This guide started off on how to access a local QM on Linux using MQ Explorer.Then it morphed into a great little article on my experiences. In this article I cover how to allow connections from MQ Explorer and to secure what WMQ objects can be accessed. I thought it was about time I documented it. I always seem to forget all the parts required.
http://www-01.ibm.com/software/integration/wmq/explorer/
Upload to server and unzip
Run Setup.bin
Complete install, then install a JRE. To keep thing s simple you can install the WMQ JRE. I suppose you must have either trial version of WMQ or a full-version otherwise why would you be installing MQ Explorer to access a local Queue Manager?
Result:
| [root@localhost wmq75_install]# rpm -ivh MQSeriesJRE-7.5.0-0.x86_64.rpm Preparing… ########################################### [100%] 1:MQSeriesJRE ########################################### [100%] |
Locate the download by following links on:
then navigate to /op/ibm/WebSphere_MQ_Explorer
Once MQ Explorer is running:
2538 (09EA) (RC2538): MQRC_HOST_NOT_AVAILABLE
Explanation
An MQCONN call was issued from a client to connect to a queue manager but the attempt to allocate a conversation to the remote system failed. Common causes of this reason code are:
- The listener has not been started on the remote system.
- The connection name in the client channel definition is incorrect.
- The network is currently unavailable.
This is usually due to the Channels defined.
| DEFINE CHANNEL(SYSTEM.ADMIN.SVRCONN) CHLTYPE(SVRCONN) 1 : DEFINE CHANNEL(SYSTEM.ADMIN.SVRCONN) CHLTYPE(SVRCONN) AMQ8014: WebSphere MQ channel created. END |
Access is not permitted. You are not authorised to perform this operation (AMQ4306)
This should not be fixed with:
ALTER CHL(SYSTEM.ADMIN.SVRCONN) CHLTYPE(SVRCONN) MCAUSER(‘mqm’)
Specifying MCAUSER on the SVRCONN channel means that any application that connects using that channel will have the authority of the user specified on the channel, not the user id sent by the client application. If you specified mqm, which is mq’s adminstration user on unix/linux, this means any application connecting using that channel will have full authority on the queue manager.
The most common cause is that you are on a Windows machine and connecting as as specific user. most likely a domain user something like <Machine name>\<user name>
On my laptop (Windows Professional 7) I added my user account to the mqm goup on my Windows machine. We know that on Linux mqm group has access to the QM objects.
Note: Refresh security on queue manager once the SVRCONN channel types is added to the QM.
Next we also need to ensure that the user is given access
Viewing the logs, when trying to use MQ Explorer locally on the Linux machine. This can help use see what’s happening?
cd /var/mqm/qmgrs/TEST2/errors
| 02/05/2013 09:50:25 AM – Process(9716.12) User(mqm) Program(amqrmppa) Host(localhost.localdomain) Installation(Installation1) VRMF(7.5.0.0) QMgr(TEST2) AMQ9776: Channel was blocked by userid EXPLANATION: The inbound channel ‘SYSTEM.ADMIN.SVRCONN’ was blocked from address ‘127.0.0.1’ because the active values of the channel were mapped to a userid which should be blocked. The active values of the channel were ‘MCAUSER(mqm) CLNTUSER(mqm)’. ACTION: Contact the systems administrator, who should examine the channel authentication records to ensure that the correct settings have been configured. The ALTER QMGR CHLAUTH switch is used to control whether channel authentication records are used. The command DISPLAY CHLAUTH can be used to query the channel authentication records. 02/05/2013 09:50:25 AM – Process(9716.12) User(mqm) Program(amqrmppa) Host(localhost.localdomain) Installation(Installation1) VRMF(7.5.0.0) QMgr(TEST2) AMQ9999: Channel ‘SYSTEM.ADMIN.SVRCONN’ to host ‘localhost (127.0.0.1)’ ended abnormally. EXPLANATION: The channel program running under process ID 9716 for channel ‘SYSTEM.ADMIN.SVRCONN’ ended abnormally. The host name is ‘localhost (127.0.0.1)’; in some cases the host name cannot be determined and so is shown as ‘????’. ACTION: Look at previous error messages for the channel program in the error logs to determine the cause of the failure. Note that this message can be excluded completely or suppressed by tuning the “ExcludeMessage” or “SuppressMessage” attributes under the “QMErrorLog” stanza in qm.ini. Further information can be found in the System Administration Guide. —– amqrmrsa.c : 898 ——————————————————– |
There are several options at this point:
- If the customer wants the required userID to have full privileges over all MQ objects, add the userID to the mqm group on the UNIX machine, again using the O/S facilities to do so. In this case there is no further action required.
