MQ 7 not authenticating users of groups on Linux 64 bits

dprogwmb
Posted: Fri Dec 30, 2011 5:55 am Post subject: MQ 7 not authenticating users of groups on Linux 64 bits
Voyager
Joined: 19 Jul 2011 Posts: 96

Hi all
I'm running MQ 7.0 on Linux Red Hat Enterprise Server 5.7 (64 bits), and I have the OAM enabled, and I've set the permissions on a group ("developers") different from the group mqm, with some restrictions on some MQ objects... but MQ does not authenticate the users (and therefore does not apply the policies to those users) of the "developers" group...
MQ allows me to connect and see everything as if the user was part of the mqm group, but the user is part of the developers group...
What can be happening?
(I have checked the variable MQSNOAUT and it's not set to yes, so that's not the problem... and the qm.ini has the service and the amqzfu module well configured... If I execute a dspaut it shows correctly by group which authorities it has...)
Any idea or place where to look or change?
Regards.

exerk
Posted: Fri Dec 30, 2011 6:00 am Post subject:
Jedi Council
Joined: 02 Nov 2006 Posts: 6339

Did you refresh security after setting the authorities?
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.

bruce2359
Posted: Fri Dec 30, 2011 6:18 am Post subject:
Poobah
Joined: 05 Jan 2008 Posts: 9469 Location: US: west coast, almost. Otherwise, enroute.

Are you in both mqm and developers groups?
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.

dprogwmb
Posted: Fri Dec 30, 2011 6:50 am Post subject: ... Answers
Voyager
Joined: 19 Jul 2011 Posts: 96

Yes, I've refreshed the MQ security and executed endmqm and strmqm... and nothing...
In group mqm, there is no user associated...
With any user I can connect to the QM via MQ Explorer... and do anything in the queue manager... delete, alter, create, view, etc., with QM objects...
Any ideas??? Or possible places where to look or find something?
Help please!!
REGARDS

exerk
Posted: Fri Dec 30, 2011 6:55 am Post subject:
Jedi Council
Joined: 02 Nov 2006 Posts: 6339

How are you connecting with MQ Explorer? Client or bindings? If client, check the SVRCONN, because it's possible an elevated-privilege user has been set as the MCAUSER value; if bindings, and you're in the mqm group, you will have the privilege to do everything.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.

PeterPotkay
Posted: Fri Dec 30, 2011 7:18 am Post subject:
Poobah
Joined: 15 May 2001 Posts: 7722

exerk wrote: "Did you refresh security after setting the authorities?"
That is not necessary - setmqaut changes, adds and deletes are effective immediately if the command completed successfully.
_________________
Peter Potkay
Keep Calm and MQ On

PeterPotkay
Posted: Fri Dec 30, 2011 7:26 am Post subject: Re: ... Answers
Poobah
Joined: 15 May 2001 Posts: 7722

dprogwmb wrote: "In group mqm, there is no user associated..."
I hope the mqm ID is in the mqm group!
dprogwmb wrote: "With any user I can connect to the QM via MQ Explorer... and do anything in the queue manager... delete, alter, create, view, etc., with QM objects..."
Your SVRCONN channel is probably set up with no SSL, no Security Exit and a blank value for the MCAUSER parameter, or "mqm" for MCAUSER.
Without SSL or an Exit on that channel, anyone can use the channel to connect.
With mqm in the MCAUSER, the channel has 100% access.
With nothing in the MCAUSER, a client starting up MQ Explorer on a Windows machine will connect with full admin access.
With nothing in the MCAUSER, a client starting up any app on their client machine can choose to run as an ID with full access, i.e. mqm.
With nothing in the MCAUSER, a client starting up a Java app on their machine will send no ID to the QM, and MQ will default that channel connection to the ID that the MQ Listener is running under, most likely mqm.
Use SSL or an Exit to control WHO can use that channel.
Use a value in the MCAUSER parameter to control WHAT a user can do once connected over the channel.
_________________
Peter Potkay
Keep Calm and MQ On
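
A check for the channel settings described in the post above, as an added example that is not part of the original thread: it parses the output of the MQSC command DISPLAY CHANNEL(*) CHLTYPE(SVRCONN) MCAUSER SSLCIPH SCYEXIT and flags SVRCONN channels that have no SSL or exit, or a blank or mqm MCAUSER. The sample output, the channel names ADMIN.SVRCONN and DEV.APP.SVRCONN and the user devapp are constructed for illustration.

```python
import re

# Constructed sample of runmqsc output for:
#   DISPLAY CHANNEL(*) CHLTYPE(SVRCONN) MCAUSER SSLCIPH SCYEXIT
# ADMIN.SVRCONN, DEV.APP.SVRCONN and the user devapp are made-up names.
SAMPLE = """\
AMQ8414: Display Channel details.
   CHANNEL(SYSTEM.DEF.SVRCONN)             CHLTYPE(SVRCONN)
   MCAUSER( )                              SCYEXIT( )
   SSLCIPH( )
AMQ8414: Display Channel details.
   CHANNEL(ADMIN.SVRCONN)                  CHLTYPE(SVRCONN)
   MCAUSER(mqm)                            SCYEXIT( )
   SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA)
AMQ8414: Display Channel details.
   CHANNEL(DEV.APP.SVRCONN)                CHLTYPE(SVRCONN)
   MCAUSER(devapp)                         SCYEXIT( )
   SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA)
"""

ATTR = re.compile(r"(\w+)\(([^()]*)\)")  # NAME(value) pairs; blank values print as "( )"

def parse_channels(text):
    """Return {channel name: {attribute: value}} for each SVRCONN record."""
    channels = {}
    for record in text.split("AMQ8414:")[1:]:
        attrs = {k: v.strip() for k, v in ATTR.findall(record)}
        if attrs.get("CHLTYPE") == "SVRCONN":
            channels[attrs["CHANNEL"]] = attrs
    return channels

def audit(attrs, admin_ids=("mqm",)):
    """Apply the two checks from the post: WHO may connect, WHAT they run as."""
    findings = []
    if not attrs.get("SSLCIPH") and not attrs.get("SCYEXIT"):
        findings.append("open: no SSL and no security exit")
    mcauser = attrs.get("MCAUSER", "")
    if not mcauser:
        findings.append("blank MCAUSER: ID is client-asserted or the listener's")
    elif mcauser.lower() in admin_ids:
        findings.append("admin MCAUSER: full access")
    return findings

def audit_all(text):
    return {name: audit(a) for name, a in parse_channels(text).items()}

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE).items():
        print(name, "->", findings or ["ok"])
```

An empty findings list means only that the channel passes these two checks; it does not verify that the MCAUSER ID's own authorities are restricted.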