| Author |
Message
|
| YN_MQ |
 Posted: Thu Apr 15, 2010 10:53 pm Post subject: Pb with wildcards and setmqaut |
 |
|
Newbie
Joined: 15 Apr 2010
Posts: 3
|
Hello,
I have a queue named QL.PT.RECV on a QMGR named MUB4.
I try to establish a template for MQ auth on this QMGR and some others.
So i tried the following command to apply rights to all local q on this qm :
| Code: |
| # setmqaut -m MUB4 -t queue -n "QL.**" -g mqgsysadm +all +setall |
I can't access the queue with the mqusysadm user (part of the mqgsysadm group of course...)
Then if i try the following command :
| Code: |
| # setmqaut -m MUB4 -t queue -n QL.PT.RECV -g mqgsysadm +all +setall |
It's working well, i can access the q with mqusysadm ...
Any idea ? |
|
| Back to top |
|
 |
| zpat |
| Posted: Thu Apr 15, 2010 11:09 pm Post subject: |
|
|
Jedi Council
Joined: 19 May 2001
Posts: 5866
Location: UK
|
Generic profiles do work. What release of WMQ?
Did you refresh security? |
|
| Back to top |
|
|
| fjb_saper |
| Posted: Thu Apr 15, 2010 11:31 pm Post subject: |
|
|
Grand High Poobah
Joined: 18 Nov 2003
Posts: 20756
Location: LI,NY
|
Depending on the environment you want to verify the setmqaut with dspmqaut.
you might also want to consider passing the command like this:
| Code: |
| setmqaut -m MUB4 -t queue -n QL.\*\* -g mqgsysadm +all +setall |
Have fun 
_________________
MQ & Broker admin |
|
| Back to top |
|
|
| YN_MQ |
| Posted: Fri Apr 16, 2010 12:15 am Post subject: |
|
|
Newbie
Joined: 15 Apr 2010
Posts: 3
|
I did refresh the security.
I tried the command with the backslash, but without success :
| Code: |
> setmqaut -m MUB4 -t queue -n QL.\*\* -g mqgsysadm +all +setall
The setmqaut command completed successfully. |
| Code: |
> echo "refresh security(*)" | runmqsc MUB4
5724-H72 (C) Copyright IBM Corp. 1994, 2005. ALL RIGHTS RESERVED.
Starting MQSC for queue manager MUB4.
1 : refresh security(*)
AMQ8560: WebSphere MQ security cache refreshed.
One MQSC command read.
No commands have a syntax error.
All valid MQSC commands were processed. |
| Code: |
> dspmqaut -m MUB4 -t queue -n QL.PT.RECV -g mqgsysadm
Entity mqgsysadm has the following authorizations for object QL.PT.RECV:
> dspmqaut -m MUB4 -t queue -n QL.** -g mqgsysadm
Entity mqgsysadm has the following authorizations for object QL.**:
get
browse
put
inq
set
dlt
chg
dsp
passid
passall
setid
setall
clr
|
|
|
| Back to top |
|
|
| jlamond |
| Posted: Fri Apr 16, 2010 7:54 am Post subject: |
|
|
Voyager
Joined: 28 May 2002
Posts: 94
Location: Paris
|
Please help me helping you!
Are you on AS/400?
JM
_________________
Jean-Marc |
|
| Back to top |
|
|
| PeterPotkay |
| Posted: Fri Apr 16, 2010 4:39 pm Post subject: |
|
|
Poobah
Joined: 15 May 2001
Posts: 7722
|
Use this command (no quotes needed):
| Code: |
setmqaut -m MUB4 -t queue -n QL.** -g mqgsysadm +all
|
I use this type of command all the time. It works. The only time I find I need to wrap the q name in quotes is if the name starts with an *.
No need for +setall if you gave +all.
No need for Refresh Security. The setmqaut command works immediatly. The only time you need Refresh Security is if you change group memberships and you want the QM to refresh its cache, that it built at QM start up, that holds what IDs are in what groups.
_________________
Peter Potkay
Keep Calm and MQ On |
|
| Back to top |
|
|
| bruce2359 |
| Posted: Fri Apr 16, 2010 5:36 pm Post subject: |
|
|
Poobah
Joined: 05 Jan 2008
Posts: 9469
Location: US: west coast, almost. Otherwise, enroute.
|
Of course +all is pretty much equal to no security.
A suggestion: for each and every setmqaut command, begin with -all for the user/group; then grant with + just the access you really want the user/group to have.
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live. |
|
| Back to top |
|
|
| fjb_saper |
| Posted: Sat Apr 17, 2010 12:37 am Post subject: |
|
|
Grand High Poobah
Joined: 18 Nov 2003
Posts: 20756
Location: LI,NY
|
If you want to look at the security profile for the queue and not at security profiles, don't use dspmqaut, use dmpmqaut. The dump should show that the security from the profile was bestowed onto the queue.....
Have fun
_________________
MQ & Broker admin |
|
| Back to top |
|
|
| YN_MQ |
| Posted: Mon Apr 19, 2010 3:28 am Post subject: |
|
|
Newbie
Joined: 15 Apr 2010
Posts: 3
|
| Quote: |
| If you want to look at the security profile for the queue and not at security profiles, don't use dspmqaut, use dmpmqaut. The dump should show that the security from the profile was bestowed onto the queue..... |
Thanks for this... I found the pb.
For those interested :
I previously ran the command setmqaut on the queue, to avoid access to the group "mqgsysadm". What i didn't realize is that this authorization stays registered for the object, even if you add a new auth for the object.
When i ran the commd dmpmqaut :
| Code: |
> dmpmqaut -m MUB4 -n QL.PT.RECV
profile: QL.PT.RECV
object type: queue
entity: mqm
entity type: group
authority: allmqi dlt chg dsp clr
- - - - - - - -
profile: QL.PT.RECV
object type: queue
entity: mqgsysadm
entity type: group
authority: none
- - - - - - - -
profile: QL.**
object type: queue
entity: mqgsysadm
entity type: group
authority: allmqi dlt chg dsp clr |
So i had to run the command, coz MQ is taking the most restrictive profile :
| Code: |
| setmqaut -m MUB4 -remove -t queue -n QL.PT.RECV -g mqgsysadm |
Now, dmpmqaut looks like that :
| Code: |
> dmpmqaut -m MUB4 -n QL.PT.RECV
profile: QL.PT.RECV
object type: queue
entity: mqm
entity type: group
authority: allmqi dlt chg dsp clr
- - - - - - - -
profile: QL.**
object type: queue
entity: mqgsysadm
entity type: group
authority: allmqi dlt chg dsp clr |
And i can access the queue mqusysadm...
Thanks everyone, you've been helping me a lot ! |
|
| Back to top |
|
|
|
|
