MQSeries 5.2 authorization in Solaris
mohan (Newbie, Joined: 02 Aug 2001, Posts: 3, Location: Mohan Nagarajan)
Posted: Fri Aug 03, 2001 7:28 am
I am new to Solaris. We had installed MQSeries 5.2 on Solaris. The queue manager and queues were defined by an ID which was part of the mqm group. When we try to access these objects with another ID which is also part of the mqm group, we get an authorization failure. We can't execute the runmqsc command. The objects were defined without any security option. Any help on this would be greatly appreciated.
bduncan (Padawan, Joined: 11 Apr 2001, Posts: 1554, Location: Silicon Valley)
Posted: Fri Aug 03, 2001 8:50 am
Mohan,
A couple of things. First, if a group has permission to access an MQ object (queue, queue manager, etc) and you add or remove users from that group, the authorities on that MQ object that those users have aren't always updated automatically. It used to be that you had to restart the queue manager to get the permissions on such objects to update, but as of MQSeries 5.2 there is a command called REFRESH SECURITY that you can use. This will force a refresh of the authorization cache. Try this. If you still have problems, then perhaps the user mqm has permission on the objects but the group mqm does not. To check this, you can use a command called dspmqaut. If you installed MQSeries correctly, you should have a man page on it. But essentially it tells you about authorizations on an MQ object with respect to a user or group. In other words, if I type:
dspmqaut -t qmgr -g mqm
This will display the permissions that members of the group mqm have on the Queue Manager itself. Keep in mind that having permission on the queue manager means you can run programs like runmqsc, but it doesn't necessarily mean you have any permissions on queues or other objects that belong to that queue manager. If you find that the permissions aren't set up the way you want, you can use another program setmqaut, which also has a man page, and it will allow you to set permissions for users and/or groups on various MQ objects. Keep in mind that after issuing setmqaut you might still have to go into runmqsc and type REFRESH SECURITY before it will take effect.
_________________ Brandon Duncan
IBM Certified MQSeries Specialist
MQSeries.net forum moderator
mohan (Newbie, Joined: 02 Aug 2001, Posts: 3, Location: Mohan Nagarajan)
Posted: Fri Aug 03, 2001 10:33 am
Brandon,
Thanks for getting back. I tested the group (mqm) permission and it has all. When we type groups for the ID I am using, mqm is part of it, but it is not the primary group.
Here is one more thing we did. We granted explicit authority for the ID to perform all actions for the queue manager. After this we are able to run the runmqsc command. But now we have access problems with the queues in that queue manager. We don't want to grant access to an individual ID for each object. We want to grant the group the authorization, and everyone in the group should get it.
Thanks for the Refresh command. We tried both the Refresh command and restarted the Qmgr. Nothing works. Any thoughts??!!
Does it matter if mqm is not the primary group?
Thanks
Mohan
bduncan (Padawan, Joined: 11 Apr 2001, Posts: 1554, Location: Silicon Valley)
Posted: Fri Aug 03, 2001 12:06 pm
Mohan,
When you installed the MQSeries product, did you make sure to create the user mqm and the group mqm? Did you also make sure that you created the queue manager as mqm? In other words, when you issued the crtmqm command to build the queue manager, were you logged in as root or mqm at the time? It is very important that whenever you create queue managers or objects that you are either user mqm, or logged in as a user that is a member of group mqm. Also, the group mqm must be user mqm's primary group. As far as other users go, they only need to have the group mqm listed as a supplementary group. There is no need to make mqm their primary group. For instance, we had root as a member of group mqm, but his primary group was still "system". You say that you are having problems with individual queues. If you issue a command like:
dspmqaut -n queuename -t queue -g mqm
What sort of permissions do you see? Does the actual group have the necessary permissions? If so, then issue the same dspmqaut command but supply -p instead of -g and use the name of one of the users that is in the mqm group. Whatever permissions you saw for the group, you should also see for the user who is a member of the group. If the output from the two dspmqaut commands is different, then either your cache is incorrect (in which case a REFRESH SECURITY and/or REFRESH CACHE should fix it) or you have a more severe problem, in which case I would recommend rebuilding the queue manager from scratch, making sure to do everything as user mqm.
_________________ Brandon Duncan
IBM Certified MQSeries Specialist
MQSeries.net forum moderator
mohan (Newbie, Joined: 02 Aug 2001, Posts: 3, Location: Mohan Nagarajan)
Posted: Mon Aug 06, 2001 9:45 am
Brandon,
You sort of pointed us in the right direction. We sat with the Unix administrator and found that they had defined the mqm ID but not the group on the box where MQ was installed. They are using the NIS product and defined the group there. Once the group was defined locally everything was fine. Thanks for your help.
Mohan
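The OS-level conditions this thread ends up depending on (group mqm present in the local group file rather than only in NIS, mqm as the primary group of user mqm, and the application ID in mqm as primary or supplementary group) can be checked against the account files directly. This is an added example, not part of the original posts: the function names, the `appuser` ID and the sample files are constructed, and on a real host the arguments would be /etc/passwd and /etc/group.

```shell
#!/bin/sh
# Added example (not from the thread): audit local account files for the
# conditions the posts name. Function names and sample data are constructed.

# GID of group $2 in group file $1; prints nothing if the group is not there.
local_gid() { awk -F: -v g="$2" '$1 == g { print $3; exit }' "$1"; }

# Primary GID of user $2 in passwd file $1; prints nothing if the user is absent.
primary_gid() { awk -F: -v u="$2" '$1 == u { print $4; exit }' "$1"; }

# Succeeds if user $2 is in the member list of group $3 in group file $1.
listed_member() {
    awk -F: -v u="$2" -v g="$3" '$1 == g { n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] == u) found = 1 }
        END { exit !found }' "$1"
}

# check_mqm PASSWD GROUP USER: prints findings, returns the number of failures.
check_mqm() {
    fails=0
    gid=$(local_gid "$2" mqm)
    if [ -z "$gid" ]; then
        echo "FAIL: group mqm is not defined in $2 (defined only in NIS?)"
        return 1
    fi
    if [ "$(primary_gid "$1" mqm)" != "$gid" ]; then
        echo "FAIL: user mqm is missing or mqm is not its primary group"
        fails=$((fails + 1))
    fi
    if [ "$(primary_gid "$1" "$3")" = "$gid" ] || listed_member "$2" "$3" mqm; then
        echo "OK: $3 belongs to mqm (gid $gid)"
    else
        echo "FAIL: $3 is not a member of mqm in $2"
        fails=$((fails + 1))
    fi
    return "$fails"
}

# Constructed sample files: the broken host from the thread, then the fixed one.
demo() {
    d=$(mktemp -d)
    printf 'root:x:0:1::/:/sbin/sh\nmqm:x:500:500::/var/mqm:/bin/sh\n' > "$d/passwd"
    printf 'appuser:x:600:10::/home/appuser:/bin/sh\n' >> "$d/passwd"
    printf 'staff::10:\n' > "$d/group.before"
    printf 'staff::10:\nmqm::500:appuser\n' > "$d/group.after"
    check_mqm "$d/passwd" "$d/group.before" appuser || echo "($? problem found)"
    check_mqm "$d/passwd" "$d/group.after" appuser
    rm -rf "$d"
}
demo
```

A clean result here only covers the account files; the dspmqaut comparison with -g and -p described in the thread is still the check for what the queue manager itself has recorded.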