Author |
Message
|
ankurlodhi |
Posted: Fri Sep 16, 2011 6:36 am Post subject: |
|
|
Master
Joined: 19 Oct 2010 Posts: 266
|
I know it's not a very good idea to set the value to mqm, but for some time it can solve the problem.
But thinking other than this, maybe you can give authority to the mqm group, so that a member of the mqm group can put messages on the queue. |
|
|
 |
mqjeff |
Posted: Fri Sep 16, 2011 6:41 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008 Posts: 17447
|
Yes, it can temporarily solve the problem.
But it removes the ability to solve the problem permanently.
And in general, anything that is an application queue should have application-specific permissions, and all application users should be authorized into an application-specific role and NOT put into the mqm group for any reason.
The only users that should be in MQM are a) the mqm/musr_mqadmin user, b) the os level root user, c) specific mq administration ids.
And even c) is questionable. c) should be better handled through proper mq security to allow specific users who are properly authorized to connect to secured channels that do have mcauser(mqm) or those same specific user ids are capable of sudo/su/login as mqm user instead. (although ideally in a manner that produces a log of the time and the actions taken) |
|
|
 |
dprogwmb |
Posted: Fri Sep 16, 2011 6:44 am Post subject: Problem SOLVED!!! |
|
|
Voyager
Joined: 19 Jul 2011 Posts: 96
|
dprogwmb wrote: |
ankurlodhi wrote: |
alter the queue you are trying to put message on and set the mcauser value to mqm (remember it's a string value, so when you mention it do it with '' quotes)
then try and tell what you get. |
Thanks for your answer ankurlodhi!!
I tried using MQ Explorer v7, setting MCAUser to user "admin" CHANNEL1 (SVRCONN), and I'm also getting the same error... "2035" in client side.
Some definitions:
User "admin" is the user under which the MQ client runs ... on machine A (Win XP)....
Machine B is where the MQ server runs (also Win XP)...
Any other -"constructive"- suggestion? |
Problem solved
I created the user "admin" from the client in the win xp server, and added the user "admin" to the group mqm... and then set on the CHANNEL1 (SVRCONN) on MCA User the user admin... and worked fine . Was it a bad solution? Any conclusion opinion? REGARDS EVERYBODY. |
|
|
 |
ankurlodhi |
Posted: Fri Sep 16, 2011 6:49 am Post subject: |
|
|
Master
Joined: 19 Oct 2010 Posts: 266
|
I agree with jeff that it should be specific,
so rather than going for a particular user, do it to a group, and please do let us know what setmqaut command you are giving. |
|
|
 |
mqjeff |
Posted: Fri Sep 16, 2011 7:02 am Post subject: Re: Problem SOLVED!!! |
|
|
Grand Master
Joined: 25 Jun 2008 Posts: 17447
|
dprogwmb wrote: |
I created the user "admin" from the client in the win xp server, and added the user "admin" to the group mqm... and then set on the CHANNEL1 (SVRCONN) on MCA User the user admin... and worked fine . Was it a bad solution? Any conclusion opinion? REGARDS EVERYBODY. |
It is a bad solution because you put the user in the MQM group.
That user now has full administrative privileges to the entire queue manager. And because you've set that user name as the MCAUSER, anyone who establishes a network connection to the mq listener and knows the name of the SVRCONN can now have full administrative access to the queue manager.
So remove the admin user from the mqm group, REFRESH SECURITY, and then issue setmqaut commands for 'admin' on the qmgr machine until you can connect and open your queue.
And then think about securing the channel. |
|
|
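The clean-up mqjeff describes in the post above, written out as an added example (not part of the original thread) for the Windows server in question. The queue manager name `QM1`, the queue name `APP.QUEUE` and the choice of `+put +inq` are assumptions; `admin` and `CHANNEL1` are the names used in the thread.

```powershell
# Added example: QM1 and APP.QUEUE are placeholders, not values from the thread.
$QMgr  = 'QM1'         # hypothetical queue manager name
$Queue = 'APP.QUEUE'   # hypothetical application queue
$User  = 'admin'       # the client user named in the thread

# 1. Take the user out of the mqm group (elevated session on the MQ server).
net localgroup mqm $User /delete

# Confirm the membership is really gone before going further.
$pattern = '^\s*' + [regex]::Escape($User) + '\s*$'
if ((net localgroup mqm) -match $pattern) {
    throw "$User is still a member of mqm"
}

# 2. Make the queue manager re-read its authorization data.
'REFRESH SECURITY TYPE(AUTHSERV)' | runmqsc $QMgr

# 3. Grant only what the application needs: connect to the queue manager
#    and put to its own queue. If the client still gets 2035, add further
#    authorities one at a time rather than falling back to mqm.
setmqaut -m $QMgr -t qmgr -p $User +connect +inq
setmqaut -m $QMgr -n $Queue -t queue -p $User +put +inq

# 4. Review what the user can now do, and which MCAUSER the channel asserts.
dspmqaut -m $QMgr -t qmgr -p $User
dspmqaut -m $QMgr -n $Queue -t queue -p $User
'DISPLAY CHANNEL(CHANNEL1) MCAUSER' | runmqsc $QMgr
```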
 |
Vitor |
Posted: Fri Sep 16, 2011 7:05 am Post subject: |
|
|
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
|
ankurlodhi wrote: |
maybe you can give authority to the mqm group, so that a member of the mqm group can put messages on the queue. |
This sort of comment will not impress the Nobel committee.
A fundamental principle of WMQ is that any member of the mqm group can do anything to the WMQ software. So you can't "give" authority to mqm group to put a message to a queue; that group already has it. Likewise you can't take it away. This is why putting mqm in a MCAUser is so dangerous; anyone using that channel can do anything they want to the queue manager. This includes putting messages to any queue, and indeed creating/deleting queues as they see fit. _________________ Honesty is the best policy.
Insanity is the best defence. |
|
|
 |
Vitor |
Posted: Fri Sep 16, 2011 7:07 am Post subject: Re: Problem SOLVED!!! |
|
|
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
|
dprogwmb wrote: |
Was it a bad solution? Any conclusion opinion? |
It's a bad solution. Anyone who uses that channel can administer any aspect of the queue manager without restraint. See my explanation above, and my analogy above about fixing a problem with the lock on a door by removing the door completely. _________________ Honesty is the best policy.
Insanity is the best defence. |
|
|
 |
ankurlodhi |
Posted: Fri Sep 16, 2011 7:07 am Post subject: |
|
|
Master
Joined: 19 Oct 2010 Posts: 266
|
You did well to go that far, but indirectly you did the same thing which I told you with setting the MCA user to mqm.
You're close to the solution, you just need to push some more buttons. |
|
|
 |
Vitor |
Posted: Fri Sep 16, 2011 7:10 am Post subject: |
|
|
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
|
ankurlodhi wrote: |
You did well to go that far, but indirectly you did the same thing which I told you with setting the MCA user to mqm, |
Which is still not a good thing. Access directly or indirectly to mqm simply by establishing a connection is a serious security hole. _________________ Honesty is the best policy.
Insanity is the best defence. |
|
|
 |
exerk |
Posted: Fri Sep 16, 2011 7:41 am Post subject: |
|
|
 Jedi Council
Joined: 02 Nov 2006 Posts: 6339
|
ankurlodhi wrote: |
...you just need to push some more buttons. |
You are certainly pushing some... _________________ It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
|
|
 |
bruce2359 |
Posted: Fri Sep 16, 2011 4:15 pm Post subject: |
|
|
 Poobah
Joined: 05 Jan 2008 Posts: 9475 Location: US: west coast, almost. Otherwise, enroute.
|
Don't press the "put everyone in mqm group" button. _________________ I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live. |
|
|
 |
|