Below commands done for Authorization in Unix + MQ9. Want to review(is this a correct approach or not?) as well as How below commands can be achieved in Windows server?
setmqaut -m TLSTEST.QM -t qmgr -p clientadmin +connect +dsp +inq
setmqaut -m TLSTEST.QM -t queue -p clientadmin -n '**' +put +get +browse +dsp +inq
runmqsc TLSTEST.QM
ALTER AUTHINFO(SYSTEM.DEFAULT.AUTHINFO.IDPWOS) AUTHTYPE(IDPWOS) CHCKCLNT(OPTIONAL)
ALTER QMGR CHLAUTH(DISABLED)
REFRESH SECURITY TYPE(CONNAUTH)
Update on 29-Mar-2017
is setmqaut can be used as only to required is fine as below ,instead of '**'?
setmqaut -m TLSTEST.QM -t qmgr -p clientadmin +connect +dsp +inq
setmqaut -m TLSTEST.QM -t queue -p clientadmin -n RECEIVE +put +get +browse +dsp +inq
setmqaut -m TLSTEST.QM -t queue -p clientadmin -n SEND +put +get +browse +dsp +inq
below commands are required for me , because my jms-client will not pass user details on connection request.Is good approach to pass as below in client code or externalize these values?
MQEnvironment.userID = "mqm";
MQEnvironment.password = "password";
runmqsc TLSTEST.QM
ALTER AUTHINFO(SYSTEM.DEFAULT.AUTHINFO.IDPWOS) AUTHTYPE(IDPWOS) CHCKCLNT(OPTIONAL)
ALTER QMGR CHLAUTH(DISABLED)
REFRESH SECURITY TYPE(CONNAUTH)
The commands you provided in your question would work equally as well in windows as they do in Unix.
NOTE The commands you propose turn off security which is not a good thing to do and also authorized the user "clientadmin" to all queues on the queue manager including SYSTEM* queues which allows that user to leverage MQ administrative authority.
Commands from your 29-Mar-2017 update look fine for providing specific permissions to queues SEND and RECEIVE.
In my opinion it would be a good approach to externalize the values for userID and password so that you do not need to recompile things if these change in the future.
Having an application connect as mqm is not a good approach since mqm has full administrative authority.
Setting CHLAUTH(DISABLED) does not prevent password checking it just turns off the normal out of the box CHLAUTH rules which prevent MQ admins from connecting to SVRCONN channels, as well as preventing usage of SYSTEM.* channels.
Setting CHCKCLNT(OPTIONAL) from the default of CHCKCLNT(REQDADM) configures MQ to check that a password is valid only if a password is supplied to MQ.
The default value CHCKCLNT(REQDADM) is the same as CHCKCLNT(OPTIONAL) with the additional requirement that that accounts with MQ admin authority are required to supply a valid password. Accounts without MQ admin authority are not required to present a valid password but if a password is supplied it must be valid.
If your configuration only works with CHCKCLNT(OPTIONAL) it would indicate that you are connecting as an account that has MQ admin authority.
There is a security issue with setting MQ to not enforce that a valid password is sent unless you use SSLCIPH and SSLPEER to restrict a SVRCONN to allow only specific client certs to connect and you make sure all other channels are locked down. The default CHLAUTH rules lock down all channels by not allowing users with MQ admin authority to connect, and they block connections to all SYSTEM* channels.
Setting SSLCAUTH(OPTIONAL) configures MQ to not require that the client have a certificate, if the client does have a certificate MQ will validate it is trusted, and if you have a SSLPEER set will make sure the client certificate DN value matches.
SSLCAUTH(REQUIRED) configures MQ to require that the client have a cert. You would also want to pair this with the channels SSLPEER setting to ensure the cert is the one that you expect not just a cert that is trusted by the queue manager, you also want to set the MCAUSER to a low privileged user.
Setting CHLAUTH(DISABLED) likely is making the SYSTEM.* channels insecure.
If you have no other mitigating controls the configuration presented is insecure.
Related
Is it possible to use qload utility to connect to remote queue manager.
I am not able to connect currently and has anyone tried and connected, if so how?
QLoad version : 1.9
I cant see any documentation on how to connect to remote queue manager.
I also tried set MQSERVER variable from command line before executing the command.
qload -m <QM> -i <Queue> -f <filename>
QLOAD Program by Paul Clarke [ V1.9 Build:Jun 19 2012 ]
MQCONN on object '<QM>' returned 2058 QMgr name error..
Invoke QLOAD as follows to use the client libraries.
qload -m <QM> -i <Queue> -l mqic -f <filename>
The -l flag allows to chose the library to be used, mqic vs mqm. The default if the flag is omitted is to use mqm. You can read documentation for a rather more up-to-date version of qload here.
Alternatively, if you want to continue to use the mqm library, you can set the MQ_CONNECT_TYPE environment variable, as described here to make a client connection using the mqm library.
