Discussion:
Change from V701 to V75: security
Oddo, Fred
2013-07-23 15:24:33 UTC
Riding on the coat tail of "Change from V701 to V75 regarding queues"...
Is anyone aware of invalidated OAM security after migrating to v75?

A few people have complained of losing access and the common denominator was the upgrade.
On the other hand, I'm sure we've all experienced users calling saying something once worked
and now doesn't work, only to find out it never worked. Anyway, I just wanted to verify...

Fred Oddo
DTCC Controlled Non-Confidential (Green)

_____________________________________________________________
DTCC DISCLAIMER: This email and any files transmitted with it are
confidential and intended solely for the use of the individual or
entity to whom they are addressed. If you have received this email
in error, please notify us immediately and delete the email and any
attachments from your system. The recipient should check this email
and any attachments for the presence of viruses. The company
accepts no liability for any damage caused by any virus transmitted
by this email.

To unsubscribe, write to LISTSERV-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org and,
in the message body (not the subject), write: SIGNOFF MQSERIES
Schanz, Arthur
2013-07-23 15:37:18 UTC
Any chance that is related to the CHLAUTH records introduced @ V7.1?


Arthur Schanz
Distributed Computing Spec
Messaging and File Transfer
701 East Byrd Street
Richmond, VA 23219

Email: Arthur.Schanz-***@public.gmane.org
        




Instructions for managing your mailing list subscription are provided in
the Listserv General Users Guide available at http://www.lsoft.com
Archive: http://listserv.meduniwien.ac.at/archives/mqser-l.html

T.Rob
2013-07-23 15:37:12 UTC
Hi Fred,

If an existing QMgr is upgraded this should not happen. However, if the
QMgr is deleted and recreated, or the apps/users moved from a 7.0.1 to a 7.5
QMgr, the new QMgr will have CHLAUTH enabled by default. This means that a
newly minted QMgr with a running listener will allow no remote access. It
will be necessary to explicitly provision access for admins and access for
non-admin apps and users, and the requirements for each differ.

There are some presentations posted at http://t-rob.net/links from IMPACT.
This became effective in v7.1 so anything at that level or later would
apply. I think I've even synced one with Morag's voice from the conference
and stuck on YouTube.

For anyone who wants to learn more about CHLAUTH, it's a good excuse to
register for MQTC. I like to think of MQTC as the community rallying around
the T&M conference to revive it from the dead. Except it isn't at all like
Frankenstein or a zombie. Well, my presentations might possibly resemble
Frankenstein or zombies, depending on how much sleep I get the night before.

-- T.Rob
Oddo, Fred
2013-07-23 15:41:17 UTC
No it was just an upgrade...
Always great to hear from you.

Thanks..

Oddo, Fred
2013-07-23 15:43:48 UTC
No, we did not implement chlauth in this particular queue manager.
But now you have me curious. What have you experienced relative to CHLAUTH?

Michael Dag
2013-07-23 15:35:03 UTC
Can you shed some more light on people complaining of losing access?

Were these people accessing your MQ through MQ Explorer (client or binding
mode) or other applications (client or binding mode)?
Security changes were introduced in V710, but only activated automatically
when recreating Queue Managers; migrated Queue Managers should not have been
affected.

Michael
www.mqsystems.com

Tim Zielke
2013-07-23 16:29:43 UTC
One security change we ran across going from v701 to v71 is that one of our Java applications that was using XA functionality needed an extra dsp grant for accessing the queue manager. In 701, that dsp grant was not needed. The response we got back from the IBM support was that v71 is more restrictive and to apply the dsp grant, which resolved the issue.

Thanks,
Tim

Oddo, Fred
2013-07-23 17:29:24 UTC
Yes. Thank you. T. Rob said the same thing.

In one case, one person stated they had put access to a queue and I had to reinstate it.
Another person started getting connection errors and I had to give the id connect auth
to the qmgr.

The connect issue was via windows explorer and I am reasonably sure they connected
before. The put access was from an application but I don't know if they were using a client
channel or just a straight application connect. Either way, it's a relatively new application
and I'm not sure if the put auth was really there before. It's just two issues now and I'm
trying to make sure it's just smoke and not a fire.

Oddo, Fred
2013-07-23 17:30:28 UTC
Thanks Tim... no this was pretty vanilla stuff... connect & put...

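The open question in this thread, whether connect and put authority was lost in the upgrade or was never there, can be settled by comparing OAM authority dumps saved before and after the migration. The script below is an added example, not code from any poster or from IBM; it assumes `dmpmqaut`-style stanzas (profile / object type / entity / entity type / authority), and the sample dumps, the user, group and queue names, and the queue manager name QM1 are all constructed.

```python
import re

# Constructed sample dumps (not real output), in the stanza layout assumed
# for `dmpmqaut -m <QMGR>` saved before and after the migration.
BEFORE = """\
profile:     self
object type: qmgr
entity:      appuser
entity type: principal
authority:   connect inq
- - - - - - - -
profile:     APP.REQUEST.QUEUE
object type: queue
entity:      appgrp
entity type: group
authority:   get browse put inq
"""
AFTER = """\
profile:     self
object type: qmgr
entity:      appuser
entity type: principal
authority:   inq
- - - - - - - -
profile:     APP.REQUEST.QUEUE
object type: queue
entity:      appgrp
entity type: group
authority:   get browse inq
"""
FIELD = re.compile(r"^\s*(profile|object type|entity type|entity|type|authority):\s*(.*)$", re.I)

def parse_dump(text):
    """Return {(object type, profile, entity, entity type): {authorities}}."""
    stanzas = []
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue                      # separator or banner line
        name, value = m.group(1).lower(), m.group(2).strip()
        if name == "profile":
            stanzas.append({})            # a profile line opens a new stanza
        if stanzas:
            stanzas[-1]["type" if name == "entity type" else name] = value
    grants = {}
    for s in stanzas:
        key = tuple(s.get(f, "") for f in ("object type", "profile", "entity", "type"))
        auths = {a.lower() for a in re.split(r"[,\s]+", s.get("authority", "")) if a}
        grants.setdefault(key, set()).update(auths)
    return grants

def lost_authorities(before, after):
    """Authorities present in the 'before' dump but absent afterwards."""
    lost = {k: sorted(a - after.get(k, set())) for k, a in before.items()}
    return {k: v for k, v in lost.items() if v}

def reinstate_commands(lost, qmgr):
    """Candidate setmqaut commands for an administrator to review."""
    cmds = []
    for (otype, profile, entity, etype), auths in lost.items():
        name = "" if otype == "qmgr" else f"-n {profile} "
        who = "-g" if etype == "group" else "-p"
        plus = " ".join("+" + a for a in auths)
        cmds.append(f"setmqaut -m {qmgr} {name}-t {otype} {who} {entity} {plus}")
    return cmds

if __name__ == "__main__":
    lost = lost_authorities(parse_dump(BEFORE), parse_dump(AFTER))
    print("\n".join(reinstate_commands(lost, "QM1")) or "no authority lost")
```

An empty result for a user who reports lost access points to the "it never worked" explanation rather than to the upgrade.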