MQMD.UserIdentifier
muralidhar
Posted: Wed Mar 20, 2002 4:49 pm

Acolyte

Joined: 28 Feb 2002
Posts: 50

We have two MQSeries servers on two WIN 2K machines. MQServer1 has a Queue Manager QM1 and QM1 has two queues Q1 and Q2 (Q1 is remote queue def for a queue defined on QM2 on MQserver2 and Q2 is local). MQServer2 has a Queue Manager QM2 and has two queues Q1 and Q2 (Q1 is local and Q2 is remote queue def for a queue defined on MQ1 on MQServer1). We defined channels and channels are in running state.

Functionality required is when we put a message on remote queue Q1 on QM1, the message should be transmitted to Q1 on QM2. If message expires before MQGET call, then it should send a report message to Q2 on QM1. For that we specified Q2 in ReplytoQueue field. When the message expires on Q1 on QM2, Queue manager is using the userIdentifier associated with the message to put the report message on Q2. Everything works fine when application userid has the authority to put the messages on the queues.

I need your help for the following scenario:
We need to authorise a different userid to put messages on remote queue Q2 on QM2. And application running on the machine same as MQServer1 should pass this userid through MQMD.userIdentifier so that this value will be used when the message expires on Q1 on QM2.
When putting the message we are setting MQPMO_SET_IDENTITY_CONTEXT in Put message Options.

When we do this, report message is ending up in dead letter queue on QM2 with DLQ Header MQRC_NOT_AUTHORIZED. This seems to be a security problem but the user identifier associated with MQMD has authority to put the message on Q2.
We tested this by putting a test message directly on Q2 from a remote machine.

I am not able to find out why the QManager is not able to put the message when there is proper authority. Your help is appreciated.

Thanks.


[ This Message was edited by: muralidhar on 2002-03-20 16:50 ]
mrlinux
Posted: Wed Mar 20, 2002 6:58 pm

Grand Master

Joined: 14 Feb 2002
Posts: 1261
Location: Detroit,MI USA

Which version of MQSeries are you running?

V5.1 and older will require the QManager to be recycled after the user is added.
V5.2 you can refresh security from the runmqsc command
runmqsc
refresh security

_________________
Jeff

IBM Certified Developer MQSeries
IBM Certified Specialist MQSeries
IBM Certified Solutions Expert MQSeries
muralidhar
Posted: Thu Mar 21, 2002 12:59 pm

Acolyte

Joined: 28 Feb 2002
Posts: 50

I am using MQSeries V5.2. Later on I observed the user identifier that is passed with MQMD structure should be in MQM group on the remote machine. After I added that useridentifier to mqm group, it is working. Is there any way that I can use a userIdentifier without adding to MQM Group?

Thanks
mrlinux
Posted: Thu Mar 21, 2002 1:53 pm

Grand Master

Joined: 14 Feb 2002
Posts: 1261
Location: Detroit,MI USA

You can use the setmqaut command to allow users to have specific rights to queues.

To Set access
setmqaut -m QMGR_NAME -t q -n QUEUE.NAME -p USERID +all
setmqaut -m QMGR_NAME -t q -n QUEUE.NAME -g GROUP_ID +all

To Display access
dspmqaut -m QMGR_NAME -t q -n QUEUE.NAME -p USERID

There are more granular settings than +all; if you do the dspmqaut command it will show all the possibilities.

NOTE: After setmqaut command YOU MUST REFRESH SECURITY FOR IT TO TAKE EFFECT.

_________________
Jeff

IBM Certified Developer MQSeries
IBM Certified Specialist MQSeries
IBM Certified Solutions Expert MQSeries
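
Added example (not part of the original thread): a small shell helper that reads dspmqaut output and lists which required authorities a principal still lacks, so the granular settings can be checked instead of granting +all. The sample output, the principal name appuser, and the authority lists checked (put and setid on the queue, connect and setid on the queue manager) are constructed assumptions for a put that sets identity context.

```shell
#!/bin/sh
# Added example, not from the thread. Reads dspmqaut output on stdin and
# prints the authorities named in "$1" that are NOT granted
# (an empty result means every required authority is present).
missing_auths() {
    required=$1
    # Authorities are listed one per line, indented, below the "Entity ..." header.
    granted=$(sed -n 's/^[[:space:]][[:space:]]*\([a-z][a-z]*\)[[:space:]]*$/\1/p')
    missing=""
    for auth in $required; do
        printf '%s\n' "$granted" | grep -qxF "$auth" || missing="$missing $auth"
    done
    printf '%s\n' "${missing# }"
}

# Constructed sample (layout assumed): put is granted on the queue, setid is not.
sample_queue() {
    cat <<'EOF'
Entity appuser has the following authorizations for object Q2:
        put
        inq
EOF
}

# Constructed sample (layout assumed): queue manager object with connect and setid.
sample_qmgr() {
    cat <<'EOF'
Entity appuser has the following authorizations for object QM1:
        connect
        inq
        setid
EOF
}

# Against a live queue manager (placeholders as in the post above):
#   dspmqaut -m QMGR_NAME -t qmgr -p USERID | missing_auths "connect setid"
#   dspmqaut -m QMGR_NAME -t q -n QUEUE.NAME -p USERID | missing_auths "put setid"
echo "queue missing: $(sample_queue | missing_auths 'put setid')"
echo "qmgr  missing: $(sample_qmgr | missing_auths 'connect setid')"
```

Run the same check against the transmission queue on each queue manager, since the later replies ask about its permissions as well.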
muralidhar
Posted: Mon Mar 25, 2002 10:01 am

Acolyte

Joined: 28 Feb 2002
Posts: 50

I gave all permissions to the userid that I am passing thru MQMD Structure. I refreshed the security cache using runmqsc command. When I open the remote queue to put the message I am using option MQOO_SET_IDENTITY_CONTEXT. In Put message options I set MQPMO_SET_IDENTITY_CONTEXT. When I tried opening the queue, I am getting security error. Application is running under different userid with all permissions. But when I add the userids to MQM group, everything works fine.
I wonder is it mandatory for the userid to be in MQM group if application opens the queue with MQOO_SET_IDENTITY_CONTEXT option. Please let me know the minimum set of rights required for putting a message.

I appreciate all your help.
mrlinux
Posted: Mon Mar 25, 2002 10:50 am

Grand Master

Joined: 14 Feb 2002
Posts: 1261
Location: Detroit,MI USA

Did you set the Authorities for the Transmit queue that the queue remote is pointing to?

_________________
Jeff

IBM Certified Developer MQSeries
IBM Certified Specialist MQSeries
IBM Certified Solutions Expert MQSeries
muralidhar
Posted: Mon Mar 25, 2002 11:41 am

Acolyte

Joined: 28 Feb 2002
Posts: 50

I set permissions for transmit Q. I am getting a problem when I am opening the remote queue. I think if there are not enough permissions on transmission queue, then message should go to dead letter queue from remote queue but should not fail to open the remote queue. Please correct me if I am wrong.

Thanks
mrlinux
Posted: Mon Mar 25, 2002 1:00 pm

Grand Master

Joined: 14 Feb 2002
Posts: 1261
Location: Detroit,MI USA

Did you set permissions to connect to the qmanager?

If the permissions are not correct on the Transmit Q then it will fail the MQPUT and will not go to the dead queue.
_________________
Jeff

IBM Certified Developer MQSeries
IBM Certified Specialist MQSeries

[ This Message was edited by: mrlinux on 2002-03-25 13:01 ]