Discussion:
MQ Z/OS and ACF2 - Security error on TOPICs
Yeske, Judy
2013-01-25 13:18:49 UTC
Hello,

Is anyone out there in z/OS MQland running with ACF2 instead of RACF? We have an environment that is and I'm not at all familiar with it - I'm a RACF girl. I'm running into a Security error and need some assistance. Here's the error:

ACF04056 ACCESS TO RESOURCE MQTU.TOPIC.SYSTEM.BASE.TOPIC TYPE RMQA BY
MQTUCHIN NOT AUTHORIZED
+CSQX467E MQTU CSQXREPO Repository error for topic AM,
MQCC=2 MQRC=2035 (MQRC_NOT_AUTHORIZED)

I requested the Security folks here create rule MQTU.TOPIC.SYSTEM.BASE.TOPIC in the MXTOPIC class, giving the MQTUCHIN READ, WRITE and ALLOC authority. They came back stating they created MQT*.TOPIC.SYSTEM.BASE.TOPIC, using a wildcard in the MQ name, as that is their standard (we have 3 MQT* systems running). They completed this and I refreshed security on MQTU. However, I'm getting the same security error. With RACF, the error message is so much more descriptive - with ACF2, not so much.

What is TYPE RMQA? Did I put this rule in the correct security class?

Any help you can provide is greatly appreciated. This is causing our SYSTEM.CLUSTER.COMMAND.QUEUE to be get-inhibited.

Thanks,

Judy A. Yeske :)
MF Infrastructure - Transactional, Messaging, Database (TMD) Technical Services
Tel: 603-245-3828
E-mail: Judy.Yeske-gaR6cFh0+tIPwJ1gum1jzwC/***@public.gmane.org

To unsubscribe, write to LISTSERV-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org and,
in the message body (not the subject), write: SIGNOFF MQSERIES
Instructions for managing your mailing list subscription are provided in
the Listserv General Users Guide available at http://www.lsoft.com
Archive: http://listserv.meduniwien.ac.at/archives/mqser-l.html
Jason Space
2013-01-25 16:42:36 UTC
Judy,

I'm not familiar with MQ TOPICS, we've never had use for them. (Are they for
pub/sub and messages get put to them?) - I guess I need to see how to
define a topic. Knowing that would help in making sure it's in the correct
resource class.

1.) Could it be possible it needs to be in MQQ class?????
2.) Did the ACF2 admins issue a rebuild so the rule is active? If they failed to
do that, then ACF2 doesn't know about the rule. This happens in my shop
once in a while.

Here's what I'd check. Usually the MQA resource is MQ Administration and
the "R" in front is a resident rule in ACF2 (I think).

From ACF2 you could issue:

SET C(GSO)
LIST LIKE(CLASMAP.-)

In there you should see something like this:
**** / CLASMAP.MQADMIN LAST CHANGED BY xxxxx ON xx/xx/xx-time
ENTITYLN(62) MUSID() RESOURCE(MQADMIN) RSRCTYPE(MQA)

**** / CLASMAP.MQCMDS LAST CHANGED BY xxxxx ON xx/xx/xx-time
ENTITYLN(22) MUSID() RESOURCE(MQCMDS) RSRCTYPE(MQC)

**** / CLASMAP.MQCONN LAST CHANGED BY xxxxx ON xx/xx/xx-time
ENTITYLN(10) MUSID() RESOURCE(MQCONN) RSRCTYPE(MQK)

**** / CLASMAP.MQNLIST LAST CHANGED BY xxxxx ON xx/xx/xx-time
ENTITYLN(53) MUSID() RESOURCE(MQNLIST) RSRCTYPE(MQN)

**** / CLASMAP.MQPROC LAST CHANGED BY xxxxx ON xx/xx/xx-time
ENTITYLN(53) MUSID() RESOURCE(MQPROC) RSRCTYPE(MQP)

**** / CLASMAP.MQQUEUE LAST CHANGED BY xxxxx ON xx/xx/xx-time
ENTITYLN(53) MUSID() RESOURCE(MQQUEUE) RSRCTYPE(MQQ)

You could also issue (This will list all resource types defined):
SET C(GSO)
LIST INFODIR

I don't think there is a WRITE or ALLOC in ACF2. That should probably be
SERVICE(READ,UPDATE, DELETE)

Can you (or your ACF2 sysprogs) get the following:

SET RES(MQA)
LIST LIKE(MQT-)

Showing what is actually defined to MQTU.TOPIC.SYSTEM.BASE.TOPIC would be
helpful for me to see.
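
Added example, not part of the original posts: a short Python check that cross-references the ACF04056 violation with CLASMAP records in the layout listed above, to show which class ACF2 actually validated against compared with the class the rule was requested in. The sample input is constructed from text in this thread, the function names are hypothetical, and treating the leading "R" of TYPE RMQA as a prefix on the three-character type code is an assumption taken from the reply.

```python
import re

# Constructed sample input: the violation text from the thread and two
# CLASMAP records in the layout shown in the reply.
VIOLATION = ("ACF04056 ACCESS TO RESOURCE MQTU.TOPIC.SYSTEM.BASE.TOPIC TYPE RMQA BY\n"
             "MQTUCHIN NOT AUTHORIZED")
CLASMAP_LISTING = """\
**** / CLASMAP.MQADMIN LAST CHANGED BY xxxxx ON xx/xx/xx-time
ENTITYLN(62) MUSID() RESOURCE(MQADMIN) RSRCTYPE(MQA)

**** / CLASMAP.MQQUEUE LAST CHANGED BY xxxxx ON xx/xx/xx-time
ENTITYLN(53) MUSID() RESOURCE(MQQUEUE) RSRCTYPE(MQQ)
"""

ACF04056 = re.compile(
    r"ACF04056 ACCESS TO RESOURCE (?P<resource>\S+) TYPE (?P<type>\S+) BY "
    r"(?P<user>\S+) NOT AUTHORIZED")
CLASMAP = re.compile(r"ENTITYLN\((\d+)\).*?RESOURCE\((\w+)\)\s+RSRCTYPE\((\w+)\)")


def parse_violation(text):
    """Return resource, type and user from an ACF04056 message, or None."""
    m = ACF04056.search(" ".join(text.split()))  # undo console line wrapping
    return m.groupdict() if m else None


def parse_clasmap(listing):
    """Map RSRCTYPE code -> (class name, maximum entity length)."""
    return {t: (cls, int(ln)) for ln, cls, t in CLASMAP.findall(listing)}


def diagnose(violation, listing, rule_class):
    """Compare the class a rule was requested in with the class ACF2 checked."""
    v = parse_violation(violation)
    if v is None:
        raise ValueError("no ACF04056 message found")
    types = parse_clasmap(listing)
    code = v["type"]
    # Assumption from the reply: the leading "R" is a prefix, not part of the code.
    if code not in types and code.startswith("R") and code[1:] in types:
        code = code[1:]
    checked_class = types.get(code, (None, None))[0]
    return {**v, "type_code": code, "checked_class": checked_class,
            "rule_in_checked_class": checked_class == rule_class}


if __name__ == "__main__":
    print(diagnose(VIOLATION, CLASMAP_LISTING, "MXTOPIC"))
```

With the sample input, the violation maps to type code MQA and class MQADMIN, so a rule written in MXTOPIC is reported as not being in the class that was checked.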

Yeske, Judy
2013-01-28 13:46:15 UTC
Hi Jason,

Thank you for your response. I opened an ETR with IBM and they suggested I create profiles MQTU.PUBLISH.SYSTEM.BASE.TOPIC and MQUT.SUBSCRIBE.SYSTEM.BASE.TOPIC in the MXTOPIC class. I found this in the 7.1 Info Center but didn’t associate these profiles with the ACF error pointing to MQTU.TOPIC.SYSTEM.BASE.TOPIC.

I’ve submitted a request to our Security folks to have these rules created – I’ll let you know how I make out.

Judy
