ASG
IBM
Zystems
Cressida
Icon
Netflexity
 
  MQSeries.net
Search  Search       Tech Exchange      Education      Certifications      Library      Info Center      SupportPacs      LinkedIn  Search  Search                                                                   FAQ  FAQ   Usergroups  Usergroups
 
Register  ::  Log in Log in to check your private messages
 
RSS Feed - WebSphere MQ Support RSS Feed - Message Broker Support

MQSeries.net Forum Index » General IBM MQ Support » Authorization issues in MQ6 on W3K

Post new topic  Reply to topic Goto page 1, 2  Next
 Authorization issues in MQ6 on W3K « View previous topic :: View next topic » 
Author Message
gs
PostPosted: Mon Sep 10, 2007 6:52 am    Post subject: Authorization issues in MQ6 on W3K Reply with quote

Master

Joined: 31 May 2007
Posts: 254
Location: Sweden

Hi,

We're having major authorization issues with 3 MQ6 setups on W2k3.
After a fresh reboot of the server, doing a "refresh security" on the queue manager works fine for a while. After that neither I nor anybody else has the authority to access MQ.
The first time it happens I can solve it by manually adding myself via Tivoli but the second time nothing helps except a reboot.

Every failed access attempt creates a couple of warnings in the event log saying: "WebSphere MQ encountered the following network error: The RPC server is unavailable."

I've tried various suggestions from forums including updating COM security settings, DNS cache issues etc but nothing resolves the issue.

Any ideas?

thanks


dspmqver:
Name: WebSphere MQ
Version: 6.0.1.1
CMVC level: p600-101-060504
BuildType: IKAP - (Production)

windows:
Windows Server 2003 / SP1
Back to top
View user's profile Send private message
Vitor
PostPosted: Mon Sep 10, 2007 6:59 am    Post subject: Reply with quote

Grand High Poobah

Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA

Are the MQ services running under a domain user id? They should run under a local one.
_________________
Honesty is the best policy.
Insanity is the best defence.
Back to top
View user's profile Send private message
gs
PostPosted: Tue Sep 11, 2007 12:40 am    Post subject: Reply with quote

Master

Joined: 31 May 2007
Posts: 254
Location: Sweden

Both MQ Services and the QM is running as a local mq specific user.

We had AD user problems while starting MQ6 with strmqm causing the QM to crash after logout. strmqm caused the QM to run as the logged in AD user and crashed with a couple of cryptic FDC's. However, this is resolved.
Back to top
View user's profile Send private message
gs
PostPosted: Tue Sep 11, 2007 12:41 am    Post subject: Reply with quote

Master

Joined: 31 May 2007
Posts: 254
Location: Sweden

Oops, disregard the W3K in the thread subject. It's W2k3 server of course.
Back to top
View user's profile Send private message
fjb_saper
PostPosted: Tue Sep 11, 2007 2:43 am    Post subject: Reply with quote

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20756
Location: LI,NY

I suppose you use amqmdain to start your qmgr. This avoids the user logging out crashing qmgr problem...

Apart from that did you follow all the authorization steps in the quick install for windows? You might want to rerun the installation wizard ...
_________________
MQ & Broker admin
Back to top
View user's profile Send private message Send e-mail
jefflowrey
PostPosted: Tue Sep 11, 2007 3:29 am    Post subject: Reply with quote

Grand Poobah

Joined: 16 Oct 2002
Posts: 19981

Are you at the latest fixpack?
_________________
I am *not* the model of the modern major general.
Back to top
View user's profile Send private message
gs
PostPosted: Thu Sep 13, 2007 1:56 am    Post subject: Reply with quote

Master

Joined: 31 May 2007
Posts: 254
Location: Sweden

Thanks a lot for your feedback. It seems now that a 5.3 version previously was on the machine. 6.0 was then installed without a reboot after the 5.3 uninstallation. We'll uninstall 6.0, reboot and install it again.

Worth to mention is that the software was installed with company specific install packages giving us little control or feeback with the installation.
Back to top
View user's profile Send private message
gs
PostPosted: Fri Sep 14, 2007 5:14 am    Post subject: Reply with quote

Master

Joined: 31 May 2007
Posts: 254
Location: Sweden

We unfortunately have no control over fixpack installations as we follow company install packages. There are apparently no similar problems in other parts of the company.

To me this sounds like the mq process/user account doesn't have access to the AD in order to look up accounts. However, everything looks ok in the DCOM config for the MQ service and things obviously work for a while.

While I can't access the queue manager, a dmpmqaut results in "WebSphere MQ was unable to display an error message 7047. AMQ7047".

