RACF MQADMIN hlq.CONTEXT
PeterPotkay
Posted: Fri Jan 15, 2010 5:58 am Post subject: RACF MQADMIN hlq.CONTEXT
Poobah, Joined: 15 May 2001, Posts: 7717
I have a grumpy CHIN:
Code:
17:34:27 CSQM138I ?X1 CSQMSCHI CHANNEL INITIATOR STARTING
17:34:27 ICH408I USER(MQX1CHIN) GROUP(TECHIMS ) NAME(MQSERIES STARTED TAS)
17:34:27 MQX1.CONTEXT.SYSTEM.CLUSTER.TRANSMIT.QUEUE CL(MQADMIN )
17:34:27 INSUFFICIENT ACCESS AUTHORITY
17:34:27 FROM MQX1.CONTEXT.** (G)
17:34:27 ACCESS INTENT(CONTROL) ACCESS ALLOWED(NONE )
17:34:27 ICH408I USER(MQX1CHIN) GROUP(TECHIMS ) NAME(MQSERIES STARTED TAS)
17:34:27 MQX1.CONTEXT.SYSTEM.CHANNEL.SYNCQ CL(MQADMIN )
17:34:27 INSUFFICIENT ACCESS AUTHORITY
17:34:27 FROM MQX1.CONTEXT.** (G)
17:34:27 ACCESS INTENT(CONTROL) ACCESS ALLOWED(NONE )
MQ 7 on z/OS 1.10
A portion of my script as I continue to learn RACF for MQ:
Code:
000056,**********************************************************************
000057,*ALLOW EVERYONE TO USE CONTEXT SECURITY FOR ALL QUEUES *
000058,*PREVENT ANYONE FROM USING CONTEXT SECURITY TO THE COMMAND QUEUES *
000059,*THEN ALLOW THE MQ ADMIN GROUP THIS ACCESS TO THE COMMAND QUEUES *
000060,**********************************************************************
000061,RDEF MQADMIN MQX1.CONTEXT.** -
000062, UACC(CONTROL) AUDIT(ALL(ALTER))
000063,RDEF MQADMIN MQX1.CONTEXT.SYSTEM.COMMAND.INPUT -
000064, UACC(NONE) AUDIT(ALL(READ))
000065,RDEF MQADMIN MQX1.CONTEXT.SYSTEM.ADMIN.COMMAND.QUEUE -
000066, UACC(NONE) AUDIT(ALL(READ))
000067,PERMIT MQX1.CONTEXT.SYSTEM.COMMAND.INPUT CLASS(MQADMIN) ID(TECHMQ) -
000068, ACCESS(UPDATE)
000069,PERMIT MQX1.CONTEXT.SYSTEM.ADMIN.COMMAND.QUEUE CLASS(MQADMIN) -
000070, ID(TECHMQ) ACCESS(UPDATE)
.
.
.
000107,**********************************************************************
000108,*REFRESH RACF TO PICK UP OUR CHANGES *
000109,**********************************************************************
000110,SETROPTS REFRESH RACLIST(MQCONN) GENERIC(MQCONN)
000111,SETROPTS REFRESH RACLIST(MQADMIN) GENERIC(MQADMIN)
000112,SETROPTS REFRESH RACLIST(MQCMDS) GENERIC(MQCMDS)
000113,SETROPTS REFRESH RACLIST(MQQUEUE) GENERIC(MQQUEUE)
000114,**********************************************************************
000115,*LASTLY LIST ALL THE CLASSES AFTER WE MADE OUR CHANGES *
000116,**********************************************************************
000117,RLIST MQCONN *
000118,RLIST MQADMIN *
000119,RLIST MQCMDS *
000120,RLIST MQQUEUE *
I think my lines 61 and 62 worked in my script; here is the output:
Code:
READY
**********************************************************************
IKJ56621I INVALID COMMAND NAME SYNTAX
READY
*ALLOW EVERYONE TO USE CONTEXT SECURITY FOR ALL QUEUES *
IKJ56621I INVALID COMMAND NAME SYNTAX
READY
*PREVENT ANYONE FROM USING CONTEXT SECURITY TO THE COMMAND QUEUES *
IKJ56621I INVALID COMMAND NAME SYNTAX
READY
*THEN ALLOW THE MQ ADMIN GROUP THIS ACCESS TO THE COMMAND QUEUES *
IKJ56621I INVALID COMMAND NAME SYNTAX
READY
**********************************************************************
IKJ56621I INVALID COMMAND NAME SYNTAX
READY
RDEF MQADMIN MQX1.CONTEXT.** UACC(CONTROL) AUDIT(ALL(ALTER))
ICH10102I MQX1.CONTEXT.** ALREADY DEFINED TO CLASS MQADMIN.
READY
RDEF MQADMIN MQX1.CONTEXT.SYSTEM.COMMAND.INPUT UACC(NONE) AUDIT(ALL(READ))
ICH10102I MQX1.CONTEXT.SYSTEM.COMMAND.INPUT ALREADY DEFINED TO CLASS MQADMIN.
READY
RDEF MQADMIN MQX1.CONTEXT.SYSTEM.ADMIN.COMMAND.QUEUE UACC(NONE) AUDIT(ALL(READ))
ICH10102I MQX1.CONTEXT.SYSTEM.ADMIN.COMMAND.QUEUE ALREADY DEFINED TO CLASS MQADMIN.
1READY
PERMIT MQX1.CONTEXT.SYSTEM.COMMAND.INPUT CLASS(MQADMIN) ID(TECHMQ) ACCESS(UPDATE)
READY
PERMIT MQX1.CONTEXT.SYSTEM.ADMIN.COMMAND.QUEUE CLASS(MQADMIN) ID(TECHMQ) ACCESS(UPDATE)
READY
I then go look at the output of RLIST for MQADMIN MQX1.CONTEXT:
Code:
CLASS NAME
----- ----
MQADMIN MQX1.CONTEXT.** (G)
GROUP CLASS NAME
----- ----- ----
GMQADMIN
LEVEL OWNER UNIVERSAL ACCESS YOUR ACCESS WARNING
----- -------- ---------------- ----------- -------
00 @TSMT00 NONE ALTER NO
INSTALLATION DATA
-----------------
NONE
APPLICATION DATA
----------------
NONE
AUDITING
--------
FAILURES(READ)
1NOTIFY
------
NO USER TO BE NOTIFIED
CLASS NAME
----- ----
MQADMIN MQX1.CONTEXT.SYSTEM.ADMIN.COMMAND.QUEUE
GROUP CLASS NAME
----- ----- ----
GMQADMIN
LEVEL OWNER UNIVERSAL ACCESS YOUR ACCESS WARNING
----- -------- ---------------- ----------- -------
00 @TSMT00 NONE ALTER NO
INSTALLATION DATA
-----------------
NONE
APPLICATION DATA
----------------
NONE
AUDITING
--------
FAILURES(READ)
NOTIFY
------
NO USER TO BE NOTIFIED
CLASS NAME
----- ----
MQADMIN MQX1.CONTEXT.SYSTEM.COMMAND.INPUT
GROUP CLASS NAME
----- ----- ----
GMQADMIN
LEVEL OWNER UNIVERSAL ACCESS YOUR ACCESS WARNING
----- -------- ---------------- ----------- -------
1 00 @TSMT00 NONE ALTER NO
INSTALLATION DATA
-----------------
NONE
APPLICATION DATA
----------------
NONE
AUDITING
--------
FAILURES(READ)
NOTIFY
------
NO USER TO BE NOTIFIED
#1 Why is UACC set to NONE for MQX1.CONTEXT.** ? It should be CONTROL, no?
#2 The output is a little hard to read due to the "IKJ56621I INVALID COMMAND NAME SYNTAX" errors thrown because of all the comments I have mixed in with the commands. Any trick to have comments mixed in with commands and not have the job complain about each line starting with an "*"?
_________________
Peter Potkay
Keep Calm and MQ On
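As an added example (not part of the post), here is a small Python parser for the multi-line ICH408I format shown in the CHIN log above; the sample log is constructed from the lines posted, and the parser pulls the resource, class, matched profile and ACCESS INTENT / ACCESS ALLOWED out of each violation so a batch of them can be grouped by the profile that produced the denial.

```python
import re
from collections import Counter

# Constructed sample, copied from the shape of the CHIN startup messages above.
SAMPLE_LOG = """\
17:34:27 CSQM138I ?X1 CSQMSCHI CHANNEL INITIATOR STARTING
17:34:27 ICH408I USER(MQX1CHIN) GROUP(TECHIMS ) NAME(MQSERIES STARTED TAS)
17:34:27 MQX1.CONTEXT.SYSTEM.CLUSTER.TRANSMIT.QUEUE CL(MQADMIN )
17:34:27 INSUFFICIENT ACCESS AUTHORITY
17:34:27 FROM MQX1.CONTEXT.** (G)
17:34:27 ACCESS INTENT(CONTROL) ACCESS ALLOWED(NONE )
17:34:27 ICH408I USER(MQX1CHIN) GROUP(TECHIMS ) NAME(MQSERIES STARTED TAS)
17:34:27 MQX1.CONTEXT.SYSTEM.CHANNEL.SYNCQ CL(MQADMIN )
17:34:27 INSUFFICIENT ACCESS AUTHORITY
17:34:27 FROM MQX1.CONTEXT.** (G)
17:34:27 ACCESS INTENT(CONTROL) ACCESS ALLOWED(NONE )
"""

TS = re.compile(r"^\d{2}:\d{2}:\d{2}\s+")                     # leading hh:mm:ss
HDR = re.compile(r"ICH408I USER\(([^)\s]+)\s*\) GROUP\(([^)\s]+)\s*\)")
RES = re.compile(r"^(\S+)\s+CL\(([^)\s]+)\s*\)$")             # resource CL(class)
FROM = re.compile(r"^FROM (\S+)(?:\s+\((G)\))?$")             # profile, (G) = generic
ACC = re.compile(r"ACCESS INTENT\(([^)\s]+)\s*\)\s+ACCESS ALLOWED\(([^)\s]+)\s*\)")

def parse_ich408i(text):
    """Return one dict per ICH408I violation found in the log text."""
    events, cur = [], None
    for raw in text.splitlines():
        line = TS.sub("", raw).strip()
        m = HDR.search(line)
        if m:                                   # a new violation starts here
            cur = {"user": m.group(1), "group": m.group(2)}
            events.append(cur)
            continue
        if cur is None:                         # unrelated message, e.g. CSQM138I
            continue
        if (m := RES.match(line)):
            cur["resource"], cur["class"] = m.group(1), m.group(2)
        elif (m := FROM.match(line)):
            cur["profile"], cur["generic"] = m.group(1), m.group(2) == "G"
        elif (m := ACC.search(line)):
            cur["intent"], cur["allowed"] = m.group(1), m.group(2)
    return events

def denials_by_profile(events):
    """Count violations per (user, class, profile): shows which RACF profile is in play."""
    return Counter((e["user"], e["class"], e["profile"]) for e in events)
```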
Vitor
Posted: Fri Jan 15, 2010 6:12 am Post subject: Re: RACF MQADMIN hlq.CONTEXT
Grand High Poobah, Joined: 11 Nov 2005, Posts: 26093, Location: Texas, USA
PeterPotkay wrote:
#1 Why is UACC set to NONE for MQX1.CONTEXT.** ? It should be CONTROL, no?
Ok, not my strong suit but I didn't think RDEFINE changed existing profiles. Now it clearly says that the "profile exists" is an I message and I'd have expected at least a W if I was right (or better still an E) but when I've done what you're doing I've either RDELETE & RDEFINE in a script, or used RALTER.
My 2 cents for what it's worth there.
PeterPotkay wrote:
Any trick to have comments mixed in with commands and not have the job complain about each line starting with an "*"?
I just do it like that & don't get errors. I think. Been a little while.
_________________
Honesty is the best policy.
Insanity is the best defence.
bruce2359
Posted: Fri Jan 15, 2010 10:38 am Post subject:
Poobah, Joined: 05 Jan 2008, Posts: 9442, Location: US: west coast, almost. Otherwise, enroute.
RACF commands are really TSO RACF commands; therefore, TSO/E syntax rules for how to insert comments apply.
Comments: You can include a comment on a line by itself, or before, in the middle of, or after a CLIST statement or TSO/E command.
You define a comment by coding a slash-asterisk (comment delimiter) followed by the descriptive text.
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
PeterPotkay
Posted: Fri Jan 15, 2010 12:49 pm Post subject: Re: RACF MQADMIN hlq.CONTEXT
Poobah, Joined: 15 May 2001, Posts: 7717
Vitor wrote:
PeterPotkay wrote:
#1 Why is UACC set to NONE for MQX1.CONTEXT.** ? It should be CONTROL, no?
Ok, not my strong suit but I didn't think RDEFINE changed existing profiles. Now it clearly says that the "profile exists" is an I message and I'd have expected at least a W if I was right (or better still an E) but when I've done what you're doing I've either RDELETE & RDEFINE in a script, or used RALTER.
It says it's already there because I keep running the same script over and over as I fix little things in the script. Would be good to get confirmation: if a profile already exists with access of ABC and you try to change it to DEF, is it going to be ABC when you are done, or will it change to DEF? Guess I gotta experiment. Plus we are meeting with the RACF folks next week. I suppose this is more a RACF question than an MQ question.
RALTER eh? Maybe that is the key if I am going to repeatedly run this script and need to handle changes to existing profiles as I fine tune my script. Yeck, the script would have to be RDEFINEs paired with RALTERs to handle all situations.
Bruce,
/* didn't work. It appears to indicate the end of the step to the job and it ends before executing anything.
Near the top of my JCL...
Code:
//STEP1 EXEC PGM=IKJEFT01
//SYSLBC DD DSN=SYS1.BRODCAST,DISP=SHR
//SYSTSPRT DD SYSOUT=*
//SYSUDUMP DD SYSOUT=*
//SYSPRINT DD SYSOUT=*
//SYSTSIN DD *
/******************************************************
/*FIRST LIST ALL THE CLASSES BEFORE WE CHANGE ANYTHING *
/*********************************************************************
RLIST MQADMIN *
RLIST MQCONN *
RLIST MQCMDS *
RLIST MQQUEUE *
/*****************************************************
/*INSURE ALL THE SWITCHES THAT DISABLE MQ SECURITY ARE NOT DEFINED *
/*****************************************************
RDELETE MQADMIN MQX1.NO.SUBSYS.SECURITY
RDELETE MQADMIN MQX1.NO.CONNECT.CHECKS
.
.
.
My output for the job:
----+----1----+----2----+----3----+----4----+---
1READY
END
******************************** Bottom of Data
If I change it back to starting with *****, it then runs again, but with all those annoying errors. _________________ Peter Potkay
Keep Calm and MQ On |
bruce2359
Posted: Fri Jan 15, 2010 1:12 pm Post subject: Re: RACF MQADMIN hlq.CONTEXT
Poobah, Joined: 05 Jan 2008, Posts: 9442, Location: US: west coast, almost. Otherwise, enroute.
PeterPotkay wrote:
Bruce,
/* didn't work. It appears to indicate the end of the step to the job and it ends before executing anything.
Ooops. /* starting in position 1 is a data delimiter in JCL. Try starting the /* comment thing in pos 2 or 3 ...
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
bruce2359
Posted: Fri Jan 15, 2010 1:41 pm Post subject:
Poobah, Joined: 05 Jan 2008, Posts: 9442, Location: US: west coast, almost. Otherwise, enroute.
Quote:
#1 Why is UACC set to NONE for MQX1.CONTEXT.** ? It should be CONTROL, no?
A RACF basic: if it's dangerous, set the default access (UACC) to NONE; then grant more than NONE to those that have a business requirement for it.
CONTROL access to ssid.CONTEXT.qname allows any offending application to set all context fields in the MQMD. Few/no user-written apps need this ability. Danger Will Robinson, danger.
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
PeterPotkay
Posted: Fri Jan 15, 2010 2:02 pm Post subject:
Poobah, Joined: 15 May 2001, Posts: 7717
Still doesn't like it. //* is the way to comment the JCL, but that doesn't work inside a step. Inside the step the only thing I got to work is ***, but with the noise in the output.
I did find this:
http://publib.boulder.ibm.com/infocenter/zos/v1r9/topic/com.ibm.zos.r9.icha200/parmlib.htm#wq381
Quote:
Comments in the RACF parameter library
You can include comments in the RACF parameter library only when they follow a command on a line. If you include a comment on a line without a command, RACF issues an error message. Comments are delimited by /* and */ characters.
Blank lines are not supported in the RACF parameter library.
For example:
Code:
//SYSPRINT DD SYSOUT=*
//SYSTSIN DD *
RLIST MQADMIN * /************************************/
RLIST MQCONN * /* FIRST LIST ALL THE CLASSES BEFORE*/
RLIST MQCMDS * /* WE CHANGE ANYTHING */
RLIST MQQUEUE * /************************************/
Not ideal, but I get to comment my job AND don't have to deal with the errors in the output.
Now, if I could only figure out the answer to my question #1 above.
_________________
Peter Potkay
Keep Calm and MQ On
PeterPotkay
Posted: Fri Jan 15, 2010 2:07 pm Post subject:
Poobah, Joined: 15 May 2001, Posts: 7717
bruce2359 wrote:
Quote:
#1 Why is UACC set to NONE for MQX1.CONTEXT.** ? It should be CONTROL, no?
A RACF basic: if it's dangerous, set the default access (UACC) to NONE; then grant more than NONE to those that have a business requirement for it.
CONTROL access to ssid.CONTEXT.qname allows any offending application to set all context fields in the MQMD. Few/no user-written apps need this ability. Danger Will Robinson, danger.
I understand where you are coming from. We will UACC NONE the command queues. But I don't have a requirement to prevent context being set/passed on application queues. What do I care if an app wants to change the context of a message it's putting to ITS queue? Plus, I don't have a list of all the users and groups, so I couldn't explicitly grant the access like that if I wanted to. (It's a political FUBAR situation if you catch my drift.)
My goal right now is to prevent administrative access to the QM. Allowing context for application queues does not contradict that.
Soooo, given that, any ideas why my UACC CONTROL ain't sticking?
_________________
Peter Potkay
Keep Calm and MQ On
Vitor
Posted: Fri Jan 15, 2010 2:26 pm Post subject:
Grand High Poobah, Joined: 11 Nov 2005, Posts: 26093, Location: Texas, USA
PeterPotkay wrote:
Soooo, given that, any ideas why my UACC CONTROL ain't sticking?
Try RALTER. Then try the RACF experts.
_________________
Honesty is the best policy.
Insanity is the best defence.
bruce2359
Posted: Fri Jan 15, 2010 4:08 pm Post subject:
Poobah, Joined: 05 Jan 2008, Posts: 9442, Location: US: west coast, almost. Otherwise, enroute.
Quote:
What do I care if an app wants to change the context of a message it's putting to ITS queue?
CONTEXT(NONE) prevents an application from changing the userid, application id, and all of the other MQMD context fields, thus preventing an application from taking on another security identity.
Some downstream application, process, or security component may depend on the real userid of the creator of the message being in the MQMD. The desired and usual behavior of MQ apps is to request that the qmgr save context on MQGET from an input queue, then pass this context to an output queue message.
[edited]
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
gbaddeley
Posted: Fri Jan 15, 2010 10:04 pm Post subject:
Jedi Knight, Joined: 25 Mar 2003, Posts: 2527, Location: Melbourne, Australia
bruce2359 wrote:
CONTEXT(NONE) prevents an application from changing the userid, application id, and all of the other MQMD context fields, thus preventing an application from taking on another security identity.
Some downstream application, process, or security component may depend on the real userid of the creator of the message being in the MQMD. The desired and usual behavior of MQ apps is to request that the qmgr save context on MQGET from an input queue, then pass this context to an output queue message.
Ideally MQ apps do not need to set the context fields in the MQMD, or pass their values from one MQMD to another, and therefore require elevated MQ security authorities to do this. These fields identify the originator of a message and are important for integrity and auditability. I have yet to see a compelling reason why they need to be changed, where some other technique (i.e. include the info in the message data) can be used to meet app design requirements.
_________________
Glenn
PeterPotkay
Posted: Sat Jan 16, 2010 4:59 am Post subject:
Poobah, Joined: 15 May 2001, Posts: 7717
My goal right now is to prevent non-authorized administrative access to the QM. That's it. I'm dealing with very old QMs that never had any security. I don't disagree with your comments about the whys of Context security (exact same concept for MQ regardless of platform), but I am not tackling anything right now that will delay me reaching my goal of locking down the administration of the QM, or that will cause application outages if I don't get it quite right. That's why I'm ignoring the application queues right now. I'll get them in Phase II of this effort. Remember I'm also learning RACF as it relates to MQ as I do this, so I don't want to bite off more than I can chew and end up doing nothing.
gbaddeley wrote:
Ideally MQ apps do not need to set the context fields in the MQMD, or pass their values from one MQMD to another....
Ideally and reality are sometimes miles apart, especially when back filling security into systems that never properly had it and had years and years to let it run like that.
Given that all the app queues start with ABC.*, I'll do this instead. Will this work? Not sure about the double overlapping UACCs. I intend it to mean that no one can do context on any queue, but anyone can do it for the application queues, and then I allow my team to do it for the command queues. I realize I still have to address the CHIN's specific context needs now that UACC is NONE for all queues.
Code:
RDEF MQADMIN MQX1.CONTEXT.** UACC(NONE) AUDIT(ALL(READ))
RDEF MQADMIN MQX1.CONTEXT.ABC.** UACC(CONTROL) AUDIT(ALL(ALTER))
PERMIT MQX1.CONTEXT.SYSTEM.COMMAND.INPUT CLASS(MQADMIN) ID(TheMQAdmins) ACCESS(UPDATE)
PERMIT MQX1.CONTEXT.SYSTEM.ADMIN.COMMAND.QUEUE CLASS(MQADMIN) ID(TheMQAdmins) ACCESS(UPDATE)
Back to the original question... Vitor, I'll try that RALTER and see what happens. Glenn, do you know if a profile already exists with setting XYZ and I use the RDEFINE command and set it to ABC, will it change? Or do I have to use RALTER? I am running this script over and over as I experiment and learn RACF with MQ. But as I go forward I will need it to properly set my intended values, whether the profile already existed with a different level or not. Hope I don't have to pair up RDEFINE with RALTER for each command.
_________________
Peter Potkay
Keep Calm and MQ On
bruce2359
Posted: Sat Jan 16, 2010 5:39 am Post subject:
Poobah, Joined: 05 Jan 2008, Posts: 9442, Location: US: west coast, almost. Otherwise, enroute.
RDEFINE creates new profiles; RALTER alters existing profiles.
Back to the OP and your grumpy CHIN address space: the CHIN (MCA) does require CONTEXT(CONTROL) authority to put messages into destination queues on behalf of, and with the MQMD identity of, the creator of the message. This is consistent with MCAs on midrange platforms.
Congrats on your RACF journey.
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
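To see how the overlapping CONTEXT profiles proposed two posts up would resolve, and why the CHIN still fails under them, here is an added Python model (not from the thread and not RACF's own logic) of most-specific-profile matching plus the PERMIT/UACC decision; the generic-matching and specificity rules are simplified as the comments state, and the MQX1.CONTEXT.SYSTEM.** profile with its MQX1CHIN permit is an assumption illustrating the CONTROL requirement described above.

```python
import re

# RACF access levels in order; a request succeeds when the level granted
# is at least the level requested.
LEVELS = {"NONE": 0, "READ": 1, "UPDATE": 2, "CONTROL": 3, "ALTER": 4}

def profile_regex(profile):
    """Simplified generic-profile matching (an assumption, not the full RACF
    rules): '**' matches any run of qualifiers, '*' matches any characters
    inside a single qualifier, everything else is literal."""
    pat = re.escape(profile).replace(r"\*\*", ".*").replace(r"\*", "[^.]*")
    return re.compile("^" + pat + "$")

def best_profile(resource, profiles):
    """Most specific matching profile: a discrete profile beats any generic
    one; among generics the longest literal prefix before the first '*' wins."""
    hits = [p for p in profiles if profile_regex(p).match(resource)]
    if not hits:
        return None
    return max(hits, key=lambda p: ("*" not in p, (p + "*").find("*")))

def access_check(resource, user, groups, intent, profiles):
    """Return (allowed, profile, granted). Checks the user's own PERMIT entry
    first, then the highest level among the user's groups, then UACC."""
    name = best_profile(resource, profiles)
    if name is None:                 # nothing covers it: RACF does not protect it
        return True, None, "NO PROFILE"
    permit = profiles[name]["permit"]
    if user in permit:
        granted = permit[user]
    else:
        via_group = [permit[g] for g in groups if g in permit]
        granted = max(via_group, key=LEVELS.get) if via_group else profiles[name]["uacc"]
    return LEVELS[granted] >= LEVELS[intent], name, granted

# Constructed from the profiles proposed in the thread: NONE on the CONTEXT
# umbrella, CONTROL on the ABC.** application queues, UPDATE for the admin
# group on the two discrete command-queue profiles from the earlier script.
PROPOSED = {
    "MQX1.CONTEXT.**": {"uacc": "NONE", "permit": {}},
    "MQX1.CONTEXT.ABC.**": {"uacc": "CONTROL", "permit": {}},
    "MQX1.CONTEXT.SYSTEM.COMMAND.INPUT":
        {"uacc": "NONE", "permit": {"TheMQAdmins": "UPDATE"}},
    "MQX1.CONTEXT.SYSTEM.ADMIN.COMMAND.QUEUE":
        {"uacc": "NONE", "permit": {"TheMQAdmins": "UPDATE"}},
}
# Assumption: one way to give the channel initiator the CONTROL it needs on the
# SYSTEM queues without reopening the umbrella profile to everyone.
WITH_CHIN = dict(PROPOSED)
WITH_CHIN["MQX1.CONTEXT.SYSTEM.**"] = {"uacc": "NONE", "permit": {"MQX1CHIN": "CONTROL"}}
```

Real RACF adds rules this model leaves out (WARNING mode, the global access table, OPERATIONS, and its own character-by-character specificity ordering), so treat it as a way to reason about the profile layout, not as a substitute for testing on the system.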
zpat
Posted: Sat Jan 16, 2010 6:34 am Post subject:
Jedi Council, Joined: 19 May 2001, Posts: 5856, Location: UK
To allow the use of /* as comments in column 1, use this JCL:
//SYSTSIN DD DATA,DLM=##
Then end the input stream with ## (instead of /*).