As of version 7.1 of MQ, the default security configuration is more restrictive, so it will probably need to be modified further before you can get a successful connection via a channel that has MCAUSER('mqm').
Refer to the WebSphere MQ documentation for further information if you still want to use the 'mqm' user. It is recommended that you create a new user for LAMAXU to use and apply the OAM authorities as described below.
Please replace the values below with the correct ones for your installation.
{qmgr} Queue Manager Name
{User} The MQ user being used by Lamaxu
Enable Queue Manager Monitoring and Statistics
Use the MQSC commands below to modify the queue manager configuration and restart the LAMAXU agent.
ALTER QMGR CHLEV(ENABLED) +
MONCHL(MEDIUM) +
MONQ(MEDIUM) +
PERFMEV(ENABLED) +
STATCHL(MEDIUM) +
STATQ(ON) +
STATINT(60) +
FORCE
Define the Lamaxu Channel
For the purposes of this example the username 'lamaxu' has been used.
DEFINE CHANNEL('LAMAXU.CHANNEL') CHLTYPE(SVRCONN) MCAUSER('lamaxu')
MQ8/9 Unauthenticated Setup
ALTER AUTHINFO('SYSTEM.DEFAULT.AUTHINFO.IDPWOS') AUTHTYPE(IDPWOS) CHCKCLNT(OPTIONAL)
REFRESH SECURITY TYPE(CONNAUTH)
ALTER QMGR CHLAUTH(DISABLED)
MQ8/9 Authenticated Setup
The commands below are MQ 'runmqsc' commands that need to be executed by an MQ privileged user, like the 'mqm' user.
ALTER QMGR CONNAUTH(USE.PW) CHLAUTH(DISABLED)
* USE.PW is not a default object, so it is created with DEFINE (use ALTER only if it already exists)
DEFINE AUTHINFO(USE.PW) +
AUTHTYPE(IDPWOS) +
FAILDLAY(10) +
CHCKLOCL(OPTIONAL) +
CHCKCLNT(REQUIRED)
REFRESH SECURITY TYPE(CONNAUTH)
Setmqaut OAM Commands
OAM Configuration for Objects
The Lamaxu agent needs to be granted access to the following queue manager objects in order to work.
setmqaut -m {qmgr} -t qmgr -p {User} +connect +dsp +inq
setmqaut -m {qmgr} -n SYSTEM.ADMIN.COMMAND.QUEUE -t queue -p {User} +put +dsp +inq
setmqaut -m {qmgr} -n SYSTEM.DEFAULT.MODEL.QUEUE -t queue -p {User} +get +dsp
setmqaut -m {qmgr} -n SYSTEM.MQEXPLORER.REPLY.MODEL -t queue -p {User} +get +dsp +inq
setmqaut -m {qmgr} -n "**" -t queue -p {User} +inq +dsp
setmqaut -m {qmgr} -n "**" -t topic -p {User} +dsp
setmqaut -m {qmgr} -n "**" -t channel -p {User} +dsp
setmqaut -m {qmgr} -n "**" -t authinfo -p {User} +dsp
setmqaut -m {qmgr} -n "**" -t clntconn -p {User} +dsp
setmqaut -m {qmgr} -n "**" -t comminfo -p {User} +dsp
setmqaut -m {qmgr} -n "**" -t listener -p {User} +dsp
setmqaut -m {qmgr} -n "**" -t namelist -p {User} +dsp
setmqaut -m {qmgr} -n "**" -t process -p {User} +dsp
setmqaut -m {qmgr} -n "**" -t service -p {User} +dsp
OAM Configuration for Events, Accounting and Statistics
The Lamaxu agent needs to be granted access to the following queue manager event queues in order to work.
setmqaut -m {qmgr} -n SYSTEM.ADMIN.CHANNEL.EVENT -t queue -p {User} +get +dsp +inq +browse
setmqaut -m {qmgr} -n SYSTEM.ADMIN.COMMAND.EVENT -t queue -p {User} +get +dsp +inq +browse
setmqaut -m {qmgr} -n SYSTEM.ADMIN.CONFIG.EVENT -t queue -p {User} +get +dsp +inq +browse
setmqaut -m {qmgr} -n SYSTEM.ADMIN.LOGGER.EVENT -t queue -p {User} +get +dsp +inq +browse
setmqaut -m {qmgr} -n SYSTEM.ADMIN.PERFM.EVENT -t queue -p {User} +get +dsp +inq +browse
setmqaut -m {qmgr} -n SYSTEM.ADMIN.PUBSUB.EVENT -t queue -p {User} +get +dsp +inq +browse
setmqaut -m {qmgr} -n SYSTEM.ADMIN.QMGR.EVENT -t queue -p {User} +get +dsp +inq +browse
setmqaut -m {qmgr} -n SYSTEM.ADMIN.STATISTICS.QUEUE -t queue -p {User} +get +dsp +inq +browse
setmqaut -m {qmgr} -n SYSTEM.ADMIN.ACCOUNTING.QUEUE -t queue -p {User} +get +dsp +inq +browse
setmqaut -m {qmgr} -n SYSTEM.ADMIN.TRACE.ACTIVITY.QUEUE -t queue -p {User} +get +dsp +inq +browse
setmqaut -m {qmgr} -n SYSTEM.ADMIN.TRACE.ROUTE.QUEUE -t queue -p {User} +get +dsp +inq +browse
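After applying the setmqaut commands in the two sections above, the grants can be verified with dspmqaut. The script below is an added example (not Lamaxu's or IBM's code) that parses dspmqaut-style output and compares it with the minimum authorities listed on this page, reporting anything missing, anything extra, and any privileged authority a read-only monitoring identity should not hold. The queue manager name QM1, the user lamaxu and the sample output are constructed for the example.

```python
import re

# Minimum authorities transcribed from the setmqaut commands above; add the
# remaining objects in the same form. Queue manager name QM1 is an assumption.
EXPECTED = {
    ("qmgr", "QM1"): {"connect", "dsp", "inq"},
    ("queue", "SYSTEM.ADMIN.COMMAND.QUEUE"): {"put", "dsp", "inq"},
    ("queue", "SYSTEM.DEFAULT.MODEL.QUEUE"): {"get", "dsp"},
    ("queue", "SYSTEM.ADMIN.CHANNEL.EVENT"): {"get", "dsp", "inq", "browse"},
}
# Authorities a read-only monitoring identity has no reason to hold.
PRIVILEGED = {"set", "setall", "setid", "chg", "dlt", "crt", "ctrl", "ctrlx", "altusr"}
HEADER = re.compile(r"has the following authorizations for object (\S+):")

def parse_dspmqaut(objtype, output):
    """Parse concatenated dspmqaut reports produced for one object type (-t objtype)."""
    grants, current = {}, None
    for line in output.splitlines():
        m = HEADER.search(line)
        if m:
            current = (objtype, m.group(1))
            grants[current] = set()
        elif current and line.strip():
            grants[current].add(line.strip().lower())
    return grants

def audit(actual, expected=EXPECTED):
    """Return 'type:name:auth' entries that are missing, extra, or privileged."""
    report = {"missing": [], "excess": [], "privileged": []}
    for key, need in expected.items():
        have = actual.get(key, set())
        report["missing"] += [f"{key[0]}:{key[1]}:{a}" for a in sorted(need - have)]
        report["excess"] += [f"{key[0]}:{key[1]}:{a}" for a in sorted(have - need)]
    for key, have in actual.items():
        report["privileged"] += [f"{key[0]}:{key[1]}:{a}" for a in sorted(have & PRIVILEGED)]
    return report

# Constructed sample output in dspmqaut's format (not captured from a real system).
SAMPLE_QMGR = "Entity lamaxu has the following authorizations for object QM1:\n    connect\n    dsp\n    inq\n"
SAMPLE_QUEUES = "\n".join([
    "Entity lamaxu has the following authorizations for object SYSTEM.ADMIN.COMMAND.QUEUE:",
    "    put", "    dsp", "    inq",
    "Entity lamaxu has the following authorizations for object SYSTEM.DEFAULT.MODEL.QUEUE:",
    "    dsp",
    "Entity lamaxu has the following authorizations for object SYSTEM.ADMIN.CHANNEL.EVENT:",
    "    get", "    dsp", "    inq", "    browse", "    setall",
])

def run_sample():
    actual = dict(parse_dspmqaut("qmgr", SAMPLE_QMGR))
    actual.update(parse_dspmqaut("queue", SAMPLE_QUEUES))
    return audit(actual)  # missing: model queue 'get'; excess/privileged: 'setall'
```

Feed it the real output of `dspmqaut -m {qmgr} -t qmgr -p {User}` and `dspmqaut -m {qmgr} -n <queue> -t queue -p {User}` for each queue; note that dspmqaut shows effective authority, so an extra entry may be inherited from a generic profile rather than granted directly.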
AUTHREC OAM Authorities
** OAM Configuration for EVENTS and Activity Trace
SET AUTHREC +
PROFILE('SYSTEM.ADMIN.CHANNEL.EVENT') +
GROUP('{userName}') +
OBJTYPE(QUEUE) +
AUTHADD(BROWSE,DSP,GET,INQ)
*
SET AUTHREC +
PROFILE('SYSTEM.ADMIN.COMMAND.EVENT') +
GROUP('{userName}') +
OBJTYPE(QUEUE) +
AUTHADD(BROWSE,DSP,GET,INQ)
*
SET AUTHREC +
PROFILE('SYSTEM.ADMIN.CONFIG.EVENT') +
GROUP('{userName}') +
OBJTYPE(QUEUE) +
AUTHADD(BROWSE,DSP,GET,INQ)
*
SET AUTHREC +
PROFILE('SYSTEM.ADMIN.LOGGER.EVENT') +
GROUP('{userName}') +
OBJTYPE(QUEUE) +
AUTHADD(BROWSE,DSP,GET,INQ)
*
SET AUTHREC +
PROFILE('SYSTEM.ADMIN.PERFM.EVENT') +
GROUP('{userName}') +
OBJTYPE(QUEUE) +
AUTHADD(BROWSE,DSP,GET,INQ)
*
SET AUTHREC +
PROFILE('SYSTEM.ADMIN.PUBSUB.EVENT') +
GROUP('{userName}') +
OBJTYPE(QUEUE) +
AUTHADD(BROWSE,DSP,GET,INQ)
*
SET AUTHREC +
PROFILE('SYSTEM.ADMIN.QMGR.EVENT') +
GROUP('{userName}') +
OBJTYPE(QUEUE) +
AUTHADD(BROWSE,DSP,GET,INQ)
*
SET AUTHREC +
PROFILE('SYSTEM.ADMIN.STATISTICS.QUEUE') +
GROUP('{userName}') +
OBJTYPE(QUEUE) +
AUTHADD(BROWSE,DSP,GET,INQ)
*
SET AUTHREC +
PROFILE('SYSTEM.ADMIN.ACCOUNTING.QUEUE') +
GROUP('{userName}') +
OBJTYPE(QUEUE) +
AUTHADD(BROWSE,DSP,GET,INQ)
*
SET AUTHREC +
PROFILE('SYSTEM.ADMIN.TRACE.ACTIVITY.QUEUE') +
GROUP('{userName}') +
OBJTYPE(QUEUE) +
AUTHADD(BROWSE,DSP,GET,INQ)
*
SET AUTHREC +
PROFILE('SYSTEM.ADMIN.TRACE.ROUTE.QUEUE') +
GROUP('{userName}') +
OBJTYPE(QUEUE) +
AUTHADD(BROWSE,DSP,GET,INQ)
*
** OAM Configuration for Objects
SET AUTHREC +
PROFILE('SYSTEM.ADMIN.COMMAND.QUEUE') +
GROUP('{userName}') +
OBJTYPE(QUEUE) +
AUTHADD(DSP,PUT,INQ)
*
SET AUTHREC +
PROFILE('SYSTEM.DEFAULT.MODEL.QUEUE') +
GROUP('{userName}') +
OBJTYPE(QUEUE) +
AUTHADD(DSP,GET,INQ)
*
SET AUTHREC +
PROFILE('SYSTEM.MQEXPLORER.REPLY.MODEL') +
GROUP('{userName}') +
OBJTYPE(QUEUE) +
AUTHADD(DSP,GET,INQ)
*
SET AUTHREC +
GROUP('{userName}') +
OBJTYPE(QMGR) +
AUTHADD(CONNECT,INQ)
*
SET AUTHREC +
PROFILE(**) +
GROUP('{userName}') +
OBJTYPE(QUEUE) +
AUTHADD(DSP,INQ)
*
SET AUTHREC +
PROFILE(**) +
GROUP('{userName}') +
OBJTYPE(TOPIC) +
AUTHADD(DSP)
*
SET AUTHREC +
PROFILE(**) +
GROUP('{userName}') +
OBJTYPE(CHANNEL) +
AUTHADD(DSP)
*
SET AUTHREC +
PROFILE(**) +
GROUP('{userName}') +
OBJTYPE(AUTHINFO) +
AUTHADD(DSP)
*
SET AUTHREC +
PROFILE(**) +
GROUP('{userName}') +
OBJTYPE(CLNTCONN) +
AUTHADD(DSP)
*
SET AUTHREC +
PROFILE(**) +
GROUP('{userName}') +
OBJTYPE(COMMINFO) +
AUTHADD(DSP)
*
SET AUTHREC +
PROFILE(**) +
GROUP('{userName}') +
OBJTYPE(LISTENER) +
AUTHADD(DSP)
*
SET AUTHREC +
PROFILE(**) +
GROUP('{userName}') +
OBJTYPE(NAMELIST) +
AUTHADD(DSP)
*
SET AUTHREC +
PROFILE(**) +
GROUP('{userName}') +
OBJTYPE(PROCESS) +
AUTHADD(DSP)
*
SET AUTHREC +
PROFILE(**) +
GROUP('{userName}') +
OBJTYPE(SERVICE) +
AUTHADD(DSP)
ZOS RACF Commands for Events, Accounting and Statistics
Generic Display
PE {QMGR}.DISPLAY.* CLASS(MQCMDS) ID({USER}) ACCESS(READ)
Event Queues
PE {QMGR}.SYSTEM.ADMIN.CHANNEL.EVENT CLASS(MQQUEUE) ID({USER}) ACCESS(UPDATE)
PE {QMGR}.SYSTEM.ADMIN.COMMAND.EVENT CLASS(MQQUEUE) ID({USER}) ACCESS(UPDATE)
PE {QMGR}.SYSTEM.ADMIN.CONFIG.EVENT CLASS(MQQUEUE) ID({USER}) ACCESS(UPDATE)
PE {QMGR}.SYSTEM.ADMIN.PERFM.EVENT CLASS(MQQUEUE) ID({USER}) ACCESS(UPDATE)
PE {QMGR}.SYSTEM.ADMIN.QMGR.EVENT CLASS(MQQUEUE) ID({USER}) ACCESS(UPDATE)
PE {QMGR}.SYSTEM.ADMIN.ACTIVITY.QUEUE CLASS(MQQUEUE) ID({USER}) ACCESS(UPDATE)
PE {QMGR}.SYSTEM.ADMIN.TRACE.ROUTE.QUEUE CLASS(MQQUEUE) ID({USER}) ACCESS(UPDATE)
Model and Command Queues
PE {QMGR}.SYSTEM.COMMAND.REPLY.MODEL CLASS(MQQUEUE) ID({USER}) ACCESS(UPDATE)
PE {QMGR}.SYSTEM.DEFAULT.MODEL.QUEUE CLASS(MQQUEUE) ID({USER}) ACCESS(UPDATE)
PE {QMGR}.SYSTEM.ADMIN.CHANNEL.EVENT CLASS(MQQUEUE) ID({USER}) ACCESS(UPDATE)
PE {QMGR}.AMQ.MQEXPLORER.* CLASS(MQQUEUE) ID({USER}) ACCESS(UPDATE)
PE {QMGR}.SYSTEM.MQEXPLORER.REPLY.MODEL CLASS(MQQUEUE) ID({USER}) ACCESS(UPDATE)
Statistics
PE {QMGR}.RESET.* CLASS(MQCMDS) ID({USER}) ACCESS(CONTROL)
PE {QMGR}.QUEUE.* CLASS(MQADMIN) ID({USER}) ACCESS(CONTROL)
SETR GENERIC(MQCMDS) REFRESH
SETR GENERIC(MQADMIN) REF
SETR RACLIST(MQADMIN) REF
MQ command
REFRESH SECURITY
Multi-Instance Queue Managers
Queue Manager SSL Configuration
Open a web browser and navigate to the Lamaxu Admin page.
For example, http://localhost:8085/admin/dashboard/#/mq/admin (the default username and password are admin/password).
Navigate to the 'Queue Managers' tab and enter the required Cipher Suite into the Cipher input box. Note that the Cipher Suite used must match the CipherSpec on the MQ channel.
To Import a Trust Certificate
keytool -importcert -file mycert.txt -keystore truststore.jks -alias mycert
Where mycert.txt is your trust certificate.
Recommended CipherSpecs and Equivalent CipherSuites
https://www.ibm.com/support/knowledgecenter/en/SSFKSJ_8.0.0/com.ibm.mq.dev.doc/q113210_.htm
MQ CipherSpec | Equivalent CipherSuite (Oracle JRE) | Protocol |
---|---|---|
TLS_RSA_WITH_AES_128_CBC_SHA | TLS_RSA_WITH_AES_128_CBC_SHA | TLS v1 |
TLS_RSA_WITH_AES_128_CBC_SHA256 | TLS_RSA_WITH_AES_128_CBC_SHA256 | TLS v1.2 |
TLS_RSA_WITH_AES_256_CBC_SHA | TLS_RSA_WITH_AES_256_CBC_SHA | TLS v1 |
TLS_RSA_WITH_AES_256_CBC_SHA256 | TLS_RSA_WITH_AES_256_CBC_SHA256 | TLS v1.2 |
Defining a Private Keystore for Mutual SSL
Password Obfuscation
On Linux
/opt/queuemetrix/lamaxu.{version}/bin/obfuscate.sh password
Obfuscated password is: {obf}hZSGhoKah5E=
On Windows
The command below will obfuscate the password 'password'.
C:\Program Files (x86)\QueueMetrix\LAMAXU\bin>obfuscate.bat password
Obfuscated password is: {obf}hZSGhoKah5E=