csaunders (Acolyte; Joined: 27 Mar 2003; Posts: 64; Location: Arlington, Va)
Posted: Mon May 16, 2005 3:33 pm    Post subject: MQ explorer security
I'm getting an AMQ4036 error when using MQ Explorer to connect to Solaris 5.9. We're using MQSeries 5.3.
1) My Windows user name is csaunder; I have a UNIX account csaunder in the mqm group.
2) I created the CHANNEL(SYSTEM.ADMIN.SVRCONN) CHLTYPE(SVRCONN) MCAUSER(mqm) on the queue manager USVAS01.QM.
Is there anything else I could be missing?
mq_crazy (Master; Joined: 30 Jun 2004; Posts: 295)
Posted: Mon May 16, 2005 3:54 pm
Make sure the command server is running.
csaunders (Acolyte; Joined: 27 Mar 2003; Posts: 64; Location: Arlington, Va)
Posted: Mon May 16, 2005 4:16 pm
How do I confirm that it is running?
mq_crazy (Master; Joined: 30 Jun 2004; Posts: 295)
Posted: Mon May 16, 2005 4:40 pm
dspmqcsv qm
where qm is your queue manager name.
RogerLacroix (Jedi Knight; Joined: 15 May 2001; Posts: 3264; Location: London, ON Canada)
Posted: Mon May 16, 2005 7:12 pm
Hi,
Quote:
    2)I created the CHANNEL(SYSTEM.ADMIN.SVRCONN) CHLTYPE(SVRCONN) MCAUSER(mqm), On the qmanager USVAS01.QM
Do you actually know what you have done????
First off, you are attempting to set the channel's UserID to mqm. That means ANYBODY connecting on that channel will get full access. This is absolutely the worst thing you could do for securing the queue manager.
Secondly, but even funnier, you shot yourself in the foot because you do not understand how runmqsc works. runmqsc will uppercase all fields that are not between quotes. Therefore, since you put MCAUSER(mqm) and not MCAUSER('mqm'), you will get a 2035 (not authorized) message (because MQM is not the same UserID as mqm).
Define your channel as follows:
Code:
    define CHANNEL(SYSTEM.ADMIN.SVRCONN) CHLTYPE(SVRCONN) MCAUSER(' ')
Then issue the REFRESH SECURITY command via runmqsc.
Finally, I would strongly suggest that you use some sort of security exit to manage users who are connecting to the queue manager.
Regards,
Roger Lacroix
Capitalware Inc.
_________________
Capitalware: Transforming tomorrow into today.
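The two points Roger makes here (runmqsc upper-cases any value not enclosed in single quotes, and a SVRCONN whose MCAUSER is an administrative id hands full access to every client on that channel) can be checked before a definition is ever run. The following Python is an added example, not code from the thread, from IBM or from Capitalware. parse_mqsc and audit_svrconn are hypothetical helper names; the parser applies the MQSC quoting rule (unquoted values are folded to upper case, single-quoted values are kept as typed, and a doubled '' inside quotes stands for one literal quote), and the audit then classifies what the stored MCAUSER will do on a case-sensitive Unix queue manager.

```python
import re

# One ATTR(value) pair.  The value is either a single-quoted string, in
# which '' stands for one literal quote, or a bare token up to the ')'.
_ATTR_RE = re.compile(r"([A-Za-z]+)\(\s*('(?:[^']|'')*'|[^)]*?)\s*\)")

# Identities that carry full queue-manager administration.  The thread's
# case is the mqm user/group on Unix; extend this set for your platform.
PRIVILEGED_IDS = {"mqm"}


def parse_mqsc(command):
    """Apply runmqsc's case rules to a single MQSC command.

    Returns (verb, attrs, unquoted): attrs maps upper-cased attribute
    names to their stored values; unquoted is the set of attributes whose
    value was given without quotes and therefore got upper-cased.
    """
    verb, _, rest = command.strip().partition(" ")
    attrs, unquoted = {}, set()
    for name, raw in _ATTR_RE.findall(rest):
        name = name.upper()
        if raw.startswith("'"):
            # Quoted: stored exactly as typed; '' collapses to one quote.
            attrs[name] = raw[1:-1].replace("''", "'")
        else:
            # Unquoted: runmqsc folds the value to upper case.
            attrs[name] = raw.upper()
            unquoted.add(name)
    return verb.upper(), attrs, unquoted


def audit_svrconn(command):
    """Classify what MCAUSER on a SVRCONN definition will actually do.

    Returns (status, stored_mcauser) where status is one of:
      "not-svrconn" - the command does not define/alter a SVRCONN channel
      "blank"       - MCAUSER stamps no fixed identity on the channel
      "privileged"  - every client on the channel becomes an admin id
      "folded"      - the value was unquoted, so runmqsc upper-cased it;
                      on a case-sensitive Unix box it will not match the
                      intended lower-case account (2035 at connect time)
      "fixed"       - a specific, non-privileged identity is stamped
    """
    _, attrs, unquoted = parse_mqsc(command)
    if attrs.get("CHLTYPE") != "SVRCONN":
        return "not-svrconn", None
    mcauser = attrs.get("MCAUSER", "").strip()
    if mcauser == "":
        return "blank", ""
    if mcauser in PRIVILEGED_IDS:
        return "privileged", mcauser
    if "MCAUSER" in unquoted:
        return "folded", mcauser
    return "fixed", mcauser


if __name__ == "__main__":
    # The three definitions that appear in this thread.
    for cmd in (
        "define CHANNEL(SYSTEM.ADMIN.SVRCONN) CHLTYPE(SVRCONN) MCAUSER(mqm)",
        "alter CHANNEL(SYSTEM.ADMIN.SVRCONN) CHLTYPE(SVRCONN) MCAUSER('mqm')",
        "define CHANNEL(SYSTEM.ADMIN.SVRCONN) CHLTYPE(SVRCONN) MCAUSER(' ')",
    ):
        print(f"{cmd:72} -> {audit_svrconn(cmd)}")
```

Run as a script it reports the unquoted MCAUSER(mqm) as "folded" (stored as MQM, which is why the 2035 appears), the quoted MCAUSER('mqm') as "privileged", and MCAUSER(' ') as "blank". The "folded" status is a heuristic: an unquoted value is only a problem when the intended account name contains lower-case letters, which is the normal case on Unix.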
csaunders (Acolyte; Joined: 27 Mar 2003; Posts: 64; Location: Arlington, Va)
Posted: Tue May 17, 2005 5:44 am
Roger, thanks for the help, and I'm glad I could make you laugh.
I ran
    define CHANNEL(SYSTEM.ADMIN.SVRCONN) CHLTYPE(SVRCONN) MCAUSER(' ')
and also ran the refresh security command.
I am still getting the permission error; anything else come to mind?
mq_crazy (Master; Joined: 30 Jun 2004; Posts: 295)
Posted: Tue May 17, 2005 6:00 am
Did you check the command server??
csaunders (Acolyte; Joined: 27 Mar 2003; Posts: 64; Location: Arlington, Va)
Posted: Tue May 17, 2005 6:00 am
OK Roger, you're probably going to yell at me, but for joke's sake I made the channel
    alter CHANNEL(SYSTEM.ADMIN.SVRCONN) CHLTYPE(SVRCONN) MCAUSER('mqm')
Now it works.....
This allows anyone to connect to the QM and do anything? Kind of like being root? I don't understand why (' ') didn't work...
kevinf2349 (Grand Master; Joined: 28 Feb 2003; Posts: 1311; Location: USA)
Posted: Tue May 17, 2005 6:54 am
It works because 'mqm' is an authorised ID. If you code ' ' then no ID is used and so it fails.
What you have now done is opened up your queue manager so that anyone and everyone can do whatever they want to it. Roger is advising you to look for some security exit that will prevent you from having to expose the soft underbelly of your queue managers.
I think BlockIP is rapidly becoming the 'standard'. Do a search on this site and I am sure you will get plenty of hits.
csaunders (Acolyte; Joined: 27 Mar 2003; Posts: 64; Location: Arlington, Va)
Posted: Tue May 17, 2005 8:04 am
mq_crazy wrote:
    did u check the command server??
Yes sir, working now, but I guess I'm open to the world.
PeterPotkay (Poobah; Joined: 15 May 2001; Posts: 7722)
Posted: Tue May 17, 2005 1:20 pm
We bought Capitalware's MQAUSX solution to protect all our QMs. Anyone that tries to access our QMs with MQExplorer or MO71 is prompted for an ID and password, assuming they have the client side of the exit to begin with.
_________________
Peter Potkay
Keep Calm and MQ On
RogerLacroix (Jedi Knight; Joined: 15 May 2001; Posts: 3264; Location: London, ON Canada)
Posted: Wed May 18, 2005 8:36 pm
All,
Yes, Capitalware sells 2 security solutions. For more information, go to:
http://www.capitalware.biz/products.html#mqausx
Now getting back to csaunders' problem. I would look into the following areas:
(1) Did you actually create the 'csaunders' UserID on the remote server? (case IS important)
(2) Did you actually put the 'csaunders' UserID in the mqm group?
(3) Did you issue the REFRESH SECURITY via runmqsc after doing the above?
(4) Did you ever issue setmqaut against the UserID or against the UserID's primary group? If so, remove those settings. The OAM uses the more restrictive setting. (Issue REFRESH SECURITY again.)
(5) Is there a UserID on the remote server called 'csaunder' (no 's')? UserIDs on Unix are unique on only the first 8 characters. Therefore, you are getting a mismatch on the UserID and there is nothing you can do (other than create a new UserID).
Since you have root access on the remote server, have you created a new UserID on it? Follow points 1, 2 & 3 above (creating 'fred123').
- Now use a sample Java program and set MQEnvironment.userID = "fred123"; and you should get access.
- Or, if you do not code, then download the 30-day trial of MQ Visual Edit, configure the queue manager, set the UserID to the new UserID, and test it.
In either case, you should get full access. I have done this a million times over the years.
Finally, yes, I am most certainly advocating that people use a security exit to protect the queue manager.
Hope that helps.
Regards,
Roger Lacroix
Capitalware Inc.
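Points (1), (2) and (5) of Roger's checklist are questions about the server-side account database, and they can be answered mechanically against the passwd and group files. The following Python is an added example, not code from the thread, from IBM or from Capitalware. The passwd/group contents are constructed to mirror the situation described above (an 8-character account 'csaunder' exists, the id the client presents is 'csaunders'), check_mq_user is a hypothetical helper name, and the 8-character login-name limit is the one the post states, passed in as a parameter rather than asserted as a fact about every Unix.

```python
# Constructed /etc/passwd and /etc/group content standing in for the
# remote Solaris box.  'csaunder' exists (8 chars) and is a supplementary
# member of mqm; 'csaunders' (9 chars) does not exist at all.
PASSWD_TEXT = """\
root:x:0:0:Super-User:/:/sbin/sh
mqm:x:1000:1000:MQ administrator:/var/mqm:/bin/sh
csaunder:x:1001:10:C. Saunders:/home/csaunder:/bin/sh
fred123:x:1002:10:Test id:/home/fred123:/bin/sh
"""
GROUP_TEXT = """\
mqm::1000:csaunder
staff::10:
"""

UNIX_NAME_LIMIT = 8  # login-name length the post says Unix honours


def parse_passwd(text):
    """name -> primary gid, from passwd(4)-style lines."""
    accounts = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            fields = line.split(":")
            accounts[fields[0]] = int(fields[3])
    return accounts


def parse_group(text):
    """name -> (gid, set of supplementary members), from group(4)-style lines."""
    groups = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, _, gid, members = line.split(":")
            groups[name] = (int(gid), {m for m in members.split(",") if m})
    return groups


def check_mq_user(user, passwd_text=PASSWD_TEXT, group_text=GROUP_TEXT,
                  admin_group="mqm", name_limit=UNIX_NAME_LIMIT):
    """Run checklist points (1), (2) and (5) for one presented UserID.

    Lookups are case-sensitive on purpose: 'CSAUNDER' is not 'csaunder'.
    """
    accounts = parse_passwd(passwd_text)
    groups = parse_group(group_text)
    gid, members = groups.get(admin_group, (None, set()))
    exists = user in accounts
    in_admin_group = exists and (accounts[user] == gid or user in members)
    truncated = user[:name_limit] if len(user) > name_limit else None
    collides = truncated is not None and truncated in accounts
    return {
        "exists": exists,                  # (1) account really created
        "in_admin_group": in_admin_group,  # (2) primary or supplementary mqm
        "truncated": truncated,            # (5) name exceeds the platform limit
        "collides": collides,              # (5) ...and its prefix is another account
    }


def explain(user, **kwargs):
    """One-line verdict in the order the checklist would hit the problem."""
    r = check_mq_user(user, **kwargs)
    if r["collides"]:
        return (f"'{user}' exceeds the name limit and '{r['truncated']}' already "
                f"exists: a mismatch you cannot fix except with a new, short UserID")
    if not r["exists"]:
        return f"'{user}' does not exist on the server (check case)"
    if not r["in_admin_group"]:
        return f"'{user}' exists but is not in the mqm group"
    return f"'{user}' exists and is in mqm; next check REFRESH SECURITY and setmqaut"


if __name__ == "__main__":
    for uid in ("csaunders", "csaunder", "fred123", "mqm", "CSAUNDER"):
        print(explain(uid))
```

The verdict for 'csaunders' is the collision case from point (5): the presented name is longer than the limit and its 8-character prefix is a different, existing account, so no setmqaut or REFRESH SECURITY will make it match. 'fred123' shows the same helper catching point (2) for a freshly created id that was never added to mqm.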