MQSeries access to mqm/mqm |
sam |
Posted: Fri Apr 26, 2002 4:17 pm Post subject: |
|
|
Acolyte
Joined: 02 Apr 2002 Posts: 52
|
Do I need to have a group Id and userId set to mqm/mqm in order to access MQSeries components? I mean can I have a different group to have access to MQSeries at setup time? Can I change it if I've assigned group and userid to mqm/mqm? |
|
deneb |
Posted: Fri Apr 26, 2002 4:22 pm Post subject: |
|
|
 Novice
Joined: 15 Apr 2002 Posts: 18
|
I think you can set the authorities using the
- setmqaut
- dspmqaut
commands:
setmqaut -t MQObject -n MQObjectName -m QueueMgr -p Principal -g group +put +connect
Something like this.
Is this what you were looking for?
|
sam |
Posted: Fri Apr 26, 2002 7:24 pm Post subject: |
|
|
Acolyte
Joined: 02 Apr 2002 Posts: 52
|
deneb,
I actually wanted to change the authority of everything under var/mqm and opt/mqm to a different group and id. When I installed the software I set the group and user to be mqm/mqm. I want to be able to change it. Can this be done after I installed MQSeries? Or can this be done at installation time? I tried changing the group on var/mqm/ and opt/mqm and it gave me an error. Is this an installation time change? Thanks for the input. |
|
mrlinux |
Posted: Mon Apr 29, 2002 3:58 am Post subject: |
|
|
 Grand Master
Joined: 14 Feb 2002 Posts: 1261 Location: Detroit,MI USA
|
If you just want to change the mqm/mqm to something else,
go to /etc/passwd and change mqm to whatever you want for a userid.
Go to /etc/group and change mqm to whatever you want for a groupid.
_________________ Jeff
IBM Certified Developer MQSeries
IBM Certified Specialist MQSeries
IBM Certified Solutions Expert MQSeries |
|
sam |
Posted: Mon Apr 29, 2002 9:46 am Post subject: |
|
|
Acolyte
Joined: 02 Apr 2002 Posts: 52
|
This does not work. When I changed the user and the group id to something which we were using, it failed; I mean I could not restart or do anything with the QueueManager. Is this an installation thing? I think MQ expects a user and group with name mqm/mqm? My question is whether at installation time I can change the group and userid to, let's say, sam/sam. Is this possible at all? Also, since I've now installed MQ with mqm/mqm, how can I change the permissions to have a different Group/USER to have access to mqm? Thanks so much. |
|
sam |
Posted: Wed May 01, 2002 8:36 am Post subject: |
|
|
Acolyte
Joined: 02 Apr 2002 Posts: 52
|
Does anyone have an answer to this? Can I change the groupId/userId to something else or should it be specifically mqm/mqm? Thanks. |
|
bduncan |
Posted: Wed May 01, 2002 11:29 am Post subject: |
|
|
Padawan
Joined: 11 Apr 2001 Posts: 1554 Location: Silicon Valley
|
Sam,
Here are my thoughts.
1) If you can live with the mqm:mqm user:group, you don't need to use the setmqaut or dspmqaut commands. To allow additional users to use the queue manager and all of its components, simply add them to the mqm group.
2) If not, you *should* be able to alter /etc/passwd and /etc/group. However, I think what you may have done is changed the userID and groupID of mqm:mqm, which is different from simply changing the group name. In UNIX, if you chown a file, and say the new owner is 'brandon', the operating system doesn't stick the name brandon in the file attributes. It looks up the userid of brandon, e.g. 501, and then sticks 501 as the owner of the file. Same goes for all the mqm files. So if mqm:mqm is 600:600, you can go into /etc/passwd and /etc/group and change the name 'mqm' to something else, but it had better still be 600. Now to make sure it worked, you should be able to cd into /opt/mqm, do an ls -lrt, and see that all the files are owned by 'newowner' or whatever you call the user/group.
3) Number 2 ONLY takes care of the MQ-related files. You still won't be able to do anything with the queue manager at this point. This is because while the UNIX operating system keys the ownership of files off the userid, not the username, MQSeries is different. When you tell MQSeries that user X has access to connect to the queue manager, it doesn't care what userid X might be, it literally stores the name 'X' in its security cache. So even if you made the changes in step 2, when you try to connect to the queue manager as 'newusername' the queue manager is still configured to only allow 'mqm' in. It doesn't matter that 'newusername' and 'mqm' are both userid 600. So at this point you WILL need to use the setmqaut command to give BOTH the new user and group you created FULL access to all MQSeries objects. I can't recall off the top of my head exactly what parameters you must provide to setmqaut to accomplish this, but once you do, if you are running MQSeries 5.1 or below, you'll need to restart the queue manager for the changes to take effect. If you are running MQSeries 5.2 and above, just go into the queue manager and type REFRESH SECURITY.
4) Ooops! hahaha.. I just realized that 2 and 3 are in the wrong order. To be able to use the setmqaut command or REFRESH SECURITY, you need to have access to the queue manager. If you have already blown away mqm in step 2, then you're basically dead in the water. Make the changes for 3 first (even though the new user/group doesn't exist yet, the queue manager doesn't mind) and THEN make the changes in 2.
Personally, after looking at what this involves, I hope you'll just stick with mqm:mqm and just add additional users to the mqm group to suit your needs. The alternative is difficult, and whenever you want to upgrade MQSeries or add additional packages, you'll definitely have trouble because they will probably complain that 'mqm' doesn't exist.
_________________ Brandon Duncan
IBM Certified MQSeries Specialist
MQSeries.net forum moderator |
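
The distinction drawn in the post above (file ownership follows the numeric id, while a name-keyed authority list follows the literal name), as an added example that is not part of the thread or of any IBM tooling. The passwd lines, the new name `mqadmin` and the one-line name list standing in for a name-keyed authority store are constructed assumptions.

```shell
#!/bin/sh
# Constructed sample data: mqm is uid/gid 600, as in the post's example;
# the new name "mqadmin" is hypothetical.
work=$(mktemp -d)
printf 'root:x:0:0::/root:/bin/sh\nmqm:x:600:600::/var/mqm:/bin/sh\n' > "$work/passwd.old"
# Rename that keeps the numeric uid (name changed, id untouched).
printf 'root:x:0:0::/root:/bin/sh\nmqadmin:x:600:600::/var/mqm:/bin/sh\n' > "$work/passwd.kept"
# Rename that also changed the numeric uid.
printf 'root:x:0:0::/root:/bin/sh\nmqadmin:x:501:501::/var/mqm:/bin/sh\n' > "$work/passwd.moved"
# Toy model of a name-keyed authority list: one principal name per line.
printf 'mqm\n' > "$work/authorized.names"

# Numeric id stored for a name (field 1 = name, field 3 = id in passwd and group).
id_for_name() {     # $1 = file, $2 = name
    awk -F: -v n="$2" '$1 == n { print $3; exit }' "$1"
}

# Name that ls -l would print for a file owned by this numeric id.
name_for_id() {     # $1 = file, $2 = numeric id
    awk -F: -v id="$2" '$3 == id { print $1; exit }' "$1"
}

# Classify a rename by comparing the old and new copies of the file.
check_rename() {    # $1 = old file, $2 = new file, $3 = old name, $4 = new name
    old_id=$(id_for_name "$1" "$3")
    new_id=$(id_for_name "$2" "$4")
    if [ -z "$old_id" ] || [ -z "$new_id" ]; then
        echo missing
    elif [ "$old_id" = "$new_id" ]; then
        echo id-kept
    else
        echo id-changed
    fi
}

# Name-keyed check: only the literal name matters, never the numeric id.
name_authorized() { # $1 = list file, $2 = principal name
    grep -qxF -- "$2" "$1"
}

report() {
    echo "uid kept:    $(check_rename "$work/passwd.old" "$work/passwd.kept" mqm mqadmin)," \
         "uid 600 now shows as '$(name_for_id "$work/passwd.kept" 600)'"
    echo "uid changed: $(check_rename "$work/passwd.old" "$work/passwd.moved" mqm mqadmin)," \
         "uid 600 now shows as '$(name_for_id "$work/passwd.moved" 600)' (files orphaned)"
    if name_authorized "$work/authorized.names" mqadmin; then echo "mqadmin authorized by name"
    else echo "mqadmin NOT authorized by name, although its uid is 600"; fi
}
report
```

Running `check_rename` against saved copies of /etc/passwd and /etc/group before and after an edit shows whether the numeric id survived the rename.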
|
sam |
Posted: Wed May 01, 2002 12:39 pm Post subject: |
|
|
Acolyte
Joined: 02 Apr 2002 Posts: 52
|
Thanks very much for the input. That really helped us take the decision not to change the group/user. |
|