mqmatt
Posted: Tue Feb 28, 2006 2:31 am
Grand Master
Joined: 04 Aug 2004 Posts: 1213 Location: Hursley, UK
wmqiadmin wrote:
> We have the same problem connecting Win2003 Toolkit to Win2003 Config Mgr. I tried to run the mqsicreateaclentry cmd on configmgr; it's giving me a timeout error: "Config mgr unable to response in stipulated time."
> Did anybody have this problem? Please guide me.
> Thanks

Check the system event log for errors (e.g. make sure that the CM is running).
Also check that your user has the authority to put to SYSTEM.BROKER.CONFIG.QUEUE and read from SYSTEM.BROKER.CONFIG.REPLY. You might also like to check the depths of these two queues; when the CM is not processing messages (and there are no terminated Config Manager Proxy applications) both should be empty.
Hope this helps
-Matt

damianharvey
Posted: Thu Mar 16, 2006 1:02 pm
Acolyte
Joined: 05 Aug 2003 Posts: 59 Location: Sydney, Australia
The mqsicreateaclentry fixed this problem for us. Additionally you may need to increase the timeout values in your toolkit (Windows->Preferences->Broker Administration->Configuration Manager Proxy).
The command I ran gives access to the Config Manager Proxy:
mqsicreateaclentry name_of_cfm -u username -a -x F -p

hal
Posted: Sat Apr 08, 2006 3:36 pm
Post subject: SYSTEM.BKR.CONFIG MCAUSER not set in Message Broker 6.0.0.1
Acolyte
Joined: 07 Dec 2005 Posts: 67 Location: New York City, New York
Just applied WebSphere Message Broker Fix Pack 6.0.0.1. The SYSTEM.BKR.CONFIG server connection channel MCAUSER attribute is no longer being assigned a value during configuration manager creation.
From
http://www-1.ibm.com/support/docview.wss?rs=849&uid=swg27007481
IY80614 SYSTEM.BKR.CONFIG CHANNEL INCORRECTLY HAS MCAUSER ATTRIBUTE SET

shrek
Posted: Wed Aug 09, 2006 2:29 pm
Acolyte
Joined: 19 Feb 2005 Posts: 61 Location: Gudivada,India
How to overcome this issue?
C:\Program Files\IBM\WebSphere Business Message Broker 6>mqsicreateaclentry -u localusr -a -x F -b BROKER1
BIP8214E: Object not found
The Configuration Manager repository object for which this ACL is being created does not exist.
Ensure that you have specified the correct object name (for example broker name), type and that the object has been defined to the Configuration Manager.
C:\Program Files\IBM\WebSphere Business Message Broker 6>
I have Fixpack 6.0.2 applied.
Thanks.

shrek
Posted: Wed Aug 09, 2006 3:30 pm
Acolyte
Joined: 19 Feb 2005 Posts: 61 Location: Gudivada,India
I noticed that the listener on the queue manager is not running. Once I started the listener... things are smooth.

paustin_ours
Posted: Wed Aug 30, 2006 9:22 am
Yatiri
Joined: 19 May 2004 Posts: 667 Location: columbus,oh
_dave_ wrote:
> Hi,
> I am assuming that all your workbenches are v6 of the Message Brokers Toolkit.
> Your steps are almost correct, the following is how it *should* work ...
> 1) Your step is correct - alternatively if you don't want to create these users, you can set the MCAUser of SYSTEM.BKR.CONFIG to a (local) user who has MQ auths to connect to the QM and put/get SYSTEM.BROKER.CONFIG.QUEUE and SYSTEM.BROKER.CONFIG.REPLY. This will mean that from an MQ point of view, any connections coming in via that channel will be authorised as the user you set. This obviously has security implications, so if this is a concern, you may wish to also use Security Exits/SSL to further secure the connection.
> 2) The ACL entries for each user need to be created. You can either use -a which will check only the username or -m <machine or domain name>. If you have unique usernames, there is no real advantage of using -m, but if you have the same username on different machines/domains then you can use -m to give them different authorisations.
> 3) There is now no facility to disable the domain awareness, but by using -a on the CM machine, any domain/machine information is effectively ignored.
> However, there are two problems in the released level of code which affect this area:
> a) The MQ userid is incorrectly set to 'user@machine' rather than 'user', so the only real way to allow the initial request to be put is to use the MCAUSER method described above (or disable MQ security).
> b) The toolkit is unable to correctly determine the domain name and therefore sends the machine name. This can be worked around by starting the toolkit (wmbt.exe) from within an MQSI "Command Console" (it is a path problem and the console sets up the path correctly).
> We hope to fix both of these problems soon via a fix pack.

I still have this issue with the user ID from the toolkit either having the domain name or the workstation name, and I want to define ACLs for a local group and not individual users on my AIX boxes.
Any updates on the fix?
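
The MCAUSER trade-off described in the quoted reply above (a fixed MCAUSER authorises every connection on the channel as that one user), as an added example that is not part of any post in this thread: a small audit over `runmqsc` channel output that reports which identity each SVRCONN channel ends up authorising. The sample output is constructed, and the channel names ADMIN.REMOTE and TOOLKIT.TLS, the user IDs and the `ADMIN_IDS` set are assumptions.

```python
import re

# Constructed sample of runmqsc output for DISPLAY CHANNEL(*) CHLTYPE(SVRCONN)
# MCAUSER SSLCIPH. ADMIN.REMOTE, TOOLKIT.TLS and all user IDs are made up.
SAMPLE = """\
AMQ8414: Display Channel details.
   CHANNEL(SYSTEM.BKR.CONFIG)              CHLTYPE(SVRCONN)
   MCAUSER(wmbtool)                        SSLCIPH( )
AMQ8414: Display Channel details.
   CHANNEL(SYSTEM.DEF.SVRCONN)             CHLTYPE(SVRCONN)
   MCAUSER( )                              SSLCIPH( )
AMQ8414: Display Channel details.
   CHANNEL(ADMIN.REMOTE)                   CHLTYPE(SVRCONN)
   MCAUSER(mqm)                            SSLCIPH( )
AMQ8414: Display Channel details.
   CHANNEL(TOOLKIT.TLS)                    CHLTYPE(SVRCONN)
   MCAUSER(wmbview)                        SSLCIPH(TLS_RSA_WITH_AES_256_CBC_SHA256)
"""

ADMIN_IDS = {"mqm"}  # assumption: IDs holding full MQ authority on this host

def parse_channels(text):
    """Return one {ATTRIBUTE: value} dict per channel in runmqsc output."""
    blocks = text.split("AMQ8414")[1:]
    parsed = [dict(re.findall(r"([A-Z]+)\(([^)]*)\)", b)) for b in blocks]
    return [{k: v.strip() for k, v in c.items()} for c in parsed if "CHANNEL" in c]

def audit(channels):
    """Classify how each SVRCONN channel decides the identity MQ authorises."""
    findings = {}
    for ch in channels:
        if ch.get("CHLTYPE") != "SVRCONN":
            continue
        user = ch.get("MCAUSER", "")
        guarded = bool(ch.get("SSLCIPH") or ch.get("SCYEXIT"))
        if not user:  # blank MCAUSER: MQ authorises the ID the client sends
            finding = "identity sent by the client is used"
        elif user.lower() in ADMIN_IDS:
            finding = "every connection runs as an MQ administrator"
        elif not guarded:
            finding = f"every connection runs as {user}, no SSL or security exit"
        else:
            finding = f"every connection runs as {user}, SSL or exit configured"
        findings[ch["CHANNEL"]] = finding
    return findings

if __name__ == "__main__":
    for name, finding in audit(parse_channels(SAMPLE)).items():
        print(f"{name}: {finding}")
```

A channel reported with a fixed user and no SSL or exit is the configuration the quoted reply warns about; the user named there should hold only the put/get authority on SYSTEM.BROKER.CONFIG.QUEUE and SYSTEM.BROKER.CONFIG.REPLY that the toolkit needs.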

fjb_saper
Posted: Wed Aug 30, 2006 3:06 pm
Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
There is a switch on the mqsicreateaclentry that allows you to strip machine name/domain name from the entry...
_________________
MQ & Broker admin

paustin_ours
Posted: Wed Sep 06, 2006 12:33 pm
Yatiri
Joined: 19 May 2004 Posts: 667 Location: columbus,oh
I am not sure if you are referring to the -a option. If you are, then it only works with the -u option, which is granting permission for individual users.
Currently this is how I have it defined.
But I want to define ACLs for a local group and not individual users,
which is using the -g option.
This being said, when I connect from toolkit with workstation ID along with my ID, I am not able to connect.
Again, I am not trying to define ACLs for individual users.

iceage
Posted: Wed Sep 06, 2006 5:09 pm
Acolyte
Joined: 12 Apr 2006 Posts: 68

paustin_ours
Posted: Wed Sep 06, 2006 7:29 pm
Yatiri
Joined: 19 May 2004 Posts: 667 Location: columbus,oh
I don't see the defect number mentioned in the post by mqmatt. I looked at the problems fixed section of Fixpack1. If you could point me to this, it would be great. I do have fixpack1 on my toolkit by the way.

mqmatt
Posted: Thu Sep 07, 2006 3:33 am
Grand Master
Joined: 04 Aug 2004 Posts: 1213 Location: Hursley, UK
This is defect 43131, right? It's definitely in FP01 - it was fixed in January.

paustin_ours
Posted: Thu Sep 07, 2006 5:02 am
Yatiri
Joined: 19 May 2004 Posts: 667 Location: columbus,oh
I am not sure as to what I am missing here...
For one thing, I do not see a defect number 43131 in any of the problem fixed links.
This is what I am trying to achieve:
Workstation has only toolkit with fix pack1.
Broker on AIX, config manager on AIX, AIX server has a local group called DEVG.
Now on the AIX server I tried defining an ACL:
mqsicreateaclentry with -g option for the group.
Now when I try to connect from toolkit I cannot connect.
I see that the user ID that is trying to connect is either domain/userid
or, when I turn off the domain awareness, it sends workstation/userid.
Since with the -g option I cannot use a '-a' that would allow users from any machine to connect, I am not able to connect.
When I define an ACL for just my ID using the -u and -a options, then I am able to connect fine.
I am not using the CMP. I am using the commands on the AIX box.
*************************
Is this still an issue??? I see IC47922 as problems fixed in fix pack one, but my setup still doesn't seem to work.

jefflowrey
Posted: Thu Sep 07, 2006 5:18 am
Grand Poobah
Joined: 16 Oct 2002 Posts: 19981
How many Toolkit users are you realistically talking about?
In other words, are you *sure* you need a group?
If you use a group, then the members of that group must exist in the local security repository and must be named to include the machine/domain name they are coming from.
_________________
I am *not* the model of the modern major general.

paustin_ours
Posted: Thu Sep 07, 2006 5:38 am
Yatiri
Joined: 19 May 2004 Posts: 667 Location: columbus,oh
There will be quite a lot of toolkit users; also we want to have different groups and give different levels of access:
one group that has only view access, the other group that has deploy/full access, etc.
The local group is in AIX, config mgr in AIX. Users in group are user1, user2 for example.
Toolkit users are in a domain environment: domain/user1, domain/user2
or workstation/user1, workstation/user2.
I don't believe I understand you too well;
are you saying the local group members on AIX should be domain users???

jefflowrey
Posted: Thu Sep 07, 2006 5:40 am
Grand Poobah
Joined: 16 Oct 2002 Posts: 19981
I'm saying that yes, the NAMES of the users in the AIX group should INCLUDE the domain name.
But, realistically, for your scenario, you SHOULD NOT run your ConfigMgr on AIX.
You should run it on Windows, where it can authenticate the users properly against the proper domains.
And then take proper steps to ensure that your ConfigMgr queue manager is authenticated on the AIX queue manager.
_________________
I am *not* the model of the modern major general.