Discussion:
QSG security
Gordon, Rob
2014-09-09 22:44:18 UTC
Running WMQ 7.0.1 on z/OS 1.13 with CA-Top Secret. I'm having problems getting QSG security to work. We have no security profile switches set and I interpret this as enabling both QMGR and QSG-level security since none of the "NO" profiles are found.

We have a QSG called QGB0 which contains a QMGR named TAB0. A TSS rule was created to grant UPDATE access to QGB0.some.queue.name but when the programmer tests it, she incurs an MQRC 2035 (not authorized) error and the TSS violation report shows the queue name as TAB0.some.queue.name, and there is no rule that grants access to TAB0.some.queue.name. She's running a batch job that connects directly to the QMGR to do this.

I've opened a service request with IBM and they're puzzled also. Can anyone offer something I need to do to get QSG security working? When I display the security switches with CSQOREXX everything looks good to me; it looks like QSG security is in place (3rd line down).

SUBSYSTEM: ON, 'QGB0.NO.SUBSYS.SECURITY' not found
QMGR: ON, 'QGB0.NO.QMGR.CHECKS' not found
QSG: ON, 'QGB0.NO.QSG.CHECKS' not found
CONNECTION: ON, 'QGB0.NO.CONNECT.CHECKS' not found
COMMAND: ON, 'QGB0.NO.CMD.CHECKS' not found
CONTEXT: ON, 'QGB0.NO.CONTEXT.CHECKS' not found
ALTERNATE USER: ON, 'QGB0.NO.ALTERNATE.USER.CHECKS' not found
PROCESS: ON, 'QGB0.NO.PROCESS.CHECKS' not found
NAMELIST: ON, 'QGB0.NO.NLIST.CHECKS' not found
QUEUE: ON, 'QGB0.NO.QUEUE.CHECKS' not found
TOPIC: ON, 'QGB0.NO.TOPIC.CHECKS' not found
COMMAND RESOURCES: ON, 'QGB0.NO.CMD.RESC.CHECKS' not found

It must be something stupid but I'll be darned if I can see it.

Rob




Use of email is inherently insecure. Confidential information,
including account information, and personally identifiable
information, should not be transmitted via email, or email
attachment. The information in this email may contain confidential
and/or privileged information and is intended only for the use of
the individual/entity named above. Any disclosure, copying,
distribution or use of this information is strictly prohibited. If
you have received this communication in error, please notify the
sender immediately and destroy any record of this email.

RBS Citizens, N.A. is an affiliate of RBS Citizens Financial Group,
Inc.

To unsubscribe, write to LISTSERV-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org and,
in the message body (not the subject), write: SIGNOFF MQSERIES
Instructions for managing your mailing list subscription are provided in
the Listserv General Users Guide available at http://www.lsoft.com
Archive: http://listserv.meduniwien.ac.at/archives/mqser-l.html
Ard van der Leeuw
2014-09-10 05:27:01 UTC
Well, one would start with the silliest suggestions... is the queue manager
actually part of the QSG? Could there be a reason you think it is, but it
actually failed to join?

Ard

Dinesh Thakur
2014-09-11 01:47:42 UTC
Hi Rob,

Could you ask the developer to use the QSG name instead of the QMGR name while connecting to MQ and see if it changes the behavior?

Regards,
Dinesh

Bruce Lerner
2014-09-11 16:50:26 UTC
Generally, you should implement QSG security rules OR qmgr security rules, but not both.

For testing purposes, turn ON bypass for ONE of these, and observe the results. If no change, turn ON the other, and observe the results.

Bob Juch
2014-09-11 17:27:37 UTC
Perhaps Top Secret does things differently from RACF, but actually the way
it's working is the way I'd expect it to work.

If it doesn't happen when the connect is to the QSG name that's your answer.
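An added example, not part of any post in this thread: a Python model of the bypass test Bruce Lerner describes, run over switch lines in the format Rob posted. It assumes the lookup order IBM documents for MQ on z/OS when both levels are active (queue-manager-prefixed profile first, then QSG-prefixed); the function names and the "OFF ... found" line are constructed for illustration, and how the ESM treats a missing profile is outside the model.

```python
import re

# Four of the switch lines from the posted CSQOREXX display (QSG QGB0).
POSTED = """\
SUBSYSTEM: ON, 'QGB0.NO.SUBSYS.SECURITY' not found
QMGR: ON, 'QGB0.NO.QMGR.CHECKS' not found
QSG: ON, 'QGB0.NO.QSG.CHECKS' not found
QUEUE: ON, 'QGB0.NO.QUEUE.CHECKS' not found
"""

LINE = re.compile(r"^\s*([A-Z ]+?):\s*(ON|OFF),\s*'([^']+)'\s*(.*)$")

def parse_switches(text):
    """Map switch name -> (is_on, switch_profile, remark) for each display line."""
    switches = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            name, state, profile, remark = m.groups()
            switches[name] = (state == "ON", profile, remark.strip())
    return switches

def with_bypass(text, switch):
    """Constructed: the display as it would read once the NO.* profile exists."""
    return re.sub(rf"^{switch}: ON,(.*) not found$",
                  rf"{switch}: OFF,\1 found", text, flags=re.M)

def candidate_queue_profiles(switches, qmgr, qsg, queue):
    """Queue profiles that may be checked, in order (assumed IBM-documented order)."""
    def on(name):
        return switches.get(name, (False,))[0]
    if not (on("SUBSYSTEM") and on("QUEUE")):
        return []                      # queue checks are not performed at all
    out = []
    if on("QMGR"):
        out.append(f"{qmgr}.{queue}")  # queue-manager level is looked up first
    if on("QSG"):
        out.append(f"{qsg}.{queue}")   # QSG level is the fallback
    return out

if __name__ == "__main__":
    for label, text in [("as posted", POSTED),
                        ("QMGR checks bypassed", with_bypass(POSTED, "QMGR")),
                        ("QSG checks bypassed", with_bypass(POSTED, "QSG"))]:
        print(label, candidate_queue_profiles(
            parse_switches(text), "TAB0", "QGB0", "some.queue.name"))
```

With the display as posted, the first name checked is the TAB0-prefixed one, which matches the resource name in the TSS violation report.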
