MQExplorer on NT machine to Solaris box - authorization prob
Pierre-Yves Lesage
Posted: Fri Sep 21, 2001 4:34 am

Novice

Joined: 21 Aug 2001
Posts: 17
Location: London, UK

Hi,

We have installed the MQSeries Explorer on an NT machine. We are trying to get it connected to the Solaris box on which we have a queue manager.
The user exists both on the Solaris box and the NT machine. On the Solaris box, he does not belong to the mqm group.

When trying to connect, we get a "you are not authorized .." type of message. However, if we ssh to the Solaris machine as the user and issue runmqsc commands, it works fine.

When we log on to the NT machine with a user that does belong to the mqm, everything works fine.

In conclusion, it seems that the only way to use MQExplorer is to use a user that belongs to the mqm group on the target unix machine. However, we don't want that because we don't want to give this particular user the same permissions as mqm users.

Does anybody know of any workaround?

Thanks !

Pierre-Yves Lesage
jhalstead
Posted: Fri Sep 21, 2001 4:59 am

Master

Joined: 16 Aug 2001
Posts: 258
Location: London

Hey Pierre, if it doesn't have to be explorer there is a support pack which effectively wraps up the runmqsc command line such that it can be configured to a particular user's requirements, i.e. they can use runmqsc and display queues etc. but have no access to other MQSC commands...

Obviously explorer is a graphical interpretation of runmqsc so users must be in mqm. I too would be extremely keen to know of a workaround!

Good luck!

Jamie
jhalstead
Posted: Fri Sep 21, 2001 5:00 am

Master

Joined: 16 Aug 2001
Posts: 258
Location: London

Support pack is MS0E!

Jamie
Pierre-Yves Lesage
Posted: Fri Sep 21, 2001 6:09 am

Novice

Joined: 21 Aug 2001
Posts: 17
Location: London, UK

Thanks Jamie.
However, we would love to impress our users with MQExplorer if there is an option available besides putting them in the mqm group!

Pierre-Yves
EddieA
Posted: Mon Sep 24, 2001 10:23 am

Jedi

Joined: 28 Jun 2001
Posts: 2453
Location: Los Angeles

Hi

Firstly, one point in the 1st post doesn't seem quite right. If the userid on the NT/Solaris machine isn't part of mqm, then trying to use the Explorer should give the 'not authorized' return. But connecting to the Solaris box and using runmqsc should do the same. Hmmmm.

OK. Back to the question. On the Solaris box use setmqaut to give the following authorizations for a user (actually, it would be preferable to use a group) that isn't part of mqm.

For the qmgr, process, namelist, and every (yes EVERY) queue give: allmqi & dsp.

Now try connecting from a user in this new group. You will get a warning when you try and access the queues. This is because you cannot give anyone (other than mqm) access to the AUTH.DATA queue. However, everything else is fine.

This user (group) can now look at all the properties, but cannot modify them. You might want to tailor the allmqi part if you want to restrict access to messages on the queues.

You can also use the same technique to open up access to MQJExplorer.

BTW The one thing you can't open up to non-mqm users are Channel commands.

Cheers.

_________________
Eddie Atherton
IBM Certified Specialist - MQSeries
IBM Certified Specialist - MQSeries Integrator

[ This Message was edited by: EddieA on 2001-09-24 11:24 ]
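
A dry-run generator for the setmqaut grants described in the post above, added here as an example and not part of the original thread or of any IBM tooling. The queue manager name QM1, the group name mqview, the sample DISPLAY output and the narrower "+inq +browse +dsp" queue set are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: print (dry run) the setmqaut commands for a non-mqm group.
# Usage: gen_grants QMGR GROUP [QUEUE_AUTHS] < output of runmqsc DISPLAY commands
gen_grants() {
    qmgr=$1
    group=$2
    qauth=${3:-"+allmqi +dsp"}   # the thread's default; narrow it to limit message access
    # The queue manager object takes no -n profile name.
    echo "setmqaut -m $qmgr -t qmgr -g $group +allmqi +dsp"
    # Keep only indented KEYWORD(NAME) result lines; echoed commands and
    # AMQnnnn message lines do not match and are dropped.
    sed -n \
        -e 's/^[[:space:]]*QUEUE(\([^)]*\)).*/queue \1/p' \
        -e 's/^[[:space:]]*PROCESS(\([^)]*\)).*/process \1/p' \
        -e 's/^[[:space:]]*NAMELIST(\([^)]*\)).*/namelist \1/p' |
    while read -r kind name; do
        # Refuse names outside the MQ object-name character set, so the
        # emitted lines are safe to review and then run through sh.
        case $name in
            ''|*[!A-Za-z0-9._/%]*) echo "skipped: $kind '$name'" >&2; continue ;;
        esac
        case $kind in
            queue) auth=$qauth ;;
            *)     auth="+allmqi +dsp" ;;
        esac
        echo "setmqaut -m $qmgr -n $name -t $kind -g $group $auth"
    done
}

# Constructed sample of runmqsc DISPLAY output (not captured from a real system).
sample_display_output() {
    cat <<'EOF'
     1 : DISPLAY QUEUE(*)
AMQ8409: Display Queue details.
   QUEUE(APP.ORDERS.IN)
AMQ8409: Display Queue details.
   QUEUE(SYSTEM.DEFAULT.LOCAL.QUEUE)
   QUEUE(BAD;NAME)
     2 : DISPLAY PROCESS(*)
   PROCESS(APP.TRIGGER)
     3 : DISPLAY NAMELIST(*)
   NAMELIST(APP.CLUSTERS)
EOF
}

# Read-only variant: inquire and browse on queues instead of full allmqi.
sample_display_output | gen_grants QM1 mqview "+inq +browse +dsp"
```

Review the printed lines before running them as an mqm user on the queue manager host; rerun the generator whenever queues are added, since the grants are per object.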
Pierre-Yves Lesage
Posted: Wed Oct 10, 2001 5:47 am

Novice

Joined: 21 Aug 2001
Posts: 17
Location: London, UK

Eddie,

Sorry about the late response.
Thank you very much for your answer. It works.

I also confirm my first post. The userid on the NT/Solaris machine isn't part of mqm. Connecting to the Solaris box and using runmqsc works as we have given executable permission to 'other' on the runmqsc command.
When using runmqsc, if the user tries to display queues that he is not authorized to, he gets:
dis ql(FORBIDDEN_QUEUE)
1 : dis ql(FORBIDDEN_QUEUE)
AMQ8135: Not authorized.

I have a question however. Could you explain why your solution works? IBM support told us on several occasions that only users belonging to the mqm group are able to use MQExplorer. How is your solution going past this?

Many Thanks!

Pierre-Yves


[ This Message was edited by: Pierre-Yves Lesage on 2001-10-10 06:50 ]
EddieA
Posted: Wed Oct 10, 2001 8:31 am

Jedi

Joined: 28 Jun 2001
Posts: 2453
Location: Los Angeles

Pierre-Yves,
Ah-ha. It's the 'change' to the executable permissions that I didn't know about when I made my first comment.

OK, Explorer. The IBM support is correct. The user has to be a member of mqm in order to use the Explorer. But that's only on the LOCAL NT box where they actually run the Explorer.

Once you use Explorer to connect to another machine, the commands issued, to that second machine, are based on the userid that the Explorer is running and as such are treated just like any other client connection and are subject to 'normal' MQ authorisation.

Or you could use the MCAUSER option on the SYSTEM.ADMIN.SVRCONN channel on the Solaris box, so all connections from Explorers (and anyone else using that channel) will use that userid instead of their own. But beware, this 'could' pose a security problem.

Hope that explains it.

Cheers.

_________________
Eddie Atherton
IBM Certified Solution Developer - WebSphere Message Broker V6.1
IBM Certified Solution Developer - WebSphere Message Broker V7.0