MQSeries.net Forum Index » IBM MQ Security » Question on MO71
bkRaju
PostPosted: Mon Jul 25, 2011 1:58 am    Post subject: Question on MO71

Hi,

Can anyone suggest how to allow MO71 only browse operations? Or, I don't want to allow MO71 to do MQ alter/create/clear operations, so how do I restrict it?

Thanks for help.
zpat
PostPosted: Mon Jul 25, 2011 2:38 am    Post subject:

MO71 is an MQ client-based application. It does only the things that you have permitted an MQ client application to do (using your MQ connection id).

Therefore you need to secure your queue manager properly so that people who should have browse only access, do indeed have browse only access.

Then, any attempt to use more powerful access will fail, whether this is by MO71, explorer, rfhutilc or any other MQ application.

However MO71 also allows the disablement of various MO71 features. This is not a substitute for MQ security.

Do this by creating the file MQMON.AUT in your MO71 directory.

Here is an example of such a file - (see the MO71 documentation).

Code:
# Set authorisations for users of MQMON
#
# Global Authorisations

queue_display
msg_all
location_display
channel_display

nomenu_refresh_information
nomenu_refresh_default_objects
nomenu_open_location
nomenu_copy_location
nomenu_add_location
nomenu_delete_location
nomenu_save_configuration
nomenu_preferences
nomenu_mqsc
nomenu_predefined_dialog
nomenu_predefined_event
nomenu_filters
nomenu_compare
nomenu_monitoring
nomenu_publish_message
nomenu_talk
nomenu_view_network
nomenu_view_console
nomenu_default_lists
nomenu_list_view
nomenu_font
nomenu_colours
nomenu_view
nomenu_splitlist
nomenu_defaultfilter
nomenu_predefined
nomenu_listtitles
nomenu_export
nomenu_api_exerciser


Here is an article on a read-only ACL:

http://hursleyonwmq.wordpress.com/2007/02/08/using-websphere-mq-explorer-as-a-read-only-viewer/

However I would strongly recommend using group ids, not user ids in the setmqaut commands (and adding the user(s) to the group to grant access).

The same ACL should work with MO71; this assumes that your users do NOT have full MQ admin rights. If you are coding mqm in the svrconn MCAUSER or leaving it blank, then adding ACLs won't take away that overriding access.

Your question really is - how do I set up proper MQ security on my queue manager?
bkRaju
PostPosted: Mon Jul 25, 2011 3:19 am    Post subject:

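As an added example (not from this thread, and not IBM's or the MO71 author's code), here is a small POSIX shell helper that emits the setmqaut commands for a browse-only group along the lines zpat describes, granting to a group rather than a user id. The queue manager QM1, the group mqbrowse and the queue names are placeholders; that MO71 replies arrive via SYSTEM.DEFAULT.MODEL.QUEUE (and MQ Explorer via SYSTEM.MQEXPLORER.REPLY.MODEL) is an assumption, so check your own tool's reply queue.

```shell
#!/bin/sh
# Added example: generate (and sanity-check) setmqaut commands for a
# browse-only group. Names are placeholders; the model queue names below
# are an assumption about which reply queues MO71 / MQ Explorer open.

# browse_only_cmds QMGR GROUP QUEUE...
# Prints one setmqaut command per line; review them, then pipe to sh.
browse_only_cmds() {
    qm=$1; grp=$2; shift 2
    # Connect, inquire and display on the queue manager object itself.
    echo "setmqaut -m $qm -t qmgr -g $grp +connect +inq +dsp"
    # Let the tool talk to the command server: PCF requests are put here ...
    echo "setmqaut -m $qm -t queue -n SYSTEM.ADMIN.COMMAND.QUEUE -g $grp +put +inq +dsp"
    # ... and replies are read from a dynamic queue built on a model queue.
    for model in SYSTEM.DEFAULT.MODEL.QUEUE SYSTEM.MQEXPLORER.REPLY.MODEL; do
        echo "setmqaut -m $qm -t queue -n $model -g $grp +get +inq +dsp"
    done
    # Application queues: browse and display only, no put/get/clr.
    for q in "$@"; do
        echo "setmqaut -m $qm -t queue -n $q -g $grp +browse +inq +dsp"
    done
}

# browse_only_is_safe QMGR GROUP QUEUE...
# Returns 0 if, outside the command-server and model queues, the generated
# commands grant none of the rights a browse-only user must not have.
browse_only_is_safe() {
    browse_only_cmds "$@" \
        | grep -v SYSTEM.ADMIN.COMMAND.QUEUE | grep -v MODEL \
        | grep -Eq '\+(put|get|clr|set|setall|ctrl|ctrlx|altusr|crt|dlt|chg)( |$)' \
        && return 1
    return 0
}
```

None of this helps if the SVRCONN channel's MCAUSER is mqm or blank, as the post above notes; the group ACL only applies once the channel resolves connections to a non-admin id.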
Thanks a lot for your inputs!! But it doesn't have that possibility in our project.

Also, he can overwrite any userid with mqm and can access the qmgr, which is not allowed.

Do you have any other alternatives where I can restrict users' access to qmgr operations? It seems I should do IP and userid validation too.

Example: USER should access my server and my qmgr and should do read only operations.

Thanks,
bkRaju
PostPosted: Mon Jul 25, 2011 3:32 am    Post subject:

Thanks for the inputs, Knight! I am working on your suggestions. Please ignore my previous update.
exerk
PostPosted: Mon Jul 25, 2011 3:34 am    Post subject:

MO71 can also be set up in web-access mode (Chapter 13 of the manual), which is read-only. You may wish to investigate that facility.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
zpat
PostPosted: Mon Jul 25, 2011 4:05 am    Post subject:

bkRaju wrote:
Also, he can overwrite any userid with mqm and can access the qmgr, which is not allowed.

Do you have any other alternatives where I can restrict users' access to qmgr operations? It seems I should do IP and userid validation too.
Thanks,

The free BlockIP2 exit can be used to stop access with MQ admin ids and lots of other useful functions (IP checking and so on).

The most standard IBM way to implement MQ security would be to use SSL certificates.
bkRaju
PostPosted: Fri Aug 05, 2011 2:15 am    Post subject:

Hi All,

I have a question it might be strange but it is important to me.

I have a queue manager, and there are many users who can connect to the queue manager by using MO71 or some other tools through a SVRCONN channel. I would like to know which queues they are accessing in the qmgr. I need to restrict a few of the queues.
exerk
PostPosted: Fri Aug 05, 2011 2:57 am    Post subject:

Queue status should give you some information, but the easiest way is to put an MCAUSER in the channels and restrict that way initially, and wait to see who complains.
zpat
PostPosted: Fri Aug 05, 2011 3:59 am    Post subject:

You can turn on queue statistics / accounting and examine the results using SupportPac MS0P.

You can see queue open status with MO71 or MQ explorer.