- An alternative method of giving full privileges is to set the MCAUSER attribute on the SVRCONN channel created at step 4 above to mqm. Do this by adding MCAUSER(‘mqm’) to the above runmqsc command. Again, no further action is required.
- If restricted access to MQ objects is required, further commands are necessary as below
We want to use option 3 as it is best for enterprise security. (use options 1 and 2, if security is of no concern)
Grant specific authority over MQ objects to the required userID
Issue these setmqaut commands to grant minimal authority to the userID:
We need to create and equivalent user on the linux box to match the Widows user
My windows user is called SteveRobinson, and I cannot have a username in Linux that contains spaces. So what do I do now? Well create a group called mqexplorer on my Windows desktop, add <myuser> “Steve Robinson” to this group. then modify mqauth to allow access form anyone in this group.
Creating the new Windows sgroup
We also need to create a matching group on Linux
| groupadd mqexplorer |
| setmqaut -m TEST2 -t qmgr -g mqexplorer +connect +inq +dsp setmqaut -m TEST2 -t q -n SYSTEM.DEFAULT.MODEL.QUEUE -g mqexplorer +inq +browse +get setmqaut -m TEST2 -t q -n SYSTEM.ADMIN.COMMAND.QUEUE -g mqexplorer +inq +put |
The purpose of these commands is:
1. Grant authority to access the qmgr
2. Grant authority to the client channel to get the command server reply messages
3. Grant authority to put messages onto the command server input queue
When we try to access we get the following error
| 2/05/2013 10:37:13 AM – Process(8945.70) User(mqm) Program(amqzlaa0) Host(localhost.localdomain) Installation(Installation1) VRMF(7.5.0.0) QMgr(TEST2) AMQ5653: The user ‘steve’ is not defined. EXPLANATION: The system call getpwnam(“steve”) failed with errno -1. ACTION: Create the user ‘steve’ and retry the operation. |
I guess MQ Explorer (Windows) is using the first part of my Windows user name. Let’s create a Linux user called steve and set the password as steve and add to mqexplorer group and see what happens.
| useradd -g mqexplorer steve |
| AMQ8077: Entity ‘steve robins’ has insufficient authority to access object ‘SYSTEM.MQEXPLORER.REPLY.MODEL’. EXPLANATION: The specified entity is not authorized to access the required object. The following requested permissions are unauthorized: inq ACTION: Ensure that the correct level of authority has been set for this entity against the required object, or ensure that the entity is a member of a privileged group. |
Ok, it is getting confused, so lets now manually tell MQ explorer to use steve
MQ Explorer cannot administer the queue manager because the user is not authorised to open the queue ‘SYSTEM.MQEXPLORER.REPLY.MODEL’. (AMQ4401)
MQ Explorer cannot administer the queue manager because the user is not authorised to open the queue ‘SYSTEM.MQEXPLORER.REPLY.MODEL’. (AMQ4401)
Severity: 10 (Warning)
Explanation: MQ Explorer uses the queue to administer this queue manager.
Response: Allow MQ Explorer to open the queue and retry.
| 02/05/2013 10:53:49 AM – Process(8945.74) User(mqm) Program(amqzlaa0) Host(localhost.localdomain) Installation(Installation1) VRMF(7.5.0.0) QMgr(TEST2) AMQ8077: Entity ‘steve ‘ has insufficient authority to access object ‘SYSTEM.MQEXPLORER.REPLY.MODEL’. EXPLANATION: The specified entity is not authorized to access the required object. The following requested permissions are unauthorized: inq ACTION: Ensure that the correct level of authority has been set for this entity against the required object, or ensure that the entity is a member of a privileged group. |
| setmqaut -m TEST2 -t q -n SYSTEM.MQEXPLORER.REPLY.MODEL -g mqexplorer +inq +browse +get +dsp |
Try again connecting from MQ Explorer on windows
OK we no successful connected, but lets try now with removing the QM named user
| AMQ8077: Entity ‘steve robins’ has insufficient authority to access object ‘SYSTEM.MQEXPLORER.REPLY.MODEL’. EXPLANATION: The specified entity is not authorized to access the required object. The following requested permissions are unauthorized: inq ACTION: Ensure that the correct level of authority has been set for this entity against the required object, or ensure that the entity is a member of a privileged group. —– amqzfubx.c : 624 ——————————————————– 02/05/2013 10:53:49 AM – Process(8945.74) User(mqm) Program(amqzlaa0) Host(localhost.localdomain) Installation(Installation1) VRMF(7.5.0.0) QMgr(TEST2) AMQ8077: Entity ‘steve ‘ has insufficient authority to access object ‘SYSTEM.MQEXPLORER.REPLY.MODEL’. EXPLANATION: The specified entity is not authorized to access the required object. The following requested permissions are unauthorized: inq ACTION: Ensure that the correct level of authority has been set for this entity against the required object, or ensure that the entity is a member of a privileged group. —– amqzfubx.c : 624 ——————————————————– |
Summary
Basically if your user id on Windows is a non acceptable Linux format ( 8 chars), then you need to create a user on Linux and then assign setmqauth security on objects either by using principle name or group name (Linux user must be in group). Then we name the use in the Connect to QM wizard and when MQExplorer connects it uses that user.
