camouflages
Posted: Mon Apr 07, 2008 12:34 pm Post subject: MQMD.User Identifier - MCAUSER
Newbie
Joined: 07 Apr 2008 Posts: 7

Hello Everyone,
I would like to know the difference between the MQMD.User Identifier defined in the MQMD and the user defined in MCAUSER in the SVRCONN channel.
To my understanding, when MCAUSER is defined, it uses this user to authorize the QM objects and not to check for the valid RACF ID to access the z/OS system.
We have a Windows machine where the MQ Client is installed, a Solaris machine where MQ Server is installed, and a z/OS machine which also has MQ Server.
The Solaris QM & z/OS QM are in clusters. I am sending a message from the Windows machine to the z/OS machine by connecting to the Solaris QM.
I am setting the MQMD.User id to 'xyz' and setting MCAUSER(mqm) in the SVRCONN channel. I am able to connect to the Solaris QM without any problem, but I could not place a message in the z/OS queue and am getting a not authorized error. It's checking for a valid RACF ID with the user id, but the user id I defined in the application program ('xyz') is a valid RACF id, and the problem here is that it is taking the MCAUSER "mqm" as the user id and checking it against the RACF ID, and hence I am not being authorized.
I wonder where the mqm came from, and I have only defined it in the SVRCONN channel and not in the CLUSRCVR channel.
Appreciate your contribution.
Thanks,

Vitor
Posted: Mon Apr 07, 2008 12:44 pm Post subject: Re: MQMD.User Identifier - MCAUSER
Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA

camouflages wrote:
To my understanding, when MCAUSER is defined, it uses this user to authorize the QM objects and not to check for the valid RACF ID to access the z/OS system.

No, it uses this user id as the user sending the message. Hence anyone connecting to the queue manager through the SVRCONN channel with "mqm" as the MCAUSER has full administrative rights on your queue manager because they're logged on as mqm.
You clearly have very trustworthy people on your site.
This user id is also passed to the z/OS as the user sending messages. If "mqm" is not a RACF id (and it tends not to be) you get this effect.
_________________
Honesty is the best policy.
Insanity is the best defence.

camouflages
Posted: Mon Apr 07, 2008 7:03 pm
Newbie
Joined: 07 Apr 2008 Posts: 7

Hello Everyone,
Thanks for the reply, but I still have a doubt in my understanding. The user specified in MCAUSER is used only to authorize the queue manager and queues.
I have explicitly set the user id in the program and used the put options "MQC.MQPMO_SET_IDENTITY_CONTEXT" & "MQC.MQPMO_PASS_IDENTITY_CONTEXT". Still, what I observe is that only mqm is being carried as the User Identifier.
If MCAUSER is being used for the above purpose as you stated, then can anyone explain to me the use of "PUTAUTH" (put authority) at the channel level?
Thanks,

Vitor
Posted: Tue Apr 08, 2008 12:43 am
Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA

camouflages wrote:
Thanks for the reply, but I still have a doubt in my understanding. The user specified in MCAUSER is used only to authorize the queue manager and queues.

No it isn't. It's used as the user putting the message.

camouflages wrote:
I have explicitly set the user id in the program and used the put options "MQC.MQPMO_SET_IDENTITY_CONTEXT" & "MQC.MQPMO_PASS_IDENTITY_CONTEXT". Still, what I observe is that only mqm is being carried as the User Identifier.

Because it's being replaced by the contents of MCAUser.

camouflages wrote:
If MCAUSER is being used for the above purpose as you stated, then can anyone explain to me the use of "PUTAUTH" (put authority) at the channel level?

Because you don't have to set MCAUser (and you should never set it to mqm for the reasons I've previously posted). You could have channel exits, alternate id security, etc, etc, etc.
_________________
Honesty is the best policy.
Insanity is the best defence.

PeterPotkay
Posted: Tue Apr 08, 2008 7:19 pm
Poobah
Joined: 15 May 2001 Posts: 7722

camouflages wrote:
If MCAUSER is being used for the above purpose as you stated, then can anyone explain to me the use of "PUTAUTH" (put authority) at the channel level?
Thanks,

It's a way to cause a lot of extra work for the MQ Admin on the receiving system (he has to maintain all the possible IDs that the SNDR may use), while providing zero security (it's trivial for the SNDR to send messages with the mqm ID and do whatever they want).
_________________
Peter Potkay
Keep Calm and MQ On

camouflages
Posted: Thu Apr 10, 2008 6:58 am
Newbie
Joined: 07 Apr 2008 Posts: 7

I am facing this issue only when SSL is used. When connecting to a QM without SSL, whatever user id is used in the application code, or the user running the program, gets populated as the MQMD.User ID at the receiving end. But when SSL channels are used, whatever value we set is not getting overridden and the receiver always gets the MQMD.User ID as "mqm".
Can anyone explain the SSL & user name / mqm binding?
Thanks,

jefflowrey
Posted: Thu Apr 10, 2008 7:01 am
Grand Poobah
Joined: 16 Oct 2002 Posts: 19981

Likely the SSL channel has MCAUSER of "mqm".
MCAUSER is the correct thing to use here. And SSLCAUTH and SSLPEER.
_________________
I am *not* the model of the modern major general.

camouflages
Posted: Thu Apr 10, 2008 7:10 am
Newbie
Joined: 07 Apr 2008 Posts: 7

No, even if I leave MCAUSER in the SVRCONN channel blank, I am still getting mqm on the receiving side.
Can anyone help me in understanding the SSL setup and how it's bound to mqm or any user...
Appreciate all of your support....

jefflowrey
Posted: Thu Apr 10, 2008 7:14 am
Grand Poobah
Joined: 16 Oct 2002 Posts: 19981

If the program is Java, then this is also expected.
There's nothing about SSL in particular that will change this.
_________________
I am *not* the model of the modern major general.

Vitor
Posted: Thu Apr 10, 2008 7:14 am
Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA

camouflages wrote:
Can anyone help me in understanding the SSL setup and how it's bound to mqm or any user...

Sounds like (and I'm not an SSL expert) that mqm owns the key you're using and so becomes the authenticated user.
Check out the Security manual, which describes the SSL support.
_________________
Honesty is the best policy.
Insanity is the best defence.

PeterPotkay
Posted: Thu Apr 10, 2008 7:21 am
Poobah
Joined: 15 May 2001 Posts: 7722

SSL can't set an ID in the message.
Either the channel has MCAUSER set to mqm
or
the sending app is running as mqm
or
the sending app is sending a blank user ID (Java) and the channel MCAUSER is blank, in which case it defaults to the ID running the listener, usually mqm
or
you have a security exit setting it to mqm
_________________
Peter Potkay
Keep Calm and MQ On

camouflages
Posted: Thu Apr 10, 2008 7:36 am
Newbie
Joined: 07 Apr 2008 Posts: 7

One more query: if I manually set the user in my Java program, along with additional settings like SET_IDENTITY_CONTEXT, will it get passed to the other end when SSL is used?
Sorry for asking the same kinda stuff.. the problem here is that the application team is saying they have set the user id in the Java code and other additional parameters as well, and MCAUSER(mqm) is set at the SSL SVRCONN channel level, and the receiver end is getting "mqm" as the user identifier.
But for the same scenario, while running in a non-SSL channel with MCAUSER(mqm), the receiver end is still able to receive the user id that has been set in the program...
Hence I am totally confused about the working.
I thank everyone for the contribution...
Thanks,

jefflowrey
Posted: Thu Apr 10, 2008 7:42 am
Grand Poobah
Joined: 16 Oct 2002 Posts: 19981

Do not set MQM on MCAUSER.
Anything you set in your Java code is almost certainly going to be set as the Alternate User, and not as the user that is presented when you connect to MQ.
Again, set an appropriate MCAUSER for the application role, grant needed authorities to that authorization id, and then use SSL for authentication.
If the receiving application is somehow expecting the ID of the end user of the Java application, then this is a very poor design and should be rethought entirely.
_________________
I am *not* the model of the modern major general.
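
A check for the channel settings discussed in this thread, as an added example that is not part of any poster's message: it parses `runmqsc` DISPLAY CHANNEL output and flags SVRCONN channels whose MCAUSER is mqm or blank, or that lack SSLCIPH, SSLCAUTH(REQUIRED) or SSLPEER. The sample output is constructed; the channel names, the `app3svc` user and the certificate DN are assumptions made up for illustration.

```python
import re

# Constructed runmqsc output for:
#   DISPLAY CHANNEL(*) CHLTYPE(SVRCONN) MCAUSER SSLCIPH SSLCAUTH SSLPEER
SAMPLE = """\
AMQ8414: Display Channel details.
   CHANNEL(APP1.SVRCONN)                   CHLTYPE(SVRCONN)
   MCAUSER(mqm)                            SSLCAUTH(REQUIRED)
   SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA256)
   SSLPEER( )
AMQ8414: Display Channel details.
   CHANNEL(APP2.SVRCONN)                   CHLTYPE(SVRCONN)
   MCAUSER( )                              SSLCAUTH(REQUIRED)
   SSLCIPH( )                              SSLPEER( )
AMQ8414: Display Channel details.
   CHANNEL(APP3.SVRCONN)                   CHLTYPE(SVRCONN)
   MCAUSER(app3svc)                        SSLCAUTH(REQUIRED)
   SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA256)
   SSLPEER(CN=app3client,O=Example)
"""
ADMIN_IDS = {"mqm"}  # assumption: add any other IDs in the mqm group

def parse_channels(text):
    """Return one {ATTRIBUTE: value} dict per channel; blank values become ''."""
    blocks = text.split("AMQ8414")[1:]
    return [{k: v.strip() for k, v in re.findall(r"(\w+)\(([^)]*)\)", b)}
            for b in blocks]

def audit(ch):
    """List the findings for one SVRCONN channel; an empty list means none."""
    findings = []
    user = ch.get("MCAUSER", "")
    if user.lower() in ADMIN_IDS:
        findings.append("MCAUSER is an admin ID: every client acts as an MQ administrator")
    elif not user:
        findings.append("MCAUSER blank: client-asserted ID or the listener's ID is used")
    if not ch.get("SSLCIPH"):
        findings.append("SSLCIPH blank: channel does not use SSL")
    elif ch.get("SSLCAUTH") != "REQUIRED":
        findings.append("SSLCAUTH not REQUIRED: client certificate is optional")
    elif not ch.get("SSLPEER"):
        findings.append("SSLPEER blank: client certificate DN is not checked")
    return findings

def audit_all(text):
    return {ch["CHANNEL"]: audit(ch) for ch in parse_channels(text)}

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE).items():
        print(name, "->", "; ".join(findings) or "OK")
```
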