| Author |
Message
|
| bbburson |
 Posted: Fri Jun 12, 2009 5:25 am Post subject: |
 |
|
Partisan
Joined: 06 Jan 2004
Posts: 378
Location: Nowhere near a queue manager
|
| shashivarungupta wrote: |
| I think REFRESH SECURITY is required when changes are being done related to SSL. Its not mandate to shoot this command when it comes to OAM. |
REFRESH SECURITY is required when the change was to something OUTSIDE MQ (such as group memberships, SSL key databases, etc), but not when the change was to something INSIDE MQ (OAM). REFRESH SECURITY by itself causes MQ to update its knowledge of user/group relationships. REFRESH SECURITY TYPE(SSL) is specifically for updating the queue manager's knowledge of its key database entries. |
|
| Back to top |
|
 |
| exerk |
| Posted: Fri Jun 12, 2009 5:28 am Post subject: |
|
|
Jedi Council
Joined: 02 Nov 2006
Posts: 6339
|
| aditya.aggarwal wrote: |
Hi Peter ,
Yes we run the REFRESH SECURITY command.
'oracle' user primary group is 'dba' and there is only one more user in 'dba' group.
All,
Still i am wondering why i need to run 'setmqaut' specially even after adding the 'oracle' user in to 'mqm' group?
And also how can i enable the authorization errors, user access control in the queue manager error logs?
Cheers,
Aditya |
Try http://www-01.ibm.com/support/docview.wss?rs=171&uid=swg21377578
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
|
| Back to top |
|
|
| aditya.aggarwal |
| Posted: Fri Jun 12, 2009 5:47 am Post subject: |
|
|
Master
Joined: 13 Jan 2009
Posts: 252
|
Hi Exerk,
Thanks, it's a good technote.
All,
Is there any method that we can track that 'oracle' or any user have logged in to the MQ servers and executed any MQ command?
Cheers,
Aditya |
|
| Back to top |
|
|
| shashivarungupta |
| Posted: Fri Jun 12, 2009 7:07 am Post subject: |
|
|
Grand Master
Joined: 24 Feb 2009
Posts: 1343
Location: Floating in space on a round rock.
|
| aditya.aggarwal wrote: |
Is there any method that we can track that 'oracle' or any user have logged in to the MQ servers and executed any MQ command?
|
Hmmm.. If you are using the Unix flavors then you can track the users who logged in to your MQ Servers by writing some scripts.
_________________
*Life will beat you down, you need to decide to fight back or leave it. |
|
| Back to top |
|
|
| aditya.aggarwal |
| Posted: Fri Jun 12, 2009 8:46 am Post subject: |
|
|
Master
Joined: 13 Jan 2009
Posts: 252
|
Thanks we have resolve the issue after bouncing the queue manager.
bbburson wrote:
| Quote: |
shashivarungupta wrote:
I think REFRESH SECURITY is required when changes are being done related to SSL. Its not mandate to shoot this command when it comes to OAM.
REFRESH SECURITY is required when the change was to something OUTSIDE MQ (such as group memberships, SSL key databases, etc), but not when the change was to something INSIDE MQ (OAM). REFRESH SECURITY by itself causes MQ to update its knowledge of user/group relationships. REFRESH SECURITY TYPE(SSL) is specifically for updating the queue manager's knowledge of its key database entries. |
As Per page 191 of the WebSphere MQ System Administration Guide :
"A principal can belong to more than one group (its group set) and has the aggregate of all the authorities granted to each group in its group set. These authorities are cached, so any changes you make to the principal’s group membership are not recognized until the queue manager is restarted, unless you issue the MQSC command REFRESH SECURITY (or the PCF equivalent)."
http://www-01.ibm.com/software/integration/wmq/library/library60.html
Cheers,
Aditya  |
|
| Back to top |
|
|
| shashivarungupta |
| Posted: Fri Jun 12, 2009 10:34 am Post subject: |
|
|
Grand Master
Joined: 24 Feb 2009
Posts: 1343
Location: Floating in space on a round rock.
|
| aditya.aggarwal wrote: |
bbburson wrote:
| Quote: |
shashivarungupta wrote:
I think REFRESH SECURITY is required when changes are being done related to SSL. Its not mandate to shoot this command when it comes to OAM.