Note: Below are the commands for setting access to MQ objects for a named user as opposed to group
setmqaut -m MYQMGR -t qmgr -p myuser +connect +inq +dsp
setmqaut -m MYQMGR -t q -n SYSTEM.DEFAULT.MODEL.QUEUE -p myuser +inq +browse +get
setmqaut -m MYQMGR -t q -n SYSTEM.ADMIN.COMMAND.QUEUE -p myuser +inq +put
There is no point in adding users to groups in Windows unless IBM WebSphere MQ is installed on windows.
As I have always mentioned in other articles WMQ security is based on users and groups and you just have to think a bit harder when it comes to remote access from a Windows client.
Using the tips and tricks above, you will see that you will find you can connect, but you will be limited in what you can administer. As I mentioned earlier you can open up security. This article was more about connecting with the least amount of access, without creating a security hole. Often in moist cases we give full access and leave it that. But when you do want to secure WMQ for MQ Explorer access, then this is a great little article to help you get ideas.
Appendix
If you are interested in a clever security exit, you can use BlockIP to lock and even audit access to a QM.
http://www.mrmq.dk/index.htm?BlockIP2.htm
Block IP
You can also use blockip open source security exit tool to secure WMQ.
Installation
Download block IP from the site mentioned below in the appendix section
Upload the appropriate version for you system. My example is Linux 64 bit
Linux (Intel 64 bit)
Just untar BLOCKIP2.TAR from Linux_x86_64 subdir in /var/mqm/exits64, and you’re almost ready to go.
cd /var/mqm/exits64
tar -xvf BlockIP2.tar
You will need to change the owner using root authority:
| chown mqm:mqm /var/mqm/exits64/BlockIP2 chmod 550 /var/mqm/exits64/BlockIP2 |
Alter the channel
alt chl(SYSTEM.ADMIN.SVRCONN) chltype(SVRCONN) +
scyexit(‘BlockIP2(BlockExit)’)
Example Log for access denied
cd /var/mqm/qmgrs/TEST2/errors
tail -f AMQERR01.LOG
Result:
| 02/05/2013 09:45:42 AM – Process(9716.11) User(mqm) Program(amqrmppa) Host(localhost.localdomain) Installation(Installation1) VRMF(7.5.0.0) QMgr(TEST2) AMQ9536: Channel ended by an exit. EXPLANATION: Channel program ‘SYSTEM.ADMIN.SVRCONN’ was ended by exit ‘BlockIP2(BlockExit)’. ACTION: None. —– amqrexta.c : 3297 ——————————————————- |
References:
http://www-01.ibm.com/support/docview.wss?uid=swg21250706
3 Responses to MQ Explorer Security Examples
Leave a Reply
You must be logged in to post a comment.
WebSphere Application Server 8.5.5.x – Advanced Security Course
The WebSphere Application Server 8.5.5.x – Advanced Security Concepts course provides the student with a detailed example-based guide which takes the student through how to configure Global Security for a Standalone Repository for the express purpose of connecting WAS to Microsoft AD, and enabling Full Single Sign on. This course covers how to set up Windows 2012 Server as a Primary Domain Controller and enabled a Windows 8.1 workstation as part of the full-enabling and testing of a fully functioning SSO solution. Included in this course are Jython and shell scripts and even a Java Web Application that is used to prove that SSO is indeed working as intended
WebSphere Message Broker 8 Administration
Here the student learns through examples, one step at a time, the power of WebSphere Message Broker 8.0 an advanced ESB product from IBM.
WAS 8.5.5.x Essential Security Course
Only $149.99 Learn how to configure SSL for both WAS and IBM HTTP Server. Learn SSL insights not previously made available. Implement LDAP configurations using open source products. Automate Global Security configuration using Jython
WAS 8.5.5 Application Client Cookbook
This course was produced because I had many members of the public asking for support on how to connect an Application Client (Java client) to a secure WebSphere Application Server.
