amitjain (Apprentice; Joined: 14 Jan 2015; Posts: 39)
Posted: Tue Apr 21, 2015 6:26 am    Post subject: MQexplorer read only user group -AMQ4036

Hi,
Could you please suggest what I am doing wrong with the setup below?
 
I have created a Windows group unx-appsupp and added my user to it.
 
In Linux I have enabled the unx-appsupp group, and when I run the command below I can see my user ID in it.
 
 getent group unx-appsupp
 
I have executed the commands below to give the unx-appsupp group read-only access via MQ Explorer.
 
 setmqaut -m TEST_GTX_QM -t qmgr -g "unx-appsupp" +connect +inq +dsp
 setmqaut -m TEST_GTX_QM -n "**" -t q -g "unx-appsupp" +dsp
 setmqaut -m TEST_GTX_QM -n "**" -t topic -g "unx-appsupp" +dsp
 setmqaut -m TEST_GTX_QM -n "**" -t channel -g "unx-appsupp" +dsp
 setmqaut -m TEST_GTX_QM -n "**" -t process -g "unx-appsupp" +dsp
 setmqaut -m TEST_GTX_QM -n "**" -t namelist -g "unx-appsupp" +dsp
 setmqaut -m TEST_GTX_QM -n "**" -t authinfo -g "unx-appsupp" +dsp
 setmqaut -m TEST_GTX_QM -n "**" -t clntconn -g "unx-appsupp" +dsp
 setmqaut -m TEST_GTX_QM -n "**" -t listener -g "unx-appsupp" +dsp
 setmqaut -m TEST_GTX_QM -n "**" -t service -g "unx-appsupp" +dsp
 setmqaut -m TEST_GTX_QM -n "**" -t comminfo -g "unx-appsupp" +dsp
 
 setmqaut -m TEST_GTX_QM -n SYSTEM.MQEXPLORER.REPLY.MODEL -t q -g "unx-appsupp" +dsp +inq +get
 setmqaut -m TEST_GTX_QM -n SYSTEM.ADMIN.COMMAND.QUEUE -t q -g "unx-appsupp" +dsp +inq +put
 
 
and then ran REFRESH SECURITY in runmqsc.
 
When I run the commands below to display the authorizations:
 
 dspmqaut -m TEST_GTX_QM -t qmgr  -g unx-appsupp
 Entity unx-appsupp has the following authorizations for object TEST_GTX_QM:
 inq
 connect
 dsp
 
 /app/mqm/bin/dspmqaut -m TEST_GTX_QM -t qmgr  -p ajain
 Entity ajain has the following authorizations for object TEST_GTX_QM:
 crt
 
 
 
But when I try to connect through MQ Explorer, I get the error below in the errors directory:
 
 21/04/15 14:56:47 - Process(2019.35755) User(mqm) Program(amqzlaa0)
 Host(xxxxxx) Installation(Installation2)
 VRMF(8.0.0.0) QMgr(TEST_GTX_QM)
 
 AMQ8077: Entity 'ajain ' has insufficient authority to access object
 'TEST_GTX_QM'.
 
 EXPLANATION:
 The specified entity is not authorized to access the required object. The
 following requested permissions are unauthorized: connect
 ACTION:
 Ensure that the correct level of authority has been set for this entity against
 the required object, or ensure that the entity is a member of a privileged
 group.
 ----- amqzfubx.c : 586 --------------------------------------------------------
 21/04/15 14:56:47 - Process(3066.190) User(mqm) Program(amqrmppa)
 Host(xxxxxxxxx) Installation(Installation2)
 VRMF(8.0.0.0) QMgr(TEST_GTX_QM)
 
 AMQ9557: Queue Manager User ID initialization failed for 'ajain'.
 
 EXPLANATION:
 The call to initialize the User ID 'ajain' failed with CompCode 2 and Reason
 2035.
 ACTION:
 Correct the error and try again.
 ----- cmqxrsrv.c : 2199 -------------------------------------------------------
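Added example, not code from the original post or from IBM MQ: a parser for the two error-log records above. It splits AMQERR-style text on the `----- file : line ---` separators, pulls the entity, object and the list of unauthorized permissions out of the AMQ8077 record, pairs the AMQ9557 record with its reason code (2035), and builds the setmqaut that would grant exactly what was refused. Two assumptions are mine: the object type is inferred as qmgr only when the object name equals the QMgr() in the record header (the AMQ8077 text carries no type), and the function names are invented for this example. The sample log is the text from the post; note that MQ logs the entity padded ('ajain '), which the parser strips.

```python
"""Parse IBM MQ queue-manager error-log records for authority failures."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the two records from the post, copied verbatim.
SAMPLE_LOG = """\
21/04/15 14:56:47 - Process(2019.35755) User(mqm) Program(amqzlaa0)
Host(xxxxxx) Installation(Installation2)
VRMF(8.0.0.0) QMgr(TEST_GTX_QM)

AMQ8077: Entity 'ajain ' has insufficient authority to access object
'TEST_GTX_QM'.

EXPLANATION:
The specified entity is not authorized to access the required object. The
following requested permissions are unauthorized: connect
ACTION:
Ensure that the correct level of authority has been set for this entity against
the required object, or ensure that the entity is a member of a privileged
group.
----- amqzfubx.c : 586 --------------------------------------------------------
21/04/15 14:56:47 - Process(3066.190) User(mqm) Program(amqrmppa)
Host(xxxxxxxxx) Installation(Installation2)
VRMF(8.0.0.0) QMgr(TEST_GTX_QM)

AMQ9557: Queue Manager User ID initialization failed for 'ajain'.

EXPLANATION:
The call to initialize the User ID 'ajain' failed with CompCode 2 and Reason
2035.
ACTION:
Correct the error and try again.
----- cmqxrsrv.c : 2199 -------------------------------------------------------
"""

# One record ends at a "----- source.c : NNN -----" line.
RECORD_SEP = re.compile(r"^----- \S+ : \d+ -+\s*$", re.MULTILINE)
HEADER_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d/\d\d \d\d:\d\d:\d\d) - Process\((?P<proc>[\d.]+)\) "
    r"User\((?P<user>[^)]*)\) Program\((?P<prog>[^)]*)\)", re.MULTILINE)
QMGR_RE = re.compile(r"QMgr\((?P<qmgr>[^)]*)\)")
# The object name wraps onto the next line, hence \s+ rather than a space.
AMQ8077_RE = re.compile(
    r"AMQ8077: Entity '(?P<entity>[^']*)' has insufficient authority to access "
    r"object\s+'(?P<obj>[^']*)'")
PERMS_RE = re.compile(r"permissions are unauthorized:\s*(?P<perms>[^\n]*)")
AMQ9557_RE = re.compile(
    r"AMQ9557: Queue Manager User ID initialization failed for '(?P<user>[^']*)'")
REASON_RE = re.compile(r"CompCode (?P<cc>\d+) and Reason\s+(?P<rc>\d+)")


@dataclass
class LogRecord:
    timestamp: str
    program: str
    qmgr: str
    msg_id: str
    entity: str = ""
    obj: str = ""
    obj_type: str = ""                      # inferred; "" when unknown
    missing: List[str] = field(default_factory=list)
    reason: Optional[int] = None            # MQRC from AMQ9557, e.g. 2035


def parse_records(text: str) -> List[LogRecord]:
    """Return one LogRecord per AMQ8077 / AMQ9557 record found in the log text."""
    out = []
    for chunk in RECORD_SEP.split(text):
        h = HEADER_RE.search(chunk)
        if not h:
            continue
        q = QMGR_RE.search(chunk)
        qmgr = q.group("qmgr") if q else ""
        m = AMQ8077_RE.search(chunk)
        if m:
            entity = m.group("entity").strip()      # logged padded: 'ajain '
            obj = m.group("obj").strip()
            p = PERMS_RE.search(chunk)
            perms = p.group("perms").split() if p else []
            out.append(LogRecord(h.group("ts"), h.group("prog"), qmgr, "AMQ8077",
                                 entity, obj, "qmgr" if obj == qmgr else "", perms))
            continue
        m = AMQ9557_RE.search(chunk)
        if m:
            r = REASON_RE.search(chunk)
            out.append(LogRecord(h.group("ts"), h.group("prog"), qmgr, "AMQ9557",
                                 entity=m.group("user").strip(),
                                 reason=int(r.group("rc")) if r else None))
    return out


def suggest_grant(rec: LogRecord, group: Optional[str] = None) -> Optional[str]:
    """setmqaut that grants exactly the refused authorities, or None if the
    record does not identify an object type.  Pass group= to grant to a group
    (-g) instead of the logged principal (-p)."""
    if rec.msg_id != "AMQ8077" or not rec.obj_type:
        return None
    who = f"-g {group}" if group else f"-p {rec.entity}"
    name = "" if rec.obj_type == "qmgr" else f"-n {rec.obj} "
    return (f"setmqaut -m {rec.qmgr} {name}-t {rec.obj_type} {who} "
            + " ".join("+" + p for p in rec.missing))


if __name__ == "__main__":
    for rec in parse_records(SAMPLE_LOG):
        print(rec)
        print("  grant:", suggest_grant(rec, group="unx-appsupp"))
```

With the default group-based OAM on Unix, `setmqaut -p` grants to the principal's primary group, so the grant should name the intended group (`-g unx-appsupp`), as the first post already does. The value of the parser is that the refused permission (here only `connect`) is read straight from the log rather than guessed, and the AMQ9557 reason 2035 confirms it is an authorization failure, not an authentication one.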

amitjain
Posted: Tue Apr 21, 2015 6:30 am

dmpmqaut output:

dmpmqaut -m TEST_GTX_QM -t qmgr -g unx-appsupp
 
 profile:     self
 object type: qmgr
 entity:      unx-appsupp
 entity type: group
 authority:   inq connect dsp

mqjeff (Grand Master; Joined: 25 Jun 2008; Posts: 17447)
Posted: Tue Apr 21, 2015 6:31 am

You need to review the CHLAUTH rules in effect, and the AUTHINFO policies in effect.
		
amitjain
Posted: Tue Apr 21, 2015 6:45 am

What should I configure for unx-appsupp?
Connection authentication: SYSTEM.DEFAULT.AUTHINFO.IDPWOS
 
 
 display authinfo(*)
 1 : display authinfo(*)
 AMQ8566: Display authentication information details.
 AUTHINFO(SYSTEM.DEFAULT.AUTHINFO.IDPWLDAP)
 AUTHTYPE(IDPWLDAP)
 AMQ8566: Display authentication information details.
 AUTHINFO(SYSTEM.DEFAULT.AUTHINFO.IDPWOS)
 AUTHTYPE(IDPWOS)
 AMQ8566: Display authentication information details.
 AUTHINFO(SYSTEM.DEFAULT.AUTHINFO.OCSP)
 AUTHTYPE(OCSP)
 AMQ8566: Display authentication information details.
 AUTHINFO(SYSTEM.DEFAULT.AUTHINFO.CRLLDAP)
 AUTHTYPE(CRLLDAP)
 display chlauth(*)
 2 : display chlauth(*)
 AMQ8878: Display channel authentication record details.
 CHLAUTH(SYSTEM.ADMIN.SVRCONN)           TYPE(ADDRESSMAP)
 ADDRESS(*)                              USERSRC(CHANNEL)
 AMQ8878: Display channel authentication record details.
 CHLAUTH(SYSTEM.*)                       TYPE(ADDRESSMAP)
 ADDRESS(*)                              USERSRC(NOACCESS)
 AMQ8878: Display channel authentication record details.
 CHLAUTH(*)                              TYPE(BLOCKUSER)
 USERLIST(*MQADMIN)
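Added example, not code from the thread or from IBM MQ: a small model of how the three CHLAUTH records displayed above decide the user ID that the OAM then checks. It covers only the two record types on the page (ADDRESSMAP and BLOCKUSER) with the channel-name precedence MQ documents (exact name beats a generic, longer generic prefix beats shorter, `*` last); address ranges and the other map types are not modelled, and "an exact ADDRESS beats ADDRESS(*)" is a simplification I have assumed for the tie-break. USERSRC(CHANNEL) means the user ID flowed from the client is used unless the channel definition sets MCAUSER, and `*MQADMIN` on Unix means the mqm user or any member of the mqm group; BLOCKUSER is applied to the final user after mapping. The GROUPS table is constructed: ajain's groups are the ones from the `id` output later in the thread, and `mqadmin` is a hypothetical mqm member.

```python
"""Simplified CHLAUTH evaluation for ADDRESSMAP + BLOCKUSER records."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Rule:
    channel: str                     # exact name, generic prefix ending in '*', or '*'
    rtype: str                       # 'ADDRESSMAP' or 'BLOCKUSER' (the two types on the page)
    address: str = "*"               # ADDRESSMAP: '*' or one exact IP (ranges not modelled)
    usersrc: str = "CHANNEL"         # ADDRESSMAP: CHANNEL, MAP or NOACCESS
    mcauser: str = ""                # ADDRESSMAP with USERSRC(MAP)
    userlist: Tuple[str, ...] = ()   # BLOCKUSER: user IDs; '*MQADMIN' = privileged users


# The three records from the DISPLAY CHLAUTH(*) output in the thread.
PAGE_RULES: List[Rule] = [
    Rule("SYSTEM.ADMIN.SVRCONN", "ADDRESSMAP", address="*", usersrc="CHANNEL"),
    Rule("SYSTEM.*", "ADDRESSMAP", address="*", usersrc="NOACCESS"),
    Rule("*", "BLOCKUSER", userlist=("*MQADMIN",)),
]

# Constructed group table (assumption): ajain's groups are from the `id`
# output in the thread; 'mqadmin' is a hypothetical member of mqm.
GROUPS: Dict[str, Set[str]] = {
    "ajain": {"unx-is", "unx-beauchamp", "tg dev all", "splunk", "unx-appsupp"},
    "mqadmin": {"mqm"},
}


def is_privileged(user: str) -> bool:
    """'*MQADMIN' on Unix: the mqm user itself or any member of the mqm group."""
    return user == "mqm" or "mqm" in GROUPS.get(user, set())


def channel_specificity(pattern: str, channel: str) -> Optional[int]:
    """None when the record does not apply to this channel; otherwise a score
    where an exact name beats every generic and a longer prefix beats a shorter one."""
    if pattern == channel:
        return 1_000_000
    if pattern.endswith("*") and channel.startswith(pattern[:-1]):
        return len(pattern) - 1          # CHLAUTH('*') scores 0
    return None


def most_specific(rules, channel, applies):
    """The applicable record with the most specific channel name (and address)."""
    best, best_score = None, -1
    for r in rules:
        s = channel_specificity(r.channel, channel)
        if s is None or not applies(r):
            continue
        score = 2 * s + (0 if r.address == "*" else 1)   # exact ADDRESS beats ADDRESS(*)
        if score > best_score:
            best, best_score = r, score
    return best


def evaluate(rules, channel, asserted_user, address,
             privileged=is_privileged, channel_mcauser=""):
    """Return ('ALLOW', final user), ('NOACCESS', rule) or ('BLOCKED', rule).
    Step 1: the most specific ADDRESSMAP decides where the MCAUSER comes from.
    Step 2: the most specific BLOCKUSER is checked against that final user."""
    mapping = most_specific(
        rules, channel,
        lambda r: r.rtype == "ADDRESSMAP" and r.address in ("*", address))
    if mapping is None or mapping.usersrc == "CHANNEL":
        # ID flowed from the client, unless the channel definition sets MCAUSER
        user = channel_mcauser or asserted_user
    elif mapping.usersrc == "MAP":
        user = mapping.mcauser
    else:
        return "NOACCESS", f"CHLAUTH({mapping.channel}) ADDRESSMAP USERSRC(NOACCESS)"
    block = most_specific(rules, channel, lambda r: r.rtype == "BLOCKUSER")
    if block is not None:
        for entry in block.userlist:
            if entry == user or (entry == "*MQADMIN" and privileged(user)):
                return "BLOCKED", f"CHLAUTH({block.channel}) BLOCKUSER({entry}) hit '{user}'"
    return "ALLOW", user


if __name__ == "__main__":
    for chl, usr in [("SYSTEM.ADMIN.SVRCONN", "ajain"), ("SYSTEM.DEF.SVRCONN", "ajain"),
                     ("SYSTEM.ADMIN.SVRCONN", "mqadmin"), ("APP.SVRCONN", "ajain")]:
        print(chl, usr, "->", evaluate(PAGE_RULES, chl, usr, "10.0.0.5"))
```

For the connection in the thread (MQ Explorer on SYSTEM.ADMIN.SVRCONN, client ID ajain, not in mqm) the model lands on ALLOW with final user `ajain`, which is exactly the entity AMQ8077 then reports as lacking `connect`; so these CHLAUTH records pass the connection through and the refusal happens in the OAM check. The authoritative version of this check on the queue manager is `DISPLAY CHLAUTH('SYSTEM.ADMIN.SVRCONN') MATCH(RUNCHECK) CLNTUSER('ajain') ADDRESS('client-ip')` in runmqsc, with the real client IP address.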

amitjain
Posted: Tue Apr 21, 2015 6:58 am

I am looking at the IBM Knowledge Center but am not able to understand what needs to be set/corrected in authinfo.
 display authinfo(*) ALL
 3 : display authinfo(*) ALL
 AMQ8566: Display authentication information details.
 AUTHINFO(SYSTEM.DEFAULT.AUTHINFO.IDPWLDAP)
 AUTHTYPE(IDPWLDAP)                      ADOPTCTX(NO)
 DESCR( )                                CONNAME( )
 CHCKCLNT(REQUIRED)                      CHCKLOCL(OPTIONAL)
 CLASSUSR( )                             FAILDLAY(1)
 BASEDNU( )                              LDAPUSER( )
 LDAPPWD( )                              SHORTUSR( )
 USRFIELD( )                             SECCOMM(NO)
 ALTDATE(2015-02-13)                     ALTTIME(16.49.39)
 AMQ8566: Display authentication information details.
 AUTHINFO(SYSTEM.DEFAULT.AUTHINFO.IDPWOS)
 AUTHTYPE(IDPWOS)                        ADOPTCTX(NO)
 DESCR( )                                CHCKCLNT(REQDADM)
 CHCKLOCL(OPTIONAL)                      FAILDLAY(1)
 ALTDATE(2015-02-13)                     ALTTIME(16.49.39)
 AMQ8566: Display authentication information details.
 AUTHINFO(SYSTEM.DEFAULT.AUTHINFO.OCSP)
 AUTHTYPE(OCSP)                          DESCR( )
 OCSPURL( )                              ALTDATE(2015-02-13)
 ALTTIME(16.49.39)
 AMQ8566: Display authentication information details.
 AUTHINFO(SYSTEM.DEFAULT.AUTHINFO.CRLLDAP)
 AUTHTYPE(CRLLDAP)                       DESCR( )
 CONNAME( )                              LDAPUSER( )
 LDAPPWD( )                              ALTDATE(2015-02-13)
 ALTTIME(16.49.39)

mqjeff
Posted: Tue Apr 21, 2015 7:08 am

 That just says that connection authorization information should be taken from the local OS of the queue manager, not from other things like OCSP or LDAP.
 
 It's the authinfo objects that control what IDs can do what.
 
 You might also look at upgrading MQ explorer, or at least look at fixes in 8.0.0.2.

amitjain
Posted: Tue Apr 21, 2015 7:47 am

I am using the MQ Explorer below.
 IBM WebSphere MQ Explorer
 Version: 8.0.0.1
 
 
I will download the 8.0.0.2 SupportPac from the IBM website and check. Thanks.

exerk (Jedi Council; Joined: 02 Nov 2006; Posts: 6339)
Posted: Tue Apr 21, 2015 7:54 am

Also, take a look at Morag Hughson's various blogs in regard to CHLAUTH and other security-related stuff...

amitjain
Posted: Tue Apr 21, 2015 8:22 am

setmqaut -m TEST_GTX_QM -n "**" -t authinfo -g "unx-appsupp" +dsp

Will this not allow MQ Explorer to have read-only access?

fjb_saper (Grand High Poobah; Joined: 18 Nov 2003; Posts: 20767; Location: LI,NY)
Posted: Tue Apr 21, 2015 12:33 pm

amitjain wrote:
    setmqaut -m TEST_GTX_QM -n "**" -t authinfo -g "unx-appsupp" +dsp
    Will this not allow MQ Explorer to have read-only access?

It should be +inq +dsp.

+dsp alone may not be sufficient...

Also give us the output of the Unix/Linux "id" command.
If your ID is a member of the mqm group, the other group memberships are irrelevant...
		
amitjain
Posted: Wed Apr 22, 2015 12:47 am

[ajain@ulonapmqss01 ~]$ id
uid=111623(ajain) gid=28(unx-is) groups=28(unx-is),6001(unx-beauchamp),10004(tg dev all),108671(splunk),111515(unx-appsupp)
 
 
As mqjeff suggested, I am now trying the commands below to define LDAP info, as my account ajain is on Windows.
 
 DEFINE AUTHINFO('USE.LDAP') AUTHTYPE(IDPWLDAP) CONNAME
 
The only confusion I have now is that I have a few Unix accounts and a few Windows accounts that both want to access the queue manager; if I change the queue manager CONNAUTH, will it start failing the Unix accounts?
 
 ALTER QMGR CONNAUTH('USE.LDAP')
 
I will first try to make the LDAP AUTHINFO work for my ID at least.
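Added example, not code from the thread or from IBM MQ: it ties fjb_saper's request for the `id` output to the dspmqaut results in the first post. With the default group-based OAM on Unix, the authorities of a user are the union of the authorities held by every group the user is in (primary and supplementary), and a member of the mqm group is privileged regardless of anything else; `dspmqaut -p user` reports that derived set. The code parses the `id` line above and the dmpmqaut record posted earlier (both embedded verbatim as constructed sample input), computes what the group model predicts for ajain, and reports the authorities the model predicts that `dspmqaut -p ajain` did not show. The function names, the `ALL` sentinel and `OBSERVED_FOR_AJAIN` (the `crt` from the first post) are mine.

```python
"""Predict a user's MQ authorities from Unix group membership and compare."""
import re
from typing import Dict, Set, Tuple

ALL = "ALL"   # sentinel: member of the privileged group, every authority is implied

# Constructed sample: the `id` output amitjain posted.
ID_OUTPUT = ("uid=111623(ajain) gid=28(unx-is) groups=28(unx-is),6001(unx-beauchamp),"
             "10004(tg dev all),108671(splunk),111515(unx-appsupp)")

# Constructed sample: the dmpmqaut record amitjain posted earlier in the thread.
DMPMQAUT_OUTPUT = """\
profile:     self
object type: qmgr
entity:      unx-appsupp
entity type: group
authority:   inq connect dsp
"""

# What `dspmqaut -m TEST_GTX_QM -t qmgr -p ajain` printed in the first post.
OBSERVED_FOR_AJAIN = {"crt"}

GROUP_RE = re.compile(r"\d+\(([^)]*)\)")


def parse_id(output: str) -> Tuple[str, Set[str]]:
    """Return (user, all groups) from Linux `id` output.  Group names are read
    from inside the parentheses so names with spaces ('tg dev all') survive;
    everything from gid= onward is group information, primary group included."""
    m = re.match(r"uid=\d+\(([^)]*)\)", output)
    user = m.group(1) if m else ""
    groups = set(GROUP_RE.findall(output[output.index("gid="):]))
    return user, groups


def parse_dmpmqaut(text: str) -> Dict[Tuple[str, str, str], Set[str]]:
    """Map (object type, profile, entity) -> authorities, one entry per record."""
    result = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {k.strip(): v.strip()
                  for k, v in re.findall(r"^([\w ]+):\s*(.*)$", block, re.MULTILINE)}
        key = (fields["object type"], fields["profile"], fields["entity"])
        result[key] = set(fields["authority"].split())
    return result


def effective_authority(user_groups, group_auths, object_type="qmgr",
                        profile="self", privileged_group="mqm"):
    """Group-based OAM: union over every group the user belongs to, or ALL
    when the user is in the privileged group (mqm on Unix)."""
    if privileged_group in user_groups:
        return ALL
    acc: Set[str] = set()
    for (otype, prof, entity), auths in group_auths.items():
        if otype == object_type and prof == profile and entity in user_groups:
            acc |= auths
    return acc


def diagnose(expected, observed) -> Set[str]:
    """Authorities the group model predicts but dspmqaut -p did not report.
    Non-empty means the queue manager is not resolving the user into the
    groups that `id` shows, so the grants made with -g never reach the user."""
    if expected == ALL:
        return set()
    return set(expected) - set(observed)


if __name__ == "__main__":
    user, groups = parse_id(ID_OUTPUT)
    auths = parse_dmpmqaut(DMPMQAUT_OUTPUT)
    expected = effective_authority(groups, auths)
    print(user, "groups:", sorted(groups))
    print("predicted:", expected, "observed:", OBSERVED_FOR_AJAIN)
    print("predicted but not reported:", diagnose(expected, OBSERVED_FOR_AJAIN))
```

For ajain the model predicts `connect inq dsp` from unx-appsupp, while the first post's `dspmqaut -p ajain` reported only `crt`; the non-empty gap says the queue manager's view of ajain's groups differs from what the shell's `id` shows, which is where to look (REFRESH SECURITY was already run; the next checks are that `getent group unx-appsupp` resolves the same way for the mqm user on the queue manager host, and that the user ID the channel presents is exactly the one in the log). Adding ajain to mqm would turn the prediction into ALL and hide the problem, which is fjb_saper's point about other memberships becoming irrelevant.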

amitjain
Posted: Wed Apr 22, 2015 2:12 am

ALTER QMGR CONNAUTH('L')
AMQ8005: WebSphere MQ queue manager changed.
 REFRESH SECURITY TYPE(CONNAUTH)
 5 : REFRESH SECURITY TYPE(CONNAUTH)
 AMQ8560: WebSphere MQ security cache refreshed.
 DIS QMSTATUS ALL
 6 : DIS QMSTATUS ALL
 AMQ8705: Display Queue Manager Status Details.
 QMNAME(TEST_GTX_QM)                STATUS(RUNNING)
 CONNS(22)                               CMDSERV(RUNNING)
 CHINIT(RUNNING)                         INSTNAME(Installation2)
 INSTPATH(/app/mqm)                      INSTDESC( )
 LDAPCONN(CONNECTED)                     STANDBY(NOPERMIT)
 STARTDA(2015-04-22)                     STARTTI(09.56.50)
 end
 7 : end
 6 MQSC commands read.
 
Now LDAPCONN(CONNECTED); I will try connecting through MQ Explorer and check.

amitjain
Posted: Wed Apr 22, 2015 2:40 am

What could be wrong? BASEDNU in AUTHINFO('L') AUTHTYPE(IDPWLDAP)?
 ----- amqrmrsa.c : 925 --------------------------------------------------------
 
 AMQ5531: Error authenticating user in LDAP
 
 EXPLANATION:
 The LDAP authentication service has failed in the ldap_search call while trying
 to find user 'ajain'. Returned count is 0. Additional context is ''.
 ACTION:
 Specify the correct user name when connecting, or fix the directory
 configuration. There may be additional information in the LDAP server error
 logs.
 ----- amqzfula.c : 1646 -------------------------------------------------------
 
 AMQ9557: Queue Manager User ID initialization failed for 'ajain'.
 
 EXPLANATION:
 The call to initialize the User ID 'ajain' failed with CompCode 2 and Reason
 2035.
 ACTION:
 Correct the error and try again.
 ----- cmqxrsrv.c : 2199 -------------------------------------------------------

mqjeff
Posted: Wed Apr 22, 2015 4:36 am

amitjain wrote:
    As mqjeff suggested, I am now trying the commands below to define LDAP info, as my account ajain is on Windows.

I didn't suggest that.

I suggested that you understand the AUTHINFO objects that were already defined, and that you then understand how they were interacting with the connection you were trying to make.
		