MQSeries.net Forum Index » IBM MQ Security » MCA User ID

MCA User ID
phani_16
PostPosted: Wed Mar 23, 2011 5:57 am    Post subject: MCA User ID

Novice

Joined: 09 Mar 2011
Posts: 20

Hi,

I have a server connection channel for queue manager "QMC01", and the MCA user ID for it is set to the "junk" user.

Now I have a client application, and the user ID is set to "test" in the userID field of the MQEnvironment class (MQEnvironment.userID = "test").

Though I have set a different user ID from the client application, I am still able to put a message on the queue. I want to know whether I have missed something. I also want to know whether the MCA user is dependent on the user ID with which we log on to the machine.
mqjeff
PostPosted: Wed Mar 23, 2011 6:19 am    Post subject:

Grand Master

Joined: 25 Jun 2008
Posts: 17447

The advantage of the MCAUSER is that it is ALWAYS the ID that is used, regardless of what the client application has said the user is.

It REPLACES everything that is passed in.

Use SSL and SSLPEER to provide client authentication and matching.
phani_16
PostPosted: Wed Mar 23, 2011 6:26 am    Post subject:

Novice

Joined: 09 Mar 2011
Posts: 20

Hi Jeff,

I couldn't understand the statement "The advantage of the MCAUSER is that it is ALWAYS the ID that is used, regardless of what the client application has said the user is".

My question is then: what's the use of having an MCA user for a channel? I thought that any application that connects to this channel should use the user set for this channel, and if the MCAUSER replaces the client user ID every time, then there is no point in setting it; rather leave it blank.
rama1977
PostPosted: Wed Mar 23, 2011 6:39 am    Post subject:

Newbie

Joined: 22 Mar 2011
Posts: 7

phani_16 wrote:
if the MCAUSER replaces the client user ID every time, then there is no point in setting it; rather leave it blank.


If it is left blank, then an application can do MQEnvironment.userID = "mqm" and control the queue manager.

But if it is set to "test", then the application can only do what the test user is allowed to do, no matter what the application sets.
mqjeff
PostPosted: Wed Mar 23, 2011 6:41 am    Post subject:

Grand Master

Joined: 25 Jun 2008
Posts: 17447

The question is if you can trust your applications to send the right thing or not.

If you leave MCAUSER blank, then I can write an application that says that it is the "mqm" user, and then have complete control of your queue manager without you knowing it.

If you set MCAUSER to 'junk', then I can not use this channel to connect as any user other than 'junk', and will only and always have the permissions given to the user 'junk'.

If you want to then make sure that I'm allowed to connect as the user 'junk', you can use SSL and ensure that I have a correct certificate and SSLPEER to make sure my certificate matches the rules for being the user 'junk'.
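The two channel definitions described in the replies above, as an added example that is not from the original thread: the weak form with a blank MCAUSER beside the hardened form that pins the channel to 'junk' and uses SSL/SSLPEER to tie that identity to a client certificate. The channel name APP.SVRCONN, the certificate DN and the CipherSpec are assumptions (the thread only names queue manager QMC01 and the user 'junk'); the DISPLAY commands at the end are the checks exerk and mqjeff ask for.

```mqsc
* Run inside: runmqsc QMC01
*
* --- Weak: MCAUSER blank. The queue manager trusts whatever user ID the
* client asserts (MQEnvironment.userID), so a client that claims "mqm"
* gets full administrative control of the queue manager.
DEFINE CHANNEL('APP.SVRCONN') CHLTYPE(SVRCONN) TRPTYPE(TCP) +
       MCAUSER(' ') REPLACE

* --- Hardened: MCAUSER pins every connection on this channel to the
* low-privilege ID 'junk' no matter what the client sends. The client
* gets no error; its asserted user ID is silently ignored. SSLCAUTH and
* SSLPEER then require a client certificate whose DN matches before the
* connection is allowed to become 'junk' at all. (Channel name, DN and
* CipherSpec are assumed values; pick a CipherSpec your MQ level supports.)
DEFINE CHANNEL('APP.SVRCONN') CHLTYPE(SVRCONN) TRPTYPE(TCP) +
       MCAUSER('junk') +
       SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA256) +
       SSLCAUTH(REQUIRED) +
       SSLPEER('CN=appclient,OU=apps,O=Example') +
       REPLACE

* Grant authorities to the group that 'junk' belongs to (setmqaut -g, from
* the command line), never to the user itself; the effective rights are the
* union of all groups the user is in.

* --- Checks: confirm what the running queue manager actually holds.
* A blank MCAUSER on some other SVRCONN, or a client using a different
* channel name, is the usual reason the override seems not to apply.
DISPLAY CHANNEL(*) CHLTYPE(SVRCONN) MCAUSER SSLPEER SSLCAUTH
* For live connections, CHSTATUS shows the MCAUSER in effect per client.
DISPLAY CHSTATUS('APP.SVRCONN') MCAUSER RCONNAME
```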
phani_16
PostPosted: Wed Mar 23, 2011 6:58 am    Post subject:

Novice

Joined: 09 Mar 2011
Posts: 20

Hi Jeff,

Thanks for the response.
The statement below seems to be contradictory to the one which you mentioned earlier.

"If you set MCAUSER to 'junk', then I can not use this channel to connect as any user other than 'junk', and will only and always have the permissions given to the user 'junk'."

If this is the case, then I should get an error for all the other user IDs set from the client applications with which I connect to this channel.


Hi rama,

The user "test" is a test user (it doesn't belong to the mqm group) and doesn't have any permissions set.

So how come it is able to put the messages on the queue?
fjb_saper
PostPosted: Wed Mar 23, 2011 7:07 am    Post subject:

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20696
Location: LI,NY

phani_16 wrote:
Hi Jeff,

Thanks for the response.
The statement below seems to be contradictory to the one which you mentioned earlier.

"If you set MCAUSER to 'junk', then I can not use this channel to connect as any user other than 'junk', and will only and always have the permissions given to the user 'junk'."

If this is the case, then I should get an error for all the other user IDs set from the client applications with which I connect to this channel.


Hi rama,

The user "test" is a test user (it doesn't belong to the mqm group) and doesn't have any permissions set.

So how come it is able to put the messages on the queue?


Because you have set permissions at the user level in a Unix/Linux environment. This is a no-no. You should only set permissions at a group level, and it is good practice to also do so in Windows.

In Unix, permissions set at a user level set permissions for the primary group of that user. You need to check all groups the user test belongs to and the permissions granted to each of those groups. The least restrictive will apply.

Have fun
_________________
MQ & Broker admin
exerk
PostPosted: Wed Mar 23, 2011 7:07 am    Post subject:

Jedi Council

Joined: 02 Nov 2006
Posts: 6339

Are you absolutely sure you have set authorities for user 'junk'?* Are you absolutely sure that you have MCAUSER('junk') set in the SVRCONN channel?* Are you absolutely sure that the client is using that SVRCONN channel?

* where 'junk' is the userid
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
phani_16
PostPosted: Wed Mar 23, 2011 7:19 am    Post subject:

Novice

Joined: 09 Mar 2011
Posts: 20

Hi exerk,

The user 'junk' belongs to a group "Users", which is added to the OAM profiles and has the authorities set.

I'm absolutely sure that I'm using the user ID 'junk' for the channel (i.e. MCAUSER='junk'). The queue manager doesn't have any other channels and contains only one server channel. Also, the channel name is set in the client application.

So I don't know where exactly I'm missing the point.
fjb_saper
PostPosted: Wed Mar 23, 2011 7:56 am    Post subject:

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20696
Location: LI,NY

If you are on a Unix/Linux box, what is the output of
Code:
id junk
?
_________________
MQ & Broker admin
phani_16
PostPosted: Wed Mar 23, 2011 8:01 am    Post subject:

Novice

Joined: 09 Mar 2011
Posts: 20

Hi,

I'm running this on a Windows machine.
mqjeff
PostPosted: Wed Mar 23, 2011 8:11 am    Post subject:

Grand Master

Joined: 25 Jun 2008
Posts: 17447

Again, with an MCAUSER of 'junk', everything that the user junk can do, everyone who connects can do.

So is the application able to put to a queue that the user 'junk' does not have permission to use? Or just able to put to a queue that the user specified in the code does not have permission to?
phani_16
PostPosted: Wed Mar 23, 2011 8:18 am    Post subject:

Novice

Joined: 09 Mar 2011
Posts: 20

The application was able to put messages on a queue which the 'junk' user doesn't have permission to use.
gbaddeley
PostPosted: Wed Mar 23, 2011 2:45 pm    Post subject:

Jedi

Joined: 25 Mar 2003
Posts: 2495
Location: Melbourne, Australia

phani_16 wrote:

"Jeff: If you set MCAUSER to 'junk', then I can not use this channel to connect as any user other than 'junk', and will only and always have the permissions given to the user 'junk'."

If this is the case, then I should get an error for all the other user IDs set from the client applications with which I connect to this channel.


No error is generated. If MCAUSER is set on the SVRCONN, any setting made by the client app is silently ignored.

Unless you also use a security exit and/or SSL, do not design apps that require an MQ client user ID to be set in the app. It is a major security risk because it is too easy to abuse and obtain full admin rights to the queue manager and access any queue.
_________________
Glenn
fjb_saper
PostPosted: Wed Mar 23, 2011 5:15 pm    Post subject:

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20696
Location: LI,NY

For each group the user junk is a member of, run the following command:

Code:
dmpmqaut -m <yourqmgr>  -g <groupname>
also run:
dmpmqaut -m <yourqmgr> -p junk


Happy troubleshooting
_________________
MQ & Broker admin