2015 ALL Courses – Bargain Bucket
This page provides the facility to purchase an elite membership, which grants you full access to all products published before and during 2015. You get perpetual access and access to the current courses.
WebSphere 8.5.5 Automation Course
WAS 8.5.5 Automation Course Do you need to save time automating manual WAS tasks? Have you ever wondered how to automate IBM Installation Manager? Ever needed to automate the installation of WAS 8.5.5.x and automate Upgrades and Roll-backs? The WebSphere Application Server 8.5.5.x Automation Course provides the student with a full set of guides and a set of commercial-grade automation scripts with detailed worked-examples.All 2014 Courses – Bargain Box
This page provides the facility to purchase an elite membership, which grants you full access to all products published before 2015. You get perpetual access and access to the current courses. As of 2014, there are 9 courses.
WebSphere Application Server 8.5 Administration course
WAS 8.5 Administration Course This course provides the student with the necessary skills to handle all sorts of administrative tasks on WebSphere Application Server Network Deployment version 8.5. The course material is practical and “hands-on” and covers a wide range of topics derived from industry experience. We have designed this course to include all the necessary instructions to install the product, try out various administrative tasks and can be used easily to refresh your knowledge after the course has been attended. The course also contains over 900 pages of “How To” guides and more than 300 Power Point slides along with Labs, resources and questions and answers.
WebSphere Portal 8 Administration Basics Course
IBM Portal 8 Administration Course
http://pic.dhe.ibm.com/infocenter/wmqv7/v7r5/index.jsp?topic=%2Fcom.ibm.mq.helphome.doc%2Fwmq_helphome.html
Authorization to use the WebSphere MQ Explorer
Any user can use the WebSphere MQ Explorer, however certain authorities are required to connect, access, and manage queue managers.
To perform local administrative tasks using the WebSphere MQ Explorer, a user is required to have the necessary authority to perform the administrative tasks. If the user is a member of the mqm group, the user has authority to perform all local administrative tasks.
To connect to a remote queue manager and perform remote administrative tasks using the WebSphere MQ Explorer, the user executing the WebSphere MQ Explorer is required to have the following authorities:
CONNECT authority on the target queue manager object
INQUIRE authority on the target queue manager object
DISPLAY authority to the target queue manager object
INQUIRE authority to the queue, SYSTEM.MQEXPLORER.REPLY.MODEL
DISPLAY authority to the queue, SYSTEM.MQEXPLORER.REPLY.MODEL
INPUT authority to the queue, SYSTEM.MQEXPLORER.REPLY.MODEL
OUTPUT authority to the queue, SYSTEM.ADMIN.COMMAND.QUEUE
Authority to perform the action selected
http://pic.dhe.ibm.com/infocenter/wmqv7/v7r5/index.jsp?topic=%2Fcom.ibm.mq.doc%2Fmq50095_.htm
What you can do with the WebSphere MQ Explorer?
With the WebSphere® MQ Explorer, you can:
Create and delete a queue manager (on your local machine only).
Start and stop a queue manager (on your local machine only).
Define, display, and alter the definitions of WebSphere MQ objects such as queues and channels.
Browse the messages on a queue.
Start and stop a channel.
View status information about a channel, listener, queue, or service objects.
View queue managers in a cluster.
Check to see which applications, users, or channels have a particular queue open.
Create a new queue manager cluster using the Create New Cluster wizard.
Add a queue manager to a cluster using the Add Queue Manager to Cluster wizard.
Manage the authentication information object, used with Secure Sockets Layer (SSL) channel security.
Create and delete channel initiators, trigger monitors, and listeners.
Start or stop the command servers, channel initiators, trigger monitors, and listeners.
Set specific services to start up automatically when a queue manager is started.
Modify the properties of queue managers.
Change the local default queue manager.
Invoke the ikeyman GUI to manage secure sockets layer (SSL) certificates, associate certificates with queue managers, and configure and setup certificate stores (on your local machine only).
Create JMS objects from WebSphere MQ objects, and WebSphere MQ objects from JMS objects.
Create a JMS Connection Factory for any of the currently supported types.
Modify the parameters for any service, such as the TCP port number for a listener, or a channel initiator queue name.
Start or stop the service trace.
You perform administration tasks using a series of Content Views and Property dialogs.
Content View
A Content View is a panel that can display the following:
Attributes, and administrative options relating to WebSphere MQ itself.
Attributes, and administrative options relating to one or more related objects.
Attributes, and administrative options for a cluster.
[…] http://www.themiddlewareshop.com/2013/02/05/mq-explorer-security-examples-2/ […]