05 Feb 2013

MQ Explorer Security Examples


This guide started off on how to access a local QM on Linux using MQ Explorer. Then it morphed into a great little article on my experiences. In this article I cover how to allow connections from MQ Explorer and how to secure which WMQ objects can be accessed. I thought it was about time I documented it; I always seem to forget all the parts required.

http://www-01.ibm.com/software/integration/wmq/explorer/

Download the MQ Explorer package from the page above, upload it to the server and unzip it.

Run Setup.bin

Complete the install, then install a JRE. To keep things simple you can install the WMQ JRE. I suppose you must have either a trial version of WMQ or the full version, otherwise why would you be installing MQ Explorer to access a local queue manager?

Result:

[root@localhost wmq75_install]# rpm -ivh MQSeriesJRE-7.5.0-0.x86_64.rpm
Preparing...                ########################################### [100%]
   1:MQSeriesJRE            ########################################### [100%]

(The download itself is reached by following the links on the page above.) MQ Explorer installs under /opt/ibm/WebSphere_MQ_Explorer; start it from there.

Once MQ Explorer is running, the first attempt to connect to the queue manager fails with:

2538 (09EA) (RC2538): MQRC_HOST_NOT_AVAILABLE

Explanation

An MQCONN call was issued from a client to connect to a queue manager but the attempt to allocate a conversation to the remote system failed. Common causes of this reason code are:

  • The listener has not been started on the remote system.
  • The connection name in the client channel definition is incorrect.
  • The network is currently unavailable.

Check first that a listener is running on the queue manager and that the connection name (host and port) entered in MQ Explorer matches it. If those are right, the next thing MQ Explorer needs is a server-connection (SVRCONN) channel on the queue manager to connect through. Define one in runmqsc:

DEFINE CHANNEL(SYSTEM.ADMIN.SVRCONN) CHLTYPE(SVRCONN)
     1 : DEFINE CHANNEL(SYSTEM.ADMIN.SVRCONN) CHLTYPE(SVRCONN)
AMQ8014: WebSphere MQ channel created.
END

With the channel in place the connection gets further, but is now refused at authorisation:

Access is not permitted. You are not authorised to perform this operation (AMQ4306)

This should not be fixed with:

ALTER CHL(SYSTEM.ADMIN.SVRCONN) CHLTYPE(SVRCONN) MCAUSER('mqm')

Specifying MCAUSER on the SVRCONN channel means that any application connecting through that channel runs with the authority of the user named on the channel, not the user ID sent by the client application. If you specify mqm, MQ's administration user on UNIX/Linux, then anyone who can reach that channel gets full administrative authority on the queue manager, whatever user ID they present.

The usual cause is that you are connecting from a Windows machine as a specific Windows user, most likely a domain user, something like <Machine name>\<user name>, and that user ID means nothing to the Linux queue manager: it is not in the mqm group and has been granted no authorities.

On my laptop (Windows 7 Professional) I added my user account to the mqm group on my Windows machine. We know that on Linux the mqm group has access to the QM objects.

Note: run REFRESH SECURITY on the queue manager after adding the SVRCONN channel and whenever you change OS group memberships; the OAM caches group information, so a user added to a group is not seen until the refresh.

Next we also need to make sure that the connecting user is actually granted access to the queue manager.

Viewing the queue manager's error log shows what happens when MQ Explorer tries to connect; here it is running locally on the Linux machine:

cd /var/mqm/qmgrs/TEST2/errors

02/05/2013 09:50:25 AM - Process(9716.12) User(mqm) Program(amqrmppa)
                    Host(localhost.localdomain) Installation(Installation1)
                    VRMF(7.5.0.0) QMgr(TEST2)

AMQ9776: Channel was blocked by userid

EXPLANATION:
The inbound channel 'SYSTEM.ADMIN.SVRCONN' was blocked from address '127.0.0.1'
because the active values of the channel were mapped to a userid which should
be blocked. The active values of the channel were 'MCAUSER(mqm) CLNTUSER(mqm)'.
ACTION:
Contact the systems administrator, who should examine the channel
authentication records to ensure that the correct settings have been
configured.

The ALTER QMGR CHLAUTH switch is used to control whether channel
authentication records are used. The command DISPLAY CHLAUTH can be used to
query the channel authentication records.

02/05/2013 09:50:25 AM - Process(9716.12) User(mqm) Program(amqrmppa)
                    Host(localhost.localdomain) Installation(Installation1)
                    VRMF(7.5.0.0) QMgr(TEST2)

AMQ9999: Channel 'SYSTEM.ADMIN.SVRCONN' to host 'localhost (127.0.0.1)' ended
abnormally.

EXPLANATION:
The channel program running under process ID 9716 for channel
'SYSTEM.ADMIN.SVRCONN' ended abnormally. The host name is 'localhost
(127.0.0.1)'; in some cases the host name cannot be determined and so is shown
as '????'.
ACTION:
Look at previous error messages for the channel program in the error logs to
determine the cause of the failure. Note that this message can be excluded
completely or suppressed by tuning the "ExcludeMessage" or "SuppressMessage"
attributes under the "QMErrorLog" stanza in qm.ini. Further information can be
found in the System Administration Guide.
----- amqrmrsa.c : 898 --------------------------------------------------------
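Reading these records by eye is fine for one queue manager; across several it helps to pull out the fields you act on. The following is an added example, not code from the post: it parses AMQERR01.LOG-style records like the ones above into structured fields, so that an AMQ8077 yields the entity, the object and the missing authority, and an AMQ9776 yields the channel, the client address and the MCAUSER/CLNTUSER values that the channel authentication records mapped and blocked. The sample log inside it is constructed from the excerpts on this page, and the record layout the regular expressions assume is taken from those excerpts.

```python
"""Triage IBM MQ queue manager error-log records (AMQERR01.LOG).

Added example, not code from the post.  SAMPLE_LOG is constructed from the
records quoted in the post; the layout the regexes assume (timestamp, Process(),
User(), QMgr(), an AMQnnnn line, EXPLANATION:, ACTION:, and a closing
"----- file.c : line ---" rule) is taken from those excerpts.  Straight or curly
quotes and a hyphen or en dash after the time are both accepted, because web
copies of these logs usually carry the curly forms.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SAMPLE_LOG = """\
02/05/2013 09:50:25 AM - Process(9716.12) User(mqm) Program(amqrmppa)
                    VRMF(7.5.0.0) QMgr(TEST2)

AMQ9776: Channel was blocked by userid

EXPLANATION:
The inbound channel 'SYSTEM.ADMIN.SVRCONN' was blocked from address '127.0.0.1'
because the active values of the channel were mapped to a userid which should
be blocked. The active values of the channel were 'MCAUSER(mqm) CLNTUSER(mqm)'.
----- amqrmrsa.c : 898 --------------------------------------------------------
02/05/2013 10:53:49 AM - Process(8945.74) User(mqm) Program(amqzlaa0)
                    VRMF(7.5.0.0) QMgr(TEST2)

AMQ8077: Entity 'steve ' has insufficient authority to access object
'SYSTEM.MQEXPLORER.REPLY.MODEL'.

EXPLANATION:
The specified entity is not authorized to access the required object. The
following requested permissions are unauthorized: inq
ACTION:
Ensure that the correct level of authority has been set for this entity against
the required object, or ensure that the entity is a member of a privileged
group.
----- amqzfubx.c : 624 --------------------------------------------------------
"""

Q, NOTQ = "['\u2018\u2019]", "[^'\u2018\u2019]"      # straight or curly quote
RULE = re.compile(r"^-{5} \S+ : \d+ -+\s*$", re.MULTILINE)
HEADER = re.compile(r"(?P<when>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} [AP]M) [-\u2013] "
                    r"Process\((?P<pid>\d+)\.\d+\) User\((?P<user>[^)]+)\)")
QMGR = re.compile(r"QMgr\((?P<qmgr>[^)]+)\)")
CODE = re.compile(r"^(?P<code>AMQ\d{4}): ", re.MULTILINE)
ENTITY = re.compile(rf"Entity {Q}(?P<entity>{NOTQ}*){Q} has insufficient authority "
                    rf"to access object {Q}(?P<obj>{NOTQ}+){Q}")
PERMS = re.compile(r"permissions are unauthorized: (?P<perms>[\w ]+)")
BLOCKED = re.compile(rf"inbound channel {Q}(?P<channel>{NOTQ}+){Q} was blocked from "
                     rf"address {Q}(?P<address>{NOTQ}+){Q}")
ACTIVE = re.compile(rf"active values of the channel were {Q}(?P<values>{NOTQ}+){Q}")


@dataclass
class LogRecord:
    when: str
    pid: int
    user: str             # OS user of the MQ process, not the failing entity
    qmgr: Optional[str]
    code: str
    message: str
    explanation: str
    details: Dict[str, str] = field(default_factory=dict)


def _squash(text: str) -> str:
    return " ".join(text.split())


def _details(code: str, message: str, explanation: str) -> Dict[str, str]:
    """The fields an administrator acts on, for the two codes seen in the post."""
    d: Dict[str, str] = {}
    if code == "AMQ8077":                          # OAM refused an open/inquire
        if (m := ENTITY.search(message)):
            d["entity"], d["object"] = m["entity"].strip(), m["obj"]
        if (p := PERMS.search(explanation)):
            d["missing"] = p["perms"].strip()
    elif code == "AMQ9776":                        # CHLAUTH blocked the mapped user
        if (b := BLOCKED.search(explanation)):
            d["channel"], d["address"] = b["channel"], b["address"]
        if (a := ACTIVE.search(explanation)):
            d["active_values"] = a["values"]
    return d


def parse_records(log: str) -> List[LogRecord]:
    # Split on the "----- file.c : n ---" rule that closes each record.
    records: List[LogRecord] = []
    for chunk in RULE.split(log):
        head, code = HEADER.search(chunk), CODE.search(chunk)
        if not head or not code:
            continue                               # blank tail or partial record
        qm = QMGR.search(chunk)
        msg, _, rest = chunk[code.end():].partition("EXPLANATION:")
        expl = rest.partition("ACTION:")[0]
        rec = LogRecord(head["when"], int(head["pid"]), head["user"],
                        qm["qmgr"] if qm else None, code["code"], _squash(msg), _squash(expl))
        rec.details = _details(rec.code, rec.message, rec.explanation)
        records.append(rec)
    return records
```

Note that the User() in the record header is the user the MQ process runs as (mqm) and is not the entity that failed; the entity is only in the AMQ8077 text, which is why the parser keeps them apart.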

There are several options at this point:

  1. If the customer wants the required user ID to have full privileges over all MQ objects, add the user ID to the mqm group on the UNIX machine, again using the O/S facilities to do so. In this case there is no further action required.
  2. An alternative method of giving full privileges is to set the MCAUSER attribute on the SVRCONN channel defined earlier to mqm, by adding MCAUSER('mqm') to the runmqsc command above. Again, no further action is required.
  3. If restricted access to MQ objects is required, further commands are necessary, as below.

We want option 3, as it is best for enterprise security. Options 1 and 2 hand the connecting user full administrative control of the queue manager, so use them only where security is of no concern. Note too that on WMQ 7.1 and later the default channel authentication records block administrative users such as mqm on inbound SVRCONN channels, which is exactly what the AMQ9776 message above reports; both options end with the channel's user ID being an MQ administrator, so both also need that CHLAUTH rule changed, which opens the hole wider still.

Grant specific authority over MQ objects to the required user ID

The setmqaut commands below grant minimal authority to the user ID, but first that user ID has to exist on the Linux box, because WMQ authorities are granted to OS users and groups on the queue manager's host.

My Windows user is called Steve Robinson, and I cannot have a username in Linux that contains spaces. So what do I do now? Well, create a group called mqexplorer on my Windows desktop, add <myuser> "Steve Robinson" to this group, then modify mqaut to allow access from anyone in this group.

Creating the new Windows group

We also need to create a matching group on Linux and grant it the authorities:

groupadd mqexplorer
setmqaut -m TEST2 -t qmgr -g mqexplorer +connect +inq +dsp
setmqaut -m TEST2 -t q -n SYSTEM.DEFAULT.MODEL.QUEUE -g mqexplorer +inq +browse +get
setmqaut -m TEST2 -t q -n SYSTEM.ADMIN.COMMAND.QUEUE -g mqexplorer +inq +put

The purpose of these commands is:
1. Grant authority to access the qmgr
2. Grant authority to the client channel to get the command server reply messages
3. Grant authority to put messages onto the command server input queue

When we try to connect we get the following error in the queue manager log:

02/05/2013 10:37:13 AM - Process(8945.70) User(mqm) Program(amqzlaa0)
                    Host(localhost.localdomain) Installation(Installation1)
                    VRMF(7.5.0.0) QMgr(TEST2)

AMQ5653: The user 'steve' is not defined.

EXPLANATION:
The system call getpwnam("steve") failed with errno -1.
ACTION:
Create the user 'steve' and retry the operation.

I guess MQ Explorer (Windows) is using the first part of my Windows user name. Let's create a Linux user called steve, set the password as steve, add it to the mqexplorer group and see what happens.

useradd -g mqexplorer steve

Result:

AMQ8077: Entity 'steve robins' has insufficient authority to access object
'SYSTEM.MQEXPLORER.REPLY.MODEL'.

EXPLANATION:
The specified entity is not authorized to access the required object. The
following requested permissions are unauthorized: inq
ACTION:
Ensure that the correct level of authority has been set for this entity against
the required object, or ensure that the entity is a member of a privileged
group.

OK, the user ID arriving at the queue manager is 'steve robins' rather than steve, so let's now manually tell MQ Explorer to use steve by entering that user ID in the Connect to Queue Manager wizard:

MQ Explorer cannot administer the queue manager because the user is not authorised to open the queue 'SYSTEM.MQEXPLORER.REPLY.MODEL'. (AMQ4401)

Severity: 10 (Warning)
Explanation: MQ Explorer uses the queue to administer this queue manager.
Response: Allow MQ Explorer to open the queue and retry.

02/05/2013 10:53:49 AM - Process(8945.74) User(mqm) Program(amqzlaa0)
                    Host(localhost.localdomain) Installation(Installation1)
                    VRMF(7.5.0.0) QMgr(TEST2)

AMQ8077: Entity 'steve ' has insufficient authority to access object
'SYSTEM.MQEXPLORER.REPLY.MODEL'.

EXPLANATION:
The specified entity is not authorized to access the required object. The
following requested permissions are unauthorized: inq
ACTION:
Ensure that the correct level of authority has been set for this entity against
the required object, or ensure that the entity is a member of a privileged
group.

The grants so far covered SYSTEM.DEFAULT.MODEL.QUEUE, but this version of MQ Explorer builds its reply queue from SYSTEM.MQEXPLORER.REPLY.MODEL, so the group needs access to that model queue as well:

setmqaut -m TEST2 -t q -n SYSTEM.MQEXPLORER.REPLY.MODEL -g mqexplorer +inq +browse +get +dsp

Try again connecting from MQ Explorer on Windows.

OK, we now connect successfully. But let's try once more with the named user removed from the connection wizard, so that MQ Explorer sends the Windows user ID. The log then shows the truncated Windows name again, with no authorities:

AMQ8077: Entity 'steve robins' has insufficient authority to access object
'SYSTEM.MQEXPLORER.REPLY.MODEL'.

EXPLANATION:
The specified entity is not authorized to access the required object. The
following requested permissions are unauthorized: inq
ACTION:
Ensure that the correct level of authority has been set for this entity against
the required object, or ensure that the entity is a member of a privileged
group.
----- amqzfubx.c : 624 --------------------------------------------------------


Summary

Basically, if your Windows user ID is not an acceptable Linux user name, you need to create a user on Linux and then assign setmqaut security on objects either by principal name or by group name (the Linux user must be in the group). Then name that user in the Connect to Queue Manager wizard, and MQ Explorer uses it when it connects. The log above shows why this is necessary: WMQ truncates the user ID flowed by the client to 12 characters, so 'Steve Robinson' arrives as 'steve robins', a name containing a space that Linux will not accept and that no authority record will ever match.

Bear in mind what this does and does not give you. With MCAUSER left blank the queue manager trusts the user ID the client sends, and WMQ 7.5 does not authenticate it, so anyone who can reach the channel can present 'steve' and get steve's authorities. The grants limit what such a connection can do; limiting who can connect at all is the job of channel authentication records (address or certificate based) or a security exit such as the BlockIP2 exit in the appendix.

Note: below are the commands for setting access to MQ objects for a named user (principal) as opposed to a group; the SYSTEM.MQEXPLORER.REPLY.MODEL grant from above is needed in the same way, with -p in place of -g.

setmqaut -m MYQMGR -t qmgr -p myuser +connect +inq +dsp
setmqaut -m MYQMGR -t q -n SYSTEM.DEFAULT.MODEL.QUEUE -p myuser +inq +browse +get
setmqaut -m MYQMGR -t q -n SYSTEM.ADMIN.COMMAND.QUEUE -p myuser +inq +put
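The grants above, plus the SYSTEM.MQEXPLORER.REPLY.MODEL one found along the way, are easy to get slightly wrong, and the MCAUSER('mqm') shortcut warned against near the top of the article is easy to leave behind in a test queue manager. The following is an added example, not code from the post: it generates the setmqaut lines for exactly the authority set IBM documents for MQ Explorer, reports which of those a given set of grants still lacks (on the author's first set of grants it reproduces the AMQ8077 on SYSTEM.MQEXPLORER.REPLY.MODEL seen above), and scans an MQSC listing for SVRCONN channels that run clients as an administrative user or a queue manager with CHLAUTH switched off. The MQSC sample is constructed, EXPLORER.SVRCONN is a hypothetical channel name, and the granted-authority dictionaries are this example's own shape, not the output of any MQ command.

```python
"""Least-privilege grants for MQ Explorer, and an audit of the shortcuts.

Added example, not code from the post.  REQUIRED is the authority set IBM
documents for remote administration with MQ Explorer 7.5 (the older technote's
SYSTEM.DEFAULT.MODEL.QUEUE grants are not part of it).  The MQSC text and the
granted-authority dicts are constructed; EXPLORER.SVRCONN is a hypothetical
channel name.
"""
import re
from typing import Dict, List, Set, Tuple

Obj = Tuple[str, str]            # (object type, object name; "" for the qmgr)
REQUIRED: Dict[Obj, Set[str]] = {
    ("qmgr", ""): {"connect", "inq", "dsp"},
    ("q", "SYSTEM.MQEXPLORER.REPLY.MODEL"): {"inq", "dsp", "get"},   # INPUT  = get
    ("q", "SYSTEM.ADMIN.COMMAND.QUEUE"): {"put"},                     # OUTPUT = put
}


def grant_commands(qmgr: str, entity: str, group: bool = True) -> List[str]:
    """setmqaut lines granting exactly REQUIRED to a group (-g) or principal (-p)."""
    flag = "-g" if group else "-p"
    lines = []
    for (otype, name), auths in REQUIRED.items():
        target = f"-t {otype}" + (f" -n {name}" if name else "")
        lines.append(f"setmqaut -m {qmgr} {target} {flag} {entity} "
                     + " ".join("+" + a for a in sorted(auths)))
    return lines


def missing_authorities(granted: Dict[Obj, Set[str]]) -> Dict[Obj, Set[str]]:
    """What REQUIRED still lacks; an empty dict means MQ Explorer can administer."""
    gaps = {obj: auths - granted.get(obj, set()) for obj, auths in REQUIRED.items()}
    return {obj: missing for obj, missing in gaps.items() if missing}


# --- audit MQSC definitions for the two shortcuts the article warns against ---
ECHO = re.compile(r"^\d+\s*:\s*")                       # runmqsc "1 : ..." echo
CHANNEL = re.compile(r"^(?:DEF(?:INE)?|ALT(?:ER)?)\s+CH(?:ANNE)?L\s*\((?P<name>[^)]+)\)", re.I)
SVRCONN = re.compile(r"CHLTYPE\s*\(\s*SVRCONN\s*\)", re.I)
MCAUSER = re.compile(r"MCAUSER\s*\(\s*['\u2018\u2019]?(?P<user>[^)'\u2018\u2019]*)", re.I)
CHLAUTH_OFF = re.compile(r"^ALT(?:ER)?\s+QMGR\b.*CHLAUTH\s*\(\s*DISABLED\s*\)", re.I)


def mqsc_statements(text: str) -> List[str]:
    """Join MQSC continuation lines (trailing '+' or '-') into single statements.
    Leading blanks of the continued line are dropped in both cases, which is
    enough for an audit of keywords."""
    stmts, cur = [], ""
    for raw in text.splitlines():
        line = ECHO.sub("", raw.strip())
        if not line or line.startswith("*"):            # blank or comment line
            continue
        if line[-1] in "+-":
            cur += line[:-1].rstrip() + " "
        else:
            stmts.append((cur + line).strip())
            cur = ""
    return stmts


def svrconn_risks(mqsc: str, admin_users: Tuple[str, ...] = ("mqm",)) -> List[Tuple[str, str]]:
    """(object, problem) pairs: SVRCONN channels that run every client as an
    administrative user, and a queue manager with channel authentication off."""
    findings = []
    for stmt in mqsc_statements(mqsc):
        if CHLAUTH_OFF.search(stmt):
            findings.append(("QMGR", "CHLAUTH(DISABLED): channel authentication records are ignored"))
            continue
        ch = CHANNEL.match(stmt)
        if not ch or not SVRCONN.search(stmt):
            continue
        mca = MCAUSER.search(stmt)
        if mca and mca["user"].strip().lower() in admin_users:
            findings.append((ch["name"].strip(),
                             f"MCAUSER({mca['user'].strip()}): every client on this channel is an MQ administrator"))
    return findings


SAMPLE_MQSC = """\
1 : DEFINE CHANNEL(SYSTEM.ADMIN.SVRCONN) CHLTYPE(SVRCONN)
ALTER CHL(SYSTEM.ADMIN.SVRCONN) CHLTYPE(SVRCONN) MCAUSER('mqm')
DEFINE CHANNEL(EXPLORER.SVRCONN) CHLTYPE(SVRCONN) MCAUSER('') +
       SCYEXIT('BlockIP2(BlockExit)')
ALTER QMGR CHLAUTH(DISABLED)
"""
```

Feed svrconn_risks the output of a DISPLAY CHANNEL(*) or a saved MQSC script; grant_commands with group=False gives the -p form from the note above.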

There is no point in adding users to groups on Windows unless IBM WebSphere MQ is installed on Windows: authorization is evaluated by the queue manager against the users and groups of the host it runs on, so with a Linux queue manager only the Linux group membership counts.

As I have always mentioned in other articles, WMQ security is based on users and groups, and you just have to think a bit harder when it comes to remote access from a Windows client.

Using the tips above you will find you can connect, but you will be limited in what you can administer. As mentioned earlier, you can open up security. This article was more about connecting with the least amount of access, without creating a security hole. In most cases people give full access and leave it at that, but when you do want to secure WMQ for MQ Explorer access, this article should help you get ideas.

Appendix

If you are interested in a clever security exit, you can use BlockIP2 to lock down and even audit access to a queue manager.

http://www.mrmq.dk/index.htm?BlockIP2.htm

Block IP

You can also use the BlockIP2 open source security exit to secure WMQ.

Installation

Download BlockIP2 from the site linked above.

Upload the appropriate version for your system. My example is Linux 64-bit.

Linux (Intel 64 bit)

Just untar BLOCKIP2.TAR from the Linux_x86_64 subdirectory into /var/mqm/exits64, and you're almost ready to go.

cd /var/mqm/exits64
tar -xvf BlockIP2.tar

You will need to change the owner using root authority. The queue manager loads the exit into the channel process, which runs as mqm, so the file must be owned by mqm and writable by nobody else; mode 550 gives mqm read and execute and nothing to anyone else:

chown mqm:mqm /var/mqm/exits64/BlockIP2
chmod 550 /var/mqm/exits64/BlockIP2
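The ownership and mode matter more than they look: a security exit is native code that the queue manager loads into the channel process, which runs as mqm, so a BlockIP2 binary (or the directory holding it) that another user can write is a way to run arbitrary code as mqm. The following added example, not from the post or from the BlockIP2 project, checks a candidate exit file the way the chown and chmod above intend, and exercises the check on a throwaway file in three states. It assumes a Unix host; the required owner and group are parameters, with mqm:mqm as the default.

```python
"""Is this channel exit safe for the queue manager to load?

Added example, not from the post or the BlockIP2 project.  A security exit is
native code loaded into the channel process (running as mqm), so a file that
anyone other than mqm can write, or that sits in a directory anyone can write,
is a path to code execution as mqm.  Assumes a Unix host; the path and the
required owner/group are parameters (the post uses /var/mqm/exits64, mqm:mqm).
"""
import grp
import os
import pwd
import stat
import tempfile
from typing import Dict, List


def owner_name(uid: int) -> str:
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:                      # uid with no passwd entry (containers)
        return str(uid)


def group_name(gid: int) -> str:
    try:
        return grp.getgrgid(gid).gr_name
    except KeyError:
        return str(gid)


def exit_file_problems(path: str, owner: str = "mqm", group: str = "mqm") -> List[str]:
    """Empty list means the exit file and its directory pass every check."""
    problems: List[str] = []
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return [f"{path}: not found"]
    if stat.S_ISLNK(st.st_mode):
        return [f"{path}: is a symbolic link; the target can be swapped"]
    if not stat.S_ISREG(st.st_mode):
        return [f"{path}: not a regular file"]
    if owner_name(st.st_uid) != owner:
        problems.append(f"{path}: owned by {owner_name(st.st_uid)}, expected {owner}")
    if group_name(st.st_gid) != group:
        problems.append(f"{path}: group {group_name(st.st_gid)}, expected {group}")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append(f"{path}: mode {stat.S_IMODE(st.st_mode):o} is group/world writable")
    if not st.st_mode & stat.S_IXUSR:
        problems.append(f"{path}: not executable by its owner")
    parent = os.stat(os.path.dirname(os.path.abspath(path)))
    if parent.st_mode & stat.S_IWOTH and not parent.st_mode & stat.S_ISVTX:
        problems.append("exit directory is world writable: the file can be replaced")
    return problems


def demo() -> Dict[str, List[str]]:
    """Run the check on a throwaway file in three states; owner is the current user."""
    me = owner_name(os.getuid())
    results: Dict[str, List[str]] = {}
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "BlockIP2")
        with open(path, "wb") as f:
            f.write(b"\x7fELF")                    # placeholder bytes, not a real exit
        mygrp = group_name(os.stat(path).st_gid)
        os.chmod(path, 0o550)                      # as in the post: chmod 550
        results["hardened"] = exit_file_problems(path, me, mygrp)
        os.chmod(path, 0o775)                      # typical tar -x result under umask 002
        results["group_writable"] = exit_file_problems(path, me, mygrp)
        os.chmod(path, 0o550)
        os.chmod(d, 0o777)                         # anyone may replace the file
        results["open_directory"] = exit_file_problems(path, me, mygrp)
    return results
```

Run exit_file_problems("/var/mqm/exits64/BlockIP2") on the queue manager host after the chown and chmod; anything it returns is a finding worth fixing before the channel is altered to load the exit.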

Alter the channel to load the exit:

alt chl(SYSTEM.ADMIN.SVRCONN) chltype(SVRCONN) +
    scyexit('BlockIP2(BlockExit)')

Example log entry for access denied by the exit:

cd /var/mqm/qmgrs/TEST2/errors
tail -f AMQERR01.LOG

Result:

02/05/2013 09:45:42 AM - Process(9716.11) User(mqm) Program(amqrmppa)
                    Host(localhost.localdomain) Installation(Installation1)
                    VRMF(7.5.0.0) QMgr(TEST2)

AMQ9536: Channel ended by an exit.

EXPLANATION:
Channel program 'SYSTEM.ADMIN.SVRCONN' was ended by exit 'BlockIP2(BlockExit)'.
ACTION:
None.
----- amqrexta.c : 3297 -------------------------------------------------------

References:

http://www.webspheretools.com/sites/webspheretools.nsf/bycategory!openview&restricttocategory=websphere%20mq&count=5000

http://www.websphereusergroup.org/middlewarenews/blog/2012/06/19/requirements_for_remote_administration_using_the_websphere_mq_explorer_-_middleware_news

http://www-01.ibm.com/support/docview.wss?uid=swg21250706

3 Responses to MQ Explorer Security Examples
  1. http://pic.dhe.ibm.com/infocenter/wmqv7/v7r5/index.jsp?topic=%2Fcom.ibm.mq.helphome.doc%2Fwmq_helphome.html

    Authorization to use the WebSphere MQ Explorer

    Any user can use the WebSphere MQ Explorer, however certain authorities are required to connect, access, and manage queue managers.

    To perform local administrative tasks using the WebSphere MQ Explorer, a user is required to have the necessary authority to perform the administrative tasks. If the user is a member of the mqm group, the user has authority to perform all local administrative tasks.
    To connect to a remote queue manager and perform remote administrative tasks using the WebSphere MQ Explorer, the user executing the WebSphere MQ Explorer is required to have the following authorities:

    CONNECT authority on the target queue manager object
    INQUIRE authority on the target queue manager object
    DISPLAY authority to the target queue manager object
    INQUIRE authority to the queue, SYSTEM.MQEXPLORER.REPLY.MODEL
    DISPLAY authority to the queue, SYSTEM.MQEXPLORER.REPLY.MODEL
    INPUT authority to the queue, SYSTEM.MQEXPLORER.REPLY.MODEL
    OUTPUT authority to the queue, SYSTEM.ADMIN.COMMAND.QUEUE
    Authority to perform the action selected

  2. http://pic.dhe.ibm.com/infocenter/wmqv7/v7r5/index.jsp?topic=%2Fcom.ibm.mq.doc%2Fmq50095_.htm

    What you can do with the WebSphere MQ Explorer?

    With the WebSphere® MQ Explorer, you can:

    Create and delete a queue manager (on your local machine only).
    Start and stop a queue manager (on your local machine only).
    Define, display, and alter the definitions of WebSphere MQ objects such as queues and channels.
    Browse the messages on a queue.
    Start and stop a channel.
    View status information about a channel, listener, queue, or service objects.
    View queue managers in a cluster.
    Check to see which applications, users, or channels have a particular queue open.
    Create a new queue manager cluster using the Create New Cluster wizard.
    Add a queue manager to a cluster using the Add Queue Manager to Cluster wizard.
    Manage the authentication information object, used with Secure Sockets Layer (SSL) channel security.
    Create and delete channel initiators, trigger monitors, and listeners.
    Start or stop the command servers, channel initiators, trigger monitors, and listeners.
    Set specific services to start up automatically when a queue manager is started.
    Modify the properties of queue managers.
    Change the local default queue manager.
    Invoke the ikeyman GUI to manage secure sockets layer (SSL) certificates, associate certificates with queue managers, and configure and setup certificate stores (on your local machine only).
    Create JMS objects from WebSphere MQ objects, and WebSphere MQ objects from JMS objects.
    Create a JMS Connection Factory for any of the currently supported types.
    Modify the parameters for any service, such as the TCP port number for a listener, or a channel initiator queue name.
    Start or stop the service trace.

    You perform administration tasks using a series of Content Views and Property dialogs.

    Content View
    A Content View is a panel that can display the following:

    Attributes, and administrative options relating to WebSphere MQ itself.
    Attributes, and administrative options relating to one or more related objects.
    Attributes, and administrative options for a cluster.

