MQSeries.net :: View topic - MQ 5.2 upgrade on OpenVMS Breaks Security??

scanzoneri

We're an HP OpenVMS shop running MQ 5.1 but are in the process of upgrading to 5.3. I've run into a security issue with the new version that
involves the mqm identifier that I can't explain.

Our security model for mq is pretty straightforward. Everyone who uses mq gets the mqm identifier, which effectively gives full access to everyting. It's really not that bad since there's only one application operator and 2 or 3 admin (sys admin; mq admin) accounts that access mq and the application operator account is menu driven so he can't do anything bad.

In any case, it's been this way for several years and works well. We began upgrading to MQ 5.3, as well as doing a required O/S upgrade, in January and at this point have rolled the upgrade out to 12 environments. Things were working fine until last week when the application operator went to start a program that opens a queue and he got a authorization error. After verifying that he still had the mqm identifier and that it's access was still in place I wound up writing specific security rules (via setmqaut) for the user to fix the problem.

Same thing happened last night in a different environment during a strmqm. Same exact symptoms, also solved by doing a setmqaut and writing specific access rules for a user that already has the mqm identifier.

I can understand if the upgrade broke security somehow - my colleagues on the mainframe side of our shop saw that when they upgraded to 5.3 several years - but I'd expect things to break immediately. Everything seemed to be working fine for months (and our apps run every day).

Have logged a call with IBM, but was hoping that someone here has seen something similar and might be able to shed some light on this.

Thanks

Sal