I am in the process of "cloning" a queue manager on MQ v9 server using dmpmqcfg.

In MQ v8, dmpmqcfg.exe -m QMgr > fileName creates the entire backup of the queue manager including the 
SET AUTHREC:

SET AUTHREC +
PROFILE('queue name') +
PRINCIPAL('access group') +
OBJTYPE(QUEUE) +
AUTHADD(BROWSE,DSP,GET,INQ,PUT)

Running the same command in MQ v9 does not export these SET AUTH records.

I've even tried 
dmpmqcfg.exe -m QMgr -x all -t all > fileName and get the same information without the SET AUTH records.

Has dmpmqcfg changed between MQ 8 and MQ 9 that is no longer provides a complete dump of the queue manager any longer or are there options I need to include for the dmpmqcfg in MQ 9?

Thanks,

John Kaufman

------------------------------
John Kaufman
Systems Engineer IV

------------------------------

Hi John,

that certainly doesn't sound like correct behaviour. I've just tried it on a couple of v9 installation on linux and Windows, and they both include SET AUTHREC commands in the dump whether or not I include the -x all -t all options.

I couldn't find any v9 or v9.1 fixes that specifically talk about SET AUTHREC not being produced by dmpmqcfg, but there were quite a number of fixes that did related to dmpmqcfg.

Can you try it with the latest fix pack and see if it still happens?

Regards,

------------------------------
Neil Casey
Senior Consultant
Syntegrity Solutions
Melbourne, Victoria
IBM Champion (Cloud) 2019-20
+61 (0) 414 615 334
------------------------------

Original Message:
Sent: Thu July 02, 2020 03:36 PM
From: John Kaufman
Subject: MQ 8 dmpmqcfg vs MQ 9 dmpmqcfg

I am in the process of "cloning" a queue manager on MQ v9 server using dmpmqcfg.

In MQ v8, dmpmqcfg.exe -m QMgr > fileName creates the entire backup of the queue manager including the 
SET AUTHREC:

SET AUTHREC +
PROFILE('queue name') +
PRINCIPAL('access group') +
OBJTYPE(QUEUE) +
AUTHADD(BROWSE,DSP,GET,INQ,PUT)

Running the same command in MQ v9 does not export these SET AUTH records.

I've even tried 
dmpmqcfg.exe -m QMgr -x all -t all > fileName and get the same information without the SET AUTH records.

Has dmpmqcfg changed between MQ 8 and MQ 9 that is no longer provides a complete dump of the queue manager any longer or are there options I need to include for the dmpmqcfg in MQ 9?

Thanks,

John Kaufman

------------------------------
John Kaufman
Systems Engineer IV

------------------------------

Hi John,
due to changes in the security model of MQ9 cloning from MQ8 to 9 might not work as you expect it.
Exporting AUTHREC  still works
You may have to grant yourself permissions to access AUTH data.

dspmqver
Name: IBM MQ
Version: 9.1.4.0

dmpmqcfg
...
SET AUTHREC +
PROFILE('SYSTEM.ADMIN.QMGR.EVENT') +
GROUP('mqm@W10FINTECH') +
OBJTYPE(QUEUE) +
AUTHADD(BROWSE,CHG,CLR,DLT,DSP,GET,INQ,PUT,PASSALL,PASSID,SET,SETALL,SETID)

Usage: dmpmqcfg [-m QMgrName] [-n ObjName] [-t ObjType]
[-x ExportType] [-o Format] [-a] [-z]
[-s MsgSeqNo] [-q ReplyQName] [-r RemoteQMgrName]
[-u UserId] [-w NumSecs]
[-c default|-c DEFINE CHANNEL..]

-a Dump all attributes.
-c Client connection:
default, DEFINE CHANNEL(chlname) CHLTYPE(CLNTCONN) ...
-m Queue manager name.
-n Object name or a generic object name.
-o Format: mqsc, 1line, 2line, setmqaut, grtmqmaut, setmqspl.
-q Reply-to queue name, default SYSTEM.DEFAULT.MODEL.QUEUE.
-r Remote queue manager name (queued mode).
-s Reset channel message sequence number.
-t Object type:
all, authinfo, channel, clntconn, comminfo, listener,
mqttchl, namelist, process, queue, qmgr, service, topic.
-u UserId. If specified, a password is requested.
-w Timeout number of seconds
-x Export type:
all, authrec, chlauth, object, policy, sub.
-z Suppress warnings.

------------------------------
Matthias Jungbauer
------------------------------

Original Message:
Sent: Thu July 02, 2020 03:36 PM
From: John Kaufman
Subject: MQ 8 dmpmqcfg vs MQ 9 dmpmqcfg

I am in the process of "cloning" a queue manager on MQ v9 server using dmpmqcfg.

In MQ v8, dmpmqcfg.exe -m QMgr > fileName creates the entire backup of the queue manager including the 
SET AUTHREC:

SET AUTHREC +
PROFILE('queue name') +
PRINCIPAL('access group') +
OBJTYPE(QUEUE) +
AUTHADD(BROWSE,DSP,GET,INQ,PUT)

Running the same command in MQ v9 does not export these SET AUTH records.

I've even tried 
dmpmqcfg.exe -m QMgr -x all -t all > fileName and get the same information without the SET AUTH records.

Has dmpmqcfg changed between MQ 8 and MQ 9 that is no longer provides a complete dump of the queue manager any longer or are there options I need to include for the dmpmqcfg in MQ 9?

