| Author |
Message
|
| jhaake |
 Posted: Mon Apr 17, 2006 12:32 pm Post subject: Minimal inquiry/browse authentications |
 |
|
Novice
Joined: 17 Apr 2006
Posts: 13
|
Yes, this is yet again another 2035 error question (ansd yes I've been searching previous 2035 questions without success in solving my own).
local execution of following are working fine as user "xyz"
/opt/mqm/samp/bin/amqsput JCH1 SCMDEV01_QMGR
/opt/mqm/samp/bin/amqsget JCH1 SCMDEV01_QMGR
remotly going through a channel with mcauser set to blank and user code 'mqm" GET and PUT of course work fine.
remotely as user 'xyz' going through the same svrconn channel and get 2035.
user 'xyz' has connect auth to qmgr and 'get/put/browse/inq' to queue, what other authentications do I need? SYSTEM queues auths?
The main question being what are the minimal authorizations for a very basic browse/query user to MQ?
Thx |
|
| Back to top |
|
 |
| PeterPotkay |
| Posted: Mon Apr 17, 2006 12:58 pm Post subject: |
|
|
Poobah
Joined: 15 May 2001
Posts: 7722
|
turn on authority events for this QM, and it will tell you exactly what you are missing via event messages in the SYSTEM.ADMIN.QMGR.EVENT queue. On Windows QMs, this is also captured in the event viewer and in the MQ error logs.
_________________
Peter Potkay
Keep Calm and MQ On |
|
| Back to top |
|
|
| jhaake |
| Posted: Tue Apr 18, 2006 5:34 am Post subject: Thanks Peter |
|
|
Novice
Joined: 17 Apr 2006
Posts: 13
|
Thanks a lot for pointing me in the direction of events.
Not that I really yet understand what I'm doing.
Here's what I've found:
# /opt/mqm/samp/bin/amqsaiem SYSTEM.ADMIN.QMGR.EVENT SCMDEV01_QMGR
Sample Event Monitor (times out after 30 secs)
Waiting for an event
Handle:150714800 Size:9
Index: Selector: Value:
0 -8 (0)
1 -2 (7)
2 -1 (0)
3 -3 (44)
4 -4 (1)
5 -5 (1)
6 -6 (1)
7 -7 (2222)
8 2015 'SCMDEV01_QMGR' 0
How do I know how to interpret these numbers?
Also
There seems to be a long delay (seconds) between my security error (2035) and the event actually showing up in SYSTEM.ADMIN.QMGR.EVENT |
|
| Back to top |
|
|
| jhaake |
| Posted: Tue Apr 18, 2006 11:43 am Post subject: |
|
|
Novice
Joined: 17 Apr 2006
Posts: 13
|
What?!?!?
It seems the events I'm seeing have nothing to do with the 2035 error I'm getting from the remote application.
I can't say that I know how to view Events very well yet, but I know that when I'm getting the 2035 error on the remote system there are no security events happening !!!
Before you ask, let me say I've got the following events enabled on the qmgr (and qmgr cycled):
AUTHOREV(ENABLED)
INHIBTEV(DISABLED) LOCALEV(ENABLED)
REMOTEEV(ENABLED) PERFMEV(DISABLED)
STRSTPEV(ENABLED)
What am I missing? I'm really feeling ignorant here. |
|
| Back to top |
|
|
| PeterPotkay |
| Posted: Tue Apr 18, 2006 11:46 am Post subject: |
|
|
Poobah
Joined: 15 May 2001
Posts: 7722
|
the only way I have ever looked at event messages have been via the free MO71 Support Pack. When you look at an Event message, it automatically displays it for you in a readable format.
_________________
Peter Potkay
Keep Calm and MQ On |
|
| Back to top |
|
|
| jhaake |
| Posted: Tue Apr 18, 2006 12:05 pm Post subject: |
|
|
Novice
Joined: 17 Apr 2006
Posts: 13
|
Thanks again Peter.
I've been trying to get MO71 working (yes, I'm on the MQ learning curve). I installed MQ Client on Windows (is there a MO71 for linux?) and installed MO71 without a problem, but when I run it doesn't think I have MQ installed (missing MQM.dll). Well, my MQ client doesn't have any MQM.dll file. I'm kind of stuck on that one too !!!
I thought I knew quite a bit about MQ (I even have a couple clusters running) till I started this remote client business. |
|
| Back to top |
|
|
| jefflowrey |
| Posted: Tue Apr 18, 2006 12:07 pm Post subject: |
|
|
Grand Poobah
Joined: 16 Oct 2002
Posts: 19981
|
Look at MO01 instead.
_________________
I am *not* the model of the modern major general. |
|
| Back to top |
|
|
| PeterPotkay |
| Posted: Tue Apr 18, 2006 12:13 pm Post subject: |
|
|
Poobah
Joined: 15 May 2001
Posts: 7722
|
Mo01 is definitly more specific to what you need right now, check it out. (thx Jeff).
I would recomend you get MO71 working anyway if you deal with MQ in any capactity. Lots of good stuff in there. Whe you add a QM to MO71, make sure you check off the Client checkbox under Location Settings. If you have MQ CLient installed, that should do the trick (probably reboot after the install to be safe).
_________________
Peter Potkay
Keep Calm and MQ On |
|
| Back to top |
|
|
| jhaake |
| Posted: Tue Apr 18, 2006 1:14 pm Post subject: |
|
|
Novice
Joined: 17 Apr 2006
Posts: 13
|
Wow, thanks for telling me about MO01 !!! Hasn't changed what I'm seeing though:
On the MQ server (linux) side:
# /tmp/q -iSYSTEM.ADMIN.QMGR.EVENT -m SCMDEV01_QMGR -w100
MQSeries Q Program by Paul Clarke [ V4.3 Build:Jun 9 2004 ]
Connecting ...connected to 'SCMDEV01_QMGR '.
