Discussion:
Request For Enhancement - WMB to record the UserID that initiated the Administrative change
Potkay, Peter M (CTO Architecture + Engineering)
2013-07-08 13:44:37 UTC
Please vote for my Request For Enhancement (RFE) if you think it would be a good idea for the WMB Broker to record in its log the User ID that initiated an Administrative change.
http://www.ibm.com/developerworks/rfe/execute?use_case=viewRfe&CR_ID=36857



We have our WMB 8 Broker set up with a secure SVRCONN channel for Toolkit or MB Explorer users. The channel is protected by a security exit (Capitalware's MQAUSX) to authenticate users so that only intended users can connect over this channel. The exit blocks privileged user IDs such as 'mqm' or the service account used to run the Broker. The MCAUSER is blank - we did not want all users to be seen by the Broker as a common shared ID.

This works well. Individual users, based on their membership in an appropriate group on the WMB server, have access to do what I intend and nothing else. However, the WMB Broker is not recording the User ID of the person that made the change. Below is a snippet from my Broker's log that shows me asking via the Toolkit to stop a message flow. Great details - except who did it!

Jul 3 10:32:21 MyServername WebSphere Broker v8002[26111]: (MyBroker.default)[4]BIP2155I: About to 'stop ' the deployed resource 'MyMessageFlow' of type '.CMF'. : MyBroker.b05c3b80-3d01-0000-0080-931702b70ed9: /build/slot1/S800_P/src/DataFlowEngine/ImbDeployedResourceGroup.cpp: 2651: ImbDeployedResourceGroup::stopDataFlowResource: :

Jul 3 10:32:24 MyServername WebSphere Broker v8002[26111]: (MyBroker.default)[4]BIP2271I: Deployed resource 'MyMessageFlow' (uuid='6da07f83-3d01-0000-0080-f73865dde3c9',type='.CMF') successfully stopped. : MyBroker.b05c3b80-3d01-0000-0080-931702b70ed9: /build/slot1/S800_P/src/DataFlowEngine/ImbDeployedResourceGroup.cpp: 2665: ImbDeployedResourceGroup::stopDataFlowResource: :


I opened a PMR to ask if I was missing some basic configuration step. I was a bit surprised this info was not in the log. But IBM confirmed this functionality is presently not in the Broker and to open an RFE. I think the Broker has access to this information - it would be the user ID in the MQMD of the MQ message produced by the Toolkit or MB Explorer. I understand that this ID is going to be the effective ID that the channel is running under - it could be a hard-coded MCAUSER value, it could be a value set by a Security Exit or by a CHLAUTH rule. Or it could be the actual end user ID. Regardless of what ID it is, I think it would be beneficial to record this ID in the WMB log entry for that administrative change. This would be very helpful for problem resolution scenarios.


Peter Potkay
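
The following Python is an added example, not part of the original post or of any IBM tooling. It parses the two syslog lines quoted above into one administrative-change record, assuming the line layout seen in those two samples; the function and field names are hypothetical, and the `user` field stays empty because neither line carries a user ID.

```python
import re

# Constructed sample: the two syslog lines quoted in the post above.
SAMPLE = [
    "Jul 3 10:32:21 MyServername WebSphere Broker v8002[26111]: (MyBroker.default)[4]BIP2155I: About to 'stop ' the deployed resource 'MyMessageFlow' of type '.CMF'. : MyBroker.b05c3b80-3d01-0000-0080-931702b70ed9: /build/slot1/S800_P/src/DataFlowEngine/ImbDeployedResourceGroup.cpp: 2651: ImbDeployedResourceGroup::stopDataFlowResource: :",
    "Jul 3 10:32:24 MyServername WebSphere Broker v8002[26111]: (MyBroker.default)[4]BIP2271I: Deployed resource 'MyMessageFlow' (uuid='6da07f83-3d01-0000-0080-f73865dde3c9',type='.CMF') successfully stopped. : MyBroker.b05c3b80-3d01-0000-0080-931702b70ed9: /build/slot1/S800_P/src/DataFlowEngine/ImbDeployedResourceGroup.cpp: 2665: ImbDeployedResourceGroup::stopDataFlowResource: :",
]

# Layout assumed from the samples: timestamp, host, "(broker.group)[n]BIPnnnnX: text : ..."
HEADER = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\s.*?"
    r"\((?P<broker>[^.)]+)\.(?P<group>[^)]+)\)\[\d+\]"
    r"(?P<msgid>BIP\d+[A-Z]):\s(?P<text>.*?)\s:\s")
REQUEST = re.compile(r"About to '(?P<action>[^']*)' the deployed resource "
                     r"'(?P<resource>[^']*)' of type '(?P<type>[^']*)'")
DONE = re.compile(r"Deployed resource '(?P<resource>[^']*)' "
                  r"\(uuid='(?P<uuid>[^']*)',type='(?P<type>[^']*)'\) successfully")

def admin_changes(lines):
    """Pair each BIP2155I request line with its BIP2271I completion line."""
    pending, changes = {}, []
    for line in lines:
        head = HEADER.match(line)
        if not head:
            continue
        scope = (head["broker"], head["group"])
        if head["msgid"] == "BIP2155I" and (m := REQUEST.search(head["text"])):
            pending[scope + (m["resource"],)] = {
                "host": head["host"], "broker": head["broker"],
                "group": head["group"], "action": m["action"].strip(),
                "resource": m["resource"], "type": m["type"],
                "requested": head["ts"], "completed": None, "uuid": None,
                "user": None,  # neither log line has a field carrying a user ID
            }
        elif head["msgid"] == "BIP2271I" and (m := DONE.search(head["text"])):
            record = pending.pop(scope + (m["resource"],), None)
            if record:
                record.update(completed=head["ts"], uuid=m["uuid"])
                changes.append(record)
    changes.extend(pending.values())  # requests with no completion line seen
    return changes

if __name__ == "__main__":
    for change in admin_changes(SAMPLE):
        print(change)
```
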




Archive: http://listserv.meduniwien.ac.at/archives/mqser-l.html