Thanks,

John Kaufman

------------------------------
John Kaufman
Systems Engineer IV

------------------------------

I'm curious about this change in the MQ security model between V8 and V9. It sounds like there is a new type of authorization you can grant yourself - to protect authority data - which is great! I'm struggling to find where this is described? I imagine it might be a new object type (-t) value on setmqaut, a bit like -t rqmname, for example -t authority, but I don't see any new types. I also don't see any description of protecting authority data in any of the descriptions of authority flags. Could you provide a bit more information about this?

Cheers,
Morag

------------------------------
Morag Hughson
MQ Technical Education Specialist
MQGem Software Limited
------------------------------

Original Message:
Sent: Tue July 07, 2020 07:42 AM
From: Matthias Jungbauer
Subject: MQ 8 dmpmqcfg vs MQ 9 dmpmqcfg

Hi John,
due to changes in the security model of MQ9 cloning from MQ8 to 9 might not work as you expect it.
Exporting AUTHREC  still works
You may have to grant yourself permissions to access AUTH data.

dspmqver
Name: IBM MQ
Version: 9.1.4.0

dmpmqcfg
...
SET AUTHREC +
PROFILE('SYSTEM.ADMIN.QMGR.EVENT') +
GROUP('mqm@W10FINTECH') +
OBJTYPE(QUEUE) +
AUTHADD(BROWSE,CHG,CLR,DLT,DSP,GET,INQ,PUT,PASSALL,PASSID,SET,SETALL,SETID)

Usage: dmpmqcfg [-m QMgrName] [-n ObjName] [-t ObjType]
[-x ExportType] [-o Format] [-a] [-z]
[-s MsgSeqNo] [-q ReplyQName] [-r RemoteQMgrName]
[-u UserId] [-w NumSecs]
[-c default|-c DEFINE CHANNEL..]

-a Dump all attributes.
-c Client connection:
default, DEFINE CHANNEL(chlname) CHLTYPE(CLNTCONN) ...
-m Queue manager name.
-n Object name or a generic object name.
-o Format: mqsc, 1line, 2line, setmqaut, grtmqmaut, setmqspl.
-q Reply-to queue name, default SYSTEM.DEFAULT.MODEL.QUEUE.
-r Remote queue manager name (queued mode).
-s Reset channel message sequence number.
-t Object type:
all, authinfo, channel, clntconn, comminfo, listener,
mqttchl, namelist, process, queue, qmgr, service, topic.
-u UserId. If specified, a password is requested.
-w Timeout number of seconds
-x Export type:
all, authrec, chlauth, object, policy, sub.
-z Suppress warnings.

------------------------------
Matthias Jungbauer

Original Message:
Sent: Thu July 02, 2020 03:36 PM
From: John Kaufman
Subject: MQ 8 dmpmqcfg vs MQ 9 dmpmqcfg

I am in the process of "cloning" a queue manager on MQ v9 server using dmpmqcfg.

In MQ v8, dmpmqcfg.exe -m QMgr > fileName creates the entire backup of the queue manager including the 
SET AUTHREC:

SET AUTHREC +
PROFILE('queue name') +
PRINCIPAL('access group') +
OBJTYPE(QUEUE) +
AUTHADD(BROWSE,DSP,GET,INQ,PUT)

Running the same command in MQ v9 does not export these SET AUTH records.

I've even tried 
dmpmqcfg.exe -m QMgr -x all -t all > fileName and get the same information without the SET AUTH records.

Has dmpmqcfg changed between MQ 8 and MQ 9 that is no longer provides a complete dump of the queue manager any longer or are there options I need to include for the dmpmqcfg in MQ 9?

Thanks,

John Kaufman

------------------------------
John Kaufman
Systems Engineer IV

------------------------------

If there were such a new authority (which I don't actually see why there should be personally). Wouldn't it show up in the error logs if Mr Kaufman didn't have them?

------------------------------
John Hawkins
CTO
Lightwell
------------------------------

Original Message:
Sent: Tue July 07, 2020 05:57 PM
From: Morag Hughson
Subject: MQ 8 dmpmqcfg vs MQ 9 dmpmqcfg

I'm curious about this change in the MQ security model between V8 and V9. It sounds like there is a new type of authorization you can grant yourself - to protect authority data - which is great! I'm struggling to find where this is described? I imagine it might be a new object type (-t) value on setmqaut, a bit like -t rqmname, for example -t authority, but I don't see any new types. I also don't see any description of protecting authority data in any of the descriptions of authority flags. Could you provide a bit more information about this?

Cheers,
Morag

------------------------------
Morag Hughson
MQ Technical Education Specialist
MQGem Software Limited

Original Message:
Sent: Tue July 07, 2020 07:42 AM
From: Matthias Jungbauer
Subject: MQ 8 dmpmqcfg vs MQ 9 dmpmqcfg

Hi John,
due to changes in the security model of MQ9 cloning from MQ8 to 9 might not work as you expect it.
Exporting AUTHREC  still works
You may have to grant yourself permissions to access AUTH data.

dspmqver
Name: IBM MQ
Version: 9.1.4.0

dmpmqcfg
...
SET AUTHREC +
PROFILE('SYSTEM.ADMIN.QMGR.EVENT') +
GROUP('mqm@W10FINTECH') +
OBJTYPE(QUEUE) +
AUTHADD(BROWSE,CHG,CLR,DLT,DSP,GET,INQ,PUT,PASSALL,PASSID,SET,SETALL,SETID)

Usage: dmpmqcfg [-m QMgrName] [-n ObjName] [-t ObjType]
[-x ExportType] [-o Format] [-a] [-z]
[-s MsgSeqNo] [-q ReplyQName] [-r RemoteQMgrName]
[-u UserId] [-w NumSecs]
[-c default|-c DEFINE CHANNEL..]

