Thanks Ralph,
It's great that the issue has now been recognised and is under investigation.
In the meantime, while testing out the issues with amqoamd and dmpmqcfg that T.Rob described, I found that both the runmqsc command DIS AUTHREC and the command line utility dmpmqaut seem to correctly dump all of the authorisation state. They just don't format the output as setmqaut commands.
With that in mind, I wrote a script. It's in bash and uses awk, and was tested under linux, but should run on any *nix platform (including cygwin for those stuck with Windows hosted queue managers). For specific non-GNU platforms, you may have to alter the invocation of awk to nawk or gawk to get the correct results. It should also be straightforward to use sh instead of bash if you don't have a bash shell available.
The script is pretty basic in that it just does a bit of reformatting of the default output from dmpmqaut in order to produce setmqaut statements. All the work is really done by awk. The awk script is embedded in the bash script.
I did some testing to ensure that the commands it produces are valid, and that they seem to correctly recreate the permissions defined to the queue manager. There is of course no warranty of correctness associated with the code.
The embedded awk script expects to receive something like:
- - - - - - - -
profile: **
object type: queue
entity: testuser
entity type: group
authority: get browse put inq dsp
which comes from the dmpmqaut command in the script. It turns this into a normal setmqaut statement:
setmqaut -m TEST -n '**' -t queue -g testuser +browse +get +inq +put +dsp
One issue with the code is that it reproduces the authorisation list produced by dmpmqaut. That means that if a profile grants +allmqi, then +allmqi appears in the output. This is different to amqoamd -s, which changes +allmqi to the correct list of permissions for the current version of MQ. As T.Rob has said in the past in his MQ security presentations, +allmqi is a bad idea because it might not mean the same thing after an upgrade that it does now. You could end up granting more permission than expected.
However, if any of you are looking for something simple and cheap to back up your queue manager authorisations, here's an option. You can call it anything you like. My version is called 'dumpauth'.
=====
#!/bin/bash
# dump auth recs into setmqaut format
# Takes 1 parameter (the queue manager)
# The queue manager must be running
# Will automatically exclude all profiles for the
# 'mqm' group
# Copyright: Neil Casey, Syntegrity Solutions, 2014.
# Permission is granted to use and/or modify this source without restriction.
# No warranties or assurances of any kind are made with respect
# to this script.
function printusage()
{
echo "usage: $0 QMGR"
}
if [ ! $# -eq 1 ] ; then
echo "Invalid invocation"
printusage
exit 1
fi
if [ "$1" = "-?" -o "$1" = "--help" ] ; then
printusage
exit
fi
qmgr="$1"
# dmpmqaut prints one record per profile/entity pair, with records separated
# by "- - - - - - - -" lines. awk rebuilds each record as a setmqaut command
# when it sees the next separator (and at END for the last record). The
# entity != "" guard skips the empty state before the first record.
dmpmqaut -m "$qmgr" 2>&1 | awk -F ":" "\
BEGIN {OFS=\" \";qt=\"'\"};
/^profile:/ {profile=\$2;gsub(/ /,\"\",profile)};
/^object type:/ {type=\$2; \
gsub(/ /,\"\",type); \
if (type == \"qmgr\") {profile=\"\"} else {profile=\"-n \" qt profile qt } };
/^entity:/ {entity=\$2;gsub(/ /,\"\",entity)};
/^entity type:/ {etype=\$2; \
gsub(/ /,\"\",etype); \
if (etype == \"group\") {entityobj=\"-g \" entity} else {entityobj=\"-p \" entity} };
/^authority:/ {authlist=\$2;
authcount=split(authlist,autharray,/ +/);
authval=\"\"
for (i=2;i<=authcount;i++) {
authval=authval \" +\" autharray[i];}
};
/^- - - - - - - -$/ \
{if ( entity != \"\" && entity != \"mqm\" ) {print \"setmqaut -m $qmgr\",profile,\"-t\",type,entityobj,authval}};
END {if ( entity != \"\" && entity != \"mqm\" ) {print \"setmqaut -m $qmgr\",profile,\"-t\",type,entityobj,authval}};
"
=====
Save it, make the file executable, and run it with:
./dumpauth QMGRNAME
BTW, watch out for smart quotes that a unix shell won't understand. I think I avoided them, but it's hard to be certain.
Neil
--
Neil Casey
Senior Consultant | Syntegrity Solutions
+61 414 615 334 neil.casey-VLLIzlmz+***@public.gmane.org
Syntegrity Solutions Pty Ltd | Level 23 | 40 City Road | Southgate | VIC 3006
Analyse >> Integrate >> Secure >> Educate
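The +allmqi caveat above, as an added check that is not part of Neil's script: this POSIX sh/awk function reads records in the dmpmqaut layout shown earlier (a constructed sample is embedded, not output from a real queue manager) and lists each record whose authority list carries a composite authority (all, allmqi or alladm), so those entries can be reviewed before the generated setmqaut commands are replayed on a different MQ level.

```shell
#!/bin/sh
# Constructed sample in the dmpmqaut record layout; not output from a real queue manager.
SAMPLE_AUTHRECS='- - - - - - - -
profile: **
object type: queue
entity: testuser
entity type: group
authority: get browse put inq dsp
- - - - - - - -
profile: APP.IN
object type: queue
entity: appgrp
entity type: group
authority: allmqi
- - - - - - - -
profile: self
object type: qmgr
entity: mqm
entity type: group
authority: all'

# Reads dmpmqaut-style records on stdin and prints one line per record whose
# authority list contains a composite authority (all, allmqi or alladm):
#   <object type> <profile> <entity type> <entity> <composite authority>
# Records that list only explicit authorities (like the first sample record) print nothing.
find_composite_auths() {
    awk -F ":" '
        function trim(s) { gsub(/^ +| +$/, "", s); return s }
        /^profile:/     { profile = trim($2) }
        /^object type:/ { type    = trim($2) }
        /^entity:/      { entity  = trim($2) }
        /^entity type:/ { etype   = trim($2) }
        /^authority:/   {
            n = split(trim($2), auth, / +/)
            for (i = 1; i <= n; i++)
                if (auth[i] == "all" || auth[i] == "allmqi" || auth[i] == "alladm")
                    print type, profile, etype, entity, auth[i]
        }'
}

# Example run over the constructed sample; in practice pipe "dmpmqaut -m QMGR" into it.
printf '%s\n' "$SAMPLE_AUTHRECS" | find_composite_auths
```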
Post by Ralph Bateman
As promised the APAR that you need to watch for is IT00612.
My intention is that we will deliver the "2 line" output and that AUTHRECs
support that is missing on MQ 7.5
I will update further once it is available. I'm also very interested if
there is anyone that wants to give it a "test drive" before we make it
available in a fixpack.
Any takers?
in the message body (not the subject), write: SIGNOFF MQSERIES
Instructions for managing your mailing list subscription are provided in
the Listserv General Users Guide available at http://www.lsoft.com
Archive: http://listserv.meduniwien.ac.at/archives/mqser-l.html