| Author |
Message
|
| zpat |
 Posted: Wed Nov 15, 2006 9:02 am Post subject: MQ and RACF with lower case resources |
 |
|
Jedi Council
Joined: 19 May 2001
Posts: 5866
Location: UK
|
z/OS 1.7, MQ 5.3.1
We receive a message on the mainframe (QM=XXXX) from a distributed queue manager whose QM name is in lower case (QM=yyyyyyy).
When the mainframe program replies, RACF tests a resouce name of CLASS(MQQUEUE) RESOURCE(XXXX.yyyyyyy)
However the IBM supplied RACF CDT entry for MQQUEUE specifies that this RACF class only supports UPPER case profiles.
We tried defining a profile of XXXX.YYYYYYY but it does not get matched.
How can we define a suitable RACF profile for a lower case MQ object name when the RACF class only allows upper case profiles?
RACF or MQ seems to perform the RACROUTE AUTH (RACHECK) using the original case (rather than folding it to upper case first).
Any advise on the issue of the RACF CDT entry for MQQUEUE have CASE=UPPER set and no apparent means to change this, yet MQ itself allows lower or mixed case objects. How can this make sense? |
|
| Back to top |
|
 |
| kevinf2349 |
| Posted: Wed Nov 15, 2006 12:21 pm Post subject: |
|
|
Grand Master
Joined: 28 Feb 2003
Posts: 1311
Location: USA
|
| Not too sure about RACF but ACF has an option in the ACF2 rules to tell it not to fold to upper. The default is that it does. There may be a similar setting for RACF but as I say, I am not 100% sure. |
|
| Back to top |
|
|
| ramires |
| Posted: Wed Nov 15, 2006 3:21 pm Post subject: |
|
|
Knight
Joined: 24 Jun 2001
Posts: 523
Location: Portugal - Lisboa
|
Try to define an alias (upper case) for the MQ object. It may work.
Regards |
|
| Back to top |
|
|
| zpat |
| Posted: Wed Nov 15, 2006 11:35 pm Post subject: |
|
|
Jedi Council
Joined: 19 May 2001
Posts: 5866
Location: UK
|
| Good idea and didn't work! |
|
| Back to top |
|
|
| ramires |
| Posted: Thu Nov 16, 2006 3:03 am Post subject: |
|
|
Knight
Joined: 24 Jun 2001
Posts: 523
Location: Portugal - Lisboa
|
Maybe you need to change ISPF profiles and RACF to make them case-sensitive. Though I don't know what to change...
Regards |
|
| Back to top |
|
|
| fjb_saper |
| Posted: Thu Nov 16, 2006 3:43 am Post subject: |
|
|
Grand High Poobah
Joined: 18 Nov 2003
Posts: 20756
Location: LI,NY
|
| zpat wrote: |
| Good idea and didn't work! |
You need a 2 fer here.
Create 2 aliases. On the distributed qmgr create an uppercase qmgr alias pointing to yourself.
On the MF create a default path using the upper case qmgr name(see previous alias) (in case of an alias:)
| Code: |
def qr(upperalias) rqmname(upperalias) xmitq(chl to mixed case)
// on distributed
def qr(upperalias) rqmname(mixed case) |
When defining a reply to queue for the MF use the uppercase alias in the qmgr field...
Note that the channel name can be all uppercase as it need not follow the usual convention (source.to.destination after all isn't that why we are using the aliases?)
This should work...
Enjoy 
_________________
MQ & Broker admin |
|
| Back to top |
|
|
| zpat |
| Posted: Thu Nov 16, 2006 4:01 am Post subject: |
|
|
Jedi Council
Joined: 19 May 2001
Posts: 5866
Location: UK
|
Unfortunately the replytoqueuemanager field is supplied by the MQMD of the request message (as the lower case yyyyyy qm name) and we can't change these messages.
RACF classes can be changed to support ASIS (or mixed case) but the MQQUEUE class in the CDT is IBM supplied and the manuals say that these classes should not be changed.
Maybe it's a bug in MQ that it is not folding the resource name to upper case before performing a RACHECK? |
|
| Back to top |
|
|
| fjb_saper |
| Posted: Thu Nov 16, 2006 4:11 am Post subject: |
|
|
Grand High Poobah
Joined: 18 Nov 2003
Posts: 20756
Location: LI,NY
|
| zpat wrote: |
| Unfortunately the replytoqueuemanager field is supplied by the MQMD of the request message (as the lower case yyyyyy qm name) and we can't change these messages. |
Why not? as a hack you could define the aliases as described above and just fold the reply to qmgr to uppercase before sending the reply? It should still get there...
_________________
MQ & Broker admin |
|
| Back to top |
|
|
| wschutz |
| Posted: Thu Nov 16, 2006 4:17 am Post subject: |
|
|
Jedi Knight
Joined: 02 Jun 2005
Posts: 3316
Location: IBM (retired)
|
I would *think* (my opinion only) that the CDT should allow ASIS..since Q1 is different than q1, and I might want to apply different profiles... .... can you open a PMR with IBM service and let us know what they say?
_________________
-wayne |
|
| Back to top |
|
|
| zpat |
| Posted: Thu Nov 16, 2006 5:05 am Post subject: |
|
|
Jedi Council
Joined: 19 May 2001
Posts: 5866
Location: UK
|
| fjb_saper wrote: |
| zpat wrote: |
| Unfortunately the replytoqueuemanager field is supplied by the MQMD of the request message (as the lower case yyyyyy qm name) and we can't change these messages. |
Why not? as a hack you could define the aliases as described above and just fold the reply to qmgr to uppercase before sending the reply? It should still get there... |
Yes, sounds feasible, but the mainframe code is heavily change-managed and it would take several weeks to have it altered (in another country) and then re-promoted/tested through several Endevor stages.
It might be possible to code the RACHECK pre-processing exit (ICHRCX01) to fold this particular resource name I suppose.
I'll ask IBM GS (who support our infrastructure) to open a PMR about the CDT being set to CASE=UPPER for MQQUEUE. |
|
| Back to top |
|
|
| tleichen |
| Posted: Mon Nov 20, 2006 7:35 am Post subject: |
|
|
Yatiri
Joined: 11 Apr 2005
Posts: 663
Location: Center of the USA
|
|
| Back to top |
|
|
| zpat |
| Posted: Mon Nov 20, 2006 7:45 am Post subject: |
|
|
Jedi Council
Joined: 19 May 2001
Posts: 5866
Location: UK
|
No, the ICH408I message shows the name of the resource that RACF is checking access to, and it is lower-case.
We have temporarily defined another RACF profile using % characters to cover this resource until the PMR is closed. |
|
| Back to top |
|
|
|
|