-a Dump all attributes.
-c Client connection:
default, DEFINE CHANNEL(chlname) CHLTYPE(CLNTCONN) ...
-m Queue manager name.
-n Object name or a generic object name.
-o Format: mqsc, 1line, 2line, setmqaut, grtmqmaut, setmqspl.
-q Reply-to queue name, default SYSTEM.DEFAULT.MODEL.QUEUE.
-r Remote queue manager name (queued mode).
-s Reset channel message sequence number.
-t Object type:
all, authinfo, channel, clntconn, comminfo, listener,
mqttchl, namelist, process, queue, qmgr, service, topic.
-u UserId. If specified, a password is requested.
-w Timeout number of seconds
-x Export type:
all, authrec, chlauth, object, policy, sub.
-z Suppress warnings.

------------------------------
Matthias Jungbauer

Original Message:
Sent: Thu July 02, 2020 03:36 PM
From: John Kaufman
Subject: MQ 8 dmpmqcfg vs MQ 9 dmpmqcfg

I am in the process of "cloning" a queue manager on MQ v9 server using dmpmqcfg.

In MQ v8, dmpmqcfg.exe -m QMgr > fileName creates the entire backup of the queue manager including the 
SET AUTHREC:

SET AUTHREC +
PROFILE('queue name') +
PRINCIPAL('access group') +
OBJTYPE(QUEUE) +
AUTHADD(BROWSE,DSP,GET,INQ,PUT)

Running the same command in MQ v9 does not export these SET AUTH records.

I've even tried 
dmpmqcfg.exe -m QMgr -x all -t all > fileName and get the same information without the SET AUTH records.

Has dmpmqcfg changed between MQ 8 and MQ 9 that is no longer provides a complete dump of the queue manager any longer or are there options I need to include for the dmpmqcfg in MQ 9?

Thanks,

John Kaufman

------------------------------
John Kaufman
Systems Engineer IV

------------------------------

Matt did not make any distinction between CD and LTS when he described the version difference, just 8 and 9.
So should not the answer be, run it all as privileged user and you don't have to worry?

------------------------------
FJ Brandelik
------------------------------

Original Message:
Sent: Tue July 07, 2020 05:57 PM
From: Morag Hughson
Subject: MQ 8 dmpmqcfg vs MQ 9 dmpmqcfg

I'm curious about this change in the MQ security model between V8 and V9. It sounds like there is a new type of authorization you can grant yourself - to protect authority data - which is great! I'm struggling to find where this is described? I imagine it might be a new object type (-t) value on setmqaut, a bit like -t rqmname, for example -t authority, but I don't see any new types. I also don't see any description of protecting authority data in any of the descriptions of authority flags. Could you provide a bit more information about this?

Cheers,
Morag

------------------------------
Morag Hughson
MQ Technical Education Specialist
MQGem Software Limited

Original Message:
Sent: Tue July 07, 2020 07:42 AM
From: Matthias Jungbauer
Subject: MQ 8 dmpmqcfg vs MQ 9 dmpmqcfg

Hi John,
due to changes in the security model of MQ9 cloning from MQ8 to 9 might not work as you expect it.
Exporting AUTHREC  still works
You may have to grant yourself permissions to access AUTH data.

dspmqver
Name: IBM MQ
Version: 9.1.4.0

dmpmqcfg
...
SET AUTHREC +
PROFILE('SYSTEM.ADMIN.QMGR.EVENT') +
GROUP('mqm@W10FINTECH') +
OBJTYPE(QUEUE) +
AUTHADD(BROWSE,CHG,CLR,DLT,DSP,GET,INQ,PUT,PASSALL,PASSID,SET,SETALL,SETID)

Usage: dmpmqcfg [-m QMgrName] [-n ObjName] [-t ObjType]
[-x ExportType] [-o Format] [-a] [-z]
[-s MsgSeqNo] [-q ReplyQName] [-r RemoteQMgrName]
[-u UserId] [-w NumSecs]
[-c default|-c DEFINE CHANNEL..]

-a Dump all attributes.
-c Client connection:
default, DEFINE CHANNEL(chlname) CHLTYPE(CLNTCONN) ...
-m Queue manager name.
-n Object name or a generic object name.
-o Format: mqsc, 1line, 2line, setmqaut, grtmqmaut, setmqspl.
-q Reply-to queue name, default SYSTEM.DEFAULT.MODEL.QUEUE.
-r Remote queue manager name (queued mode).
-s Reset channel message sequence number.
-t Object type:
all, authinfo, channel, clntconn, comminfo, listener,
mqttchl, namelist, process, queue, qmgr, service, topic.
-u UserId. If specified, a password is requested.
-w Timeout number of seconds
-x Export type:
all, authrec, chlauth, object, policy, sub.
-z Suppress warnings.

------------------------------
Matthias Jungbauer

Original Message:
Sent: Thu July 02, 2020 03:36 PM
From: John Kaufman
Subject: MQ 8 dmpmqcfg vs MQ 9 dmpmqcfg

I am in the process of "cloning" a queue manager on MQ v9 server using dmpmqcfg.

