MQSeries.net Forum Index » IBM MQ Security » RACF MQADMIN hlq.CONTEXT
PeterPotkay
Posted: Fri Jan 15, 2010 5:58 am    Post subject: RACF MQADMIN hlq.CONTEXT

I have a grumpy CHIN:


Code:

17:34:27  CSQM138I ?X1 CSQMSCHI CHANNEL INITIATOR STARTING
17:34:27  ICH408I USER(MQX1CHIN) GROUP(TECHIMS ) NAME(MQSERIES STARTED TAS)
17:34:27    MQX1.CONTEXT.SYSTEM.CLUSTER.TRANSMIT.QUEUE CL(MQADMIN )
17:34:27    INSUFFICIENT ACCESS AUTHORITY
17:34:27    FROM MQX1.CONTEXT.** (G)
17:34:27    ACCESS INTENT(CONTROL)  ACCESS ALLOWED(NONE   )
17:34:27  ICH408I USER(MQX1CHIN) GROUP(TECHIMS ) NAME(MQSERIES STARTED TAS)
17:34:27    MQX1.CONTEXT.SYSTEM.CHANNEL.SYNCQ CL(MQADMIN )
17:34:27    INSUFFICIENT ACCESS AUTHORITY
17:34:27    FROM MQX1.CONTEXT.** (G)
17:34:27    ACCESS INTENT(CONTROL)  ACCESS ALLOWED(NONE   )



MQ 7 on z/OS 1.10

A portion of my script as I continue to learn RACF for MQ:


Code:

000056,**********************************************************************
000057,*ALLOW EVERYONE TO USE CONTEXT SECURITY FOR ALL QUEUES               *
000058,*PREVENT ANYONE FROM USING CONTEXT SECURITY TO THE COMMAND QUEUES    *
000059,*THEN ALLOW THE MQ ADMIN GROUP THIS ACCESS TO THE COMMAND QUEUES     *
000060,**********************************************************************
000061,RDEF MQADMIN MQX1.CONTEXT.** -
000062,     UACC(CONTROL) AUDIT(ALL(ALTER))
000063,RDEF MQADMIN MQX1.CONTEXT.SYSTEM.COMMAND.INPUT -
000064,     UACC(NONE) AUDIT(ALL(READ))
000065,RDEF MQADMIN MQX1.CONTEXT.SYSTEM.ADMIN.COMMAND.QUEUE -
000066,     UACC(NONE) AUDIT(ALL(READ))
000067,PERMIT MQX1.CONTEXT.SYSTEM.COMMAND.INPUT CLASS(MQADMIN) ID(TECHMQ) -
000068,       ACCESS(UPDATE)
000069,PERMIT MQX1.CONTEXT.SYSTEM.ADMIN.COMMAND.QUEUE CLASS(MQADMIN) -
000070,       ID(TECHMQ) ACCESS(UPDATE)
.
.
.
000107,**********************************************************************
000108,*REFRESH RACF TO PICK UP OUR CHANGES                                 *
000109,**********************************************************************
000110,SETROPTS REFRESH RACLIST(MQCONN) GENERIC(MQCONN)
000111,SETROPTS REFRESH RACLIST(MQADMIN) GENERIC(MQADMIN)
000112,SETROPTS REFRESH RACLIST(MQCMDS) GENERIC(MQCMDS)
000113,SETROPTS REFRESH RACLIST(MQQUEUE) GENERIC(MQQUEUE)
000114,**********************************************************************
000115,*LASTLY LIST ALL THE CLASSES AFTER WE MADE OUR CHANGES               *
000116,**********************************************************************
000117,RLIST MQCONN *
000118,RLIST MQADMIN *
000119,RLIST MQCMDS *
000120,RLIST MQQUEUE *


I think lines 61 and 62 of my script worked; here is the output:

Code:

 READY
 **********************************************************************
 IKJ56621I INVALID COMMAND NAME SYNTAX
 READY
 *ALLOW EVERYONE TO USE CONTEXT SECURITY FOR ALL QUEUES               *
 IKJ56621I INVALID COMMAND NAME SYNTAX
 READY
 *PREVENT ANYONE FROM USING CONTEXT SECURITY TO THE COMMAND QUEUES    *
 IKJ56621I INVALID COMMAND NAME SYNTAX
 READY
 *THEN ALLOW THE MQ ADMIN GROUP THIS ACCESS TO THE COMMAND QUEUES     *
 IKJ56621I INVALID COMMAND NAME SYNTAX
 READY
 **********************************************************************
 IKJ56621I INVALID COMMAND NAME SYNTAX
 READY
 RDEF MQADMIN MQX1.CONTEXT.**      UACC(CONTROL) AUDIT(ALL(ALTER))
 ICH10102I MQX1.CONTEXT.** ALREADY DEFINED TO CLASS MQADMIN.
 READY
 RDEF MQADMIN MQX1.CONTEXT.SYSTEM.COMMAND.INPUT      UACC(NONE) AUDIT(ALL(READ))
 ICH10102I MQX1.CONTEXT.SYSTEM.COMMAND.INPUT ALREADY DEFINED TO CLASS MQADMIN.
 READY
 RDEF MQADMIN MQX1.CONTEXT.SYSTEM.ADMIN.COMMAND.QUEUE      UACC(NONE) AUDIT(ALL(READ))
 ICH10102I MQX1.CONTEXT.SYSTEM.ADMIN.COMMAND.QUEUE ALREADY DEFINED TO CLASS MQADMIN.
 READY
 PERMIT MQX1.CONTEXT.SYSTEM.COMMAND.INPUT CLASS(MQADMIN) ID(TECHMQ)        ACCESS(UPDATE)
 READY
 PERMIT MQX1.CONTEXT.SYSTEM.ADMIN.COMMAND.QUEUE CLASS(MQADMIN)        ID(TECHMQ) ACCESS(UPDATE)
 READY


I then go look at the output of RLIST for MQADMIN MQX1.CONTEXT

Code:

 CLASS      NAME
 -----      ----
 MQADMIN    MQX1.CONTEXT.** (G)
 
 GROUP CLASS NAME
 ----- ----- ----
 GMQADMIN
 
 LEVEL  OWNER      UNIVERSAL ACCESS  YOUR ACCESS  WARNING
 -----  --------   ----------------  -----------  -------
  00    @TSMT00         NONE              ALTER    NO
 
 INSTALLATION DATA
 -----------------
 NONE
 
 APPLICATION DATA
 ----------------
 NONE
 
 AUDITING
 --------
 FAILURES(READ)
 
 NOTIFY
 ------
 NO USER TO BE NOTIFIED



 CLASS      NAME
 -----      ----
 MQADMIN    MQX1.CONTEXT.SYSTEM.ADMIN.COMMAND.QUEUE
 
 GROUP CLASS NAME
 ----- ----- ----
 GMQADMIN
 
 LEVEL  OWNER      UNIVERSAL ACCESS  YOUR ACCESS  WARNING
 -----  --------   ----------------  -----------  -------
  00    @TSMT00         NONE              ALTER    NO
 
 INSTALLATION DATA
 -----------------
 NONE
 
 APPLICATION DATA
 ----------------
 NONE
 
 AUDITING
 --------
 FAILURES(READ)
 
 NOTIFY
 ------
 NO USER TO BE NOTIFIED
 
 
 
 CLASS      NAME
 -----      ----
 MQADMIN    MQX1.CONTEXT.SYSTEM.COMMAND.INPUT
 
 GROUP CLASS NAME
 ----- ----- ----
 GMQADMIN
 
 LEVEL  OWNER      UNIVERSAL ACCESS  YOUR ACCESS  WARNING
 -----  --------   ----------------  -----------  -------
  00    @TSMT00         NONE              ALTER    NO
 
 INSTALLATION DATA
 -----------------
 NONE
 
 APPLICATION DATA
 ----------------
 NONE
 
 AUDITING
 --------
 FAILURES(READ)
 
 NOTIFY
 ------
 NO USER TO BE NOTIFIED



#1 Why is UACC set to NONE for MQX1.CONTEXT.** ? It should be CONTROL, no?
#2 The output is a little hard to read due to the "IKJ56621I INVALID COMMAND NAME SYNTAX" errors thrown because of all the comments I have mixed in with the commands. Any trick to have comments mixed in with commands and not have the job complain about each line starting with an "*"?
_________________
Peter Potkay
Keep Calm and MQ On
Vitor
Posted: Fri Jan 15, 2010 6:12 am    Post subject: Re: RACF MQADMIN hlq.CONTEXT


PeterPotkay wrote:
#1 Why is UACC set to NONE for MQX1.CONTEXT.** ? It should be CONTROL, no?


Ok, not my strong suit but I didn't think RDEFINE changed existing profiles. Now it clearly says that the "profile exists" is an I message and I'd have expected at least a W if I was right (or better still an E) but when I've done what you're doing I've either RDELETE & RDEFINE in a script, or used RALTER.

My 2 cents for what it's worth there

PeterPotkay wrote:
Any trick to have comments mixed in with commands and not have the job complain about each line starting with an "*"?


I just do it like that & don't get errors. I think. Been a little while.
_________________
Honesty is the best policy.
Insanity is the best defence.
bruce2359
Posted: Fri Jan 15, 2010 10:38 am


RACF commands are really TSO RACF commands; therefore, TSO/E syntax rules for how to insert comments apply.

Comments: You can include a comment on a line by itself, or before, in the middle of, or after a CLIST statement or TSO/E command.

You define a comment by coding a slash-asterisk (comment delimiter) followed by the descriptive text.
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
PeterPotkay
Posted: Fri Jan 15, 2010 12:49 pm    Post subject: Re: RACF MQADMIN hlq.CONTEXT


Vitor wrote:
PeterPotkay wrote:
#1 Why is UACC set to NONE for MQX1.CONTEXT.** ? It should be CONTROL, no?


Ok, not my strong suit but I didn't think RDEFINE changed existing profiles. Now it clearly says that the "profile exists" is an I message and I'd have expected at least a W if I was right (or better still an E) but when I've done what you're doing I've either RDELETE & RDEFINE in a script, or used RALTER.


It says it's already there because I keep running the same script over and over as I fix little things in the script. Would be good to get confirmation: if a profile already exists with access of ABC and you try to change it to DEF, is it going to be ABC when you are done, or will it change to DEF? Guess I gotta experiment. Plus we are meeting with the RACF folks next week. I suppose this is more a RACF question than an MQ question.

RALTER eh? Maybe that is the key if I am going to repeatedly run this script and need to handle changes to existing profiles as I fine-tune my script. Yeck, the script would have to be RDEFINEs paired with RALTERs to handle all situations.


Bruce,
/* didn't work. It appears to indicate the end of the step to the job and it ends before executing anything.

Near the top of my JCL...

Code:

//STEP1    EXEC PGM=IKJEFT01
//SYSLBC   DD DSN=SYS1.BRODCAST,DISP=SHR
//SYSTSPRT DD SYSOUT=*
//SYSUDUMP DD SYSOUT=*
//SYSPRINT DD SYSOUT=*
//SYSTSIN  DD *
/******************************************************
/*FIRST LIST ALL THE CLASSES BEFORE WE CHANGE ANYTHING               *
/*********************************************************************
RLIST MQADMIN *
RLIST MQCONN *
RLIST MQCMDS *
RLIST MQQUEUE *
/*****************************************************
/*INSURE ALL THE SWITCHES THAT DISABLE MQ SECURITY ARE NOT DEFINED   *
/*****************************************************
RDELETE MQADMIN MQX1.NO.SUBSYS.SECURITY
RDELETE MQADMIN MQX1.NO.CONNECT.CHECKS
.
.
.


My output for the job:

Code:

 READY
 END


If I change it back to starting with *****, it then runs again, but with all those annoying errors.
_________________
Peter Potkay
Keep Calm and MQ On
bruce2359
Posted: Fri Jan 15, 2010 1:12 pm    Post subject: Re: RACF MQADMIN hlq.CONTEXT


PeterPotkay wrote:

Bruce,
/* didn't work. It appears to indicate the end of the step to the job and it ends before executing anything.

Ooops. /* starting in position 1 is a data delimiter in JCL. Try starting the /* comment thing in pos 2 or 3 ...
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
bruce2359
Posted: Fri Jan 15, 2010 1:41 pm


Quote:
#1 Why is UACC set to NONE for MQX1.CONTEXT.** ? It should be CONTROL, no?

A RACF basic: if it's dangerous, set the default access (UACC) to NONE; then grant more than NONE to those that have a business requirement for it.

CONTROL access to ssid.CONTEXT.qname allows any offending application to set all context fields in the MQMD. Few/no user-written apps need this ability. Danger Will Robinson, danger.
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
PeterPotkay
Posted: Fri Jan 15, 2010 2:02 pm


Still doesn't like it. //* is the way to comment the JCL, but that doesn't work inside a step. Inside the step the only thing I got to work is ***, but with the noise in the output.


I did find this:
http://publib.boulder.ibm.com/infocenter/zos/v1r9/topic/com.ibm.zos.r9.icha200/parmlib.htm#wq381

Quote:

Comments in the RACF parameter library
You can include comments in the RACF parameter library only when they follow a command on a line. If you include a comment on a line without a command, RACF issues an error message. Comments are delimited by /* and */ characters.

Blank lines are not supported in the RACF parameter library.



For example:
Code:

//SYSPRINT DD SYSOUT=*
//SYSTSIN  DD *
RLIST MQADMIN *                  /************************************/
RLIST MQCONN *                   /* FIRST LIST ALL THE CLASSES BEFORE*/
RLIST MQCMDS *                   /* WE CHANGE ANYTHING               */
RLIST MQQUEUE *                  /************************************/


Not ideal, but I get to comment my job AND don't have to deal with the errors in the output.


Now, if I could only figure out the answer to my question #1 above.
_________________
Peter Potkay
Keep Calm and MQ On
PeterPotkay
Posted: Fri Jan 15, 2010 2:07 pm


bruce2359 wrote:
Quote:
#1 Why is UACC set to NONE for MQX1.CONTEXT.** ? It should be CONTROL, no?

A RACF basic: if it's dangerous, set the default access (UACC) to NONE; then grant more than NONE to those that have a business requirement for it.

CONTROL access to ssid.CONTEXT.qname allows any offending application to set all context fields in the MQMD. Few/no user-written apps need this ability. Danger Will Robinson, danger.


I understand where you are coming from. We will UACC NONE the command queues. But I don't have a requirement to prevent context being set/passed on application queues. What do I care if an app wants to change the context of a message it's putting to ITS queue? Plus, I don't have a list of all the users and groups, so I couldn't explicitly grant the access like that if I wanted to. (It's a political FUBAR situation if you catch my drift.)

My goal right now is to prevent administrative access to the QM. Allowing context for application queues does not contradict that.

Soooo, given that, any ideas why my UACC CONTROL ain't sticking?
_________________
Peter Potkay
Keep Calm and MQ On
Vitor
Posted: Fri Jan 15, 2010 2:26 pm


PeterPotkay wrote:
Soooo, given that, any ideas why my UACC CONTROL ain't sticking?


Try RALTER. Then try the RACF experts.
_________________
Honesty is the best policy.
Insanity is the best defence.
bruce2359
Posted: Fri Jan 15, 2010 4:08 pm


Quote:
What do I care if an app wants to change the context of a message its putting to IT'S queue?

The CONTEXT(NONE) prevents an application from changing the userid, application id, and all of the other MQMD context fields; thus preventing an application from taking on another security identity.

Some downstream application, process, or security component may depend on the real userid of the creator of the message being in the MQMD. The desired and usual behavior of MQ apps is to request that the qmgr save context on MQGET from an input queue; then pass this context to an output queue message.
[edited]
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
gbaddeley
Posted: Fri Jan 15, 2010 10:04 pm


bruce2359 wrote:
The CONTEXT(NONE) prevents an application from changing the userid, application id, and all of the other MQMD context fields; thus preventing an application from taking on another security identity.

Some downstream application, process, or security component may depend on the real userid of the creator of the message being in the MQMD. The desired and usual behavior of MQ apps is to request that the qmgr save context on MQGET from an input queue; then pass this context to an output queue message.


Ideally MQ apps do not need to set the context fields in the MQMD, or pass their values from one MQMD to another, and therefore require elevated MQ security authorities to do this. These fields identify the originator of a message and are important for integrity and auditability. I have yet to see a compelling reason why they need to be changed, where some other technique (i.e. include the info in the message data) can be used to meet app design requirements.
_________________
Glenn
PeterPotkay
Posted: Sat Jan 16, 2010 4:59 am


My goal right now is to prevent non-authorized administrative access to the QM. That's it. I'm dealing with very old QMs that never had any security. I don't disagree with your comments about the whys of Context security (exact same concept for MQ regardless of platform), but I am not tackling anything right now that will delay me reaching my goal of locking down the administration of the QM, or that will cause application outages if I don't get it quite right. That's why I'm ignoring the application queues right now. I'll get them in Phase II of this effort. Remember I'm also learning RACF as it relates to MQ as I do this, so I don't want to bite off more than I can chew and end up doing nothing.

gbaddeley wrote:

Ideally MQ apps do not need to set the context fields in the MQMD, or pass their values from one MQMD to another....

The ideal and reality are sometimes miles apart, especially when back-filling security into systems that never properly had it and had years and years to let it run like that.


Given that all the app queues start with ABC.*, I'll do this instead. Will this work? Not sure about the double overlapping UACCs. I intend it to mean that no one can do context on any queue, but anyone can do it for the application queues, and then I allow my team to do it for the command queues. I realize I still have to address the CHIN's specific context needs now that UACC is NONE for all queues.
Code:

RDEF MQADMIN MQX1.CONTEXT.** UACC(NONE) AUDIT(ALL(READ))
RDEF MQADMIN MQX1.CONTEXT.ABC.** UACC(CONTROL) AUDIT(ALL(ALTER))
PERMIT MQX1.CONTEXT.SYSTEM.COMMAND.INPUT CLASS(MQADMIN) ID(TheMQAdmins) ACCESS(UPDATE)
PERMIT MQX1.CONTEXT.SYSTEM.ADMIN.COMMAND.QUEUE CLASS(MQADMIN) ID(TheMQAdmins) ACCESS(UPDATE)



Back to the original question... Vitor, I'll try that RALTER and see what happens. Glenn, do you know if a profile already exists with setting XYZ and I use the RDEFINE command and set it to ABC, will it change? Or do I have to use RALTER? I am running this script over and over as I experiment and learn RACF with MQ. But as I go forward I will need it to properly set my intended values, whether the profile already existed with a different level or not. Hope I don't have to pair up RDEFINE with RALTER for each command.
_________________
Peter Potkay
Keep Calm and MQ On
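A simplified model of how RACF picks the most specific MQADMIN profile covering a queue and what access results, run over the profile set proposed in the post above and over the CHIN failure from the opening post. This is an added illustration, not code from this thread and not a RACF implementation (it ignores WARNING mode, the global access table and OPERATIONS); the sample queue ABC.ORDERS, the user names APPUSR1 and ADMIN1, and the PERMIT of CONTROL to MQX1CHIN are assumptions.

```python
import re

LEVELS = ["NONE", "READ", "UPDATE", "CONTROL", "ALTER"]  # RACF access, low to high
_RANK = {"**": 3, "*": 2, "%": 1}   # generic characters, least specific last

def _tokens(profile):
    """Split a profile name into '**', '*', '%' or single-character tokens."""
    toks, i = [], 0
    while i < len(profile):
        toks.append("**" if profile.startswith("**", i) else profile[i])
        i += len(toks[-1])
    return toks

def _regex(profile):
    """Generic matching: '**' spans any number of qualifiers (a trailing
    '.**' may also match none), '*' one qualifier, '%' one character."""
    out = []
    for t in _tokens(profile):
        if t == "**" and out and out[-1] == r"\.":
            out[-1] = r"(\..*)?"
        else:
            out.append({"**": ".*", "*": r"[^.]*", "%": r"[^.]"}.get(t) or re.escape(t))
    return "^" + "".join(out) + "$"

def _specificity(profile):
    """Most specific wins: per position a literal beats '%', beats '*', beats '**'."""
    return [_RANK.get(t, 0) for t in _tokens(profile)]

def best_profile(profiles, resource):
    """Name of the most specific profile covering resource, or None."""
    hits = [p for p in profiles if re.match(_regex(p), resource)]
    return min(hits, key=_specificity) if hits else None

def effective_access(profile, user, groups):
    """User entry wins; else highest entry among the user's groups; else UACC."""
    acl = profile["acl"]
    if user in acl:
        return acl[user]
    via_groups = [acl[g] for g in groups if g in acl]
    return max(via_groups, key=LEVELS.index) if via_groups else profile["uacc"]

def check(profiles, resource, user, groups, intent):
    """(allowed, profile, granted), the triple an ICH408I reports; allowed is
    None when no profile covers the resource (RACF: not protected)."""
    name = best_profile(profiles, resource)
    if name is None:
        return None, None, None
    granted = effective_access(profiles[name], user, groups)
    return LEVELS.index(granted) >= LEVELS.index(intent), name, granted

# Proposed profile set, with no PERMIT yet for the CHIN so the first check
# reproduces the ICH408I from the opening post (sample names are constructed).
PROFILES = {
    "MQX1.CONTEXT.**": {"uacc": "NONE", "acl": {}},
    "MQX1.CONTEXT.ABC.**": {"uacc": "CONTROL", "acl": {}},
    "MQX1.CONTEXT.SYSTEM.COMMAND.INPUT": {"uacc": "NONE", "acl": {"TheMQAdmins": "UPDATE"}},
    "MQX1.CONTEXT.SYSTEM.ADMIN.COMMAND.QUEUE": {"uacc": "NONE", "acl": {"TheMQAdmins": "UPDATE"}},
}
if __name__ == "__main__":
    xmitq = "MQX1.CONTEXT.SYSTEM.CLUSTER.TRANSMIT.QUEUE"
    print(check(PROFILES, xmitq, "MQX1CHIN", ["TECHIMS"], "CONTROL"))  # denied: UACC NONE
    PROFILES["MQX1.CONTEXT.**"]["acl"]["MQX1CHIN"] = "CONTROL"          # assumed PERMIT for the CHIN
    print(check(PROFILES, xmitq, "MQX1CHIN", ["TECHIMS"], "CONTROL"))  # allowed
    print(check(PROFILES, "MQX1.CONTEXT.ABC.ORDERS", "APPUSR1", [], "CONTROL"))  # ABC.** overrides **
```

The discrete command-queue profiles and MQX1.CONTEXT.ABC.** both beat MQX1.CONTEXT.**, so the NONE on the catch-all only reaches queues no more specific profile covers, which is exactly where the CHIN's transmit and sync queues land.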
bruce2359
Posted: Sat Jan 16, 2010 5:39 am


RDEFINE creates new profiles; RALTER alters existing profiles.

Back to the OP and your grumpy CHIN address space: the CHIN (MCA) does require CONTEXT(CONTROL) authority to put messages into destination queues on behalf of, and with the MQMD identity of, the creator of the message. This is consistent with MCAs on midrange platforms.

Congrats on your RACF journey.
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
zpat
Posted: Sat Jan 16, 2010 6:34 am


To allow the use of /* as comments in column 1, use this JCL

//SYSTSIN DD DATA,DLM=##

Then end the input stream with ## (instead of /*)