Some questions about security & MCAUSER

gertvangaever

Technical User
Apr 3, 2002
37
BE
Hello,

I have some questions about security on an MQServer.

1. The users that are referred to, are they LOCAL users or DOMAIN users? (I guess they are local users)
2. When connecting from a certain client to an MQSeries Queue manager, what user/password is used? How to define it?

3. I have here the following situation:
We have 5 servers with a Queue manager on each of them (SC1 - SC5). I can connect to the queue managers SC2 to SC5, with my client PC. When I look at the administrators group & mqm group on the servers (which is also a PDC, hence my first question), I am a member of the administrators group and the mqm group is empty. So I'd guess, since I'm a member of the administrators group on that server, I should be able to connect to ALL the queue managers, ALSO to SC1, to which I cannot connect at the moment (error message 4036 'you are not authorized to perform this operation'). Am I missing something here?

4. Another question is about MCAUSER:
When I connect from a client, using a server connection channel that has an MCAUSER (say, MQMCAUser), does it connect by the MQMCAUser then? So anyone that knows the name of that server connection channel can connect, even without knowing any password, or being member of the mqm or administrators group, whatsoever?? I guess that is rather UNSAFE??

Thanks!!
Gert
 
1) Local.
2) Your logon id on the client system is passed in by default. You can change it within your app using ALTERNATEUSERID.
3) When you connect to the server system using a client, your logon id is passed over. If you DO NOT have a userid defined on the server system, then you would get a 2035. You would get this even when this userid on server has not been granted appropriate authority.
4) You got it. That's the reason it's advisable to leave MCAUSER attribute blank and grant appropriate auths to those whom you wish to allow to access this channel and mq objects.

Hope this helps.



Cheers
KK
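
As an added example (not code from either poster), one way to audit for the situation in question 4: parse `runmqsc` output for `DISPLAY CHANNEL(*) CHLTYPE(SVRCONN) MCAUSER` and list every server-connection channel whose MCAUSER is filled in, since every client on such a channel runs as that ID. The sample output, the channel names, the `mqadmin` ID and the `mqm_members` list are constructed assumptions; the exact output layout can differ between MQ versions.

```python
import re

# Constructed sample of runmqsc output (channel names and mqadmin are made up;
# MQMCAUser is the example ID used in the question above).
SAMPLE = """\
AMQ8414: Display Channel details.
   CHANNEL(APP1.SVRCONN)                   CHLTYPE(SVRCONN)
   MCAUSER(MQMCAUser)
AMQ8414: Display Channel details.
   CHANNEL(APP2.SVRCONN)                   CHLTYPE(SVRCONN)
   MCAUSER( )
AMQ8414: Display Channel details.
   CHANNEL(ADMIN.SVRCONN)                  CHLTYPE(SVRCONN)
   MCAUSER(mqadmin)
"""

ATTR = re.compile(r"([A-Z]+)\(([^)]*)\)")  # matches NAME(value) pairs


def parse_channels(text):
    """Split runmqsc output into one attribute dict per AMQ8414 record."""
    channels = []
    for line in text.splitlines():
        if line.startswith("AMQ8414"):
            channels.append({})
        elif channels:
            for key, value in ATTR.findall(line):
                channels[-1][key] = value.strip()  # blank MCAUSER becomes ""
    return [c for c in channels if "CHANNEL" in c]


def fixed_identity_channels(text, mqm_members=()):
    """Return (channel, mcauser, is_admin) for SVRCONN channels with MCAUSER set.

    mqm_members is an assumed, caller-supplied list of IDs in the mqm group.
    """
    admins = {m.lower() for m in mqm_members}  # Windows IDs: compare case-blind
    findings = []
    for ch in parse_channels(text):
        user = ch.get("MCAUSER", "")
        if ch.get("CHLTYPE") == "SVRCONN" and user:
            findings.append((ch["CHANNEL"], user, user.lower() in admins))
    return findings


if __name__ == "__main__":
    for name, user, is_admin in fixed_identity_channels(SAMPLE, ["mqadmin"]):
        note = "runs with mqm authority" if is_admin else "check setmqaut grants"
        print(f"{name}: every client runs as {user!r} ({note})")
```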
 
Tnx!!

Just to let you know: I'm using MQSeries in a Windows environment.

The answer to Q2 was in fact different. The reason was that on SC1 the MCAUSER wasn't filled in, and the user with which I'm connected had no rights.

I have another problem.
I have an MQSeries 5.1 queue manager here on a Windows server. I have put 'BEPUU\Domain MQM' in the MQM local group. Now I try to run an administrator tool (admin console in Windows, to administer MQSeries) as BEPUU\GVG, who is a member of 'BEPUU\DOmain MQM'...
But, I can't connect... Why is this?
Does MQSeries have a problem with the groups, or maybe with the space in the group? I can't trial & error, because this is a very critical system!

Another small question is the following: in MQ 5.3, is it necessary for the user/group to be a member of the local mqm group, or is it enough to be a member of the local administrator group? Is this also in MQ 5.1, maybe???

Tnx
Gert
 