is +dsp necessary with +allmqi ? I thought allmqi included dsp... |
No.
allmqi includes the following privileges: altusr, browse, connect, get, inq, put & set
alladm includes the following privileges: chg, clr, crt, dlt & dsp
Regards,
Roger Lacroix _________________ Capitalware: Transforming tomorrow into today.
Connected to MQ!
Twitter |
|
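The two-step check described in this thread (put authority on the command queue, then the sender's own authority on the target object), as an added example that is not part of any post and is not MQ's OAM code. It is a simplified Python model: the `REQUIRED` verb-to-authority mapping and the function names are assumptions, and the `allmqi`/`alladm` expansions are the ones listed in the post above.

```python
import re

# Group expansions exactly as listed in the thread.
ALLMQI = {"altusr", "browse", "connect", "get", "inq", "put", "set"}
ALLADM = {"chg", "clr", "crt", "dlt", "dsp"}

# DEV01 grants from the setmqaut commands in the thread: (type, profile, authorities).
DEV01 = [
    ("qmgr", "TESTQM", {"connect", "inq"}),
    ("q", "ABC.**", ALLMQI | {"dsp"}),
    ("q", "SYSTEM.ADMIN.COMMAND.QUEUE", {"dsp", "inq", "put"}),
    ("q", "SYSTEM.DEFAULT.MODEL.QUEUE", {"dsp", "inq", "get"}),
]

# Assumed mapping from a command verb to the authority checked on the target queue.
REQUIRED = {"DISPLAY": "dsp", "ALTER": "chg", "DELETE": "dlt",
            "CLEAR": "clr", "DEFINE": "crt"}

def _match(pq, nq):
    """Match profile qualifiers against name qualifiers ('.'-separated)."""
    if not pq:
        return not nq
    if pq[0] == "**":  # zero or more whole qualifiers
        return any(_match(pq[1:], nq[i:]) for i in range(len(nq) + 1))
    if not nq:
        return False
    # '*' = any run of characters, '?' = one character, within one qualifier
    pat = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                  for c in pq[0])
    return re.fullmatch(pat, nq[0]) is not None and _match(pq[1:], nq[1:])

def profile_matches(profile, name):
    return _match(profile.split("."), name.split("."))

def authorities(grants, obj_type, name):
    # No two profiles in this sample overlap, so choosing between several
    # matching profiles is not modelled here.
    for t, profile, auths in grants:
        if t == obj_type and profile_matches(profile, name):
            return auths
    return set()

def command_server_allows(grants, verb, queue):
    # Step 1: the sender must be able to put to the command queue at all.
    if "put" not in authorities(grants, "q", "SYSTEM.ADMIN.COMMAND.QUEUE"):
        return False
    # Step 2: the command is checked against the sender's authority on the target.
    return REQUIRED[verb] in authorities(grants, "q", queue)
```

Dropping `dsp` from the `ABC.**` grant makes the display case fail as well, which is why `+dsp` is specified alongside `+allmqi`.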
mapi |
Posted: Thu Apr 21, 2005 2:44 am Post subject: testsubj |
|
|
Newbie
Joined: 21 Apr 2005 Posts: 3
|
hello
has anybody an idea, what the new function
Granularity for Passticket security validation is improved
means ?
and, that's maybe my problem,
what is a passticket on z/OS ?
thanks
mapi |
|
javagate |
Posted: Thu Apr 21, 2005 10:02 am Post subject: |
|
|
Disciple
Joined: 15 Nov 2004 Posts: 159
|
Thanks for the heads up for the Announcement Letter z/OS.... But regarding this feature "New status information shows whether messages are being processed or are being delayed, and indicates potential delay points" on z/OS, it seems to me this may not come with the base product (extra feature, extra charge?). I assume it's part of one of the Candle products. Seems like a great diagnostics feature. _________________ WebSphere Application Server 7.0 z/OS &
MQ 6.0. I work with WebSphere in the real world not in some IBM lab. |
|
PeterPotkay |
Posted: Thu Apr 21, 2005 1:01 pm Post subject: |
|
|
Poobah
Joined: 15 May 2001 Posts: 7722
|
Yeah, that looks interesting. Looks like no more playing around with the put time and the expiry trying to guess how long a message has been sitting on a queue. _________________ Peter Potkay
Keep Calm and MQ On |
|