smahon (Apprentice; Joined: 24 Apr 2002; Posts: 29)
Posted: Thu May 09, 2002 10:13 am
What I've done so far:
1) On AIX, the SYSTEM.ADMIN.SVRCONN channel has a blank MCAUSER field. This is desired.
2) Created an AIX userid, test1, AND group mqmtest1 (primary group: staff, group set: mqmtest1); user test1 is NOT in the mqm group because I do not want it to have full admin permission.
3) Created a W2k local user, test1, who is in the local mqm group on W2k.
4) On AIX issued: setmqaut -m SBQMHUB -t qmgr -g mqmtest1 +all
5) Issued: chmod o+rx /usr/mqm/bin/runmqsc (execute but no setgid)
So now, on AIX as test1, I CAN issue runmqsc SBQMHUB successfully, even though this user does NOT belong to the mqm group.
But, on W2k as test1, I CANNOT connect to the queue manager with MQ Explorer. I get "Access not authorized".
Only if I add user test1 to the mqm group can MQ Explorer connect to the queue manager.
IF I stop the command server on AIX, I get a "Command server not running" error instead of "Access not authorized". This leads me to suspect that the command server is not deferring to the OAM for authentication. Anyone know what is going on here?
mrlinux (Grand Master; Joined: 14 Feb 2002; Posts: 1261; Location: Detroit, MI USA)
Posted: Thu May 09, 2002 10:17 am
You also need to add the following:
setmqaut -m QMGR_NAME -t q -n SYSTEM.ADMIN.COMMAND.QUEUE -p USERID +all (or at least connect)
_________________
Jeff
IBM Certified Developer MQSeries
IBM Certified Specialist MQSeries
IBM Certified Solutions Expert MQSeries
[ This Message was edited by: mrlinux on 2002-05-09 11:18 ]
smahon (Apprentice; Joined: 24 Apr 2002; Posts: 29)
Posted: Thu May 09, 2002 11:16 am
I tried this, but it had no effect. Also, since the AIX admin manual states that granting a user authority actually grants it to the user's "primary group" (which this command did), I tried using "-g mqmtest1" as well. In both cases, the authorities were granted to the user, as validated with dspmqaut, but MQ Explorer still complained about "access not authorized", even after restarting the queue manager.
Quote:
On 2002-05-09 11:17, mrlinux wrote:
You also need to add the following:
setmqaut -m QMGR_NAME -t q -n SYSTEM.ADMIN.COMMAND.QUEUE -p USERID +all (or at least connect)
_________________
Jeff
IBM Certified Developer MQSeries
IBM Certified Specialist MQSeries
IBM Certified Solutions Expert MQSeries
[ This Message was edited by: mrlinux on 2002-05-09 11:18 ]
[ This Message was edited by: smahon on 2002-05-09 12:23 ]
mrlinux (Grand Master; Joined: 14 Feb 2002; Posts: 1261; Location: Detroit, MI USA)
Posted: Fri May 10, 2002 3:44 am
Try creating the userid on the UNIX side in uppercase.
_________________
Jeff
IBM Certified Developer MQSeries
IBM Certified Specialist MQSeries
IBM Certified Solutions Expert MQSeries
mqonnet (Grand Master; Joined: 18 Feb 2002; Posts: 1114; Location: Boston, MA, USA)
Posted: Fri May 10, 2002 3:46 am
Here's a simple test.
Add this user test1 to the mqm group on AIX and see if you are able to connect/access the queue manager from W2K. If you are, then you need to add more authorities. In similar queries earlier in this forum, I requested someone to post (if possible) the minimum set of authorities that need to be added to a user to be able to access a qm. This surely includes connect and 3/4 more. Off the top of my head, I can't remember them.
Hope this helps.
Cheers.
Kumar
_________________
IBM Certified WebSphere MQ V5.3 Developer
IBM Certified WebSphere MQ V5.3 Solution Designer
IBM Certified WebSphere MQ V5.3 System Administrator
smahon (Apprentice; Joined: 24 Apr 2002; Posts: 29)
Posted: Fri May 10, 2002 9:03 am
Thanks for the interest in getting this solved. In my original post, I said adding the user to mqm allows access via MQ Explorer. I also gave the user "all" permissions to the queue manager, so I'm not even trying to limit access at this point. Are there more authorities I can give? Also, since it works when in the mqm group, I must assume that the case of the userid is correct (suggested by mrlinux).
Quote:
On 2002-05-10 04:46, mqonnet wrote:
Here's a simple test.
Add this user test1 to the mqm group on AIX and see if you are able to connect/access the queue manager from W2K. If you are, then you need to add more authorities. In similar queries earlier in this forum, I requested someone to post (if possible) the minimum set of authorities that need to be added to a user to be able to access a qm. This surely includes connect and 3/4 more. Off the top of my head, I can't remember them.
Hope this helps.
Cheers.
Kumar
[ This Message was edited by: smahon on 2002-05-10 10:04 ]
smahon (Apprentice; Joined: 24 Apr 2002; Posts: 29)
Posted: Mon May 13, 2002 6:40 am
Post subject: Update....Please help.
Well, here is an update.....this still does not work. The error I reported earlier when the command server is not running was incorrect. Regardless of whether the command server is running, I get "Access not authorized". I really need to get this working, or find out why it isn't, today. Please help.
mrlinux (Grand Master; Joined: 14 Feb 2002; Posts: 1261; Location: Detroit, MI USA)
Posted: Mon May 13, 2002 6:57 am
Ok,
If the box is not real busy, or you can find a time when it is somewhat MQ idle:
1) strmqtrc -e -m QMGR_NAME (-e for early trace may not be supported)
2) run your test program
3) endmqtrc -e -m QMGR_NAME
4) search through the trace files, find the file with rc of 7f3 (2035) and send it to me.
