| Author |
Message
|
| masteringmq |
 Posted: Tue Jan 27, 2009 9:51 pm Post subject: WMQ tool |
 |
|
Master
Joined: 20 Oct 2008
Posts: 200
|
I am using two different tools to connect to my box.
1. WMQ tool
2. PUTTY
Using the WMQ tool I am able to create QM, display channel status, start and stop a channel and much more. However with PUTTY I am unable to display channel status and so on. It says not authorized. Is this because that my WMQ tool is tied up to my domain userid that I am able to do all the things that I am unable to do using PUTTY?. |
|
| Back to top |
|
 |
| zpat |
| Posted: Tue Jan 27, 2009 10:26 pm Post subject: |
|
|
Jedi Council
Joined: 19 May 2001
Posts: 5867
Location: UK
|
More likely that WMQTool is connecting in a manner that grants you mqm group authority.
This is not the fault of the tool, which is excellent and supports several security options.
You need to close the exposure in your MQ setup.
Last edited by zpat on Tue Feb 17, 2009 12:33 am; edited 1 time in total |
|
| Back to top |
|
|
| masteringmq |
| Posted: Tue Jan 27, 2009 10:44 pm Post subject: |
|
|
Master
Joined: 20 Oct 2008
Posts: 200
|
| I checked my domain userid and found that it has been assigned to the mqm group. |
|
| Back to top |
|
|
| Sam Uppu |
| Posted: Wed Jan 28, 2009 7:07 am Post subject: Re: WMQ tool |
|
|
Yatiri
Joined: 11 Nov 2008
Posts: 610
|
| masteringmq wrote: |
I am using two different tools to connect to my box.
1. WMQ tool
2. PUTTY
Using the WMQ tool I am able to create QM, display channel status, start and stop a channel and much more. However with PUTTY I am unable to display channel status and so on. It says not authorized. Is this because that my WMQ tool is tied up to my domain userid that I am able to do all the things that I am unable to do using PUTTY?. |
Which platform is that?. On Unix machines you can type 'id' and see whether you logged with 'mqm' user. If you logged with your own user id(network id), then you should be part of mqm group. As you are saying you are part of mqm, then you should have all the MQ admin rights for your user id.
Are you able to do
runmqsc QMgrName ?
If you are able to do that, you should be able to do all the runmqsc commands.
To check the channel state are you using, dis chs(channelName)?.
Let us know what exactly you are issuing and what error you are getting exactly?.
Thanks. |
|
| Back to top |
|
|
| masteringmq |
| Posted: Wed Jan 28, 2009 8:24 am Post subject: |
|
|
Master
Joined: 20 Oct 2008
Posts: 200
|
The WMQ tool is installed on Windows XP platform. I am using WMQ to connect to a UNIX box where all the MQ definitions are located. Since WMQ is using my domain userid which is assigned to the mqm group therefore I can perform administrative functionality on the UNIX box using WMQ tool.
The error is with PUTTY. To access the UNIX box using PUTTY I am using a different userid. I believe this userid is not assigned to the mqm group. Therefore I have no administrative privilage. But I did see the administrator assigning the userid to the mqm group which I need to check again with the administrator. By right if my userid is assigned to the mqm group then I must be able to issue the mqsc command and display the channels and so on. I should not be getting the error "not authorized". |
|
| Back to top |
|
|
| Vitor |
| Posted: Wed Jan 28, 2009 8:43 am Post subject: |
|
|
Grand High Poobah
Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA
|
| masteringmq wrote: |
| The WMQ tool is installed on Windows XP platform. I am using WMQ to connect to a UNIX box where all the MQ definitions are located. Since WMQ is using my domain userid which is assigned to the mqm group therefore I can perform administrative functionality on the UNIX box using WMQ tool. |
UNIX (obviously) is blind to Windows domains, so it's the matching UNIX id that's checked. Depending on how the tool is connecting, it could be using a different userid with administrative access rather than your Windows one.
| masteringmq wrote: |
| To access the UNIX box using PUTTY I am using a different userid. I believe this userid is not assigned to the mqm group. Therefore I have no administrative privilage. But I did see the administrator assigning the userid to the mqm group which I need to check again with the administrator. By right if my userid is assigned to the mqm group then I must be able to issue the mqsc command and display the channels and so on. I should not be getting the error "not authorized". |
Was there a question there? Because yes, if your UNIX id is a member of the mqm group (subject to some wrinkles on some UNIX platforms) then you should have mqm access.