I am using Linux based snmp (net-snmp) in my Linux device. To receive snmp trap on Linux host machine, I have configured snmptrapd in /etc/snmp/snmptrapd.conf file as below (After stopping snmpd daemon)
createUser user MD5 "password123" DES "encrypt123"
authuser log user authPriv
Above configuration allow me to receive snmp trap on Linux host machine when I execute below command from my Linux device
snmptrap -Ci -v3 -u user -a MD5 -A password123 -x DES -X encrypt123 -l authPriv 10.103.0.110 '' Test-MIB::statusChangeNotification Test-MIB::statusChangeAlarm s 'status change'
Now if I execute above snmptrap command with same user and SHA/DES configuration (as below) then in that case snmptrap command is failing with "snmpinform: Authentication failure (incorrect password, community or key)" error message. (snmptrapd is stopped and started after SHA/DES configuration as above.)
snmptrap -Ci -v3 -u user -a SHA -A password123 -x DES -X encrypt123 -l authPriv 10.103.0.110 '' Test-MIB::statusChangeNotification Test-MIB::statusChangeAlarm s 'status change'
Can anybody suggest possible reason behind this error?
Does snmptap command maintain usmUser table which not allow same user entry with different authentication type?
Is there any way to reset usmUser table?
Is there any additional configuration required?
Have you tried removing the quotation marks from both your username and password in the snmptrapd.conf?
It should not work. This is absolutely expected behavior. The user configuration should match on both sides (trap sender and trap receiver).
The SHA1 and MD5 are totally different auth protocols. They do produce different hash codes for the same input data.
I have tried saveqmgr and dmpmqcfg. i cannot get expected output.
dmpmqcfg -m qm.apple -t all -a -x all -o setmqaut
I am using MQ_7.5 version. Which command is used to take backup of MQ Message queue in linux
You can use a command similar to the following to backup the details of a specific queue (TEST.QUEUE in this example). The output will include both the DEFINE Q command along with SET AUTHREC commands to restore any OAM permissions granted to that specific queue. Note that this command will not backup OAM for any other queue or wild carded permissions.
dmpmqcfg -m qm.apple -n TEST.QUEUE -t queue -a -x all -o 1line
To backup the data in the queue you can use the MO03 SupportPac (aka QLOAD) from IBM. This SupportPac from IBM has been withdrawn because at v8 of the product it was integrated and renamed to dmpmqmsg. For versions of MQ prior to v8 you can still download the MQ03 SupportPac at the above link. The original author of the SupportPac also now maintains a version of the program called QLOAD.
Example command below will backup a queue called TEST.QUEUE with out removing the messages from the queue (change the -i to capital -I to also remove them from the queue).
qload -m qm.apple -i TEST.QUEUE -f TEST.QUEUE.qload
Output will show how many messages were read and written, example output is below:
Read - Files: 0 Messages: 3 Bytes: 4
Written - Files: 1 Messages: 3 Bytes: 4
Example command below will put the messages from the file back onto the queue.
qload -m qm.apple -f TEST.QUEUE.qload -o TEST.QUEUE
I am facing above error while connecting to queue manager. Let me first explain you what I'm doing.
I have created a new user on Linux machine(test) and then created a server connection channel(xystest.SVRCONN) with MCAUSER as test on XHUB queue manager.
Later i have granted access with the below commands.
setmqaut -m XHUB -t qmgr -p test +connect
setmqaut -m XHUB -n '**' -t q -p test +dsp +inq
setmqaut -m XHUB -n '**' -t channel -p test +dsp
When i try connecting to XHUB using the xystest.SVRCONN I am facing above error.
Can you please help me in understand where i have made mistake while allowing test user to access WMQ ?
I think you should add +inq +dsp permissions for the queue manager too:
setmqaut -m XHUB -t qmgr -p test +connect +inq +dsp
Seems, you are facing authorization error.
WebSphere MQ does not dynamically pick up new users or groups until queue manager been restarted or the Refresh Security of the queue manager. run MQSC command runmqsc XHUB and do REFRESH SECURITY. I hope you made sure, the newly created group is part of mqm group.
The suggestion to refresh security is a valid one so if you have already done that, then try these tips for troubleshooting your authority error:
Set MQSAUTHERRORS to generate WMQ FDC file which will show the error.
Use the MQS_REPORT_NOAUTH environment variable to create an entry in the QMGR error logs to show reason for security failures.
Once you have FDC and/or Log error to show why the authority is failing, you can determine what additional security you may need and then use setmqaut accordingly.
I have a script which is performing a MySQL dump, and I want it to send an email if and when it fails. How can I make the sending of the email use TLS with a username/password, a special port, and an alternate SMTP host?
Try sendEmail: http://caspian.dotconf.net/menu/Software/SendEmail/ it allows you to specify an SMTP server and port using the -s flag. TLS can be enabled using -o tls=yes and a username and password can be set using -o username=... and -o password=... respectively.