In MQ v8, dmpmqcfg.exe -m QMgr > fileName creates the entire backup of the queue manager including the 
SET AUTHREC:

SET AUTHREC +
PROFILE('queue name') +
PRINCIPAL('access group') +
OBJTYPE(QUEUE) +
AUTHADD(BROWSE,DSP,GET,INQ,PUT)

Running the same command in MQ v9 does not export these SET AUTH records.

I've even tried 
dmpmqcfg.exe -m QMgr -x all -t all > fileName and get the same information without the SET AUTH records.

Has dmpmqcfg changed between MQ 8 and MQ 9 that is no longer provides a complete dump of the queue manager any longer or are there options I need to include for the dmpmqcfg in MQ 9?

Thanks,

John Kaufman

------------------------------
John Kaufman
Systems Engineer IV

------------------------------

I have to agree that limiting access to authority data would be an excellent capability.

However, in my testing with different platforms and release levels of MQ up to the latest CD release, the only permission needed was DSP authority on the QMGR object.

That is, anyone with an authority like:
SET AUTHREC OBJTYPE(QMGR) PRINCIPAL('neil') AUTHADD(CONNECT,DSP)
is able to see all authority records.

The are also able to find all queue names using DIS QL, DIS QR etc, but are not able to find all queues in general with DIS Q. They also can't find the names of other objects (like SERVICE or PROCESS objects), just queues with the specific type. This feels like a bug. Why can they see queues, but not topics?

Regards,


------------------------------
Neil Casey
Senior Consultant
Syntegrity Solutions
Melbourne, Victoria
IBM Champion (Cloud) 2019-20
+61 (0) 414 615 334
------------------------------

Original Message:
Sent: Tue July 07, 2020 05:57 PM
From: Morag Hughson
Subject: MQ 8 dmpmqcfg vs MQ 9 dmpmqcfg

I'm curious about this change in the MQ security model between V8 and V9. It sounds like there is a new type of authorization you can grant yourself - to protect authority data - which is great! I'm struggling to find where this is described? I imagine it might be a new object type (-t) value on setmqaut, a bit like -t rqmname, for example -t authority, but I don't see any new types. I also don't see any description of protecting authority data in any of the descriptions of authority flags. Could you provide a bit more information about this?

Cheers,
Morag

------------------------------
Morag Hughson
MQ Technical Education Specialist
MQGem Software Limited

Original Message:
Sent: Tue July 07, 2020 07:42 AM
From: Matthias Jungbauer
Subject: MQ 8 dmpmqcfg vs MQ 9 dmpmqcfg

Hi John,
due to changes in the security model of MQ9 cloning from MQ8 to 9 might not work as you expect it.
Exporting AUTHREC  still works
You may have to grant yourself permissions to access AUTH data.

dspmqver
Name: IBM MQ
Version: 9.1.4.0

dmpmqcfg
...
SET AUTHREC +
PROFILE('SYSTEM.ADMIN.QMGR.EVENT') +
GROUP('mqm@W10FINTECH') +
OBJTYPE(QUEUE) +
AUTHADD(BROWSE,CHG,CLR,DLT,DSP,GET,INQ,PUT,PASSALL,PASSID,SET,SETALL,SETID)

Usage: dmpmqcfg [-m QMgrName] [-n ObjName] [-t ObjType]
[-x ExportType] [-o Format] [-a] [-z]
[-s MsgSeqNo] [-q ReplyQName] [-r RemoteQMgrName]
[-u UserId] [-w NumSecs]
[-c default|-c DEFINE CHANNEL..]

-a Dump all attributes.
-c Client connection:
default, DEFINE CHANNEL(chlname) CHLTYPE(CLNTCONN) ...
-m Queue manager name.
-n Object name or a generic object name.
-o Format: mqsc, 1line, 2line, setmqaut, grtmqmaut, setmqspl.
-q Reply-to queue name, default SYSTEM.DEFAULT.MODEL.QUEUE.
-r Remote queue manager name (queued mode).
-s Reset channel message sequence number.
-t Object type:
all, authinfo, channel, clntconn, comminfo, listener,
mqttchl, namelist, process, queue, qmgr, service, topic.
-u UserId. If specified, a password is requested.
-w Timeout number of seconds
-x Export type:
all, authrec, chlauth, object, policy, sub.
-z Suppress warnings.

------------------------------
Matthias Jungbauer

Original Message:
Sent: Thu July 02, 2020 03:36 PM
From: John Kaufman
Subject: MQ 8 dmpmqcfg vs MQ 9 dmpmqcfg

I am in the process of "cloning" a queue manager on MQ v9 server using dmpmqcfg.

In MQ v8, dmpmqcfg.exe -m QMgr > fileName creates the entire backup of the queue manager including the 
SET AUTHREC:

SET AUTHREC +
PROFILE('queue name') +
PRINCIPAL('access group') +
OBJTYPE(QUEUE) +
AUTHADD(BROWSE,DSP,GET,INQ,PUT)

Running the same command in MQ v9 does not export these SET AUTH records.

I've even tried 
dmpmqcfg.exe -m QMgr -x all -t all > fileName and get the same information without the SET AUTH records.

Has dmpmqcfg changed between MQ 8 and MQ 9 that is no longer provides a complete dump of the queue manager any longer or are there options I need to include for the dmpmqcfg in MQ 9?

Thanks,

John Kaufman

------------------------------
John Kaufman
Systems Engineer IV

------------------------------

Hi Morag,

I want to thank everyone for their input on helping me attempt to resolve this issue.

