marian
Posted: Mon Apr 07, 2003 5:34 am Post subject: MQ Series 5.3 and RACF
Newbie, Joined: 07 Apr 2003, Posts: 4
I have activated RACF checking for MQ queues, but I received a
RACF message which I don't understand.
The started tasks are M2D1MSTR and M2D1CHIN and both use userid STCPROC. User STCPROC has ALTER access to all profiles in class MQQUEUE. Our application runs under CICS.
When I activated the RACF checks I received this RACF message:
ICH408I JOB(M2D1MSTR) STEP(M2D1MSTR)
M2D1.QR.M1TSSV.SSVT.RESPONSE.A001 CL(MQQUEUE )
INSUFFICIENT ACCESS AUTHORITY
FROM M2D1.QR.M1TSSV.** (G)
ACCESS INTENT(UPDATE ) ACCESS ALLOWED(NONE )
Then I added profile M2D1.RESLEVEL and allowed UPDATE access to user STCPROC, because I thought the message was caused by the multiple user-level authentication. But I received the same message.
Then I allowed ALTER access to user STCPROC and it is OK now.
Please, could you explain this case to me?
Thanks
Marian
mgrabinski
Posted: Mon Apr 07, 2003 9:34 pm Post subject:
Master, Joined: 16 Oct 2001, Posts: 246, Location: Katowice, Poland
You have the M2D1.QR.M1TSSV.** profile in the MQQUEUE class, for which the owner of M2D1MSTR is not allowed. You need UPDATE for this profile.
_________________
Marcin Grabinski <><
marian
Posted: Tue Apr 08, 2003 12:50 am Post subject:
Newbie, Joined: 07 Apr 2003, Posts: 4
Yes, I have the profile, but access should be granted to the owner of the started task M2D1MSTR and not to the name of the started task. The owner of the started task is STCPROC, and user STCPROC had ALTER access to profile M2D1.QR.M1TSSV.** and he couldn't put a message to the queue. So, I think, something is not OK in your explanation.
Marian
mgrabinski
Posted: Tue Apr 08, 2003 2:03 am Post subject:
Master, Joined: 16 Oct 2001, Posts: 246, Location: Katowice, Poland
My previous answer was too quick, I didn't read your question properly. I'm sorry for that.
Your application is running in CICS. So the user being checked is not the owner of M2D1MSTR but the CICS user (the owner of the CICS region started task) and/or the transaction user (depending on your access levels to M2D1.RESLEVEL).
When you set the access level for qmgr.RESLEVEL to ALTER or CONTROL, no security checks are made for a user with such access. This is why setting ALTER for STCPROC on M2D1.RESLEVEL resulted in no security violation.
_________________
Marcin Grabinski <><
oz1ccg
Posted: Tue Apr 08, 2003 11:34 am Post subject:
Yatiri, Joined: 10 Feb 2002, Posts: 628, Location: Denmark
Sounds strange.....
Are you 100% sure it's running under user=STCPROC and not under the default started-task user?
Normally ICH408I includes who did it, and therefore gives you a clue.
By the way, are MQQUEUE and the other RACF resources RACLISTed?
Second, please ask your security officer to list the class(MQQUEUE) M2D1.QR.M1TSSV.** and look at the access list.
Just my $0.02
_________________
Regards, Jørgen
Home of BlockIP2, the last free MQ Security exit ver. 3.00
Cert. on WMQ, WBIMB, SWIFT.
mgrabinski
Posted: Tue Apr 08, 2003 9:33 pm Post subject:
Master, Joined: 16 Oct 2001, Posts: 246, Location: Katowice, Poland
Quote:
Normally ICH408I includes who did it, and therefore gives you a clue.

Not always. When you have a started task with an owner who is not in the RACF started procedures table (as seems to be the case for Marian), ICH408I will tell you neither the user nor the group.
_________________
Marcin Grabinski <><
marian
Posted: Wed Apr 09, 2003 4:28 am Post subject:
Newbie, Joined: 07 Apr 2003, Posts: 4
I am sure that the started task has user STCPROC: IEF695I START M2D1MSTR WITH JOBNAME M2D1MSTR IS ASSIGNED TO USER STCPROC , GROUP STCGRP
Class MQQUEUE is RACLISTed, and the list of user access to the profile is:
MQQUEUE M2D1.QR.M1TSSV.** G HGNTADM UPDATE
MQQUEUE M2D1.QR.M1TSSV.** U SECRAD1 ALTER
MQQUEUE M2D1.QR.M1TSSV.** G SSVTI UPDATE
MQQUEUE M2D1.QR.M1TSSV.** U STCPROC ALTER
MQQUEUE M2D1.QR.M1TSSV.** G SYSPC UPDATE
MQQUEUE M2D1.QR.M1TSSV.** G SYSPQ ALTER
The list is the same as before the profile M2D1.RESLEVEL was created (STCPROC has ALTER access). CICS has userid CICSHTA0: IEF695I START CICSHTA0 WITH JOBNAME CICSHTA0 IS ASSIGNED TO USER CICSHTA0, GROUP CICST. User CICSHTA0 is also a member of group HGNTADM, so CICSHTA0 has UPDATE access to the profile.
Marian
oz1ccg
Posted: Wed Apr 09, 2003 10:42 am Post subject:
Yatiri, Joined: 10 Feb 2002, Posts: 628, Location: Denmark
Well,
then there is always the last wormhole: SAFTRACE.
If you (or your RACF admin) run a SAFTRACE on the QMGR, you will be able to see what happens, and actually how and why. (This is a GTF trace and TRACE in RACF on z/OS.)
By the way, depending on the RESLEVEL, the user running the CICS transaction, e.g. the userid, for example me, will also have to have authority to access the queue. If the CICS transaction is started by CKTI, then it's the user who started CKTI (typically the CICS userid).
So the question is: which userid started your CICS transaction?
Just my $0.02
_________________
Regards, Jørgen
Home of BlockIP2, the last free MQ Security exit ver. 3.00
Cert. on WMQ, WBIMB, SWIFT.
marian
Posted: Wed Apr 09, 2003 11:23 pm Post subject:
Newbie, Joined: 07 Apr 2003, Posts: 4
Transaction CKTI was started by userid SYSPMZH, a member of the group SYSPC (UPDATE access to the profile), and the user transaction was started by userid NPAT8000, a member of the group SSVTI (UPDATE access to the profile). So everything should be OK, but it wasn't!!!
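The mechanics argued over in this thread (mgrabinski's point that RESLEVEL decides which userids MQ checks for a CICS connection, oz1ccg's question about which userid actually started the transaction, and the access list and userids Marian posted) as an added example. This is my own simplified Python model, not code from the thread, from IBM MQ or from RACF: the generic-character rules, the "most specific profile" tie-break, list-of-groups checking and the RESLEVEL table are assumptions marked as such in the comments, and should be checked against the security documentation for your MQ and RACF release before you rely on them. The profile, access list and userids in the constants are the ones posted above; DFLTUSR and NOGRP are made up.

```python
"""Simplified model of the RACF checks IBM MQ for z/OS makes for a CICS connection:
generic-profile matching in class MQQUEUE, access-list resolution, and the RESLEVEL
rule that decides WHICH userids are checked. Added example, not code from the thread,
IBM MQ or RACF; everything marked ASSUMPTION must be verified for your release."""
from dataclasses import dataclass, field
import re

LEVELS = ["NONE", "READ", "UPDATE", "CONTROL", "ALTER"]   # RACF access levels, ascending

@dataclass
class Profile:
    name: str                                   # e.g. "M2D1.QR.M1TSSV.**"
    uacc: str = "NONE"
    users: dict = field(default_factory=dict)   # explicit userid entries -> access
    groups: dict = field(default_factory=dict)  # group entries -> access

def profile_regex(name):
    """RACF generics: ** = zero or more qualifiers, * = rest of a qualifier,
    % = one character. ASSUMPTION: only this common subset is modelled."""
    out, i = "^", 0
    while i < len(name):
        if i == 0 and name.startswith("**."):
            out, i = out + r"(.+\.)?", i + 3
        elif name.startswith(".**", i):
            out, i = out + r"(\..+)?", i + 3
        elif name[i] == "*":
            out, i = out + r"[^.]*", i + 1
        elif name[i] == "%":
            out, i = out + r"[^.]", i + 1
        else:
            out, i = out + re.escape(name[i]), i + 1
    return out + "$"

def best_profile(profiles, resource):
    """ASSUMPTION: RACF's 'most specific profile' rule is approximated as
    fewest generic characters, longest name on ties."""
    hits = [p for p in profiles if re.match(profile_regex(p.name), resource)]
    return min(hits, key=lambda p: (sum(c in "*%" for c in p.name), -len(p.name)), default=None)

def allowed_access(profile, userid, groups):
    """An explicit userid entry wins over any group entry; otherwise the highest
    access among the user's groups (list-of-groups checking assumed on); else UACC."""
    if userid in profile.users:
        return profile.users[userid]
    hits = [profile.groups[g] for g in groups if g in profile.groups]
    return max(hits, key=LEVELS.index) if hits else profile.uacc

def check(profiles, resource, userid, groups, intent):
    """Return (permitted, matched profile name, access allowed): the facts an
    ICH408I reports. No matching profile at all is reported as NONE."""
    p = best_profile(profiles, resource)
    if p is None:
        return False, None, "NONE"
    got = allowed_access(p, userid, groups)
    return LEVELS.index(got) >= LEVELS.index(intent), p.name, got

# Which userids MQ checks for a CICS connection, keyed by the CICS address-space
# userid's access to ssid.RESLEVEL (class MQADMIN). ASSUMPTION: table as in the
# IBM MQ for z/OS security documentation as I recall it; a missing profile = NONE.
RESLEVEL_CICS = {
    "NONE":    ("address_space", "task"),
    "READ":    ("address_space",),
    "UPDATE":  ("address_space", "task"),
    "CONTROL": (),          # no queue check at all: a bypass, not a permission
    "ALTER":   (),
}

def cics_open_check(mqadmin, mqqueue, qmgr, queue, intent, addr_space, task):
    """Queue check for an MQOPEN issued from CICS; addr_space and task are
    (userid, [groups]). Returns the RESLEVEL level found and one tuple per check."""
    _, _, lvl = check(mqadmin, f"{qmgr}.RESLEVEL", addr_space[0], addr_space[1], "NONE")
    who = {"address_space": addr_space, "task": task}
    results = []
    for role in RESLEVEL_CICS[lvl]:
        uid, grps = who[role]
        ok, prof, got = check(mqqueue, queue, uid, grps, intent)
        results.append((role, uid, ok, prof, got))
    return lvl, results

# Constructed from the access list and userids posted in the thread.
MQQUEUE = [Profile("M2D1.QR.M1TSSV.**",
                   users={"SECRAD1": "ALTER", "STCPROC": "ALTER"},
                   groups={"HGNTADM": "UPDATE", "SSVTI": "UPDATE",
                           "SYSPC": "UPDATE", "SYSPQ": "ALTER"})]
QUEUE = "M2D1.QR.M1TSSV.SSVT.RESPONSE.A001"
CICS_REGION = ("CICSHTA0", ["CICST", "HGNTADM"])
TASK_USER = ("NPAT8000", ["SSVTI"])

def scenario_as_posted():
    """No RESLEVEL profile: both the region userid and the task userid are checked."""
    return cics_open_check([], MQQUEUE, "M2D1", QUEUE, "UPDATE", CICS_REGION, TASK_USER)

def scenario_unlisted_task_user():
    """A userid with no entry anywhere (DFLTUSR is made up) yields ACCESS ALLOWED(NONE)."""
    return cics_open_check([], MQQUEUE, "M2D1", QUEUE, "UPDATE", CICS_REGION, ("DFLTUSR", ["NOGRP"]))

def scenario_reslevel_alter():
    """ALTER on M2D1.RESLEVEL for the region userid: the queue is never checked."""
    mqadmin = [Profile("M2D1.RESLEVEL", users={"CICSHTA0": "ALTER"})]
    return cics_open_check(mqadmin, MQQUEUE, "M2D1", QUEUE, "UPDATE", CICS_REGION, TASK_USER)
```

In this model the first scenario passes for both CICSHTA0 and NPAT8000 with UPDATE, so an ICH408I saying ACCESS ALLOWED(NONE) against that generic profile can only come from a userid that has neither an explicit entry nor a group on the list, which is why oz1ccg's question about the default started-task userid and the SAFTRACE suggestion are the right next steps. The third scenario shows the other side of mgrabinski's point: CONTROL or ALTER on ssid.RESLEVEL makes the violation disappear by skipping the queue check entirely, so it should be granted only where that bypass is intended.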
oz1ccg
Posted: Mon Apr 14, 2003 1:16 pm Post subject:
Yatiri, Joined: 10 Feb 2002, Posts: 628, Location: Denmark