Discussion:
MCAUSER & Top Secret question: SOLVED! (partially but...)
Pere Guerrero Olmedo
2013-09-13 08:17:46 UTC
Hi,
To respond to those who were interested in this post, the problem was the following:

Big MQ installation with security implemented a long time ago, no changes made for years, and then trying to find which profile was giving me the headache.
Finally the problem was:

The CHINIT user (ACID in Top Secret terms) had a group defined (apart from more than 15 others) which had the MQADMIN class defined with qmgr.RESLEVEL = ALL (ALTER in RACF terms).

That meant MQ never checked any security on CHINIT connections, no matter what you had in the MCAUSER field.

I assure you it is much easier to explain than to detect it... :)

Once solved, I have another problem (fortunately I have a bypass), which is how to change this class in all my QMGRs and how to refresh it.

The thing is, the REFRESH SECURITY(*) and RVERIFY commands don't work. I really suspect those changes made against the CHINIT user cannot be implemented dynamically, and can only be refreshed by restarting the started task. I've been looking for documentation that confirms this point, with no success.

Other changes like REFRESH SECURITY TYPE(SSL) work fine.


Can anybody confirm this for me?

Thanks
Regards.
Pere




From: MQSeries List [mailto:MQSERIES-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org] On behalf of gshubert-MaERPT+***@public.gmane.org
Sent: Thursday, 05 September 2013 22:20
To: MQSERIES-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org
Subject: Re: MCAUSER & Top Secret question

I know with ACF2 we had to allow Alternate UserID to keep from having the CHINIT userid used for other processes. Maybe the same with TopSecret?

Thank you,

Glen Shubert
Associate Director - Operations
T|SYS| - MQSeries Technical Support
email: gshubert-***@public.gmane.org



From: Pere Guerrero Olmedo <Pere.Guerrero.Olmedo-***@public.gmane.org>
To: MQSERIES-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org
Date: 09/04/2013 10:57 AM
Subject: Re: MCAUSER & Top Secret question
Sent by: MQSeries List <MQSERIES-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org>
________________________________



Again I didn't express what I wanted correctly, sorry...

What I see is that it seems the CHINIT user ID is always used instead of MCAUSER, so with SSL I can use the user assigned to the certificate instead of the CHINIT one; consequently, in this scenario I can control the access to the queue.

My problem is that something is omitted elsewhere (I suspect in some Top Secret definition) and MCAUSER is being ignored.

I'm checking technotes related to RESLEVEL problems, but to my frustration they are always related to RACF and not Top Secret.

Thanks
Regards
Pere

-----Original Message-----
From: MQSeries List [mailto:MQSERIES-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org] On behalf of Bruce Lerner
Sent: Wednesday, 04 September 2013 16:32
To: MQSERIES-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org
Subject: Re: MCAUSER & Top Secret question

"With SSL I can choose which user is used in the connection, ..."

No. SSL does not determine which MCAUSER is used at either end of the channel. SSL only ensures that channel ends have appropriate SSL certificates. Only MCAUSER affects the MCA's ability or inability to MQOPEN a queue.

To unsubscribe, write to LISTSERV-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org and, in the message body (not the subject), write: SIGNOFF MQSERIES. Instructions for managing your mailing list subscription are provided in the Listserv General Users Guide available at http://www.lsoft.com
Archive: http://listserv.meduniwien.ac.at/archives/mqser-l.html

________________________________

AVISO DE CONFIDENCIALIDAD.
Este correo y la información contenida o adjunta al mismo es privada y confidencial y va dirigida exclusivamente a su destinatario. everis informa a quien pueda haber recibido este correo por error que contiene información confidencial cuyo uso, copia, reproducción o distribución está expresamente prohibida. Si no es Vd. el destinatario del mismo y recibe este correo por error, le rogamos lo ponga en conocimiento del emisor y proceda a su eliminación sin copiarlo, imprimirlo o utilizarlo de ningún modo.

CONFIDENTIALITY WARNING.
This message and the information contained in or attached to it are private and confidential and intended exclusively for the addressee. everis informs to whom it may receive it in error that it contains privileged information and its use, copy, reproduction or distribution is prohibited. If you are not an intended recipient of this E-mail, please notify the sender, delete it and do not read, act upon, print, disclose, copy, retain or redistribute any portion of this E-mail.


----------------------------------------- The information contained in this communication (including any attachments hereto) is confidential and is intended solely for the personal and confidential use of the individual or entity to whom it is addressed. If the reader of this message is not the intended recipient or an agent responsible for delivering it to the intended recipient, you are hereby notified that you have received this communication in error and that any review, dissemination, copying, or unauthorized use of this information, or the taking of any action in reliance on the contents of this information is strictly prohibited. If you have received this communication in error, please notify us immediately by e-mail, and delete the original message. Thank you
________________________________
List Archive<http://listserv.meduniwien.ac.at/archives/mqser-l.html> - Manage Your List Settings<http://listserv.meduniwien.ac.at/cgi-bin/wa?SUBED1=mqser-l&A=1> - Unsubscribe<mailto:LISTSERV-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org?subject=Unsubscribe&BODY=signoff%20mqseries>

Instructions for managing your mailing list subscription are provided in the Listserv General Users Guide available at http://www.lsoft.com<http://www.lsoft.com/resources/manuals.asp>
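The situation Pere describes above (the CHINIT user ID picking up ALTER on qmgr.RESLEVEL through one group among many, which is hard to spot by eye) is what the following added Python audit illustrates. It is an example written for this page, not code from the thread or from IBM. The RLIST output, the profile name MQ1.RESLEVEL, the user ID MQ1CHIN and the group names are all constructed; the access-resolution rules are a simplified RACF model (an explicit user entry wins, otherwise the highest access among the user's groups with list-of-groups checking active, otherwise UACC) and do not reproduce Top Secret's ACID/permit evaluation, which is what the thread was actually on. The only consequence it asserts is the one the thread confirms: ALTER (Top Secret ALL) on qmgr.RESLEVEL for the CHINIT user ID means no security checks on channel connections, whatever MCAUSER says.

```python
from typing import Dict, List, Optional, Tuple

# RACF access levels, least to most privileged.
ACCESS_ORDER = ["NONE", "READ", "UPDATE", "CONTROL", "ALTER"]

# Constructed sample of what "RLIST MQADMIN MQ1.RESLEVEL AUTHUSER" prints;
# profile, user IDs and groups are made up for this example.
SAMPLE_RLIST = """\
CLASS      NAME
-----      ----
MQADMIN    MQ1.RESLEVEL

LEVEL  OWNER      UNIVERSAL ACCESS  YOUR ACCESS  WARNING
-----  --------   ----------------  -----------  -------
 00    MQADMIN          NONE             NONE    NO

USER      ACCESS   ACCESS COUNT
----      ------   ------ -----
MQADMIN   READ     000000
MQOPS     UPDATE   000000
LEGACYG   ALTER    000000
"""

# Constructed CHINIT started-task user ID and the groups LISTUSER would show for
# it. MQ1CHIN has no entry of its own above: the ALTER arrives through one group
# among several, which is the situation described in the thread.
CHINIT_USER = "MQ1CHIN"
CHINIT_GROUPS = ["MQADMIN", "SYSPROG", "MQOPS", "STCGRP", "LEGACYG"]


def parse_rlist(text: str) -> Tuple[Optional[str], Optional[str], Dict[str, str]]:
    """Return (profile, UACC, {user-or-group: access}) from RLIST AUTHUSER output."""
    profile: Optional[str] = None
    uacc: Optional[str] = None
    acl: Dict[str, str] = {}
    section = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("CLASS ") and "NAME" in stripped:
            section = "class"
        elif stripped.startswith("LEVEL ") and "UNIVERSAL ACCESS" in stripped:
            section = "level"
        elif stripped.startswith("USER ") and "ACCESS COUNT" in stripped:
            section = "acl"
        elif not stripped or stripped.startswith("-"):
            continue  # blank lines and dashed underlines
        else:
            parts = stripped.split()
            if section == "class" and profile is None and len(parts) >= 2:
                profile = parts[1]
            elif section == "level" and uacc is None and len(parts) >= 3:
                uacc = parts[2]  # columns: LEVEL OWNER UACC YOUR-ACCESS WARNING
            elif section == "acl" and len(parts) >= 2 and parts[1] in ACCESS_ORDER:
                acl[parts[0]] = parts[1]
    return profile, uacc, acl


def effective_access(user: str, groups: List[str], uacc: Optional[str],
                     acl: Dict[str, str]) -> Tuple[Optional[str], str]:
    """Resolve the access a user ends up with and name the entry granting it.

    Simplified RACF rules (an assumption; list-of-groups checking active): an
    explicit user entry wins even if it is NONE, otherwise the highest access
    among the user's groups, otherwise UACC. OPERATIONS and WARNING are ignored.
    """
    if user in acl:
        return acl[user], user
    best: Optional[str] = None
    via = "UACC"
    for group in groups:
        access = acl.get(group)
        if access and (best is None or ACCESS_ORDER.index(access) > ACCESS_ORDER.index(best)):
            best, via = access, group
    return (best, via) if best is not None else (uacc, via)


def chinit_reslevel_report(user: str, groups: List[str], rlist_text: str) -> dict:
    """Summarise the RESLEVEL exposure of a CHINIT user ID.

    ALTER (Top Secret ALL) on qmgr.RESLEVEL means no security checks on channel
    connections, so MCAUSER is irrelevant (the mapping confirmed in the thread).
    Lower levels mean checks happen; which user IDs are checked depends on the level.
    """
    profile, uacc, acl = parse_rlist(rlist_text)
    access, via = effective_access(user, groups, uacc, acl)
    return {
        "profile": profile,
        "access": access,
        "granted_by": via,
        "checks_bypassed": access == "ALTER",
        "alter_grantors": sorted(e for e, a in acl.items()
                                 if a == "ALTER" and (e == user or e in groups)),
    }


if __name__ == "__main__":
    for key, value in chinit_reslevel_report(CHINIT_USER, CHINIT_GROUPS, SAMPLE_RLIST).items():
        print(f"{key:16} {value}")
```

On a real system the inputs are the output of RLIST MQADMIN qmgr.RESLEVEL AUTHUSER and the GROUP= entries from LISTUSER for the CHINIT started-task user ID; on Top Secret the equivalent is the ACID's permits on the MQADMIN resource, which this model does not evaluate. Fixing the profile is only half the job: as the closing post of the thread records, the CHINIT has to be restarted before the changed RESLEVEL access takes effect, and REFRESH SECURITY does not pick it up.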

Pere Guerrero Olmedo
2013-09-13 13:15:20 UTC
Issue closed

http://www-01.ibm.com/support/docview.wss?rs=0&q1=mqadmin+refresh&uid=swg21249863&loc=en_US&cs=utf-8&cc=us&lang=en

The CHINIT must be restarted after a change in the MQADMIN class.

Regards.
Pere