I was receiving an error which I now have discovered is an issue with FP 9 for MQ v9.0.0.9:
 dmpmqcfg.exe -m PBCD3SFAS > D:\Kaufman_MQ\PBCD3SFAS\PBCD3SFAS.mqsc:


------------------------------
John Kaufman
------------------------------

Original Message:
Sent: Tue July 07, 2020 05:57 PM
From: Morag Hughson
Subject: MQ 8 dmpmqcfg vs MQ 9 dmpmqcfg

I'm curious about this change in the MQ security model between V8 and V9. It sounds like there is a new type of authorization you can grant yourself - to protect authority data - which is great! I'm struggling to find where this is described? I imagine it might be a new object type (-t) value on setmqaut, a bit like -t rqmname, for example -t authority, but I don't see any new types. I also don't see any description of protecting authority data in any of the descriptions of authority flags. Could you provide a bit more information about this?

Cheers,
Morag

------------------------------
Morag Hughson
MQ Technical Education Specialist
MQGem Software Limited

Original Message:
Sent: Tue July 07, 2020 07:42 AM
From: Matthias Jungbauer
Subject: MQ 8 dmpmqcfg vs MQ 9 dmpmqcfg

Hi John,
due to changes in the security model of MQ9 cloning from MQ8 to 9 might not work as you expect it.
Exporting AUTHREC  still works
You may have to grant yourself permissions to access AUTH data.

dspmqver
Name: IBM MQ
Version: 9.1.4.0

dmpmqcfg
...
SET AUTHREC +
PROFILE('SYSTEM.ADMIN.QMGR.EVENT') +
GROUP('mqm@W10FINTECH') +
OBJTYPE(QUEUE) +
AUTHADD(BROWSE,CHG,CLR,DLT,DSP,GET,INQ,PUT,PASSALL,PASSID,SET,SETALL,SETID)

Usage: dmpmqcfg [-m QMgrName] [-n ObjName] [-t ObjType]
[-x ExportType] [-o Format] [-a] [-z]
[-s MsgSeqNo] [-q ReplyQName] [-r RemoteQMgrName]
[-u UserId] [-w NumSecs]
[-c default|-c DEFINE CHANNEL..]

-a Dump all attributes.
-c Client connection:
default, DEFINE CHANNEL(chlname) CHLTYPE(CLNTCONN) ...
-m Queue manager name.
-n Object name or a generic object name.
-o Format: mqsc, 1line, 2line, setmqaut, grtmqmaut, setmqspl.
-q Reply-to queue name, default SYSTEM.DEFAULT.MODEL.QUEUE.
-r Remote queue manager name (queued mode).
-s Reset channel message sequence number.
-t Object type:
all, authinfo, channel, clntconn, comminfo, listener,
mqttchl, namelist, process, queue, qmgr, service, topic.
-u UserId. If specified, a password is requested.
-w Timeout number of seconds
-x Export type:
all, authrec, chlauth, object, policy, sub.
-z Suppress warnings.

------------------------------
Matthias Jungbauer

Original Message:
Sent: Thu July 02, 2020 03:36 PM
From: John Kaufman
Subject: MQ 8 dmpmqcfg vs MQ 9 dmpmqcfg

I am in the process of "cloning" a queue manager on MQ v9 server using dmpmqcfg.

In MQ v8, dmpmqcfg.exe -m QMgr > fileName creates the entire backup of the queue manager including the 
SET AUTHREC:

SET AUTHREC +
PROFILE('queue name') +
PRINCIPAL('access group') +
OBJTYPE(QUEUE) +
AUTHADD(BROWSE,DSP,GET,INQ,PUT)

Running the same command in MQ v9 does not export these SET AUTH records.

I've even tried 
dmpmqcfg.exe -m QMgr -x all -t all > fileName and get the same information without the SET AUTH records.

Has dmpmqcfg changed between MQ 8 and MQ 9 that is no longer provides a complete dump of the queue manager any longer or are there options I need to include for the dmpmqcfg in MQ 9?

Thanks,

John Kaufman

------------------------------
John Kaufman
Systems Engineer IV

------------------------------

That's good news - could you point us to the IBM issue ?

------------------------------
John Hawkins
Integration Consultant
------------------------------

Original Message:
Sent: Tue July 07, 2020 05:57 PM
From: Morag Hughson
Subject: MQ 8 dmpmqcfg vs MQ 9 dmpmqcfg

I'm curious about this change in the MQ security model between V8 and V9. It sounds like there is a new type of authorization you can grant yourself - to protect authority data - which is great! I'm struggling to find where this is described? I imagine it might be a new object type (-t) value on setmqaut, a bit like -t rqmname, for example -t authority, but I don't see any new types. I also don't see any description of protecting authority data in any of the descriptions of authority flags. Could you provide a bit more information about this?

Cheers,
Morag

------------------------------
Morag Hughson
MQ Technical Education Specialist
MQGem Software Limited

Original Message:
Sent: Tue July 07, 2020 07:42 AM
From: Matthias Jungbauer
Subject: MQ 8 dmpmqcfg vs MQ 9 dmpmqcfg

Hi John,
due to changes in the security model of MQ9 cloning from MQ8 to 9 might not work as you expect it.
Exporting AUTHREC  still works
You may have to grant yourself permissions to access AUTH data.

dspmqver
Name: IBM MQ
Version: 9.1.4.0

dmpmqcfg
...
SET AUTHREC +
PROFILE('SYSTEM.ADMIN.QMGR.EVENT') +
GROUP('mqm@W10FINTECH') +
OBJTYPE(QUEUE) +
AUTHADD(BROWSE,CHG,CLR,DLT,DSP,GET,INQ,PUT,PASSALL,PASSID,SET,SETALL,SETID)

Usage: dmpmqcfg [-m QMgrName] [-n ObjName] [-t ObjType]
[-x ExportType] [-o Format] [-a] [-z]
[-s MsgSeqNo] [-q ReplyQName] [-r RemoteQMgrName]
[-u UserId] [-w NumSecs]
[-c default|-c DEFINE CHANNEL..]

