Author |
Message
|
mlotfi |
Posted: Mon Jan 25, 2016 9:45 am Post subject: MQJE001: Completion Code '2', Reason '2035' |
|
|
Acolyte
Joined: 07 Jul 2015 Posts: 60
|
Hi,
I am new here,
I installed WebSphere MQ 8 in my Windows 7, I created a queue manager :
YASEEN.QM
I tried one ofe the java code that come with the sample in the installation :
PCF_ListQueueNames.java
as a command line argument from eclipse I gave :
YASEEN.QM ITD-968735 1414
when I run it I got :
mqde : com.ibm.mq.headers.MQExceptionWrapper: MQJE001: Completion Code '2', Reason '2035'.
and the log error says :
Code: |
1/25/2016 12:43:20 - Process(8216.3) User(MUSR_MQADMIN) Program(amqzmur0.exe)
Host(ITD-968735) Installation(Installation1)
VRMF(8.0.0.4) QMgr(YASEEN.QM)
AMQ6287: WebSphere MQ V8.0.0.4 (p800-004-151022.DE).
EXPLANATION:
WebSphere MQ system information:
Host Info :- Windows 7 Enterprise x64 Edition, Build 7601: SP1 (MQ
Windows (x64 platform) 64-bit)
Installation :- C:\Program Files\IBM\WebSphere MQ (Installation1)
Version :- 8.0.0.4 (p800-004-151022.DE)
ACTION:
None.
-------------------------------------------------------------------------------
1/25/2016 12:43:20 - Process(7796.17) User(MUSR_MQADMIN) Program(amqrmppa.exe)
Host(ITD-968735) Installation(Installation1)
VRMF(8.0.0.4) QMgr(YASEEN.QM)
AMQ9245: Unable to obtain account details for channel MCA user ID.
EXPLANATION:
WebSphere MQ was unable to obtain the account details for MCA user ID 'mqm'.
This user ID was the MCA user ID for channel 'SYSTEM.DEF.SVRCONN' on queue
manager 'YASEEN.QM' and may have been defined in the channel definition, or
supplied either by a channel exit or by a client.
ACTION:
Ensure that the user ID is correct and that it is defined on the Windows local
system, the local domain or on a trusted domain. For a domain user ID, ensure
that all necessary domain controllers are available.
----- cmqxrsrv.c : 2140 -------------------------------------------------------
1/25/2016 12:43:20 - Process(7796.17) User(MUSR_MQADMIN) Program(amqrmppa.exe)
Host(ITD-968735) Installation(Installation1)
VRMF(8.0.0.4) QMgr(YASEEN.QM)
AMQ9557: Queue Manager User ID initialization failed for 'mqm'.
EXPLANATION:
The call to initialize the User ID 'mqm' failed with CompCode 2 and Reason
2035.
ACTION:
Correct the error and try again.
|
|
|
Back to top |
|
 |
exerk |
Posted: Mon Jan 25, 2016 10:04 am Post subject: |
|
|
 Jedi Council
Joined: 02 Nov 2006 Posts: 6339
|
MQ administrative user accounts, connecting by client, are automatically blocked - take a look at the CHLAUTH information here, and other posts related to it (including the one about how to allow the use of MQ administrative users without turning off security). _________________ It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
|
Back to top |
|
 |
mlotfi |
Posted: Mon Jan 25, 2016 10:32 am Post subject: |
|
|
Acolyte
Joined: 07 Jul 2015 Posts: 60
|
In the oabove link you gave me, she said :
Code: |
Using CHLAUTH to allow connections in
The first thing to do is to create a (external link to wiktionary) back-stop rule. This is a rule that will catch any connections not otherwise matched by more specific rules. This rule has the effect of stopping any remote connections from being able to attach to your queue manager at all! See later on if this makes you nervous!
