| Author | Message | 
		
		  | gs | 
			  
				|  Posted: Mon Sep 10, 2007 6:52 am    Post subject: Authorization issues in MQ6 on W3K |   |  | 
		
		  |  Master
 
 
 Joined: 31 May 2007
 Posts: 254
 Location: Sweden
 
 | 
			  
				| Hi, 
 We're having major authorization issues with 3 MQ6 setups on W2k3.
 After a fresh reboot of the server, doing a "refresh security" on the queue manager works fine for a while. After that neither I nor anybody else has the authority to access MQ.
 The first time it happens I can solve it by manually adding myself via Tivoli, but the second time nothing helps except a reboot.
 
 Every failed access attempt creates a couple of warnings in the event log saying: "WebSphere MQ encountered the following network error: The RPC server is unavailable."
 
 I've tried various suggestions from forums, including updating COM security settings, DNS cache issues, etc., but nothing resolves the issue.
 
 Any ideas?
 
 thanks
 
 
 dspmqver:
 Name:        WebSphere MQ
 Version:     6.0.1.1
 CMVC level:  p600-101-060504
 BuildType:   IKAP - (Production)
 
 windows:
 Windows Server 2003 / SP1
 |  | 
		
		
		  | Vitor | 
			  
				|  Posted: Mon Sep 10, 2007 6:59 am    Post subject: |   |  | 
		
		  |  Grand High Poobah
 
 
 Joined: 11 Nov 2005
 Posts: 26093
 Location: Texas, USA
 
 | 
			  
				| Are the MQ services running under a domain user id? They should run under a local one.
 _________________
 Honesty is the best policy.
 Insanity is the best defence.
 |  | 
		
		
		  | gs | 
			  
				|  Posted: Tue Sep 11, 2007 12:40 am    Post subject: |   |  | 
		
		  |  Master
 
 
 Joined: 31 May 2007
 Posts: 254
 Location: Sweden
 
 | 
			  
				| Both the MQ services and the QM are running as a local mq-specific user. 
 We had AD user problems while starting MQ6 with strmqm, causing the QM to crash after logout. strmqm caused the QM to run as the logged-in AD user and crashed with a couple of cryptic FDCs. However, this is resolved.
 |  | 
		
		
		  | gs | 
			  
				|  Posted: Tue Sep 11, 2007 12:41 am    Post subject: |   |  | 
		
		  |  Master
 
 
 Joined: 31 May 2007
 Posts: 254
 Location: Sweden
 
 | 
			  
				| Oops, disregard the W3K in the thread subject. It's W2k3 server of course. |  | 
		
		
		  | fjb_saper | 
			  
				|  Posted: Tue Sep 11, 2007 2:43 am    Post subject: |   |  | 
		
		  |  Grand High Poobah
 
 
 Joined: 18 Nov 2003
 Posts: 20767
 Location: LI,NY
 
 | 
			  
				| I suppose you use amqmdain to start your qmgr. This avoids the user logging out crashing qmgr problem...   
 Apart from that, did you follow all the authorization steps in the quick install for Windows? You might want to rerun the installation wizard ...
  _________________
 MQ & Broker admin
 |  | 
		
		
		  | jefflowrey | 
			  
				|  Posted: Tue Sep 11, 2007 3:29 am    Post subject: |   |  | 
		
		  | Grand Poobah
 
 
 Joined: 16 Oct 2002
 Posts: 19981
 
 
 | 
			  
				| Are you at the latest fixpack?
 _________________
 I am *not* the model of the modern major general.
 |  | 
		
		
		  | gs | 
			  
				|  Posted: Thu Sep 13, 2007 1:56 am    Post subject: |   |  | 
		
		  |  Master
 
 
 Joined: 31 May 2007
 Posts: 254
 Location: Sweden
 
 | 
			  
				| Thanks a lot for your feedback. It seems now that a 5.3 version previously was on the machine. 6.0 was then installed without a reboot after the 5.3 uninstallation. We'll uninstall 6.0, reboot and install it again. 
 Worth mentioning is that the software was installed with company-specific install packages, giving us little control or feedback with the installation.
 |  | 
		
		
		  | gs | 
			  
				|  Posted: Fri Sep 14, 2007 5:14 am    Post subject: |   |  | 
		
		  |  Master
 
 
 Joined: 31 May 2007
 Posts: 254
 Location: Sweden
 
 | 
			  
				| We unfortunately have no control over fixpack installations as we follow company install packages. There are apparently no similar problems in other parts of the company. 
 To me this sounds like the mq process/user account doesn't have access to the AD in order to look up accounts. However, everything looks ok in the DCOM config for the MQ service and things obviously work for a while.
 
 While I can't access the queue manager, a dmpmqaut results in "WebSphere MQ was unable to display an error message 7047. AMQ7047".
 