$,D?0SCMDEV01_QMGR
And during the 100 seconds I run remote app:
//////////////// MQSeries Tester Started ////////////////
Hostname: rhscmdev01
Queue Manager: SCMDEV01_QMGR
Port: 1414
Channel: JCH.SVRCONN
Queue: JCH1
Command: get
MQJE001: Completion Code 2, Reason 2035
------------------------------------------
MQ Exception:
Completion code: 2
Reason code: 2035
Exception Source: com.ibm.mq.MQQueueManager@11262c37
------------------------------------------
com.ibm.mq.MQException: MQJE001: Completion Code 2, Reason 2035
at com.ibm.mq.MQQueueManager.<init>(MQQueueManager.java:905)
at com.ibm.mq.MQManagedConnectionJ11.getConnection(MQManagedConnectionJ11.java:366)
at com.ibm.mq.MQSimpleConnectionManager.allocateConnection(MQSimpleConnectionManager.java:180)
at com.ibm.mq.MQQueueManager.obtainBaseMQQueueManager(MQQueueManager.java:754)
at com.ibm.mq.MQQueueManager.construct(MQQueueManager.java:688)
at com.ibm.mq.MQQueueManager.<init>(MQQueueManager.java:417)
at com.sterlingjewelers.util.MQ_Tester.connect(MQ_Tester.java:453)------------------------------------------
at com.sterlingjewelers.util.MQ_Tester.doQueueGet(MQ_Tester.java:266)
at com.sterlingjewelers.util.MQ_Tester.main(MQ_Tester.java:45)
There was never any events written to SYSTEM.ADMIN.QMGR.EVENT.
?!?!? |
|
| Back to top |
|
|
| EddieA |
| Posted: Tue Apr 18, 2006 4:46 pm Post subject: |
|
|
Jedi
Joined: 28 Jun 2001
Posts: 2453
Location: Los Angeles
|
The event you posted above is Queue Manager Active, which is written when the QM starts up.
| Quote: |
| MQRC_Q_MGR_ACTIVE (2222, X'8AE') |
I've notice in the past that only some Authority events get logged either as an Event Message, or in the QM error logs. There must be a rhyme or reason to it, but I've never looked to try and find one.
I'm guessing from the class that threw the error, that it's a Connection problem, and not a Queue issue.
Cheers,
_________________
Eddie Atherton
IBM Certified Solution Developer - WebSphere Message Broker V6.1
IBM Certified Solution Developer - WebSphere Message Broker V7.0 |
|
| Back to top |
|
|
| jhaake |
| Posted: Wed Apr 19, 2006 12:35 pm Post subject: problem continues |
|
|
Novice
Joined: 17 Apr 2006
Posts: 13
|
Not much new here ... but with BlockIP2 exit in place on the channel.
<b>Output from client app:</b>
//////////////// MQSeries Tester Started ////////////////
Hostname: rhscmdev01
Queue Manager: SCMDEV01_QMGR
Port: 1414
Channel: JCH.SVRCONN
Queue: JCH1
Command: get
MQJE001: Completion Code 2, Reason 2035
<b>Output in BlockIP2 log:</b>
2006-04-19|16:22:44|Connection accepted, Channel [JCH.SVRCONN] ConName [103.1.1.116] Pattern [*;] Flags [BlockMqmUsers=Y ] User [jhaake]
<b>Output from dspmqaut:</b>
# dspmqaut -m SCMDEV01_QMGR -t qmgr -p jhaake
Entity jhaake has the following authorizations for object SCMDEV01_QMGR:
connect
I am completely stumped. I don't know anything else to grant to the principle/group ... thus is there any other <b>minimum</b> authentication I need to be granting? The principle jhaake connects wonderfully from local applications and can access the queue in question. |
|
| Back to top |
|
|
| jefflowrey |
| Posted: Wed Apr 19, 2006 12:40 pm Post subject: |
|
|
Grand Poobah
Joined: 16 Oct 2002
Posts: 19981
|
What tool are you trying to use to browse?
_________________
I am *not* the model of the modern major general. |
|
| Back to top |
|
|
| jhaake |
| Posted: Wed Apr 19, 2006 12:56 pm Post subject: |
|
|
Novice
Joined: 17 Apr 2006
Posts: 13
|
| My client application is a simple java program. |
|
| Back to top |
|
|
| fjb_saper |
| Posted: Wed Apr 19, 2006 4:42 pm Post subject: |
|
|
Grand High Poobah
Joined: 18 Nov 2003
Posts: 20756
Location: LI,NY
|
And it looks like you are running with IPBlock2.
Did you do a sanity check and verify that you can access the qmgr with amqsputc and amqsgetc from that same remote machine?
In other words does that remote machine get blocked by IPBlock2 ?
Enjoy 
_________________
MQ & Broker admin |
|
| Back to top |
|
|
| jhaake |
| Posted: Thu Apr 20, 2006 5:24 am Post subject: |
|
|
Novice
Joined: 17 Apr 2006
Posts: 13
|
Keep in mind I've never made remote connections before except for SNDR and RCVR channels.
From my PC (with MQ client installed):
C:\Program Files\IBM\WebSphere MQ\bin>amqsputc JCH1 SCMDEV01_QMGR
Sample AMQSPUT0 start
MQCONN ended with reason code 2058
How is my PC and the client software supposed to know where SCMDEV01_QMGR is located? (How many different questions am I allowed to ask in the same thread??  ) |
|
| Back to top |
|
|
|
|
