RACF key rings and self-signed certs for other QMs
David.Partridge
Posted: Wed Jul 16, 2008 2:43 am    Post subject: RACF key rings and self-signed certs for other QMs
Master
Joined: 28 Jun 2001    Posts: 249
I'm asking about this on behalf of one of our MVS sysprogs.
On the MF we have 3 QSGs: PQ0A, PQ0B, PQ0C.
DOM1 is an AIX QM whose self-signed cert we're trying to make available to all 3 QSGs.
The error below was because we added the DOM1 cert to RACF using PQ0AUSER as the 'owner'.
RACF wouldn't let us add it again for PQ0B or C as the 'label' already existed.
RACF wouldn't let us connect it to the keyrings for PQ0B and C without saying that it was owned by PQ0AUSER, as it couldn't find it if we tried to say that the owner was PQ0B/C.
So, we've deleted the cert and added it again using PQ0CUSER and only connected it to the ring 'MQKEYRINC' which is used by PQ1C.
>ICH408I USER(PQ0AUSER) GROUP(GOUSER ) NAME(PLEXP MQ USERID
> PQ0C.CONTEXT.SYSTEM.CLUSTER.COMMAND.QUEUE CL(MQADMIN )
> INSUFFICIENT ACCESS AUTHORITY
> FROM PQ0C.** (G)
> ACCESS INTENT(CONTROL) ACCESS ALLOWED(NONE )
Could a kind MVS/RACF guru tell us what we're doing wrong here, and what we should do so that all 3 QSGs can talk to DOM1?
_________________
Cheers,
David C. Partridge
ctefehinoz
Posted: Mon Jul 21, 2008 11:08 pm    Post subject:
Apprentice
Joined: 27 Oct 2003    Posts: 29    Location: Australia
David,
You've got a generic CONTEXT profile in the RACF MQADMIN class that is essentially denying access. I would hazard a semi-educated guess that PQ0AUSER is trying to send cluster information around the traps, but is bombing out writing to the PQ0C(?) QMGR SYSTEM.CLUSTER.COMMAND.QUEUE.
In my shop, before CONTEXT checking was disabled, we created an MQADMIN CONTEXT profile for SYSTEM type queue names and gave the QMGR/CHINs appropriate access along with the blessed few.
Note that you should also check MQQUEUE security profiles as well for the required level of access to the S.C.C.I queue. System Setup Guide, Part 5, Panadol for the headache.
HTH
Ctefehinoz
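The ICH408I in the first post shows the request for CONTROL on PQ0C.CONTEXT.SYSTEM.CLUSTER.COMMAND.QUEUE being caught by the generic PQ0C.** profile in MQADMIN. The batch job below is an added example, not something posted in this thread, of the approach ctefehinoz describes: define a more specific CONTEXT profile for the PQ0C SYSTEM queues, grant CONTROL to the IDs that put with context (the queue manager and channel initiator started-task user IDs, plus PQ0AUSER from the message), refresh the RACLISTed class, and then read back both the MQADMIN and MQQUEUE profiles that govern the queue. PQ0C, PQ0AUSER and the queue name come from the thread; PQ0CMSTR and PQ0CCHIN are assumed placeholder user IDs for the PQ0C queue manager and channel initiator, and the JOB card is a placeholder.

```jcl
//RACFCTX  JOB (ACCT),'MQADMIN CONTEXT',CLASS=A,MSGCLASS=X
//* Added example, not from the thread.  A generic profile that is more
//* specific than PQ0C.** wins the RACF profile match, so the SYSTEM
//* queues get their own CONTEXT profile while PQ0C.** keeps protecting
//* everything else.  PQ0CMSTR and PQ0CCHIN are assumed placeholder IDs
//* for the PQ0C queue manager and channel initiator address spaces.
//STEP1    EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  RDEFINE MQADMIN PQ0C.CONTEXT.SYSTEM.** UACC(NONE)
  PERMIT PQ0C.CONTEXT.SYSTEM.** CLASS(MQADMIN) -
    ID(PQ0CMSTR PQ0CCHIN PQ0AUSER) ACCESS(CONTROL)
  SETROPTS RACLIST(MQADMIN) REFRESH
  RLIST MQADMIN PQ0C.CONTEXT.SYSTEM.CLUSTER.COMMAND.QUEUE AUTHUSER
  RLIST MQQUEUE PQ0C.SYSTEM.CLUSTER.COMMAND.QUEUE AUTHUSER
/*
```

The two RLIST commands show which profile actually covers the queue after the refresh and who is permitted on it; if the first still resolves to PQ0C.**, the new profile was not picked up (generic profile checking must be active for MQADMIN, which the `(G)` in the ICH408I already indicates). The MQQUEUE check is there because, as the post notes, context access alone is not enough if the queue profile itself denies UPDATE.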
David.Partridge
Posted: Mon Jul 21, 2008 11:31 pm    Post subject:
Master
Joined: 28 Jun 2001    Posts: 249
Thanks for the assist on the ICH408I.
What I'd really like to understand is how we can add the SS Cert for DOM1 to a key ring, and have it usable by all three QSGs.
It seems that every permutation we try RACF says - "I can't do that Dave". I feel a bit like Dave Bowman confronted by a deranged HAL9000!
_________________
Cheers,
David C. Partridge
ctefehinoz
Posted: Mon Jul 21, 2008 11:44 pm    Post subject:
Apprentice
Joined: 27 Oct 2003    Posts: 29    Location: Australia
David,
I'm one step behind you with SSL unfortunately. No QSGs in my shop - yet. I'll have a read and review what I have got for SSL so far and see if anything turns a light bulb on.
Regards
Ctefehinoz
zhanghz
Posted: Tue Jul 22, 2008 12:21 am    Post subject:
Disciple
Joined: 17 Jun 2008    Posts: 186
David.Partridge wrote:
> ...RACF wouldn't let us connect it to the keyrings for PQ0B and C without saying that it was owned by PQ0AUSER as it couldn't find it if we tried to say that the owner was PQ0B/C....
Can you not just connect to the keyrings for PQ0B and C specifying PQ0AUSER as the ID owner of the label?
ctefehinoz
Posted: Mon Jul 28, 2008 11:10 pm    Post subject:
Apprentice
Joined: 27 Oct 2003    Posts: 29    Location: Australia
David,
Didn't turn up much at all. From my reading of the manual, Zhanghz's suggestion has real merit as one of the scenarios in the book deals with a similar situation. Having the cert owner specified as part of the SSLKEYR parm may do the trick.
FWIW
Ctefehinoz
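The suggestion from zhanghz, which ctefehinoz's last post also points at, rests on the fact that in RACF a certificate is stored once under one owning ID, and a ring belonging to a different ID can reference that same copy: the `ID(...)` outside `CONNECT` names the ring owner, the `ID(...)` inside `CONNECT` names the certificate owner. So the label does not need to exist three times, which is the "label already exists" wall the first post ran into. The batch job below is an added example, not anything posted in this thread, of that sequence for the three QSGs. PQ0AUSER, PQ0CUSER and MQKEYRINC come from the thread; PQ0BUSER, MQKEYRINA, MQKEYRINB, the label DOM1CERT, the data set name, the SYSPROG1 ID and the JOB card are assumed placeholders. Two further assumptions are stated in the comments: connecting a certificate owned by another ID to a ring needs CONTROL on IRR.DIGTCERT.CONNECT in the FACILITY class, and a partner's self-signed certificate is connected with USAGE(CERTAUTH) so that System SSL treats it as a trust anchor (the thread does not say which usage was used).

```jcl
//RACFCERT JOB (ACCT),'DOM1 CERT',CLASS=A,MSGCLASS=X
//* Added example, not from the thread.  One copy of the DOM1
//* self-signed certificate, owned by PQ0AUSER, is connected to the
//* key ring of each QSG by naming PQ0AUSER as certificate owner on
//* every CONNECT.  Assumptions: PQ0BUSER, MQKEYRINA, MQKEYRINB,
//* DOM1CERT, SYSPROG1 and the data set are placeholders; connecting
//* another ID's certificate requires CONTROL on IRR.DIGTCERT.CONNECT;
//* USAGE(CERTAUTH) is what a self-signed partner certificate needs
//* to be treated as a trusted root.
//STEP1    EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  PERMIT IRR.DIGTCERT.CONNECT CLASS(FACILITY) ID(SYSPROG1) -
    ACCESS(CONTROL)
  SETROPTS RACLIST(FACILITY) REFRESH
  RACDCERT ID(PQ0AUSER) ADD('SYSPROG.DOM1.CERT.DER') -
    WITHLABEL('DOM1CERT') TRUST
  RACDCERT ID(PQ0AUSER) CONNECT(ID(PQ0AUSER) LABEL('DOM1CERT') -
    RING(MQKEYRINA) USAGE(CERTAUTH))
  RACDCERT ID(PQ0BUSER) CONNECT(ID(PQ0AUSER) LABEL('DOM1CERT') -
    RING(MQKEYRINB) USAGE(CERTAUTH))
  RACDCERT ID(PQ0CUSER) CONNECT(ID(PQ0AUSER) LABEL('DOM1CERT') -
    RING(MQKEYRINC) USAGE(CERTAUTH))
  SETROPTS RACLIST(DIGTCERT) REFRESH
  RACDCERT ID(PQ0AUSER) LISTRING(MQKEYRINA)
  RACDCERT ID(PQ0BUSER) LISTRING(MQKEYRINB)
  RACDCERT ID(PQ0CUSER) LISTRING(MQKEYRINC)
/*
```

The three LISTRING commands are the check: each ring should list DOM1CERT with owner ID(PQ0AUSER) and usage CERTAUTH, and the channel initiator for each QSG then needs its SSLKEYR to point at that ring (owner/ring, as the last post mentions). The `SETROPTS RACLIST(DIGTCERT) REFRESH` is only needed if DIGTCERT is RACLISTed on the system. If a CONNECT fails for PQ0B or PQ0C while the PQ0A one succeeds, the first thing to look at is whether the issuing ID holds CONTROL on IRR.DIGTCERT.CONNECT, since UPDATE is enough only for an ID's own certificates on its own ring.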