jonesn
Posted: Wed Jun 24, 2009 5:11 am Post subject: SYSTEM.BKR.CONFIG MCAUSER attribute being ignored
Apprentice
Joined: 09 Jan 2002 Posts: 47

I have a toolkit running on XP & I want to connect it to an AIX configuration manager. The XP userid is not defined on the AIX box but I have another userid, configured correctly (setmqaut/mqsicreateacl), on the AIX box. This is a test box so the security implications of forcing in the user in this manner are not a major concern.
I created a new SVRCONN channel on the AIX queue manager with MCAUSER attribute containing the AIX user. I tested this using amqsputc from XP to AIX and the message appears on the queue with the correct (AIX) userid.
So you would expect it to be a simple matter of using this channel name when I create the domain connection in the toolkit? Unfortunately this is not the case & I get an error indicating that the XP user does not have permission...
BIP1711W: The ConfigManagerProxy is not viewable by user XPDomain\XPUser
An attempt was made to view or manipulate the ConfigManagerProxy with UUID '', but the user who initiated this operation does not have the required authority to do so.
Ask the domain's administrator to grant your user ID the necessary authority to perform the requested action.
The postings on this subject on this site suggest that MCAUSER should work and I have used this technique many times before to force a particular userid into a message so am quite surprised by the error.
I am using...
Toolkit: 6.1.0.2
Broker: 6.1.0.2
WMQ: 6.0.2.4
Is anyone aware of any additional configuration on the toolkit to get this configuration to work?
Thanks
---
Nick Jones
IBM Certified Solutions Expert (WebSphere MQ Integrator)

mqjeff
Posted: Wed Jun 24, 2009 5:23 am
Grand Master
Joined: 25 Jun 2008 Posts: 17447

The MCAUSER only gets you MQ permissions, and only alters things at the MQ transport layer.
You need to use mqsicreateaclentry for user XPDomain\XPuser, regardless of whether or not the AIX security registry knows how to talk to XPDomain and authenticate XPUser.

jonesn
Posted: Wed Jun 24, 2009 5:46 am
Apprentice
Joined: 09 Jan 2002 Posts: 47

mqjeff.
Thanks for your help, I am now able to connect to the configuration manager.
Am I correct in thinking that the XPuser is passed in the body of the message and that the AIXuser is put into the MQMD.UserIdentifier attribute? The MQMD.UserIdentifier allows the message to be put to the queue and the XPuser is used to authenticate at the configuration manager level.
Regards
---
Nick Jones
IBM Certified Solutions Expert (WebSphere MQ Integrator)

mqjeff
Posted: Wed Jun 24, 2009 6:57 am
Grand Master
Joined: 25 Jun 2008 Posts: 17447

That's probably not correct as you've written it, no.
The MCAUSER on the channel replaces the identity provided by the Toolkit for the purposes of MQ authorization.
The ConfigMgr uses some portion of the MQ message, probably an undocumented portion, to perform its own authorization for ConfigMgr actions. MCAUSER does not alter the MQ message in any way.
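
Added example (not part of the thread and not IBM code): a small Python model of the two independent checks mqjeff describes, the queue manager's authorization keyed on the channel identity and the ConfigMgr ACL keyed on the originating Toolkit user. The channel name, `aixuser`, the queue name constant and all data structures are assumptions made for illustration.

```python
from dataclasses import dataclass

CONFIG_QUEUE = "SYSTEM.BROKER.CONFIG.QUEUE"  # ConfigMgr request queue name (assumed here)
XP_USER = "XPDomain\\XPUser"                 # Toolkit user named in the BIP1711W text
AIX_USER = "aixuser"                         # constructed placeholder for the AIX user

@dataclass(frozen=True)
class Request:
    origin_user: str  # user the Toolkit runs as; assumed to travel with the request
    action: str       # e.g. "view"

@dataclass
class SvrconnChannel:
    name: str
    mcauser: str = ""  # blank means the client-asserted user is checked

def mq_user(channel, request):
    """Identity the queue manager checks: MCAUSER wins when it is set."""
    return channel.mcauser or request.origin_user

def submit(request, channel, mq_auth, configmgr_acl):
    """Run both checks in order and return the first failure, or "OK"."""
    # Layer 1: queue manager authorization (setmqaut), keyed on the channel identity.
    if "put" not in mq_auth.get((mq_user(channel, request), CONFIG_QUEUE), set()):
        return "MQRC_NOT_AUTHORIZED"
    # Layer 2: ConfigMgr ACL (mqsicreateaclentry), keyed on the originating user.
    # MCAUSER never enters this lookup.
    if request.action not in configmgr_acl.get(request.origin_user, set()):
        return "BIP1711W"
    return "OK"

def demo():
    mq_auth = {(AIX_USER, CONFIG_QUEUE): {"put"}}  # only the AIX user has MQ rights
    acl = {AIX_USER: {"view", "deploy"}}           # ACL entry exists for the AIX user only
    req = Request(XP_USER, "view")
    results = []
    # 1. Channel without MCAUSER: the XP user fails at the MQ layer.
    results.append(submit(req, SvrconnChannel("TOOLKIT.SVRCONN"), mq_auth, acl))
    # 2. MCAUSER set: MQ accepts the put, ConfigMgr still rejects the XP user.
    chan = SvrconnChannel("TOOLKIT.SVRCONN", mcauser=AIX_USER)
    results.append(submit(req, chan, mq_auth, acl))
    # 3. ACL entry added for the XP user: both layers pass.
    acl[XP_USER] = {"view"}
    results.append(submit(req, chan, mq_auth, acl))
    return results

if __name__ == "__main__":
    print(demo())
```

In this model the ConfigMgr ACL key is a string supplied by the client, which matches the thread's observation that the entry works whether or not the AIX security registry can authenticate XPUser.
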

jonesn
Posted: Wed Jun 24, 2009 7:22 am
Apprentice
Joined: 09 Jan 2002 Posts: 47

For SVRCONN channels the content of the MCAUSER attribute replaces the MQMD.UserIdentifier attribute. This is not the case for the normal MQ channels.
This is proved by creating a SVRCONN channel containing an MCAUSER attribute & putting a message using amqsputc. The MCAUSER content appears in the message.
Regards
---
Nick Jones
IBM Certified Solutions Expert (WebSphere MQ Integrator)