ASG
IBM
Zystems
Cressida
Icon
Netflexity
 
  MQSeries.net
Search  Search       Tech Exchange      Education      Certifications      Library      Info Center      SupportPacs      LinkedIn  Search  Search                                                                   FAQ  FAQ   Usergroups  Usergroups
 
Register  ::  Log in Log in to check your private messages
 
RSS Feed - WebSphere MQ Support RSS Feed - Message Broker Support

MQSeries.net Forum Index » General IBM MQ Support » 2035 on cluster Queue

Post new topic  Reply to topic Goto page Previous  1, 2, 3
 2035 on cluster Queue « View previous topic :: View next topic » 
Author Message
JosephGramig
PostPosted: Fri Nov 16, 2007 5:32 am    Post subject: Reply with quote

Grand Master

Joined: 09 Feb 2006
Posts: 1244
Location: Gold Coast of Florida, USA
Well, putting an ID on the MCAUSER of an inbound channel is a very good idea. Especially if you do not have a security exit configured on that channel. Of course, that only gives anonymous access with that particular ID.

You certainly can grant the right authority to an ID on a cluster receiver to do all of what it needs to do.

PeterPotkay said:
Quote:
But if you tag the MCAUSER of the CLUSRCVR with an ID that does not have access to the SYSTEM.* queues (other than the DLQ), the clustered QMs won't be able to send messages to their cluster command queues.


Well, the ID needs allmqi to all the queues except S.A.C.Q and S.D.I.Q.

Just to reiterate about using patterns when granting permission, it is for local objects only. So, it does not apply to any remotely hosted cluster objects.
_________________
Joseph
Administrator - IBM WebSphere MQ (WMQ) V6.0, IBM WebSphere Message Broker (WMB) V6.1 & V6.0
Solution Designer - WMQ V6.0
Solution Developer - WMB V6.1 & V6.0, WMQ V5.3
Back to top
View user's profile Send private message AIM Address
PeterPotkay
PostPosted: Fri Nov 16, 2007 7:47 am    Post subject: Reply with quote

Poobah

Joined: 15 May 2001
Posts: 7723
JosephGramig wrote:
PeterPotkay said:
Quote:
But if you tag the MCAUSER of the CLUSRCVR with an ID that does not have access to the SYSTEM.* queues (other than the DLQ), the clustered QMs won't be able to send messages to their cluster command queues.


Well, the ID needs allmqi to all the queues except S.A.C.Q and S.D.I.Q.

I don't think it needs anything for any of the SYSTEM.DEFAULT.* or the SYSTEM.ADMIN.* queues, least of all the SYSTEM.ADMIN.COMMAND.QUEUE.

But it does need access to SYSTEM.CLUSTER.COMMAND.QUEUE which allows Johhny Blackhat on QM1 to mess with your cluster via QM2's SYSTEM.CLUSTER.COMMAND.QUEUE if the CLUSRCVR on QM2 is tagged with an ID with access to that q, or that channel has a blank MCAUSER but there are no restrictions on QM1's cluster XMITQ.
_________________
Peter Potkay
Keep Calm and MQ On
Back to top
View user's profile Send private message
Display posts from previous:   
Post new topic  Reply to topic Goto page Previous  1, 2, 3 Page 3 of 3

MQSeries.net Forum Index » General IBM MQ Support » 2035 on cluster Queue
Jump to:  



You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
Protected by Anti-Spam ACP
  
 


Theme by Dustin Baccetti
Powered by phpBB © 2001, 2002 phpBB Group

Copyright © MQSeries.net. All rights reserved.