Discussion:
dmpmqcfg missing AUTHREC?
Ralph Bateman
2014-03-26 23:29:51 UTC
As promised the APAR that you need to watch for is IT00612.

My intention is that we will deliver the "2 line" output and that AUTHRECs
support that is missing on MQ 7.5

I will update further once it is available. I'm also very interested if
there is anyone that wants to give it a "test drive" before we make it
available in a fixpack.

Any takers?

To unsubscribe, write to LISTSERV-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org and,
in the message body (not the subject), write: SIGNOFF MQSERIES
Neil Casey
2014-03-26 23:33:35 UTC
Hi Ralph,

I’d be happy to volunteer for that.

Regards,

Neil
--
Neil Casey
Senior Consultant | Syntegrity Solutions

+61 414 615 334 neil.casey-VLLIzlmz+***@public.gmane.org
Syntegrity Solutions Pty Ltd | Level 23 | 40 City Road | Southgate | VIC 3006
Analyse >> Integrate >> Secure >> Educate
Instructions for managing your mailing list subscription are provided in
the Listserv General Users Guide available at http://www.lsoft.com
Archive: http://listserv.meduniwien.ac.at/archives/mqser-l.html
Neil Casey
2014-03-27 04:07:28 UTC
Thanks Ralph,

it’s great that the issue has now been recognised and is under investigation.

In the meantime, while testing out the issues with amqoamd and dmpmqcfg that T.Rob described, I found that both the runmqsc command DIS AUTHREC and the command line utility dmpmqaut seem to correctly dump all of the authorisation state. They just don’t format the output as setmqaut commands.

With that in mind, I wrote a script. It’s in bash and uses awk, and was tested under Linux, but should run on any *nix platform (including cygwin for those stuck with Windows hosted queue managers). For specific non-GNU platforms, you may have to alter the invocation of awk to nawk or gawk to get the correct results. It should also be straightforward to use sh instead of bash if you don’t have a bash shell available.

The script is pretty basic in that it just does a bit of reformatting of the default output from dmpmqaut in order to produce setmqaut statements. All the work is really done by awk. The awk script is embedded in the bash script.

I did some testing to ensure that the commands it produces are valid, and that they seem to correctly recreate the permissions defined to the queue manager. There is of course no warranty of correctness associated with the code.

The embedded awk script expects to receive something like:
- - - - - - - -
profile: **
object type: queue
entity: testuser
entity type: group
authority: get browse put inq dsp

which comes from the dmpmqaut command in the script. It turns this into a normal setmqaut statement:
setmqaut -m TEST -n '**' -t queue -g testuser +browse +get +inq +put +dsp

One issue with the code is that it reproduces the authorisation list produced by dmpmqaut. That means that if a profile grants +allmqi, then +allmqi appears in the output. This is different to amqoamd -s, which changes +allmqi to the correct list of permissions for the current version of MQ. As T.Rob has said in the past in his MQ security presentations, +allmqi is a bad idea because it might not mean the same thing after an upgrade that it does now. You could end up granting more permission than expected.

However, if any of you are looking for something simple and cheap to back up your queue manager authorisations, here’s an option. You can call it anything you like. My version is called 'dumpauth'.

=====
#!/bin/bash
# dump auth recs into setmqaut format

# Takes 1 parameter (the queue manager)
# The queue manager must be running

# Will automatically exclude all profiles for the
# 'mqm' group

# Copyright: Neil Casey, Syntegrity Solutions, 2014.
# Permission is granted to use and/or modify this source without restriction.
# No warranties or assurances of any kind are made with respect
# to this script.

function printusage()
{
    echo "usage: $0 QMGR"
}

if [ ! $# -eq 1 ] ; then
    echo "Invalid invocation"
    printusage
    exit 1
fi

if [ "$1" = "-?" -o "$1" = "--help" ] ; then
    printusage
    exit
fi

qmgr=$1

# Dump the authority records of the queue manager named on the command line
# (previously hardcoded) and let awk rebuild one setmqaut command per record.
# The awk program is double-quoted so that the shell substitutes $qmgr;
# awk's own $ and " characters are therefore backslash-escaped.
# A record is printed at each separator line and once more at END; the
# entity != "" test skips the empty record seen at a leading separator or
# when dmpmqaut prints only an error message.
dmpmqaut -m "$qmgr" 2>&1 | awk -F ":" "\
BEGIN {OFS=\" \";qt=\"'\"};
/^profile:/ {profile=\$2;gsub(/ /,\"\",profile)};
/^object type:/ {type=\$2; \
    gsub(/ /,\"\",type); \
    if (type == \"qmgr\") {profile=\"\"} else {profile=\"-n \" qt profile qt } };
/^entity:/ {entity=\$2;gsub(/ /,\"\",entity)};
/^entity type:/ {etype=\$2; \
    gsub(/ /,\"\",etype); \
    if (etype == \"group\") {entityobj=\"-g \" entity} else {entityobj=\"-p \" entity} };
/^authority:/ {authlist=\$2;
    authcount=split(authlist,autharray,/ +/);
    authval=\"\"
    for (i=2;i<=authcount;i++) {
        authval=authval \" +\" autharray[i];}
    };
/^- - - - - - - -$/ \
    {if ( entity != \"\" && entity != \"mqm\" ) {print \"setmqaut -m $qmgr\",profile,\"-t\",type,entityobj,authval}};
END {if ( entity != \"\" && entity != \"mqm\" ) {print \"setmqaut -m $qmgr\",profile,\"-t\",type,entityobj,authval}};
"
=====

Save it, make the file executable, and run it with:
./dumpauth QMGRNAME

BTW, watch out for “smart quotes” that a unix shell won’t understand. I think I avoided them, but it’s hard to be certain.




Neil
--
Neil Casey
Senior Consultant | Syntegrity Solutions

+61 414 615 334 neil.casey-VLLIzlmz+***@public.gmane.org
Syntegrity Solutions Pty Ltd | Level 23 | 40 City Road | Southgate | VIC 3006
Analyse >> Integrate >> Secure >> Educate
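
Added example, not part of Neil's post or of any IBM tooling: a round-trip check for a backup made this way, which normalises two dmpmqaut dumps (one taken before the restore, one after replaying the setmqaut commands), reports every grant that differs, and lists records that carry an aggregate authority such as the allmqi the post cautions about. The function names, the one-line record format and the sample data are assumptions made for this example.

```shell
# Added example, not from the original post. Assumes the dmpmqaut stanza layout
# quoted in the post, with records separated by "- - - - - - - -".
# normalise_dump: one line per record, type|profile|entity type|entity|sorted,auths
normalise_dump() {
    awk '
    function val(   s) { s = substr($0, index($0, ":") + 1); gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    function flush(   n, a, i, j, t, out) {
        if (entity == "") return          # leading separator or error text
        n = split(auth, a, /[ \t]+/)
        for (i = 2; i <= n; i++)          # insertion sort, portable awk
            for (j = i; j > 1 && a[j-1] > a[j]; j--) { t = a[j]; a[j] = a[j-1]; a[j-1] = t }
        for (i = 1; i <= n; i++) out = (i > 1 ? out "," : "") a[i]
        print type "|" profile "|" etype "|" entity "|" out
        profile = type = entity = etype = auth = ""
    }
    /^profile:/         { profile = val() }
    /^object type:/     { type = val() }
    /^entity:/          { entity = val() }
    /^entity type:/     { etype = val() }
    /^authority:/       { auth = val() }
    /^- - - - - - - -$/ { flush() }
    END                 { flush() }' | LC_ALL=C sort
}

# "- rec": grant only in dump $1; "+ rec": only in dump $2; no output: identical.
compare_dumps() {
    { normalise_dump < "$1" | sed 's/^/B /'
      normalise_dump < "$2" | sed 's/^/A /'; } |
    awk '{ r = substr($0, 3); if ($1 == "B") b[r] = 1; else a[r] = 1 }
         END { for (r in b) if (!(r in a)) print "- " r
               for (r in a) if (!(r in b)) print "+ " r }' | LC_ALL=C sort
}

# Records (raw dump on stdin) granting an aggregate authority: allmqi, as in
# the post, or the other setmqaut aggregates all and alladm.
flag_aggregates() {
    normalise_dump | awk -F '|' '{ n = split($5, a, ",")
        for (i = 1; i <= n; i++) if (a[i] ~ /^(all|alladm|allmqi)$/) { print; next } }'
}

# Constructed sample dumps, not real queue manager output.
sample_before() {
    printf '%s\n' '- - - - - - - -' 'profile: **' 'object type: queue' \
        'entity: testuser' 'entity type: group' 'authority: get browse put inq dsp' \
        '- - - - - - - -' 'profile: APP.**' 'object type: queue' \
        'entity: appgrp' 'entity type: group' 'authority: allmqi'
}
sample_after() { sample_before | sed 's/get browse put inq dsp/put inq browse get/'; }
tmp=$(mktemp -d); sample_before > "$tmp/b"; sample_after > "$tmp/a"
compare_dumps "$tmp/b" "$tmp/a"; flag_aggregates < "$tmp/b"; rm -rf "$tmp"
```

Because authorities are sorted inside each record, a dump that lists the same permissions in a different order compares as identical; only a real change in the grant set is reported.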
Glenn Baddeley
2014-03-27 22:17:47 UTC
Hi Neil,

It's great to see there are still some awk programmers out there. It's my "go to"
language for the harder string and file processing stuff in UNIX shell scripting.

Cheers,
Glenn Baddeley
Senior Integration Software Engineer
Coles Supermarkets Australia Pty Ltd

T.Rob
2014-03-27 23:51:58 UTC

Of course, you can count me in Ralph. I will give it a thorough workout.


Kind regards,
-- T.Rob

T.Robert Wyatt, Managing partner
IoPT Consulting, LLC
+1 704-443-TROB
https://ioptconsulting.com
https://twitter.com/tdotrob