"strmqm -c <QMNAME>" solves the problem, but only temporarily for a limited amount of time.
Back to top
View user's profile Send private message
jefflowrey
PostPosted: Fri Sep 14, 2007 5:40 am    Post subject: Reply with quote

Grand Poobah

Joined: 16 Oct 2002
Posts: 19981

Is it possible that someone has decided to muck around with SYSTEM.* queues, perhaps deleting ones that they feel are "unneeded" or "create security exposures"?

strmqm -c should only recreate the default objects. That should only fix security issues if someone is deleting or mangling default objects.

Unless I'm wrong.
_________________
I am *not* the model of the modern major general.
Back to top
View user's profile Send private message
gs
PostPosted: Fri Sep 14, 2007 5:50 am    Post subject: Reply with quote

Master

Joined: 31 May 2007
Posts: 254
Location: Sweden

Nah, I don't think so as the queue manager was created from scratch just after the mq installation.

Actually I'm not sure what "strmqm -c actually" does. Documentation says recreate/refresh system objects but what does this mean practically?
Back to top
View user's profile Send private message
fjb_saper
PostPosted: Fri Sep 14, 2007 7:00 am    Post subject: Reply with quote

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20756
Location: LI,NY

gs wrote:
Nah, I don't think so as the queue manager was created from scratch just after the mq installation.

Actually I'm not sure what "strmqm -c actually" does. Documentation says recreate/refresh system objects but what does this mean practically?


recreate / modify all queues, processes etc starting with SYSTEM.
These objects will then have the default values.
They are used by the qmgr as a template to create all the other objects you define.

Some are used by the qmgr in V6 to store authority information, and just plainly to function.

Enjoy
_________________
MQ & Broker admin
Back to top
View user's profile Send private message Send e-mail
gs
PostPosted: Fri Sep 14, 2007 7:16 am    Post subject: Reply with quote

Master

Joined: 31 May 2007
Posts: 254
Location: Sweden

The more I dig into this, the more confused I get..

As I said "strmqm -c" solved the problem temporarily. Just an hour ago, I created a new test QM to see if that one worked regarding authority, which it did. After having tried this the original QM suddenly started working without ANY interaction with it(!).

Thanks everyone for looking into this.
Someone told be there was a problem with the combination MQ6/VMWare but what are your thoughts on this?
Back to top
View user's profile Send private message
jefflowrey
PostPosted: Fri Sep 14, 2007 7:44 am    Post subject: Reply with quote

Grand Poobah

Joined: 16 Oct 2002
Posts: 19981

gs wrote:
Someone told be there was a problem with the combination MQ6/VMWare but what are your thoughts on this?


Ask them to be specific.

I imagine they won't be able to. They may say something like "well, I tried it this one time, and it didn't work. I didn't spend a lot of time trying to figure out why. It worked outside VM, so I figure that must have been the issue".
_________________
I am *not* the model of the modern major general.
Back to top
View user's profile Send private message
PeterPotkay
PostPosted: Fri Sep 14, 2007 7:25 pm    Post subject: Reply with quote

Poobah

Joined: 15 May 2001
Posts: 7722

http://www-1.ibm.com/support/docview.wss?rs=171&context=SSFKSJ&context=SSWHKB&q1=mq+vmware&uid=swg21244533&loc=en_US&cs=utf-8&lang=en

Code:

Problem
You install MQ v5.3 or v6.0 on a VMWARE partition running Windows® 2003 SP1. When you try to create a Queue Manager using the "crtmqm -q QMNAME" or "crtmqm QMNAME" command you receive the following:

AMQ8101: WebSphere MQ error (893) has occurred 
 
Solution
Add the logged in userId directly to the local 'mqm' group for the VMWARE guest OS. 


The post on the list serve that I found this on said they thought it was related to VMWare not being able to query the nested domain group's members, that you had to add the individual IDs from that domain group individualy into the local mqm group. They weren't 100% sure though.
_________________
Peter Potkay
Keep Calm and MQ On
Back to top
View user's profile Send private message
jefflowrey
PostPosted: Sat Sep 15, 2007 3:55 am    Post subject: Reply with quote

Grand Poobah

Joined: 16 Oct 2002
Posts: 19981



That sounds suspiciously like a poorly diagnosed network/network configuration problem, and not a fundamental issue with VMWare + MQ.

I haven't had problems with the combination, myself.
_________________
I am *not* the model of the modern major general.
Back to top
View user's profile Send private message
Display posts from previous:   
Post new topic  Reply to topic Goto page 1, 2  Next Page 1 of 2

MQSeries.net Forum Index » General IBM MQ Support » Authorization issues in MQ6 on W3K
Jump to:  



You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
Protected by Anti-Spam ACP
 
 


Theme by Dustin Baccetti
Powered by phpBB © 2001, 2002 phpBB Group

Copyright © MQSeries.net. All rights reserved.