_________________
Jeff
IBM Certified Developer MQSeries
IBM Certified Specialist MQSeries
IBM Certified Solutions Expert MQSeries
mqonnet (Grand Master; Joined: 18 Feb 2002; Posts: 1114; Location: Boston, MA, USA)
Posted: Mon May 13, 2002 7:02 am
Smahon,
I am afraid I don't think this is possible, and you shall always get "Access not authorized". The reason for this is: when you try to connect to the QM on AIX using MQ Explorer, it tries to connect using the authorities of the user on AIX. Since the connection which is established through MQ Explorer is using PCF messages, the authentication process changes altogether. No one outside the mqm group is allowed to perform any "admin" operations. In this case, you are trying to start/connect the SVRCONN channel. And since this is an admin op, the user "test1" is never allowed to get to it.
As per my knowledge this cannot be done and defeats the very purpose of having authorities and principals.
The workaround for this would be to define a principal on AIX who is within the "mqm" group. Allow only the minimum (those you need) authorities to this user and map this user to the NT user. Also bear in mind you need to assign authorities to specific queues, since you have revoked most of the permissions.
Hope this helps.
Cheers
Kumar
_________________
IBM Certified WebSphere MQ V5.3 Developer
IBM Certified WebSphere MQ V5.3 Solution Designer
IBM Certified WebSphere MQ V5.3 System Administrator
smahon (Apprentice; Joined: 24 Apr 2002; Posts: 29)
Posted: Mon May 13, 2002 7:33 am
Post subject: Yes but....
The user "test1" can run the program "runmqsc" on the AIX box, though only after I allowed read and execute permission for all on the runmqsc program. If I remove all of the authorities granted to the "test1" user, using setmqaut, then running "runmqsc" yields "Not authorized". It seems to me that I ought to be able to do something similar for "browse only" users connecting to the sysadmin channel.
kolban (Grand Master; Joined: 22 May 2001; Posts: 1072; Location: Fort Worth, TX, USA)
Posted: Mon May 13, 2002 7:46 am
At a quick guess, I would say that you had not bounced the queue manager or run the REFRESH SECURITY runmqsc command. Changing security attributes with setmqaut only takes effect after the REFRESH SECURITY. Try using a client on the Windows box and connect to the SYSTEM.ADMIN.SVRCONN channel on the AIX box. Does it work? If not, resolve that; if yes, try to put a junk message on the command server input queue (again as a client on the Windows box). If this fails, this again is the possible problem.
Finally, check the AIX MQ error log. A security check is usually logged and will provide much more information.
mqonnet (Grand Master; Joined: 18 Feb 2002; Posts: 1114; Location: Boston, MA, USA)
Posted: Mon May 13, 2002 7:55 am
You were able to perform runmqsc ops because you have given appropriate authority for the same.
Try this. If you are able to start and stop channels using your user "test1" on the AIX box, you should be able to connect to this qm using your NT user. If you are not able to achieve this, then you are out of luck.
Cheers.
Kumar
_________________
IBM Certified WebSphere MQ V5.3 Developer
IBM Certified WebSphere MQ V5.3 Solution Designer
IBM Certified WebSphere MQ V5.3 System Administrator
smahon (Apprentice; Joined: 24 Apr 2002; Posts: 29)
Posted: Mon May 13, 2002 8:54 am
Post subject: I can do this...
Well, as a client on the NT box, I can connect to the remote queue manager and put messages to the SYSTEM.ADMIN.COMMAND.QUEUE with amqsputc.exe. It doesn't matter if the command server is running, but if it is, the messages go to the DLQ. In the header I can see the appropriate userid and the data shows the data I typed.
Quote:
kolban wrote:
At a quick guess, I would say that you had not bounced the queue manager or run the REFRESH SECURITY runmqsc command. Changing security attributes with setmqaut only takes effect after the REFRESH SECURITY. Try using a client on the Windows box and connect to the SYSTEM.ADMIN.SVRCONN channel on the AIX box. Does it work? If not, resolve that; if yes, try to put a junk message on the command server input queue (again as a client on the Windows box). If this fails, this again is the possible problem.
Finally, check the AIX MQ error log. A security check is usually logged and will provide much more information.
mrlinux (Grand Master; Joined: 14 Feb 2002; Posts: 1261; Location: Detroit, MI USA)
Posted: Mon May 13, 2002 8:59 am
So what is the reason for being in the DLQ? I am assuming it is the 2035, which means whatever the command was, it was read from the queue and the security error was for the processing of the command against the QMGR.
_________________
Jeff
IBM Certified Developer MQSeries
IBM Certified Specialist MQSeries
IBM Certified Solutions Expert MQSeries
smahon (Apprentice; Joined: 24 Apr 2002; Posts: 29)
Posted: Mon May 13, 2002 9:00 am
Post subject: I cannot do this...
As user test1 on AIX, I can connect to the queue manager using runmqsc. I can display all sorts of stuff. When I try to stop a channel I get "File error", but I CAN alter a queue that I was given authority to alter (i.e. SYSTEM.ADMIN.COMMAND.QUEUE).
Actually, if I enter dis q(*), I get "Not authorized" for each and every queue, except SYSTEM.ADMIN.COMMAND.QUEUE and a single reply queue MQAI.REPLY.3CDFD49B00007013.
Quote:
mqonnet wrote:
You were able to perform runmqsc ops because you have given appropriate authority for the same.
Try this. If you are able to start and stop channels using your user "test1" on the AIX box, you should be able to connect to this qm using your NT user. If you are not able to achieve this, then you are out of luck.
Cheers.
Kumar
Last edited by smahon on Mon May 13, 2002 9:09 am; edited 1 time in total