ASG
IBM
Zystems
Cressida
Icon
Netflexity
 
  MQSeries.net
Search  Search       Tech Exchange      Education      Certifications      Library      Info Center      SupportPacs      LinkedIn  Search  Search                                                                   FAQ  FAQ   Usergroups  Usergroups
 
Register  ::  Log in Log in to check your private messages
 
RSS Feed - WebSphere MQ Support RSS Feed - Message Broker Support

MQSeries.net Forum Index » General IBM MQ Support » MQSeries 5.2 authorization in Solaris

Post new topic  Reply to topic
 MQSeries 5.2 authorization in Solaris « View previous topic :: View next topic » 
Author Message
mohan
PostPosted: Fri Aug 03, 2001 7:28 am    Post subject: Reply with quote

Newbie

Joined: 02 Aug 2001
Posts: 3
Location: Mohan Nagarajan

I am new to solaris. We had installed MQseries 5.2 in solaris. Qmanager and Queues were defined by a id which was part of mqm group. We try to access these objects with another id which is also part of mqm group we get authorization failure. we can't execute runmqsc command. The objects were defined without any security oprion. Any help on this would greatly be appriciated.

Back to top
View user's profile Send private message
bduncan
PostPosted: Fri Aug 03, 2001 8:50 am    Post subject: Reply with quote

Padawan

Joined: 11 Apr 2001
Posts: 1554
Location: Silicon Valley

Mohan,
A couple of things. First, if a group has permission to access an MQ object (queue, queue manager, etc) and you add or remove users from that group, the authorities on that MQ object that those users have aren't always updated automatically. It used to be that you had to restart the queue manager to get the permissions on such objects to update, but as of MQSeries 5.2 there is a command called REFRESH SECURITY that you can use. This will force a refresh of the authorization cache. Try this. If you still have problems, then perhaps the user mqm has permission on the objects but the group mqm does not. To check this, you can use a command called dspmqaut. If you installed MQSeries correctly, you should have a man page on it. But essentially it tells you about authorizations on an MQ object with respect to a user or group. In other words, if I type:
dspmqaut -t qmgr -g mqm
This will display the permissions that members of the group mqm have on the Queue Manager itself. Keep in mind that having permission on the queue manager means you can run programs like runmqsc, but it doesn't necessarily mean you have any permissions on queues or other objects that belong to that queue manager. If you find that the permissions aren't set up the way you want, you can use another program setmqaut, which also has a man page, and it will allow you to set permissions for users and/or groups on various MQ objects. Keep in mind that after issuing setmqaut you might still have to go into runmqsc and type REFRESH SECURITY before it will take effect.


_________________
Brandon Duncan
IBM Certified MQSeries Specialist
MQSeries.net forum moderator
Back to top
View user's profile Send private message Visit poster's website AIM Address
mohan
PostPosted: Fri Aug 03, 2001 10:33 am    Post subject: Reply with quote

Newbie

Joined: 02 Aug 2001
Posts: 3
Location: Mohan Nagarajan

Brandon,
Thnx for getting back. I tested the group (mqm) permission and it has all. When we type groups for the id I am using mqm is part of it but it is not the primary group.
Here is one more thing we did. We granted explicit authority for the id to perform all action for the queue manager. After this we are able to run runmqsc command. But now we have access problems to the queues in that Q Manager. We don't want to grant access to individual id for each object. We want to grant the group the authorization and everyone in the group should get it.
Thanks for Refresh command. We tried both Refresh command and restrated the Qmgr. Nothing works. Any thoughts??!!
Does it matter if mqm is not the primary group?

Thnx
Mohan
Back to top
View user's profile Send private message
bduncan
PostPosted: Fri Aug 03, 2001 12:06 pm    Post subject: Reply with quote

Padawan

Joined: 11 Apr 2001
Posts: 1554
Location: Silicon Valley

Mohan,
When you installed the MQSeries product, did you make sure to create the user mqm and the group mqm? Did you also make sure that you created the queue manager as mqm? In other words, when you issued the crtmqm command to build the queue manager, were you logged in as root or mqm at the time? It is very important that whenever you create queue managers or objects that you are either user mqm, or logged in as a user that is a member of group mqm. Also, the group mqm must be user mqm's primary group. As far as other users go, they only need to have the group mqm listed as a supplementary group. There is no need to make mqm their primary group. For instance, we had root as a member of group mqm, but his primary group was still "system". You say that you are having problems with individual queues. If you issue a command like:
dspmqaut -n queuename -t queue -g mqm
What sort of permissions do you see? Does the actual group have the necessary permissions? If so, then issue the same dspmqaut command but supply -p instead of -g and use the name of one of the users that is in the mqm group. Whatever permissions you saw for the group, you should also see for the user who is a member of the group. If the output from the two dspmqaut commands are different, then either your cache is incorrect (in which case a REFRESH SECURITY and/or REFRESH CACHE should fix it) or you have a more severe problem, in which case I would recommend rebuilding the queue manager from scratch, making sure to do everything as user mqm.


_________________
Brandon Duncan
IBM Certified MQSeries Specialist
MQSeries.net forum moderator
Back to top
View user's profile Send private message Visit poster's website AIM Address
mohan
PostPosted: Mon Aug 06, 2001 9:45 am    Post subject: Reply with quote

Newbie

Joined: 02 Aug 2001
Posts: 3
Location: Mohan Nagarajan

Brandon,
You sought of pointed us in the right direction. We sat with the unix administartor and found that they had defined mqm id but not the group in the box the MQ was installed. They are using NIS product and defined the group there. Once the group was defined locally everything was fine. Thanks for your help.

Mohan
Back to top
View user's profile Send private message
Display posts from previous:   
Post new topic  Reply to topic Page 1 of 1

MQSeries.net Forum Index » General IBM MQ Support » MQSeries 5.2 authorization in Solaris
Jump to:  



You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
Protected by Anti-Spam ACP
 
 


Theme by Dustin Baccetti
Powered by phpBB © 2001, 2002 phpBB Group

Copyright © MQSeries.net. All rights reserved.