MQSeries.net Forum Index » IBM MQ Performance Monitoring » MQJExplorer and authorization

MQJExplorer and authorization
cmdmqm
Posted: Mon Mar 04, 2002 4:47 am
Hi,

normally (with the MQExplorer delivered with the Win2k version of MQ) you can remotely access a queue manager (in our case: on OS400) when the user id from Win2k is the same as the user id on the server and this user id on the server has QMQADM rights.

Now, with the MQJExplorer, you can remotely access queue managers even without having any rights on that machine. E.g. a colleague of mine can't access the AS400 from MQExplorer (not authorized), but he can with MQJExplorer, on the same W2k machine, at the same time, with the same user (but his user differs from the one he has on OS400, whereas my user ids are identical).

- What is the trick of MQJExplorer to get the necessary authorizations?

- How can I make MQ more secure in a way that the command server is running, but just gives access to people who should access?

Regards,
Guenther
hopfe_de
Posted: Mon Mar 04, 2002 9:53 am
Hey,
check out which channel the MQJExplorer uses on the AS/400, and remove the MCA user id if it is set.


Greets,
Hopfe
mqonnet
Posted: Mon Mar 04, 2002 10:46 am
As far as I understand, MQ, or rather any software product for that matter, does not change the basic functionality. I have not used MQJExplorer, but would assume that it would behave as MQExplorer only.
As for your problem, I would stress the MCA user id on the SVRCONN channel on AS/400. Check to see if you have set it to any specific value. If it is blank, then that means any person trying to get in can do so. And my bet would be that you might have removed the check from here and thus your friend is able to get in. If you want only specific groups/members to be able to connect to your QM on AS/400, you need to assign that group/member in the MCAUSER attribute of the SVRCONN channel.

As for the command server question:
setmqaut could be used to set permissions of specific objects for a QM. That way you could filter out users who should be able to access the objects. I am not aware of any such permissions/utilities for the command server specifically. What happens this way is that any PCF command request serviced by the command server would be filtered because of the permissions on that specific object, say a queue.

Hope this Helps.

Cheers.
Kumar

_________________
IBM Certified WebSphere MQ V5.3 Developer
IBM Certified WebSphere MQ V5.3 Solution Designer
IBM Certified WebSphere MQ V5.3 System Administrator
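
Kumar's advice above is to check the MCAUSER of the SVRCONN channel, because a blank value means the queue manager runs the connection under whatever user id the client flows. The script below is an added example, not code from this thread or from IBM MQ: it parses the kind of output `DISPLAY CHANNEL(*) CHLTYPE(SVRCONN) MCAUSER` produces under `runmqsc` on Windows/UNIX, lists every SVRCONN channel whose MCAUSER is blank, and generates the MQSC `ALTER CHANNEL` statements that pin each one to a fixed id. The sample output, the non-SYSTEM channel names, and the choice of `nobody` as the replacement MCAUSER are constructed assumptions; on a live system the text would come from `echo "DISPLAY CHANNEL(*) CHLTYPE(SVRCONN) MCAUSER" | runmqsc QMNAME`, and the IBM i CL command output has a different layout that this parser does not handle.

```python
import re

# Constructed sample in the style of runmqsc "DISPLAY CHANNEL(*) CHLTYPE(SVRCONN)
# MCAUSER" output; not captured from a real queue manager.
SAMPLE_RUNMQSC_OUTPUT = """\
AMQ8414: Display Channel details.
   CHANNEL(SYSTEM.DEF.SVRCONN)             CHLTYPE(SVRCONN)
   MCAUSER( )
AMQ8414: Display Channel details.
   CHANNEL(SYSTEM.ADMIN.SVRCONN)           CHLTYPE(SVRCONN)
   MCAUSER(nobody)
AMQ8414: Display Channel details.
   CHANNEL(APP.SVRCONN)                    CHLTYPE(SVRCONN)
   MCAUSER(appuser)
AMQ8414: Display Channel details.
   CHANNEL(EXPLORER.SVRCONN)               CHLTYPE(SVRCONN)
   MCAUSER( )
"""

# runmqsc prints attributes as NAME(value); a blank value shows as "( )".
ATTR_RE = re.compile(r"([A-Z]+)\(([^)]*)\)")


def parse_channels(text):
    """Split runmqsc output into one dict of attributes per channel record."""
    channels = []
    current = None
    for line in text.splitlines():
        if line.startswith("AMQ8414"):      # header line that opens each channel record
            current = {}
            channels.append(current)
            continue
        if current is None:
            continue
        for name, value in ATTR_RE.findall(line):
            current[name] = value.strip()  # "MCAUSER( )" -> ""
    return channels


def find_open_svrconn(channels):
    """Names of SVRCONN channels with a blank MCAUSER.

    With a blank MCAUSER the queue manager authorises the connection under
    the user id the client asserted, so these are the channels to fix."""
    return [c["CHANNEL"] for c in channels
            if c.get("CHLTYPE") == "SVRCONN" and c.get("MCAUSER", "") == ""]


def remediation_mqsc(channel_names, mcauser="nobody"):
    """MQSC ALTER statements that pin each open channel to a fixed low-privilege id.

    'nobody' is an assumed id with no MQ authority; pick whatever fits the site."""
    return ["ALTER CHANNEL('%s') CHLTYPE(SVRCONN) MCAUSER('%s')" % (name, mcauser)
            for name in channel_names]


if __name__ == "__main__":
    open_channels = find_open_svrconn(parse_channels(SAMPLE_RUNMQSC_OUTPUT))
    print("SVRCONN channels with blank MCAUSER:", open_channels)
    for stmt in remediation_mqsc(open_channels):
        print(stmt)
```

Once MCAUSER is fixed, the object-level authorities Kumar mentions (`setmqaut`) are what decide what that id may do; a blank MCAUSER makes those authorities only as strong as the user id the client chooses to send.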
cmdmqm
Posted: Tue Mar 05, 2002 2:53 am
Hi,

MCAUSRID was not set. But that doesn't mean that everybody comes in - actually no one comes in except when the person uses either MQJExplorer or has the same user id on W2k as on OS400. My question was: Why do MQExplorer and MQJExplorer behave differently here?

Bye
Guenther
mqonnet
Posted: Tue Mar 05, 2002 5:08 am
Check on the AS/400 to see if your friend's user id from Win2K is added to the mqm group or is granted access to use mqm objects. If you don't have the MCA user id set, then this could be the other possibility.

Cheers.
Kumar

cmdmqm
Posted: Tue Mar 05, 2002 6:06 am
Hi,

his user does not exist anywhere on the AS400, neither as a user on the AS400, nor for MQSeries (I used amqoamd to verify that), nor in any other software running on the AS400. That's why MQExplorer doesn't give him access (and behaves 'correctly' in that manner). When I *set* MCAUSRID to a user that exists on the AS400, MQExplorer has access, too. When I delete MCAUSRID, access is taken away.

To emphasize it: MQExplorer doesn't work with this user when no MCAUSRID is set. When MQJExplorer is started on the same machine with the same user and the same settings on the AS400, it gets access. Maybe it uses some 'general' user id?

Bye
Günther
mqonnet
Posted: Tue Mar 05, 2002 7:00 am
When there is no user set in the MCAUSER attribute on AS/400, it would always try to match the user id coming in with the default user on AS/400, which would be your friend's Win2K user id. I am not quite sure of MQJExplorer, but I would have thought it would work similarly to MQExplorer. Looking at all the setup you have described, it sure looks as if MQJExplorer is probably mapping the user id on Win2k to the user id it is expecting on AS/400. Not really sure about it, and I would suggest you verify this with IBM.

Cheers.
Kumar

cmdmqm
Posted: Tue Mar 05, 2002 11:48 pm
Hi,

thanks for your help - I will ask IBM to verify how this works in detail.

Bye
Günther
mrlinux
Posted: Tue Mar 12, 2002 10:30 am
You could try an MQ trace and see which ID the AS/400 is trying to verify.

_________________
Jeff

IBM Certified Developer MQSeries
IBM Certified Specialist MQSeries
IBM Certified Solutions Expert MQSeries
cmdmqm
Posted: Tue Mar 19, 2002 5:06 am
Hi,

something I didn't test before, but which is of course obvious: When I put a sample message in a queue, I'm able to see which user did that: MQExplorer puts with the NT/W2k user when no MCA user id is set, and with this user id when it's set. MQJExplorer creates a message with user "mqm" on our AIX, and "QMQM" on AS400, and with the MCA user id set, the message contains that user id.

The other property where the MQE and MQJE messages differ is the accounting token. With MQJE there are just 0s (nulls) if an MCA user id is set, and if this user id is not set, the accounting token is "0F40404040404040404040404040404000000000000000000000000000000008". The accounting token of MQE looks more "stochastic" - I don't know if this means anything.

So for me there are two possibilities: MQJE detects which OS is on the server and sets the user id to the standard mq user of that respective platform, or it doesn't submit any user id, which causes the server to set a default. Does someone know which is the case?

Bye
Günther

PS: Which options do I have to set for tracing if I just want to get information about the authentication process?
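
Günther asks above whether the accounting token on the MQJExplorer message means anything. As an added example, not part of the thread, the script below decodes that token using the MQMD AccountingToken layout that IBM documents for Windows, UNIX and IBM i (first byte = length of the accounting data, then the data, zero padding, last byte = token type from the MQACTT_* constants in cmqc.h). Read that way, the token from the post is 15 bytes of EBCDIC blanks (0x40), i.e. an empty 15-character OS/400 accounting code, followed by type 0x08 (MQACTT_OS400_ACCOUNT_TOKEN), which fits a message whose MQMD was filled in on the OS/400 side under the QMQM user rather than one carrying a token built by the Windows client. The layout, the constant names and that reading are from my knowledge of MQ, not something the thread states; the all-zero case is the "0s (nulls)" Günther sees when an MCA user id is set.

```python
# Accounting token quoted in the post above, as a hex string (value from the thread).
TOKEN_FROM_POST = "0F40404040404040404040404040404000000000000000000000000000000008"

# Token-type values for the last byte, from the MQACTT_* constants in cmqc.h.
# Only the types relevant to this thread are listed.
ACCOUNTING_TOKEN_TYPES = {
    0x00: "MQACTT_UNKNOWN",
    0x08: "MQACTT_OS400_ACCOUNT_TOKEN",
    0x0B: "MQACTT_NT_SECURITY_ID",
}


def decode_accounting_token(hex_token):
    """Decode a 32-byte MQMD AccountingToken.

    Layout documented for Windows, UNIX and IBM i: byte 0 holds the length of
    the accounting data (0..30), bytes 1..length hold that data, the rest is
    zero padding, and byte 31 is the token type."""
    raw = bytes.fromhex(hex_token)
    if len(raw) != 32:
        raise ValueError("accounting token must be 32 bytes, got %d" % len(raw))
    length = raw[0]
    if length > 30:
        raise ValueError("length byte %d exceeds the 30 data bytes available" % length)
    data = raw[1:1 + length]
    token_type = raw[31]
    return {
        "length": length,
        "data_hex": data.hex(),
        # 0x40 is the EBCDIC space; an all-0x40 field is a blank accounting code.
        # cp037 is Python's EBCDIC codec, used here only to render the text.
        "data_text": data.decode("cp037"),
        "data_is_ebcdic_blank": len(data) > 0 and all(b == 0x40 for b in data),
        "type": token_type,
        "type_name": ACCOUNTING_TOKEN_TYPES.get(token_type, "unknown (0x%02X)" % token_type),
        "all_zero": all(b == 0 for b in raw),
    }


def describe(hex_token):
    """One-line summary suitable for comparing tokens from different clients."""
    info = decode_accounting_token(hex_token)
    if info["all_zero"]:
        return "no accounting token set (all zero)"
    blank = " (blank)" if info["data_is_ebcdic_blank"] else ""
    return "%s, %d data byte(s)%s" % (info["type_name"], info["length"], blank)


if __name__ == "__main__":
    print(describe(TOKEN_FROM_POST))
    print(describe("00" * 32))
```

What the token tells you is where the MQMD was filled in, not who was authenticated: at this level MQ trusts the user id the client flows, so the control that matters is still the MCAUSER on the SVRCONN channel discussed earlier in the thread, and the MQ trace mrlinux suggests is the way to see which id the AS/400 actually checked.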