MS03 Client Authorities?
rb462627
Posted: Tue Sep 13, 2005 4:45 am    Post subject: MS03 Client Authorities?
Novice
Joined: 23 Apr 2004    Posts: 23    Location: Hartford, CT

I'm attempting to run the MS03 Client across a channel we've locked down security on and not having much success.
Didn't believe MS03 needed much authority, but was wondering if anyone knew specifically WHAT authorities it does need?
Specifics as follows:
Channel/TCP/Servername:
SET MQSERVER=MO71.VIEW/TCP/ERDHFDMQS901
Command:
saveqmgrc -m HIGIDGQ2 -f HIGIDGQ2_MS03.txt -R 2>>HIGIDGQ2_OUTPUT_LOG.txt
O/P File:
*
* This file generated by SAVEQMGR V6.0.0a on 2005-09-12 at 14.24.33 hours.
*
* QMNAME (HIGIDGQ2) +
* CRDATE (2003-08-21) +
* CRTIME (17.05.15) +
* ALTDATE (2003-08-26) +
* ALTTIME (15.23.40) +
* QMID (HIGIDGQ2_2003-08-21_17.05.15) +
* CMDLEVEL (530) +
* DISTL (YES) +
* MAXPRTY (9) +
* PLATFORM (WINDOWSNT) +
* SYNCPT +
* COMMANDQ (SYSTEM.ADMIN.COMMAND.QUEUE) +
ALTER QMGR +
AUTHOREV(DISABLED) +
DEADQ('SYSTEM.DEAD.LETTER.QUEUE') +
DEFXMITQ('HIGHUBQA.XMITQ') +
DESCR(' ') +
INHIBTEV(DISABLED) +
LOCALEV(DISABLED) +
MAXHANDS(256) +
MAXUMSGS(10000) +
PERFMEV(ENABLED) +
REMOTEEV(DISABLED) +
STRSTPEV(ENABLED) +
TRIGINT(300000) +
MAXMSGL(104857600) +
CHAD(DISABLED) +
CHADEV(DISABLED) +
CHADEXIT(' ') +
CCSID(437) +
CLWLEXIT(' ') +
CLWLDATA(' ') +
REPOS(' ') +
REPOSNL(' ') +
CLWLLEN(100) +
SSLCRLNL (' ') +
SSLKEYR ('E:\Programs\MQSeries\qmgrs\HIGIDGQ2\ssl\key') +
FORCE
* === > Processing Aborted, output file may be incomplete
Log File Contents:
SAVEQMGR V6.0.0a
Compiled for Websphere MQ V6.0 on Aug 30 2005
With no client connection information specified.
Requesting attributes of the queue manager...
Writing Queue Manager definition to HIGIDGQ2_MS03.txt.
Generating attributes for Websphere MQ Release 5.3.0
Requesting attributes of all authinfo objects...
Requesting attributes of all queues...
Requesting attributes of all channels...
Requesting attributes of all processes...
Requesting attributes of all namelists...
Got bad PCF response message
Type = 2
StrucLength = 36
Version = 1
Command = 83
MsgSeqNumber = 1
Control = 0
CompCode = 2
Reason = 2035
ParameterCount = 0
Processing Aborted, output file may be incomplete
MQAUTH Settings:
setmqaut -m HIGIDGQ2 -t qmgr -p MO71VIEW +dsp +inq +connect
setmqaut -m HIGIDGQ2 -n *.** -t q -p MO71VIEW +dsp +inq +browse
setmqaut -m HIGIDGQ2 -n *.** -t nl -p MO71VIEW +dsp +inq
setmqaut -m HIGIDGQ2 -n *.** -t prcs -p MO71VIEW +dsp +inq
setmqaut -m HIGIDGQ2 -n SYSTEM.ADMIN.COMMAND.QUEUE -t q -p MO71VIEW +dsp +inq +put
setmqaut -m HIGIDGQ2 -n SYSTEM.DEFAULT.MODEL.QUEUE -t q -p MO71VIEW +allmqi +dsp
Channel Definition:
AMQ8414: Display Channel details.
CHANNEL(MO71.VIEW) CHLTYPE(SVRCONN)
TRPTYPE(TCP) DESCR(Adminstrative Use Only)
SCYEXIT( ) MAXMSGL(104857600)
SCYDATA( ) HBINT(30)
SSLCIPH( ) SSLCAUTH(REQUIRED)
KAINT(AUTO) MCAUSER(MO71VIEW)
ALTDATE(2005-05-12) ALTTIME(11.03.0
SSLPEER()
SENDEXIT( )
RCVEXIT( )
SENDDATA( )
RCVDATA( )
Sorry for the long post...
Thanks,
_________________
Ralph Beckers
IBM Certified Specialist - MQSeries
IBM Global Services - The Hartford Account
Office #: 860.547.4745
ralph.beckers@thehartford.com
rbeckers@us.ibm.com
"No! Try Not. Do. Or Do Not... There Is No Try!" Master Yoda
wschutz
Posted: Tue Sep 13, 2005 5:52 am
Jedi Knight
Joined: 02 Jun 2005    Posts: 3316    Location: IBM (retired)

83 is INQUIRE_AUTH_INFO ..... try giving authority for +dsp to -t authinfo
Quote:
    * This file generated by SAVEQMGR V6.0.0a
You must be working with Peter
_________________
-wayne
Nigelg
Posted: Tue Sep 13, 2005 6:53 am
Grand Master
Joined: 02 Aug 2004    Posts: 1046

On Windows the system error msgs for authority failures contain the authorities that are missing.
_________________
MQSeries.net helps those who help themselves..
rb462627
Posted: Wed Sep 14, 2005 8:57 am    Post subject: MS03 Client Authorities?
Novice
Joined: 23 Apr 2004    Posts: 23    Location: Hartford, CT

Thanks for the feedback folks...
I've gotten around my authorities issue with the SYSTEM.DEFAULT.AUTHINFO.CRLLDAP queue via
setmqaut -m HIGIDGQ2 -n SYSTEM.DEFAULT.AUTHINFO.CRLLDAP -t authinfo -p MO71VIEW +dsp
Now I'm stuck on SYSTEM.AUTH.DATA.QUEUE not authorized to access the required object. The following requested permissions are unauthorized: dsp
Even though I setmqaut for +dsp on this queue, it doesn't seem to take.
Seem to recall this is a "special" queue; one needs to be in the "mqm" group to access this queue?
If so I guess we'll have to take a different approach as we want to lock down access on this (MO71VIEW) channel.
Comments?
Thanks,
_________________
Ralph Beckers
RogerLacroix
Posted: Wed Sep 14, 2005 3:15 pm
Jedi Knight
Joined: 15 May 2001    Posts: 3264    Location: London, ON Canada

Hi Ralph,
MQ Security Rule # 1: Nobody, absolutely nobody is allowed access to SYSTEM.AUTH.DATA.QUEUE except for mqm.
Regards,
Roger Lacroix
_________________
Capitalware: Transforming tomorrow into today.
Connected to MQ!
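A small diagnostic that ties Wayne's decoding of command 83 to Roger's rule, added here as an illustration and not part of any post or of the MS03 utility: it parses the two failure messages quoted earlier in the thread and either emits the least-privilege setmqaut grant (for the PCF inquire failure) or refuses to suggest one (for SYSTEM.AUTH.DATA.QUEUE). The PCF_COMMAND table is a partial table from IBM's constant headers, and the Windows-message path assumes the failing object is a queue, since that message does not carry the object type.

```python
import re

# Partial lookup tables from IBM's PCF/MQI constant headers (cmqcfc.h, cmqc.h); only the codes
# this diagnosis needs. Each inquire command is paired with the setmqaut -t type that needs +dsp.
PCF_COMMAND = {7: ("MQCMD_INQUIRE_PROCESS", "prcs"), 13: ("MQCMD_INQUIRE_Q", "q"),
               25: ("MQCMD_INQUIRE_CHANNEL", "channel"), 36: ("MQCMD_INQUIRE_NAMELIST", "nl"),
               83: ("MQCMD_INQUIRE_AUTH_INFO", "authinfo")}
MQRC_NOT_AUTHORIZED = 2035
# SYSTEM.AUTH.DATA.QUEUE holds the queue manager's ACL (the stored results of setmqaut);
# it stays mqm-only, so a dsp failure on it is never fixed by a grant.
NEVER_GRANT = {"SYSTEM.AUTH.DATA.QUEUE"}

def parse_pcf_failure(log_text):
    """Return the 'Got bad PCF response message' fields as {name: int}, or None."""
    m = re.search(r"Got bad PCF response message\r?\n((?:\s*\w+ = -?\d+)+)", log_text)
    if not m:
        return None
    return {k: int(v) for k, v in re.findall(r"(\w+) = (-?\d+)", m.group(1))}

def parse_windows_failure(log_text):
    """Return (object, missing_permission) from the Windows-style authority message, or None."""
    m = re.search(r"(\S+) not authorized to access the required object\."
                  r".*?requested permissions are unauthorized: (\w+)", log_text, re.S)
    return (m.group(1), m.group(2)) if m else None

def diagnose(log_text, qmgr, principal):
    """Turn a saveqmgrc failure into the least-privilege setmqaut it needs, or a refusal."""
    pcf = parse_pcf_failure(log_text)
    if pcf is not None:
        cmd, obj_type = PCF_COMMAND.get(pcf["Command"], ("MQCMD_%d" % pcf["Command"], None))
        grant = None
        if pcf["Reason"] == MQRC_NOT_AUTHORIZED and obj_type:
            grant = "setmqaut -m %s -n *.** -t %s -p %s +dsp" % (qmgr, obj_type, principal)
        return {"command": cmd, "reason": pcf["Reason"], "grant": grant}
    win = parse_windows_failure(log_text)
    if win is not None:
        obj, perm = win
        refused = obj in NEVER_GRANT
        # Assumption: the Windows message names no object type, so a queue (-t q) is assumed.
        return {"object": obj, "missing": perm, "grant": None if refused else
                "setmqaut -m %s -n %s -t q -p %s +%s" % (qmgr, obj, principal, perm)}
    return None

# Constructed sample input: the PCF block and the Windows message quoted in this thread.
PCF_LOG = ("Requesting attributes of all namelists...\nGot bad PCF response message\n"
           "Type = 2\nStrucLength = 36\nVersion = 1\nCommand = 83\nMsgSeqNumber = 1\n"
           "Control = 0\nCompCode = 2\nReason = 2035\nParameterCount = 0\n"
           "Processing Aborted, output file may be incomplete\n")
WIN_LOG = ("SYSTEM.AUTH.DATA.QUEUE not authorized to access the required object. "
           "The following requested permissions are unauthorized: dsp")
```

Running diagnose(PCF_LOG, "HIGIDGQ2", "MO71VIEW") yields the authinfo +dsp grant Wayne suggested, while the SYSTEM.AUTH.DATA.QUEUE message comes back with no grant at all.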
PeterPotkay
Posted: Wed Sep 14, 2005 5:02 pm
Poobah
Joined: 15 May 2001    Posts: 7722

Yeah, I thought that might be it. So exactly what does MS03 need with the SYSTEM.AUTH.DATA.QUEUE? Is it just display, as the error indicates. Why in the world is the display of SYSTEM.AUTH.DATA.QUEUE limited to mqm? What harm can come from that?
If there is no way around it, then we gotta get the client MS03 scripts working with MQAUSX (Roger's Security Exit), so we contact each QM over a secure channel that also allows mqm rights. Unfortunately, we designed our MS03 client scripts to set the MQSERVER variable before each connection attempt. No exits allowed for clients with MQSERVER.
Soooo, it looks like making a monster channel table, and coding MQAUSX in each entry, and rewriting our scripts. Unless, hmmmm, what if MS03 in client mode could be invoked a la the MQCONNX call?
Hey Wayne, there's an enhancement I think would be real useful. Allow the client version of the utility to be called with flags that allow us to set things like hostname, channel name, port number, security exit, security user data, etc. Actually, all the fields that good ol' MO71 allows us to set for its client connections. puh-lease????
_________________
Peter Potkay
Keep Calm and MQ On
wschutz
Posted: Wed Sep 14, 2005 5:28 pm
Jedi Knight
Joined: 02 Jun 2005    Posts: 3316    Location: IBM (retired)

All the fields? Today, you can specify this:
Code:
    If either the -a or -x switch is used, then MQCONNX will be used for the client connection
    -a host : is the address of the host for a client connection (default is "localhost")
    -x channel : is the SVRCONN name for a client connection (default is "SYSTEM.DEF.SVRCONN")
    -C cipher spec : indicates to use an SSL cipher spec for this client connection
    -k key repository : name of key respository directory if using SSL for client connection
so at least two more flags (scyexit and data?)
_________________
-wayne
PeterPotkay
Posted: Wed Sep 14, 2005 5:46 pm
Poobah
Joined: 15 May 2001    Posts: 7722

Where is that? I looked in the read.me file after downloading MS03, and none of those flags are listed, but a bunch of others are.
But yes, if -a and -x exist, and -a allows the port # (i.e. hostname(1415)) then adding 2 new ones for scyexit and data would be peachy keen. I really don't have a need for all the other MQCONNX parms, but who knows, sooner or later maybe someone else will?
_________________
Peter Potkay
wschutz
Posted: Wed Sep 14, 2005 5:51 pm
Jedi Knight
Joined: 02 Jun 2005    Posts: 3316    Location: IBM (retired)

Quote:
    Where is that? I looked in the read.me file
Well... it will be, but you should be able to get them from "saveqmgrc -h".
Quote:
    ...then adding 2 new ones for scyexit and data would be peachy keen.
Well.. maybe we'll just start with allowing all the exits and their data.... give me a short spell......
_________________
-wayne
RogerLacroix
Posted: Wed Sep 14, 2005 7:16 pm
Jedi Knight
Joined: 15 May 2001    Posts: 3264    Location: London, ON Canada

PeterPotkay wrote:
    Yeah, I thought that might be it. So exactly what does MS03 need with the SYSTEM.AUTH.DATA.QUEUE? Is it just display, as the error indicates. Why in the world is the display of SYSTEM.AUTH.DATA.QUEUE limited to mqm? What harm can come from that?
If you can read SYSTEM.AUTH.DATA.QUEUE queue then you can figure what users or groups have particular access to a queue, hence, a bad boy could drop a message on a queue to credit their account for say $10 million.
For those that don't know, the SYSTEM.AUTH.DATA.QUEUE queue contains the ACL (Access Control List) for that particular queue manager. In plain English, it is where the queue manager stores the results of setmqaut commands.
PeterPotkay wrote:
    Soooo, it looks like making a monster channel table, and coding MQAUSX in each entry, and rewriting our scripts. Unless, hmmmm, what if MS03 in client mode could be invoked a la the MQCONNX call?
    Hey Wayne, there's an enhancement I think would be real useful. Allow the client version of the utility to be called with flags that allow us to set things like hostname, channel name, port number, security exit, security user data, etc. Actually, all the fields that good ol' MO71 allows us to set for its client connections. puh-lease????
Yes, please Wayne, help me make a common customer happy.
Regards,
Roger Lacroix
wschutz
Posted: Thu Sep 15, 2005 4:48 am
Jedi Knight
Joined: 02 Jun 2005    Posts: 3316    Location: IBM (retired)

If you're interested in trying out the clntconn channel exit support, drop me a PM or e-mail:
Code:
    If either the -a or -x switch is used, then MQCONNX will be used for the client connection
    -a host : is the address of the host for a client connection (default is "localhost")
    -x channel : is the SVRCONN name for a client connection (default is "SYSTEM.DEF.SVRCONN")
    -C cipher spec : indicates to use an SSL cipher spec for this client connection
    -k key repository : name of key respository directory if using SSL for client connection
    -eX channel exit: X = 'y' for security, 's' for send, 'r' for receive
    -dX "channel exit data": X = 'y' for security, 's' for send, 'r' for receive.
_________________
-wayne