-a Dump all attributes.
-c Client connection:
default, DEFINE CHANNEL(chlname) CHLTYPE(CLNTCONN) ...
-m Queue manager name.
-n Object name or a generic object name.
-o Format: mqsc, 1line, 2line, setmqaut, grtmqmaut, setmqspl.
-q Reply-to queue name, default SYSTEM.DEFAULT.MODEL.QUEUE.
-r Remote queue manager name (queued mode).
-s Reset channel message sequence number.
-t Object type:
all, authinfo, channel, clntconn, comminfo, listener,
mqttchl, namelist, process, queue, qmgr, service, topic.
-u UserId. If specified, a password is requested.
-w Timeout number of seconds
-x Export type:
all, authrec, chlauth, object, policy, sub.
-z Suppress warnings.

------------------------------
Matthias Jungbauer

Original Message:
Sent: Thu July 02, 2020 03:36 PM
From: John Kaufman
Subject: MQ 8 dmpmqcfg vs MQ 9 dmpmqcfg

I am in the process of "cloning" a queue manager on MQ v9 server using dmpmqcfg.

In MQ v8, dmpmqcfg.exe -m QMgr > fileName creates the entire backup of the queue manager including the 
SET AUTHREC:

SET AUTHREC +
PROFILE('queue name') +
PRINCIPAL('access group') +
OBJTYPE(QUEUE) +
AUTHADD(BROWSE,DSP,GET,INQ,PUT)

Running the same command in MQ v9 does not export these SET AUTH records.

I've even tried 
dmpmqcfg.exe -m QMgr -x all -t all > fileName and get the same information without the SET AUTH records.

Has dmpmqcfg changed between MQ 8 and MQ 9 that is no longer provides a complete dump of the queue manager any longer or are there options I need to include for the dmpmqcfg in MQ 9?

Thanks,

John Kaufman

------------------------------
John Kaufman
Systems Engineer IV

------------------------------

A quick google of IT30409 reveals https://www.ibm.com/support/pages/apar/IT30409

Cheers,
Morag

------------------------------
Morag Hughson
MQ Technical Education Specialist
MQGem Software Limited
------------------------------

Original Message:
Sent: Fri July 10, 2020 04:33 AM
From: John Hawkins
Subject: MQ 8 dmpmqcfg vs MQ 9 dmpmqcfg

That's good news - could you point us to the IBM issue ?

------------------------------
John Hawkins
Integration Consultant

Original Message:
Sent: Tue July 07, 2020 05:57 PM
From: Morag Hughson
Subject: MQ 8 dmpmqcfg vs MQ 9 dmpmqcfg

I'm curious about this change in the MQ security model between V8 and V9. It sounds like there is a new type of authorization you can grant yourself - to protect authority data - which is great! I'm struggling to find where this is described? I imagine it might be a new object type (-t) value on setmqaut, a bit like -t rqmname, for example -t authority, but I don't see any new types. I also don't see any description of protecting authority data in any of the descriptions of authority flags. Could you provide a bit more information about this?

Cheers,
Morag

------------------------------
Morag Hughson
MQ Technical Education Specialist
MQGem Software Limited

Original Message:
Sent: Tue July 07, 2020 07:42 AM
From: Matthias Jungbauer
Subject: MQ 8 dmpmqcfg vs MQ 9 dmpmqcfg

Hi John,
due to changes in the security model of MQ9 cloning from MQ8 to 9 might not work as you expect it.
Exporting AUTHREC  still works
You may have to grant yourself permissions to access AUTH data.

dspmqver
Name: IBM MQ
Version: 9.1.4.0

dmpmqcfg
...
SET AUTHREC +
PROFILE('SYSTEM.ADMIN.QMGR.EVENT') +
GROUP('mqm@W10FINTECH') +
OBJTYPE(QUEUE) +
AUTHADD(BROWSE,CHG,CLR,DLT,DSP,GET,INQ,PUT,PASSALL,PASSID,SET,SETALL,SETID)

Usage: dmpmqcfg [-m QMgrName] [-n ObjName] [-t ObjType]
[-x ExportType] [-o Format] [-a] [-z]
[-s MsgSeqNo] [-q ReplyQName] [-r RemoteQMgrName]
[-u UserId] [-w NumSecs]
[-c default|-c DEFINE CHANNEL..]

-a Dump all attributes.
-c Client connection:
default, DEFINE CHANNEL(chlname) CHLTYPE(CLNTCONN) ...
-m Queue manager name.
-n Object name or a generic object name.
-o Format: mqsc, 1line, 2line, setmqaut, grtmqmaut, setmqspl.
-q Reply-to queue name, default SYSTEM.DEFAULT.MODEL.QUEUE.
-r Remote queue manager name (queued mode).
-s Reset channel message sequence number.
-t Object type:
all, authinfo, channel, clntconn, comminfo, listener,
mqttchl, namelist, process, queue, qmgr, service, topic.
-u UserId. If specified, a password is requested.
-w Timeout number of seconds
-x Export type:
all, authrec, chlauth, object, policy, sub.
-z Suppress warnings.

