As of version 7.1 of MQ, the default security configuration is more restrictive, so it will probably need further modification before you can connect successfully via a channel that has MCAUSER('mqm').
Refer to the WebSphere MQ documentation for further information if you still want to use the ‘mqm’ user. It is recommended that you create a new user for LAMAXU to use and apply the OAM authorities as described below.
Please replace the values below with the correct ones for your installation.
{qmgr} Queue Manager Name
{User} The MQ user being used by Lamaxu
Enable Queue Manager Monitoring and Statistics
The MONQ and MONCHL attributes must be set to MEDIUM or higher to enable MQ to publish the status and event information.
Use the MQSC commands below to modify the queue manager configuration and restart the LAMAXU agent.
ALTER QMGR CHLEV(ENABLED) +
MONCHL(MEDIUM) +
MONQ(MEDIUM) +
PERFMEV(ENABLED) +
STATCHL(MEDIUM) +
STATQ(ON) +
FORCE
Define the Lamaxu Channel
For the purposes of this example the username 'lamaxu' has been used.
DEFINE CHANNEL('LAMAXU.CHANNEL') CHLTYPE(SVRCONN) MCAUSER('lamaxu')
MQ8/9 Unauthenticated Setup
To disable the security on the SVRCONN channels, execute the runmqsc commands below.
Note: this should only be performed in DEV for testing purposes.
ALTER AUTHINFO('SYSTEM.DEFAULT.AUTHINFO.IDPWOS') AUTHTYPE(IDPWOS) CHCKCLNT(OPTIONAL)
REFRESH SECURITY TYPE(CONNAUTH)
ALTER QMGR CHLAUTH(DISABLED)
MQ8/9 Authenticated Setup
To enable username/password authentication on the queue manager, the changes below need to be made to the queue manager configuration.
NOTE: The CHLAUTH(DISABLED) command below is required to disable the IP address filtering on CLIENT channels that MQ has enabled by default. Disabling CHLAUTH does not disable username/password checks. I suspect this may be the cause of your issues.
The commands below are MQ 'runmqsc' commands that need to be executed by an MQ privileged user, like the 'mqm' user.
ALTER QMGR CONNAUTH(USE.PW) CHLAUTH(DISABLED)
ALTER AUTHINFO(USE.PW) +
AUTHTYPE(IDPWOS) +
FAILDLAY(10) +
CHCKLOCL(OPTIONAL) +
CHCKCLNT(REQUIRED)
REFRESH SECURITY TYPE(CONNAUTH)
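The following is an added example, not part of the Lamaxu documentation: a small audit that reads an MQSC script and reports the settings this page marks as DEV-only (optional client passwords together with CHLAUTH(DISABLED)) or discouraged (a SVRCONN channel with MCAUSER('mqm')). The sample script, the 'OLD.ADMIN' channel name and the function names are constructed for illustration, and it assumes a queue manager that never sets CONNAUTH uses SYSTEM.DEFAULT.AUTHINFO.IDPWOS.

```python
import re

# Constructed sample: the page's DEV-only commands plus a hypothetical 'mqm' channel.
SAMPLE_MQSC = """\
DEFINE CHANNEL('LAMAXU.CHANNEL') CHLTYPE(SVRCONN) MCAUSER('lamaxu')
DEFINE CHANNEL('OLD.ADMIN') CHLTYPE(SVRCONN) +
       MCAUSER('mqm')
ALTER AUTHINFO('SYSTEM.DEFAULT.AUTHINFO.IDPWOS') AUTHTYPE(IDPWOS) CHCKCLNT(OPTIONAL)
REFRESH SECURITY TYPE(CONNAUTH)
ALTER QMGR CHLAUTH(DISABLED)
"""

# Assumption: with no CONNAUTH set in the script, this default object is in effect.
DEFAULT_CONNAUTH = "SYSTEM.DEFAULT.AUTHINFO.IDPWOS"
ATTR = re.compile(r"(\w+)\(\s*'?([^')]*)'?\s*\)")  # KEYWORD(value) or KEYWORD('value')

def statements(script):
    """Join '+' continuation lines and yield (verb, object type, attributes)."""
    joined = re.sub(r"\+[ \t]*\n", " ", script)
    for line in joined.splitlines():
        words = line.split()
        if len(words) < 2:
            continue
        attrs = {k.upper(): v.strip() for k, v in ATTR.findall(line)}
        yield words[0].upper(), words[1].split("(")[0].upper(), attrs

def audit(script):
    """Return findings for settings the page marks as DEV-only or discouraged."""
    qmgr, authinfo, findings = {}, {}, []
    for _verb, objtype, attrs in statements(script):
        if objtype == "QMGR":
            qmgr.update(attrs)
        elif objtype == "AUTHINFO":
            authinfo.setdefault(attrs.get("AUTHINFO", ""), {}).update(attrs)
        elif objtype == "CHANNEL" and attrs.get("CHLTYPE") == "SVRCONN":
            if attrs.get("MCAUSER", "").lower() == "mqm":
                findings.append(f"{attrs['CHANNEL']}: SVRCONN runs as privileged user 'mqm'")
    # Judge only the AUTHINFO object that CONNAUTH points at, and only if the script sets it.
    active = authinfo.get(qmgr.get("CONNAUTH") or DEFAULT_CONNAUTH, {})
    chckclnt = active.get("CHCKCLNT")
    if chckclnt is not None and chckclnt.upper() != "REQUIRED":
        findings.append(f"CONNAUTH: CHCKCLNT({chckclnt}) does not require client passwords")
        if qmgr.get("CHLAUTH", "").upper() == "DISABLED":
            findings.append("QMGR: CHLAUTH(DISABLED) with optional passwords is the DEV-only setup")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_MQSC):
        print(finding)
```

Run against the authenticated commands above, the same audit reports nothing, because CHCKCLNT(REQUIRED) is set on the AUTHINFO object named by CONNAUTH.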
Setmqaut OAM Commands
OAM Configuration for Objects
The Lamaxu agent needs to be granted access to the following queue manager objects to enable it to work.
setmqaut -m {qmgr} -t qmgr -p {User} +connect +dsp +inq
setmqaut -m {qmgr} -n SYSTEM.ADMIN.COMMAND.QUEUE -t queue -p {User} +put +dsp +inq
setmqaut -m {qmgr} -n SYSTEM.DEFAULT.MODEL.QUEUE -t queue -p {User} +get +dsp
setmqaut -m {qmgr} -n SYSTEM.MQEXPLORER.REPLY.MODEL -t queue -p {User} +get +dsp +inq
setmqaut -m {qmgr} -n "**" -t queue -p {User} +inq +dsp
setmqaut -m {qmgr} -n "**" -t topic -p {User} +dsp
setmqaut -m {qmgr} -n "**" -t channel -p {User} +dsp
setmqaut -m {qmgr} -n "**" -t authinfo -p {User} +dsp
setmqaut -m {qmgr} -n "**" -t clntconn -p {User} +dsp
setmqaut -m {qmgr} -n "**" -t comminfo -p {User} +dsp
setmqaut -m {qmgr} -n "**" -t listener -p {User} +dsp
setmqaut -m {qmgr} -n "**" -t namelist -p {User} +dsp
setmqaut -m {qmgr} -n "**" -t process -p {User} +dsp
setmqaut -m {qmgr} -n "**" -t service -p {User} +dsp
OAM Configuration for Events, Accounting and Statistics
The Lamaxu agent needs to be granted access to the following queue manager event queues to enable it to work.
setmqaut -m {qmgr} -n SYSTEM.ADMIN.CHANNEL.EVENT -t queue -p {User} +get +dsp +inq +browse
setmqaut -m {qmgr} -n SYSTEM.ADMIN.COMMAND.EVENT -t queue -p {User} +get +dsp +inq +browse
setmqaut -m {qmgr} -n SYSTEM.ADMIN.CONFIG.EVENT -t queue -p {User} +get +dsp +inq +browse
setmqaut -m {qmgr} -n SYSTEM.ADMIN.LOGGER.EVENT -t queue -p {User} +get +dsp +inq +browse
setmqaut -m {qmgr} -n SYSTEM.ADMIN.PERFM.EVENT -t queue -p {User} +get +dsp +inq +browse
setmqaut -m {qmgr} -n SYSTEM.ADMIN.PUBSUB.EVENT -t queue -p {User} +get +dsp +inq +browse
setmqaut -m {qmgr} -n SYSTEM.ADMIN.QMGR.EVENT -t queue -p {User} +get +dsp +inq +browse
setmqaut -m {qmgr} -n SYSTEM.ADMIN.STATISTICS.QUEUE -t queue -p {User} +get +dsp +inq +browse
setmqaut -m {qmgr} -n SYSTEM.ADMIN.ACCOUNTING.QUEUE -t queue -p {User} +get +dsp +inq +browse
setmqaut -m {qmgr} -n SYSTEM.ADMIN.TRACE.ACTIVITY.QUEUE -t queue -p {User} +get +dsp +inq +browse
setmqaut -m {qmgr} -n SYSTEM.ADMIN.TRACE.ROUTE.QUEUE -t queue -p {User} +get +dsp +inq +browse
MQSC OAM Authorities
z/OS RACF Commands for Events, Accounting and Statistics
PE {QMGR}.RESET.* CLASS(MQCMDS) ID({USER}) ACCESS(CONTROL)
PE {QMGR}.QUEUE.* CLASS(MQADMIN) ID({USER}) ACCESS(CONTROL)
SETR GENERIC(MQCMDS) REFRESH
SETR GENERIC(MQADMIN) REF
SETR RACLIST(MQADMIN) REF
MQ command
REFRESH SECURITY