MCAUSER

skrv
Posted: Thu Jun 26, 2014 6:25 am    Post subject: MCAUSER

Centurion

Joined: 26 Oct 2012
Posts: 118

Hi,

We have 2 servers, server A and server B, both connected with cluster channels. cluster channels have MCAUSER as xyz on their receiver channels.

application connects to server A as xyz and puts a message. message goes to server B and another application consumes that message and sends reply back to server A from server B.

but that application runs as user: tms and sends reply as user "tms".

so is that going to be an issue with cluster channels as MCAUSER is xyz and application replies the message as user "tms".

do we need to give any extra permissions on server B so that this will work even though we have different MCAUSER and different application ID connecting to MQ.

exerk
Posted: Thu Jun 26, 2014 6:57 am

Jedi Council

Joined: 02 Nov 2006
Posts: 6339

You don't state how your apps connect to their queue managers, i.e. bindings or client, so the following is predicated on bindings mode:

1. Your 'xyz' app is authorised to the queues it can access on server A, your 'tms' app is authorised to the queues it can access on server B;

2. the MCAUSER values on your CLUSRCVR channels should be userids which you control, i.e. not the same userids as the apps;

3. You set the authorisations for the MCAUSERs on each of the queue managers.

Basically, the application userids should not be used as MCAUSER values in queue manager channels.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.

skrv
Posted: Thu Jun 26, 2014 7:10 am

Centurion

Joined: 26 Oct 2012
Posts: 118

thanks for the reply.

we have binding mode for all applications.

server B sends a fully qualified reply to server A, so it connects to Server A using cluster channels and puts the reply message on server A queues.

unfortunately we have MCAUSER as xyz which is nothing but the application run as user ID on Server A.

So you think we won't have any issue for application connected to server B as user "tms" to start the CLUSSDR channel to server A which has MCAUSER as xyz?

exerk
Posted: Thu Jun 26, 2014 7:49 am

Jedi Council

Joined: 02 Nov 2006
Posts: 6339

skrv wrote:
we have binding mode for all applications.

So the applications should not be authorised to the SYSTEM.CLUSTER.TRANSMIT.QUEUE (S.C.T.Q) or whichever queue you are using as such (dependent on your version of WMQ).

skrv wrote:
server B sends a fully qualified reply to server A, so it connects to Server A using cluster channels and puts the reply message on server A queues.

Server B sends the messages to Server A via cluster channels but it's Server A that puts them on the queues.

skrv wrote:
unfortunately we have MCAUSER as xyz which is nothing but the application run as user ID on Server A.

App xyz should only be authorised to the queues it can put to, and get from, it should not be used as a CLUSRCVR channel MCAUSER value.

skrv wrote:
So you think we won't have any issue for application connected to server B as user "tms" to start the CLUSSDR channel to server A which has MCAUSER as xyz?

I don't know because I don't know what authorisations and other peripheral settings are extant in your queue managers, so I suggest you try it and see.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.

PeterPotkay
Posted: Thu Jun 26, 2014 8:28 am

Poobah

Joined: 15 May 2001
Posts: 7722

The relationship between the ID in the MCAUSER of a CLUSRCVR channel and the ID in the MQMD User Identifier field of a message coming across that channel is determined by the PUTAUT attribute of that channel.

http://www-01.ibm.com/support/knowledgecenter/?lang=en#!/SSFKSJ_7.5.0/com.ibm.mq.ref.adm.doc/q085520_.htm
_________________
Peter Potkay
Keep Calm and MQ On
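
An added example, not part of any post in this thread: a check for the two points made so far, exerk's advice that a CLUSRCVR MCAUSER should not be an application ID and PeterPotkay's point that PUTAUT decides which identity is checked on the put. The channel listing is constructed sample text in runmqsc DISPLAY CHANNEL style; APP_IDS, sample_display and audit_channels are names assumed for the illustration, and only the DEF and CTX values named in the thread are handled.

```shell
#!/bin/sh
# Added example. APP_IDS and the sample channel listing are constructed.
APP_IDS="xyz tms"      # application run-as IDs named in the thread

sample_display() {     # constructed text in runmqsc DISPLAY CHANNEL style
cat <<'EOF'
AMQ8414: Display Channel details.
   CHANNEL(TO.QMA)                         CHLTYPE(CLUSRCVR)
   MCAUSER(xyz)                            PUTAUT(DEF)
AMQ8414: Display Channel details.
   CHANNEL(TO.QMB)                         CHLTYPE(CLUSRCVR)
   MCAUSER(mcauser)                        PUTAUT(DEF)
AMQ8414: Display Channel details.
   CHANNEL(TO.QMC)                         CHLTYPE(CLUSRCVR)
   MCAUSER( )                              PUTAUT(CTX)
EOF
}

# Report CLUSRCVR channels whose MCAUSER is blank or an application ID,
# and which identity the queue manager checks when the channel puts.
audit_channels() {
  awk -v apps="$APP_IDS" '
    function attr(name) {            # sets val to NAME(...) on this line
      if (!match($0, name "\\([^)]*\\)")) return 0
      val = substr($0, RSTART + length(name) + 1, RLENGTH - length(name) - 2)
      gsub(/^ +| +$/, "", val)
      return 1
    }
    function report(   why, n, i, a, who) {
      if (chl == "" || type != "CLUSRCVR") return
      if (mca == "") why = "blank MCAUSER"
      n = split(apps, a, " ")
      for (i = 1; i <= n; i++)
        if (mca == a[i]) why = "application ID " mca " as MCAUSER"
      if (why == "") return
      # PUTAUT(DEF): MCAUSER, or the MCA default ID when MCAUSER is blank.
      # PUTAUT(CTX): the UserIdentifier carried in each message MQMD.
      who = (put == "CTX") ? "MQMD UserIdentifier" : (mca == "" ? "MCA default ID" : mca)
      print chl ": " why "; puts checked against " who
    }
    /^AMQ8414/ { report(); chl = type = mca = put = "" }
    { if (attr("CHANNEL")) chl = val; if (attr("CHLTYPE")) type = val
      if (attr("MCAUSER")) mca = val; if (attr("PUTAUT"))  put = val }
    END { report() }
  '
}

sample_display | audit_channels
```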

JosephGramig
Posted: Thu Jun 26, 2014 10:43 am

Grand Master

Joined: 09 Feb 2006
Posts: 1244
Location: Gold Coast of Florida, USA

So say you had an ID specifically for non-SVRCONN inbound channels called mcauser in a group also called mcagrp (this way it will also work on Winblows).

First off, this mcagrp group needs on the Qmgr:
setmqaut -m <QmgrName> -g <group> -t qmgr +dsp +inq +connect
Next, this mcagrp group needs on the queues:
setmqaut -m <QmgrName> -g <group> -t queue -n '**' +dsp +inq +put +setall

So this last command was a bit too wide, so let's revoke those rights from SYSTEM queues:
setmqaut -m <QmgrName> -g <group> -t queue -n 'SYSTEM.**' +none

If you use SYSTEM.DEAD.LETTER.QUEUE (which you should not) for the DLQ, then add back:
setmqaut -m <QmgrName> -g <group> -t queue -n 'SYSTEM.DEAD.LETTER.QUEUE' +dsp +inq +put +setall

You will probably need to add a few more (like channel events to that queue).

I'm sure others can suggest a few more...
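
An added example, not part of JosephGramig's post: a drift check that reads authority records for the MCA group and reports anything beyond the baseline in the post (dsp, inq, connect on the qmgr; dsp, inq, put, setall on queues) or a missing SYSTEM.** block. The dump is constructed sample text laid out like dmpmqaut stanzas; sample_dump and audit_group are names assumed for the illustration.

```shell
#!/bin/sh
# Added example. The sample dump is constructed; the stanza layout follows
# what dmpmqaut prints (profile / object type / entity / type / authority).

sample_dump() {
cat <<'EOF'
profile:     **
object type: queue
entity:      mcagrp
type:        group
authority:   put inq setall dsp
profile:     SYSTEM.**
object type: queue
entity:      mcagrp
type:        group
authority:   none
profile:     APP.REPLY
object type: queue
entity:      mcagrp
type:        group
authority:   get browse put inq dsp
EOF
}

# $1 = group to review; reads a dump on stdin and prints one line per finding.
audit_group() {
  awk -v grp="$1" '
    BEGIN { ok["qmgr"]  = " dsp inq connect "      # baseline from the post
            ok["queue"] = " dsp inq put setall " }
    { key = $0; sub(/:.*/, "", key)                # text before the first colon
      v = $0; sub(/^[^:]*: */, "", v); sub(/[ \t]+$/, "", v) }
    key == "profile"     { prof = v }
    key == "object type" { otype = v }
    key == "entity"      { ent = v }
    key == "authority" && ent == grp {
      if (prof == "SYSTEM.**" && v == "none") sysdeny = 1
      n = split(v, a, /[ ,]+/)
      for (i = 1; i <= n; i++)
        if (a[i] != "" && a[i] != "none" && index(ok[otype], " " a[i] " ") == 0)
          print otype " " prof ": unexpected +" a[i]
    }
    END { if (!sysdeny) print "queue SYSTEM.**: missing +none profile" }
  '
}

sample_dump | audit_group mcagrp
```

The baseline in the BEGIN block is only what the post lists; any extra authorities granted on purpose need adding there before the output is treated as a finding.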

skrv
Posted: Thu Jun 26, 2014 11:34 am

Centurion

Joined: 26 Oct 2012
Posts: 118

thanks for all the replies.

what difference does it make in using either of below 2 when using MCAUSER.

PUTAUT = DEF
PUTAUT = CTX

PeterPotkay
Posted: Thu Jun 26, 2014 11:40 am

Poobah

Joined: 15 May 2001
Posts: 7722

The difference is detailed in the Knowledge Center article that I linked directly to above for your benefit.

What specific questions do you have about what's written there?
_________________
Peter Potkay
Keep Calm and MQ On

skrv
Posted: Thu Jun 26, 2014 11:51 am

Centurion

Joined: 26 Oct 2012
Posts: 118

I want to know whether that will help in my case any way.

I'm just having this doubt that whether AUTO CLUSSDR channel will start or not from server B to server A.

Since AUTO CLUSSDR channel will have "xyz" MCAUSER in it and application on server B will use "tms" ID to initiate this channel and then put the message on server A.

exerk
Posted: Thu Jun 26, 2014 12:16 pm

Jedi Council

Joined: 02 Nov 2006
Posts: 6339

skrv wrote:
I want to know whether that will help in my case any way.

I'm just having this doubt that whether AUTO CLUSSDR channel will start or not from server B to server A.

Since AUTO CLUSSDR channel will have "xyz" MCAUSER in it and application on server B will use "tms" ID to initiate this channel and then put the message on server A.

A CLUSSDR uses the CLUSRCVR as the pattern for filling many of its attributes - what makes you think that setting an MCAUSER in the sending end will be honoured in the receiving end? I strongly suggest you read the appropriate part of the Knowledge Centre in regard to MCAUSER and for which channels it is valid.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.

skrv
Posted: Thu Jun 26, 2014 12:20 pm

Centurion

Joined: 26 Oct 2012
Posts: 118

I mentioned AUTO CLUSSDR channel so it inherits the CLUSRCVR channel definition.

I have "xyz" MCAUSER on the CLUSRCVR on the other end so this auto CLUSSDR will inherit that MCAUSER "xyz" for its definition.

exerk
Posted: Thu Jun 26, 2014 12:44 pm

Jedi Council

Joined: 02 Nov 2006
Posts: 6339

skrv wrote:
I mentioned AUTO CLUSSDR channel so it inherits the CLUSRCVR channel definition.

I have "xyz" MCAUSER on the CLUSRCVR on the other end so this auto CLUSSDR will inherit that MCAUSER "xyz" for its definition.

See my earlier post in regard to separation of 'administrative' MCAUSERs and 'application' MCAUSERs, and most definitely read the link PeterPotkay posted.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.

mqjeff
Posted: Thu Jun 26, 2014 12:48 pm

Grand Master

Joined: 25 Jun 2008
Posts: 17447

exerk wrote:
skrv wrote:
I mentioned AUTO CLUSSDR channel so it inherits the CLUSRCVR channel definition.

I have "xyz" MCAUSER on the CLUSRCVR on the other end so this auto CLUSSDR will inherit that MCAUSER "xyz" for its definition.

See my earlier post in regard to separation of 'administrative' MCAUSERs and 'application' MCAUSERs, and most definitely read the link PeterPotkay posted.


I'm reposting Peter's link in a slightly cleaned up format
http://www-01.ibm.com/support/knowledgecenter/SSFKSJ_7.5.0/com.ibm.mq.ref.adm.doc/q085520_.htm?lang=en

Particularly review the section on the MCAUSER itself.