------------------------------
Matthias Jungbauer

Original Message:
Sent: Thu July 02, 2020 03:36 PM
From: John Kaufman
Subject: MQ 8 dmpmqcfg vs MQ 9 dmpmqcfg

I am in the process of "cloning" a queue manager on MQ v9 server using dmpmqcfg.

In MQ v8, dmpmqcfg.exe -m QMgr > fileName creates the entire backup of the queue manager including the 
SET AUTHREC:

SET AUTHREC +
PROFILE('queue name') +
PRINCIPAL('access group') +
OBJTYPE(QUEUE) +
AUTHADD(BROWSE,DSP,GET,INQ,PUT)

Running the same command in MQ v9 does not export these SET AUTH records.

I've even tried 
dmpmqcfg.exe -m QMgr -x all -t all > fileName and get the same information without the SET AUTH records.

Has dmpmqcfg changed between MQ 8 and MQ 9 that is no longer provides a complete dump of the queue manager any longer or are there options I need to include for the dmpmqcfg in MQ 9?

Thanks,

John Kaufman

------------------------------
John Kaufman
Systems Engineer IV

------------------------------

Damn-it - "must wake up before looking at forums" ;-)Cheers Morag - hope you're well !

------------------------------
John Hawkins
Integration Consultant
------------------------------

Original Message:
Sent: Fri July 10, 2020 04:35 AM
From: Morag Hughson
Subject: MQ 8 dmpmqcfg vs MQ 9 dmpmqcfg

A quick google of IT30409 reveals https://www.ibm.com/support/pages/apar/IT30409

Cheers,
Morag

------------------------------
Morag Hughson
MQ Technical Education Specialist
MQGem Software Limited

Original Message:
Sent: Fri July 10, 2020 04:33 AM
From: John Hawkins
Subject: MQ 8 dmpmqcfg vs MQ 9 dmpmqcfg

That's good news - could you point us to the IBM issue ?

------------------------------
John Hawkins
Integration Consultant

Original Message:
Sent: Tue July 07, 2020 05:57 PM
From: Morag Hughson
Subject: MQ 8 dmpmqcfg vs MQ 9 dmpmqcfg

I'm curious about this change in the MQ security model between V8 and V9. It sounds like there is a new type of authorization you can grant yourself - to protect authority data - which is great! I'm struggling to find where this is described? I imagine it might be a new object type (-t) value on setmqaut, a bit like -t rqmname, for example -t authority, but I don't see any new types. I also don't see any description of protecting authority data in any of the descriptions of authority flags. Could you provide a bit more information about this?

Cheers,
Morag

------------------------------
Morag Hughson
MQ Technical Education Specialist
MQGem Software Limited

Original Message:
Sent: Tue July 07, 2020 07:42 AM
From: Matthias Jungbauer
Subject: MQ 8 dmpmqcfg vs MQ 9 dmpmqcfg

Hi John,
due to changes in the security model of MQ9 cloning from MQ8 to 9 might not work as you expect it.
Exporting AUTHREC  still works
You may have to grant yourself permissions to access AUTH data.

dspmqver
Name: IBM MQ
Version: 9.1.4.0

dmpmqcfg
...
SET AUTHREC +
PROFILE('SYSTEM.ADMIN.QMGR.EVENT') +
GROUP('mqm@W10FINTECH') +
OBJTYPE(QUEUE) +
AUTHADD(BROWSE,CHG,CLR,DLT,DSP,GET,INQ,PUT,PASSALL,PASSID,SET,SETALL,SETID)

Usage: dmpmqcfg [-m QMgrName] [-n ObjName] [-t ObjType]
[-x ExportType] [-o Format] [-a] [-z]
[-s MsgSeqNo] [-q ReplyQName] [-r RemoteQMgrName]
[-u UserId] [-w NumSecs]
[-c default|-c DEFINE CHANNEL..]

-a Dump all attributes.
-c Client connection:
default, DEFINE CHANNEL(chlname) CHLTYPE(CLNTCONN) ...
-m Queue manager name.
-n Object name or a generic object name.
-o Format: mqsc, 1line, 2line, setmqaut, grtmqmaut, setmqspl.
-q Reply-to queue name, default SYSTEM.DEFAULT.MODEL.QUEUE.
-r Remote queue manager name (queued mode).
-s Reset channel message sequence number.
-t Object type:
all, authinfo, channel, clntconn, comminfo, listener,
mqttchl, namelist, process, queue, qmgr, service, topic.
-u UserId. If specified, a password is requested.
-w Timeout number of seconds
-x Export type:
all, authrec, chlauth, object, policy, sub.
-z Suppress warnings.

------------------------------
Matthias Jungbauer

Original Message:
Sent: Thu July 02, 2020 03:36 PM
From: John Kaufman
Subject: MQ 8 dmpmqcfg vs MQ 9 dmpmqcfg

I am in the process of "cloning" a queue manager on MQ v9 server using dmpmqcfg.

In MQ v8, dmpmqcfg.exe -m QMgr > fileName creates the entire backup of the queue manager including the 
SET AUTHREC:

SET AUTHREC +
PROFILE('queue name') +
PRINCIPAL('access group') +
OBJTYPE(QUEUE) +
AUTHADD(BROWSE,DSP,GET,INQ,PUT)

Running the same command in MQ v9 does not export these SET AUTH records.

I've even tried 
dmpmqcfg.exe -m QMgr -x all -t all > fileName and get the same information without the SET AUTH records.