REFRESH SECURITY is required when the change was to something OUTSIDE MQ (such as group memberships, SSL key databases, etc), but not when the change was to something INSIDE MQ (OAM). REFRESH SECURITY by itself causes MQ to update its knowledge of user/group relationships. REFRESH SECURITY TYPE(SSL) is specifically for updating the queue manager's knowledge of its key database entries. |
As Per page 191 of the WebSphere MQ System Administration Guide :
"A principal can belong to more than one group (its group set) and has the aggregate of all the authorities granted to each group in its group set. These authorities are cached, so any changes you make to the principal’s group membership are not recognized until the queue manager is restarted, unless you issue the MQSC command REFRESH SECURITY (or the PCF equivalent)."
|
bbburson and aditya.aggarwal comments on REFRESH SECURITY seems to be in favor of mine.
Two different ways to same thing.
_________________
*Life will beat you down, you need to decide to fight back or leave it. |
|
| Back to top |
|
|
| mqrules |
| Posted: Fri Jul 17, 2009 9:41 am Post subject: |
|
|
Centurion
Joined: 01 Jun 2005
Posts: 100
Location: US
|
Sashivarungupta Wrote:
| Quote: |
Note: When you change authorizations with the setmqaut command, the OAM implements such changes immediately. Queue managers store authorization data on a local queue called SYSTEM.AUTH.DATA.QUEUE. This data is managed by amqzfuma.exe.
I think REFRESH SECURITY is required when changes are being done related to SSL. Its not mandate to shoot this command when it comes to OAM.
|
Sorry, but your are mistaken. You must run REFRESH SECURITY for the latest OAM changes to take effect since the last REFRESH SECURITY command or qmgr startup.
MRules |
|
| Back to top |
|
|
| JosephGramig |
| Posted: Fri Jul 17, 2009 11:03 am Post subject: |
|
|
Grand Master
Joined: 09 Feb 2006
Posts: 1244
Location: Gold Coast of Florida, USA
|
| mqrules wrote: |
| Sorry, but your are mistaken. You must run REFRESH SECURITY for the latest OAM changes to take effect since the last REFRESH SECURITY command or qmgr startup. |
No, if I grant to group monkey that will take effect right away. If George is in monkey and this is his first attempt, he will succeed.
If George was not in monkey and made an attempt, he would fail. If then, the George is added to monkey, then you need to Refresh Security.
So, it is when you change something at the OS level that the refresh becomes necessary. |
|
| Back to top |
|
|
| bbburson |
| Posted: Fri Jul 17, 2009 1:21 pm Post subject: |
|
|
Partisan
Joined: 06 Jan 2004
Posts: 378
Location: Nowhere near a queue manager
|
Thank you, Joseph. Couldn't have said it better myself.  |
|
| Back to top |
|
|
| Monk |
| Posted: Mon Jul 27, 2009 10:26 pm Post subject: |
|
|
Master
Joined: 21 Apr 2007
Posts: 282
|
The issue with controlling fine granular access for users and groups with MQ.
I have developed a Custom OAM module..which helps me to give permissions to user ids ( and these user ids need not even exist on the system).
May be IBM will think of something like to for AIX;s..
and Why would you give access to S.C.T.Q..
make alias queue point to S.C.T.Q and give permissions to alias queue..
DO NOT GIVE PERMISSIONS FOR ANY USER ON S.C.T.Q.
_________________
Thimk |
|
| Back to top |
|
|
| exerk |
| Posted: Mon Jul 27, 2009 11:33 pm Post subject: |
|
|
Jedi Council
Joined: 02 Nov 2006
Posts: 6339
|
| Monk wrote: |
| ...make alias queue point to S.C.T.Q and give permissions to alias queue... |
I think you mean point the QA at the cluster queue...
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
|
| Back to top |
|
|
| Monk |
| Posted: Tue Jul 28, 2009 12:39 am Post subject: |
|
|
Master
Joined: 21 Apr 2007
Posts: 282
|
| Quote: |
| I think you mean point the QA at the cluster queue... |
That's correct, Thanks for correcting me.
_________________
Thimk |
|
| Back to top |
|
|
|
|
