Pere Guerrero Olmedo
2013-09-03 12:40:25 UTC
Hi,
Maybe this question has been posted before, because there's a lot of literature in the list regarding mcauser, but I didn't find it yet... :(
On my z/OS MQ we have TopSecret instead of RACF and I'm trying to limit the potential access to several queues for external qmgrs.
With SSL I don't have problems: I assign the certificate to a user with access to the queues I select. But when I'm not using SSL, I'm having problems.
I've tried to assign the MCAUSER of the receiver channel to a user with no permissions, but when I send a message from an external (non-z/OS) qmgr it always arrives at the destination queue.
I've tried all the options of the receiver (DEF, CTX, ONLYMCA and ALTMCA), with no success.
RACF(r) access level    Level of checking
NONE                    Check two user IDs.
READ                    Check one user ID.
UPDATE                  Check one user ID.
CONTROL                 No check.
ALTER                   No check.
But I would like to know what the equivalent is in CA TopSecret.
Where do I have to define this access level? In the Acid that starts the Chinit?
It seems the Chinit Acid is always used, so it always has full permission to access the queues. With the security team, we've tried to add a permit to the Chinit Acid for MQADMIN with the option NONE, but it still doesn't work.
List Open Queues - Q0P2 Row 1 of 4
Queue name Disposition Access
Application ASID Application information User ID State
External URID UR type MQ URID
<> PERE ALL Q0P2
PERE QMGR Q0P2 O - - -
Q0P2CHIN CHINIT 00D0 PROVAPEREB MQM NONE
10.121.158.119
D8F0D7F2C3C8C9D5 QMGR
******** End of list ********
I'm pretty sure that in RACF scenarios the MCAUSER of the Receiver channel can be forced to be used, but it seems I'm not defining something well with TSecret.
Any suggestion?
Thanks in advance
Regards
Pere
________________________________
CONFIDENTIALITY WARNING.
This message and the information contained in or attached to it are private and confidential and intended exclusively for the addressee. everis informs to whom it may receive it in error that it contains privileged information and its use, copy, reproduction or distribution is prohibited. If you are not an intended recipient of this E-mail, please notify the sender, delete it and do not read, act upon, print, disclose, copy, retain or redistribute any portion of this E-mail.
To unsubscribe, write to LISTSERV-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org and,
in the message body (not the subject), write: SIGNOFF MQSERIES
Instructions for managing your mailing list subscription are provided in
the Listserv General Users Guide available at http://www.lsoft.com
Archive: http://listserv.meduniwien.ac.at/archives/mqser-l.html