
How can I disable Queue Manager security?


Scott Davis

Mar 2, 2004, 11:49:41 PM
For what I am doing, I don't want my Queue Manager (residing on a
Windows 2000 Server) to reject anyone trying to connect. Currently it
is rejecting any requests coming from users not defined locally. This
is especially silly since I'm trying to connect using a Unix client
with a Unix ID that wouldn't be defined on the Windows machine. In
any case, security (or lack thereof) is NOT an issue or a problem. I
just want to disable this user id check. How can I tell the Queue
Manager to behave thusly?
Thanks in advance for any kind responses.

Gunter Jeschawitz

Mar 3, 2004, 11:26:56 AM

You can disable the OAM.

Look in WebSphere MQ System Administration Guide:
Chapter 20: Authorization Service on Windows systems, Page 343 f.

Scott Davis

Mar 3, 2004, 8:33:20 PM
Gunter Jeschawitz <m...@jeschawitz.de> wrote in message news:<opr4any6...@news.software.ibm.com>...

> You can disable the OAM.
>
> Look in WebSphere MQ System Administration Guide:
> Chapter 20: Authorization Service on Windows systems, Page 343 f.

Thanks a lot - that's just what I needed!

Glenn Baddeley

Mar 3, 2004, 10:26:12 PM
Scott,

If the remote users are using MQ Client to connect to the Queue Manager,
just alter the SVRCONN channel definition to set the MCAUSER to a userid
which exists on the Windows box and has the required MQ security
authority.

Glenn.

Scott Davis

Mar 4, 2004, 12:51:57 PM
"Glenn Baddeley" <glenn.b...@team.telstra.com> wrote in message news:<c267kk$6jk$1...@mws-stat-syd.cdn.telstra.com.au>...

> Scott,
>
> If the remote users are using MQ Client to connect to the Queue Manager,
> just alter the SVRCONN channel definition to set the MCAUSER to a userid
> which exists on the Windows box and has the required MQ security
> authority.
>
> Glenn.
>

Another excellent idea if users are unwilling to remove the security
service from the Queue Manager. I can add a UI field for this value
in my app, but where/how do I set it?

I have code that currently looks like this...

---

MQOD init_mq_object = {MQOD_DEFAULT} ;
MQCD init_mq_channel_definition = {MQCD_CLIENT_CONN_DEFAULT} ;
MQCNO init_mq_connect_options = {MQCNO_DEFAULT} ;
MQLONG mq_open_options ;

/* Start each working structure from its default initializer. */
mq_object = init_mq_object ;
mq_channel_definition = init_mq_channel_definition ;
mq_connect_options = init_mq_connect_options ;

/* Bounded copy: ObjectName is a fixed-length MQCHAR48 field. */
strncpy(mq_object.ObjectName, TEXTA("SomeMessageQueueNameHere"),
MQ_Q_NAME_LENGTH) ;

strncpy(mq_channel_definition.ConnectionName,
TEXTA("SomeHost(SomePort)"), MQ_CONN_NAME_LENGTH) ;
strncpy(mq_channel_definition.ChannelName,
TEXTA("SYSTEM.DEF.SVRCONN"), MQ_CHANNEL_NAME_LENGTH) ;

/* ClientConnPtr is only honoured from MQCNO version 2 onwards. */
mq_connect_options.Version = MQCNO_VERSION_2 ;
mq_connect_options.ClientConnPtr = &mq_channel_definition ;

mq_open_options = MQOO_INPUT_SHARED + MQOO_FAIL_IF_QUIESCING ;

/* Connect as a client using the channel definition above. */
MQCONNX(TEXTA("SomeQueueManagerNameHere"), &mq_connect_options,
&qm_handle, &mq_return_code, &mq_error_number) ;

/* Open the queue for shared input on that connection. */
MQOPEN(qm_handle, &mq_object, mq_open_options, &mq_handle,
&mq_return_code, &mq_error_number) ;

---

There are quite a few fields in the Channel Definition structure
(MQCD) that look like I can put a username in them:

MCAName
UserIdentifier
MCAUserIdentifier
RemoteUserIdentifier
LongMCAUserIdPtr
LongRemoteUserIdPtr
MCASecurityId
RemoteSecurityId

After reading the docs I am still unsure which one(s) to use.

Michael

Mar 4, 2004, 1:49:34 PM

That way ANYONE can connect to that queue, look at BlockIP2 to put
additional security back on!
For more info and download see http://www.mrmq.dk/index.htm?BlockIP.htm

Michael

"Glenn Baddeley" <glenn.b...@team.telstra.com> wrote in message
news:c267kk$6jk$1...@mws-stat-syd.cdn.telstra.com.au...

Glenn Baddeley

Mar 4, 2004, 8:22:29 PM

Even before my mod anyone could connect to that qmgr, from a bogus
system and masquerade as a valid user on the qmgr system. MQ Client
security is virtually nonexistent, unless a security exit is used
(some ISVs provide this soln), IP blocking s/w is used, or WMQ 5.3
SSL is used.

Glenn.
