nic3500 (Newbie, Joined: 22 May 2013, Posts: 5)
Posted: Wed May 22, 2013 9:29 am    Post subject: What if Windows user id cannot be == unix user id?

Greetings, I have been researching this for a while, I hope you can help.
My windows account is: DOMAIN\nic3500windowsaccount
My unix account is: nic3500
My nic3500 user has rights to administer the local QM, on the unix system. I can do everything ok.
With MQ Explorer on my PC (Win 7) I am able to connect to the unix QM since the Explorer has a field where you can specify the user to use for connecting (nic3500).
I am trying to use MO71, MO72, MS03 and cannot connect ever, since I get a RC=2035. But I cannot find where I can specify the user to use.
My guesses are:
- MO71, MO72 and MS03 send nic3500windowsaccount to the Unix QM, so it fails.
- I did not set a MCAUSER on SYSTEM.ADMIN.SVRCONN. And after reading a lot of posts here, I will NOT do it (danger danger!).
- both the windows and unix administrators will not change my account names. Not their problem (ya, good luck when they need my help!)
- I am not local admin on my PC, so I cannot create a local user to match my unix account.
- I could "open" it all and setup SSL to block others from connecting to the Unix QM...
So is there a solution?
Thanks for any ideas, Nic.
Vitor (Grand High Poobah, Joined: 11 Nov 2005, Posts: 26093, Location: Texas, USA)
Posted: Wed May 22, 2013 9:40 am

You don't have to use SYSTEM.ADMIN.SVRCONN, which you're right to avoid.
If you have WMQv7.5 you have all of the additional client security features available to assist you.
If you're below that BlockIP2 may assist.

_________________
Honesty is the best policy.
Insanity is the best defence.
Michael Dag (Jedi Knight, Joined: 13 Jun 2002, Posts: 2607, Location: The Netherlands (Amsterdam))
Posted: Thu May 23, 2013 10:13 am

Vitor wrote:
    You don't have to use SYSTEM.ADMIN.SVRCONN, which you're right to avoid.
    If you have WMQv7.5 you have all of the additional client security features available to assist you.
    If you're below that BlockIP2 may assist.

Actually, channel authentication was added in v7.1, so if Nic is on v7.1 and needs to administer his QMs on Win or Unix he can set up the appropriate channel authentication rules.

_________________
Michael
MQSystems Facebook page
nic3500 (Newbie, Joined: 22 May 2013, Posts: 5)
Posted: Fri May 24, 2013 3:10 am

I ended up doing this:
- set up a new SVRCONN for me
- use BlockIP2 to filter my Windows account. I did not want to block by IP since my work PC changes address: I use VPN, sometimes wired, sometimes wireless, ...
Thanks for the suggestions!
Nic
hughson (Padawan, Joined: 09 May 2013, Posts: 1959, Location: Bay of Plenty, New Zealand)
Posted: Fri May 24, 2013 4:06 am    Post subject: Re: What if Windows user id cannot be == unix user id?

nic3500 wrote:
    My windows account is: DOMAIN\nic3500windowsaccount
    My unix account is: nic3500
    My nic3500 user has rights to administer the local QM, on the unix system. I can do everything ok.
    So is there a solution?

If you are on V7.1 (minimum) you could set one of the following CHLAUTH rules to achieve this (the trailing + is the MQSC line-continuation character, so each rule can be pasted into runmqsc as shown):
Code:
    SET CHLAUTH(channel-name) TYPE(USERMAP) CLNTUSER('nic3500windowsaccount') MCAUSER('nic3500') +
        DESCR('Unauthenticated user ID translation')
    SET CHLAUTH(channel-name) TYPE(USERMAP) CLNTUSER('nic3500windowsaccount') MCAUSER('nic3500') +
        ADDRESS(ip-address) +
        DESCR('Weak IP authentication with user ID translation')
    SET CHLAUTH(channel-name) TYPE(SSLPEERMAP) +
        SSLPEER(your-dn) MCAUSER('nic3500') +
        DESCR('SSL authentication setting user - ignore client side user')
If you're going to use CHLAUTH you may also find it interesting to read a few blog posts I wrote about it which are listed here.
Cheers
Morag

_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
mqjeff (Grand Master, Joined: 25 Jun 2008, Posts: 17447)
Posted: Fri May 24, 2013 4:11 am    Post subject: Re: What if Windows user id cannot be == unix user id?

hughson wrote:
    If you are on V7.1 (minimum) you could set one of the following CHLAUTH rules to achieve this:-
    Code:
        SET CHLAUTH(channel-name) TYPE(USERMAP) CLNTUSER('nic3500windowsaccount') MCAUSER('nic3500') +
            DESCR('Unauthenticated user ID translation')
        SET CHLAUTH(channel-name) TYPE(USERMAP) CLNTUSER('nic3500windowsaccount') MCAUSER('nic3500') +
            ADDRESS(ip-address) +
            DESCR('Weak IP authentication with user ID translation')
        SET CHLAUTH(channel-name) TYPE(SSLPEERMAP) +
            SSLPEER(your-dn) MCAUSER('nic3500') +
            DESCR('SSL authentication setting user - ignore client side user')

These all assume that nic3500 is not a member of mqm and that the channel-name does not start with SYSTEM.
exerk (Jedi Council, Joined: 02 Nov 2006, Posts: 6339)
Posted: Fri May 24, 2013 4:25 am

@mqjeff & @hughson...
nic3500 wrote:
    ...I did not want to block by IP since my work PC changes address...

_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
mqjeff (Grand Master, Joined: 25 Jun 2008, Posts: 17447)
Posted: Fri May 24, 2013 4:43 am

exerk wrote:
    @mqjeff & @hughson...
    nic3500 wrote:
        ...I did not want to block by IP since my work PC changes address...

Yes, that means that nic3500 can use SSLPEER, or the first, weakest, option.
But again, none of Morag's options work as-is if the user 'nic3500' on the unix box is a member of the mqm group, and none of Morag's options work as-is if the channel in question has a name that starts with 'SYSTEM'.
Both the mqm group and all SYSTEM channels are blocked by the default CHLAUTH rules in v7.1 and later. So if either is being used, then an additional CHLAUTH rule must be added to allow this specific situation.
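Morag's first (USERMAP) option and mqjeff's caveat about the default BLOCKUSER and SYSTEM.* rules, put together as one runmqsc script. This is an added example, not something any participant in the thread posted. The channel name NIC3500.ADMIN.SVRCONN, the placeholder MCAUSER 'nobody' and the test address 192.0.2.10 are assumptions; the two user IDs are the ones Nic gave. It keeps the weakness Morag's own DESCR flags: a USERMAP rule only renames whatever user ID the client asserts, so anyone who can reach the listener with that user ID set on their client is mapped to nic3500. The backstop rule confines that exposure to this one channel; it does not remove it, and only her SSLPEERMAP option does.

```mqsc
* Added example (not from any poster in this thread). Run as a member of
* mqm on the Unix queue manager:   runmqsc <QMGR>
* Assumed names:
*   NIC3500.ADMIN.SVRCONN  - dedicated channel, deliberately not SYSTEM.*
*   nic3500windowsaccount  - user ID asserted by the Windows client
*   nic3500                - Unix user that already holds the admin authorities
*   192.0.2.10             - client address used only for the RUNCHECK test

* 0. CHLAUTH must be ENABLED. A queue manager created at 7.1 or later
*    defaults to ENABLED; one migrated from 7.0 stays DISABLED until altered.
DISPLAY QMGR CHLAUTH
ALTER QMGR CHLAUTH(ENABLED)

* 1. A dedicated SVRCONN instead of SYSTEM.ADMIN.SVRCONN. The default rule
*    SET CHLAUTH(SYSTEM.*) TYPE(ADDRESSMAP) ADDRESS(*) USERSRC(NOACCESS)
*    refuses client connections on every SYSTEM.* channel anyway. MCAUSER
*    names a user ID that must not exist on the box, so if no mapping rule
*    fires the channel does not fall back to the client-asserted user ID.
DEFINE CHANNEL('NIC3500.ADMIN.SVRCONN') CHLTYPE(SVRCONN) TRPTYPE(TCP) +
       MCAUSER('nobody') REPLACE

* 2. Morag's first option: rename the client-asserted Windows user ID to the
*    Unix user. Nothing here authenticates the client; it trusts the claim.
SET CHLAUTH('NIC3500.ADMIN.SVRCONN') TYPE(USERMAP) +
    CLNTUSER('nic3500windowsaccount') USERSRC(MAP) MCAUSER('nic3500') +
    ACTION(ADD) DESCR('Map Windows admin id to unix nic3500')

* 3. Backstop: every other client user ID on this channel is refused.
*    A USERMAP rule outranks an ADDRESSMAP on '*', so the mapped user
*    still matches rule 2 first and only the rest land here.
SET CHLAUTH('NIC3500.ADMIN.SVRCONN') TYPE(ADDRESSMAP) ADDRESS('*') +
    USERSRC(NOACCESS) ACTION(ADD) DESCR('Refuse everyone else on this channel')

* 4. Only if nic3500 is in the mqm group (mqjeff's caveat). The default rule
*    SET CHLAUTH('*') TYPE(BLOCKUSER) USERLIST('*MQADMIN') is applied after
*    mapping and would still reject the mapped user. A BLOCKUSER rule on this
*    exact channel name is more specific than '*' and replaces that list for
*    this channel only; naming a user ID that does not exist blocks nobody.
*    Morag's advice stands: use a non-privileged admin user and leave this out.
* SET CHLAUTH('NIC3500.ADMIN.SVRCONN') TYPE(BLOCKUSER) USERLIST('nobody') +
*     ACTION(ADD) DESCR('Allow mqm members on this one channel')

* 5. Dry-run the rule match before touching MO71/MO72/MS03. RUNCHECK needs a
*    specific channel name and a literal IP address. The first display should
*    report the USERMAP rule with MCAUSER(nic3500); the second should report
*    the NOACCESS backstop.
DISPLAY CHLAUTH('NIC3500.ADMIN.SVRCONN') MATCH(RUNCHECK) +
        CLNTUSER('nic3500windowsaccount') ADDRESS('192.0.2.10')
DISPLAY CHLAUTH('NIC3500.ADMIN.SVRCONN') MATCH(RUNCHECK) +
        CLNTUSER('someone.else') ADDRESS('192.0.2.10')
```

If the client is still refused with 2035 after this, the queue manager error log (AMQERR01.LOG) records which CHLAUTH rule matched and the client user ID exactly as the channel received it; that received value, not the DOMAIN\ form, is what CLNTUSER has to match.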
hughson (Padawan, Joined: 09 May 2013, Posts: 1959, Location: Bay of Plenty, New Zealand)
Posted: Fri May 24, 2013 6:12 am

mqjeff wrote:
    But again, none of Morag's options work as-is if the user 'nic3500' on the unix box is a member of the mqm group, and none of Morag's options work as-is if the channel in question has a name that starts with 'SYSTEM'.
    Both the mqm group and all SYSTEM channels are blocked by the default CHLAUTH rules in v7.1 and later. So if either is being used, then an additional CHLAUTH rule must be added to allow this specific situation.

I've got a blog post in the pipeline about how to allow privileged (mqm) users on one channel without opening up other channels, however, in general I'd encourage you to do remote admin with a non privileged user ID. It's very simple to do - see A non-privileged MQ administrator
Cheers
Morag
mqjeff (Grand Master, Joined: 25 Jun 2008, Posts: 17447)
Posted: Fri May 24, 2013 6:33 am

hughson wrote:
    mqjeff wrote:
        But again, none of Morag's options work as-is if the user 'nic3500' on the unix box is a member of the mqm group, and none of Morag's options work as-is if the channel in question has a name that starts with 'SYSTEM'.
        Both the mqm group and all SYSTEM channels are blocked by the default CHLAUTH rules in v7.1 and later. So if either is being used, then an additional CHLAUTH rule must be added to allow this specific situation.
    I've got a blog post in the pipeline about how to allow privileged (mqm) users on one channel without opening up other channels, however, in general I'd encourage you to do remote admin with a non privileged user ID. It's very simple to do - see A non-privileged MQ administrator

I'm not making a recommendation.
I'm merely pointing out a likely possibility.