Has dmpmqcfg changed between MQ 8 and MQ 9 that is no longer provides a complete dump of the queue manager any longer or are there options I need to include for the dmpmqcfg in MQ 9?

Thanks,

John Kaufman

------------------------------
John Kaufman
Systems Engineer IV

------------------------------

:-D

No worries John - I have been awake for many more hours than you - getting towards bedtime here in fact, so I have managed to wake up by now! I think you may not be the only one half-asleep as I think @John Kaufman may have intended to provide that link and instead posted a link to this thread.

We are both well, thank you. How is the South coast these days?

Take Care!

​​​

------------------------------
Morag Hughson
MQ Technical Education Specialist
MQGem Software Limited
------------------------------

Original Message:
Sent: Fri July 10, 2020 04:46 AM
From: John Hawkins
Subject: MQ 8 dmpmqcfg vs MQ 9 dmpmqcfg

Damn-it - "must wake up before looking at forums" ;-)Cheers Morag - hope you're well !

------------------------------
John Hawkins
Integration Consultant

Original Message:
Sent: Fri July 10, 2020 04:35 AM
From: Morag Hughson
Subject: MQ 8 dmpmqcfg vs MQ 9 dmpmqcfg

A quick google of IT30409 reveals https://www.ibm.com/support/pages/apar/IT30409

Cheers,
Morag

------------------------------
Morag Hughson
MQ Technical Education Specialist
MQGem Software Limited

Original Message:
Sent: Fri July 10, 2020 04:33 AM
From: John Hawkins
Subject: MQ 8 dmpmqcfg vs MQ 9 dmpmqcfg

That's good news - could you point us to the IBM issue ?

------------------------------
John Hawkins
Integration Consultant

Original Message:
Sent: Tue July 07, 2020 05:57 PM
From: Morag Hughson
Subject: MQ 8 dmpmqcfg vs MQ 9 dmpmqcfg

I'm curious about this change in the MQ security model between V8 and V9. It sounds like there is a new type of authorization you can grant yourself - to protect authority data - which is great! I'm struggling to find where this is described? I imagine it might be a new object type (-t) value on setmqaut, a bit like -t rqmname, for example -t authority, but I don't see any new types. I also don't see any description of protecting authority data in any of the descriptions of authority flags. Could you provide a bit more information about this?

Cheers,
Morag

------------------------------
Morag Hughson
MQ Technical Education Specialist
MQGem Software Limited

Original Message:
Sent: Tue July 07, 2020 07:42 AM
From: Matthias Jungbauer
Subject: MQ 8 dmpmqcfg vs MQ 9 dmpmqcfg

Hi John,
due to changes in the security model of MQ9 cloning from MQ8 to 9 might not work as you expect it.
Exporting AUTHREC  still works
You may have to grant yourself permissions to access AUTH data.

dspmqver
Name: IBM MQ
Version: 9.1.4.0

dmpmqcfg
...
SET AUTHREC +
PROFILE('SYSTEM.ADMIN.QMGR.EVENT') +
GROUP('mqm@W10FINTECH') +
OBJTYPE(QUEUE) +
AUTHADD(BROWSE,CHG,CLR,DLT,DSP,GET,INQ,PUT,PASSALL,PASSID,SET,SETALL,SETID)

Usage: dmpmqcfg [-m QMgrName] [-n ObjName] [-t ObjType]
[-x ExportType] [-o Format] [-a] [-z]
[-s MsgSeqNo] [-q ReplyQName] [-r RemoteQMgrName]
[-u UserId] [-w NumSecs]
[-c default|-c DEFINE CHANNEL..]

-a Dump all attributes.
-c Client connection:
default, DEFINE CHANNEL(chlname) CHLTYPE(CLNTCONN) ...
-m Queue manager name.
-n Object name or a generic object name.
-o Format: mqsc, 1line, 2line, setmqaut, grtmqmaut, setmqspl.
-q Reply-to queue name, default SYSTEM.DEFAULT.MODEL.QUEUE.
-r Remote queue manager name (queued mode).
-s Reset channel message sequence number.
-t Object type:
all, authinfo, channel, clntconn, comminfo, listener,
mqttchl, namelist, process, queue, qmgr, service, topic.
-u UserId. If specified, a password is requested.
-w Timeout number of seconds
-x Export type:
all, authrec, chlauth, object, policy, sub.
-z Suppress warnings.

------------------------------
Matthias Jungbauer

Original Message:
Sent: Thu July 02, 2020 03:36 PM
From: John Kaufman
Subject: MQ 8 dmpmqcfg vs MQ 9 dmpmqcfg

I am in the process of "cloning" a queue manager on MQ v9 server using dmpmqcfg.

In MQ v8, dmpmqcfg.exe -m QMgr > fileName creates the entire backup of the queue manager including the 
SET AUTHREC:

SET AUTHREC +
PROFILE('queue name') +
PRINCIPAL('access group') +
OBJTYPE(QUEUE) +
AUTHADD(BROWSE,DSP,GET,INQ,PUT)

Running the same command in MQ v9 does not export these SET AUTH records.

I've even tried 
dmpmqcfg.exe -m QMgr -x all -t all > fileName and get the same information without the SET AUTH records.

Has dmpmqcfg changed between MQ 8 and MQ 9 that is no longer provides a complete dump of the queue manager any longer or are there options I need to include for the dmpmqcfg in MQ 9?

Thanks,

John Kaufman

------------------------------
John Kaufman
Systems Engineer IV

------------------------------