 "strmqm -c <QMNAME>" solves the problem, but only temporarily for a limited amount of time.
 |  | 
		
		
		  | jefflowrey | 
			  
				|  Posted: Fri Sep 14, 2007 5:40 am    Post subject: |   |  | 
		
		  | Grand Poobah
 
 
 Joined: 16 Oct 2002
 Posts: 19981
 
 
 | 
			  
				| Is it possible that someone has decided to muck around with SYSTEM.* queues, perhaps deleting ones that they feel are "unneeded" or "create security exposures"? 
 strmqm -c should only recreate the default objects.  That should only fix security issues if someone is deleting or mangling default objects.
 
 Unless I'm wrong.
 _________________
 I am *not* the model of the modern major general.
 |  | 
		
		
		  | gs | 
			  
				|  Posted: Fri Sep 14, 2007 5:50 am    Post subject: |   |  | 
		
		  |  Master
 
 
 Joined: 31 May 2007
 Posts: 254
 Location: Sweden
 
 | 
			  
				| Nah, I don't think so as the queue manager was created from scratch just after the mq installation. 
 Actually, I'm not sure what "strmqm -c" actually does. Documentation says recreate/refresh system objects but what does this mean practically?
 |  | 
		
		
		  | fjb_saper | 
			  
				|  Posted: Fri Sep 14, 2007 7:00 am    Post subject: |   |  | 
		
		  |  Grand High Poobah
 
 
 Joined: 18 Nov 2003
 Posts: 20767
 Location: LI,NY
 
 | 
			  
				| 
   
	| gs wrote: |  
	| Nah, I don't think so as the queue manager was created from scratch just after the mq installation. 
 Actually, I'm not sure what "strmqm -c" actually does. Documentation says recreate/refresh system objects but what does this mean practically?
 |  
 Recreate / modify all queues, processes, etc. starting with SYSTEM.
 These objects will then have the default values.
 They are used by the qmgr as a template to create all the other objects you define.
 
 Some are used by the qmgr in V6 to store authority information, and just plainly to function.
 
 Enjoy
  _________________
 MQ & Broker admin
 |  | 
		
		
		  | gs | 
			  
				|  Posted: Fri Sep 14, 2007 7:16 am    Post subject: |   |  | 
		
		  |  Master
 
 
 Joined: 31 May 2007
 Posts: 254
 Location: Sweden
 
 | 
			  
				| The more I dig into this, the more confused I get... 
 As I said, "strmqm -c" solved the problem temporarily. Just an hour ago, I created a new test QM to see if that one worked regarding authority, which it did. After having tried this, the original QM suddenly started working without ANY interaction with it(!).
 
 Thanks everyone for looking into this.
 Someone told me there was a problem with the combination MQ6/VMware but what are your thoughts on this?
 |  | 
		
		
		  | jefflowrey | 
			  
				|  Posted: Fri Sep 14, 2007 7:44 am    Post subject: |   |  | 
		
		  | Grand Poobah
 
 
 Joined: 16 Oct 2002
 Posts: 19981
 
 
 | 
			  
				| 
   
	| gs wrote: |  
	| Someone told me there was a problem with the combination MQ6/VMware but what are your thoughts on this? |  
 Ask them to be specific.
 
 I imagine they won't be able to.  They may say something like "well, I tried it this one time, and it didn't work.  I didn't spend a lot of time trying to figure out why.  It worked outside VM, so I figure that must have been the issue".
 _________________
 I am *not* the model of the modern major general.
 |  | 
		
		
		  | PeterPotkay | 
			  
				|  Posted: Fri Sep 14, 2007 7:25 pm    Post subject: |   |  | 
		
		  |  Poobah
 
 
 Joined: 15 May 2001
 Posts: 7723
 
 
 | 
			  
				| http://www-1.ibm.com/support/docview.wss?rs=171&context=SSFKSJ&context=SSWHKB&q1=mq+vmware&uid=swg21244533&loc=en_US&cs=utf-8&lang=en 
 
 
   
	| Code: |  
	| Problem
 You install MQ v5.3 or v6.0 on a VMWARE partition running Windows® 2003 SP1. When you try to create a Queue Manager using the "crtmqm -q QMNAME" or "crtmqm QMNAME" command you receive the following:
 
 AMQ8101: WebSphere MQ error (893) has occurred
 
 Solution
 Add the logged in userId directly to the local 'mqm' group for the VMWARE guest OS.
 
 |  
 The post on the listserv that I found this on said they thought it was related to VMware not being able to query the nested domain group's members, and that you had to add the individual IDs from that domain group individually into the local mqm group. They weren't 100% sure though.
 _________________
 Peter Potkay
 Keep Calm and MQ On
 |  | 
		
		
		  | jefflowrey | 
			  
				|  Posted: Sat Sep 15, 2007 3:55 am    Post subject: |   |  | 
		
		  | Grand Poobah
 
 
 Joined: 16 Oct 2002
 Posts: 19981
 
 
 | 
			  
				|   
 That sounds suspiciously like a poorly diagnosed network/network configuration problem, and not a fundamental issue with VMware + MQ.
 
 I haven't had problems with the combination, myself.
 _________________
 I am *not* the model of the modern major general.
 |  | 
		