_________________
Honesty is the best policy.
Insanity is the best defence. |
|
| Back to top |
|
|
| RogerLacroix |
| Posted: Thu Jan 29, 2009 9:43 am Post subject: Re: WMQ tool |
|
|
Jedi Knight
Joined: 15 May 2001
Posts: 3265
Location: London, ON Canada
|
Hi,
See my comments here , regarding Java MQ tools:
http://www.mqseries.net/phpBB2/viewtopic.php?t=17842
The reason your UserId is blocked via Putty is because have have not "spoofy-ed" your UserId to another UserId. Since your Unix UserId is not in the "mqm" group or it has not being given privileges via setmqaut, it gets "not authorized".
As I always say: "A basic setup of WebSphere MQ Server potentially allows any user to freely access any message in any queue. "
Regards,
Roger Lacroix
Capitalware Inc.
_________________
Capitalware: Transforming tomorrow into today.
Connected to MQ!
Twitter |
|
| Back to top |
|
|
| zpat |
| Posted: Thu Jan 29, 2009 10:05 am Post subject: |
|
|
Jedi Council
Joined: 19 May 2001
Posts: 5867
Location: UK
|
| Why is it when I post a short, but correct answer, people keep on asking the question? |
|
| Back to top |
|
|
| RogerLacroix |
| Posted: Thu Jan 29, 2009 10:16 am Post subject: |
|
|
Jedi Knight
Joined: 15 May 2001
Posts: 3265
Location: London, ON Canada
|
| zpat wrote: |
| Why is it when I post a short, but correct answer, people keep on asking the question? |
Your post was "spot on". I was trying to explain the "why" it was a security hole. 
Regards,
Roger Lacroix
_________________
Capitalware: Transforming tomorrow into today.
Connected to MQ!
Twitter |
|
| Back to top |
|
|
| masteringmq |
| Posted: Sun Feb 01, 2009 11:55 pm Post subject: |
|
|
Master
Joined: 20 Oct 2008
Posts: 200
|
| This WMQ privilage is only given for SIT. For PRD I have no such privilage. |
|
| Back to top |
|
|
| exerk |
| Posted: Mon Feb 02, 2009 1:56 am Post subject: |
|
|
Jedi Council
Joined: 02 Nov 2006
Posts: 6339
|
Have you tried su - mqm in your PUTTY session?
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
|
| Back to top |
|
|
| masteringmq |
| Posted: Mon Feb 02, 2009 5:09 pm Post subject: |
|
|
Master
Joined: 20 Oct 2008
Posts: 200
|
|
| Back to top |
|
|
| PeterPotkay |
| Posted: Mon Feb 02, 2009 5:22 pm Post subject: |
|
|
Poobah
Joined: 15 May 2001
Posts: 7723
|
What do you think that means? 
_________________
Peter Potkay
Keep Calm and MQ On |
|
| Back to top |
|
|
| masteringmq |
| Posted: Mon Feb 02, 2009 5:25 pm Post subject: |
|
|
Master
Joined: 20 Oct 2008
Posts: 200
|
| I dont have access to the mqm userid. |
|
| Back to top |
|
|
| zpat |
| Posted: Mon Feb 02, 2009 10:49 pm Post subject: |
|
|
Jedi Council
Joined: 19 May 2001
Posts: 5867
Location: UK
|
| RogerLacroix wrote: |
| zpat wrote: |
| Why is it when I post a short, but correct answer, people keep on asking the question? |
Your post was "spot on". I was trying to explain the "why" it was a security hole.
Regards,
Roger Lacroix |
Extending the answer is fine, repeating the original question is what I find annoying. |
|
| Back to top |
|
|
|
|