SET CHLAUTH('*') TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(NOACCESS) DESCR('Back-stop rule')
Now that we have closed the door on all remote connections we can start to put more specific rules in place to allow certain connections in. Here are some examples:
SET CHLAUTH('APPL1.SVRCONN') TYPE(ADDRESSMAP) ADDRESS('9.20.1-3.*') USERSRC(CHANNEL)
SET CHLAUTH('SYSTEM.ADMIN.*') TYPE(SSLPEERMAP) SSLPEER('O=IBM') USERSRC(CHANNEL)
SET CHLAUTH('TO.QM2') TYPE(QMGRMAP) QMNAME('QM1') USERSRC(MAP) MCAUSER('QM1USER')
SET CHLAUTH('*.SVRCONN') TYPE(USERMAP) CLNTUSER('mhughson') MCAUSER('hughson@hursley')
SET CHLAUTH('*') TYPE(SSLPEERMAP) SSLPEER('CN="Morag Hughson"') ADDRESS('9.*') MCAUSER('hughson')
|
should I do all of them ?
what is my CLNTUSER ?
what is my MCAUSER ?
Thanks. |
|
Back to top |
|
 |
Vitor |
Posted: Mon Jan 25, 2016 10:44 am Post subject: |
|
|
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
|
mlotfi wrote: |
In the oabove link you gave me, she said :
Code: |
.....
Now that we have closed the door on all remote connections we can start to put more specific rules in place to allow certain connections in. Here are some examples:
|
should I do all of them ? |
Unless you're Morag, none of them are probably that relevant!
As she said, these are examples. You need specific rules that allow the access you want.
mlotfi wrote: |
what is my CLNTUSER ?
what is my MCAUSER ?
|
How can we know that?
The fundamental point is that MQv8 blocks administrative accounts by default. You either need to specifically re-authorize that or better still define & authorize a non-administrative account to run the samples. How you do that is specific to your environment and it's standards _________________ Honesty is the best policy.
Insanity is the best defence. |
|
Back to top |
|
 |
mlotfi |
Posted: Mon Jan 25, 2016 10:51 am Post subject: |
|
|
Acolyte
Joined: 07 Jul 2015 Posts: 60
|
How to specifically re-authorize that ?
is CLNTUSER my user name is windows ?
Thanks. |
|
Back to top |
|
 |
Vitor |
Posted: Mon Jan 25, 2016 11:00 am Post subject: |
|
|
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
|
mlotfi wrote: |
How to specifically re-authorize that ? |
With appropriate channel authority rules.
mlotfi wrote: |
is CLNTUSER my user name is windows ? |
It might be, depending on how the sample flows the id and what the channel does (in the sense of what you've configured it to do).
I'd guess not, given that your original 2035 was against the mqm user so I'd imagine (accidentally or deliberately) that's what you're flowing to the queue manger.
Unless you're signed into Windows as "mqm" in which case absolutely yes, it's your user name in Windows. _________________ Honesty is the best policy.
Insanity is the best defence. |
|
Back to top |
|
 |
Vitor |
Posted: Mon Jan 25, 2016 11:05 am Post subject: Re: MQJE001: Completion Code '2', Reason '2035' |
|
|
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
|
mlotfi wrote: |
I am new here,
I installed WebSphere MQ 8 in my Windows 7, I created a queue manager :
YASEEN.QM
I tried one ofe the java code that come with the sample in the installation :
PCF_ListQueueNames.java
as a command line argument from eclipse I gave :
YASEEN.QM ITD-968735 1414
when I run it I got :
mqde : com.ibm.mq.headers.MQExceptionWrapper: MQJE001: Completion Code '2', Reason '2035'. |
Returning to first principles, it looks like you've just dropped down the software, spun up a sample and pointed it at SYSTEM.DEF.SVRCONN.
As you've found, that doesn't work as well under v8 as it did under previous versions as the default security stops you.
I'd take a moment, take a breath, and actually configure the queue manager. Put in your own SVRCONN channel, set that up, put channel auth rules against it and then try using the queue manager. That's probably faster and easier than banging away trying to bend the defaults until they work. You'll also learn valuable lessons about authority rules that will serve you well in future; 2035 errors from queue managers that are not installed on your local system can't be fixed by turning the security down until the error goes away. _________________ Honesty is the best policy.
Insanity is the best defence. |
|
Back to top |
|
 |
smdavies99 |
Posted: Mon Jan 25, 2016 11:25 am Post subject: Re: MQJE001: Completion Code '2', Reason '2035' |
|
|
 Jedi Council
Joined: 10 Feb 2003 Posts: 6076 Location: Somewhere over the Rainbow this side of Never-never land.
|
Vitor wrote: |
I'd take a moment, take a breath, and actually configure the queue manager. Put in your own SVRCONN channel, set that up, put channel auth rules against it and then try using the queue manager. That's probably faster and easier than banging away trying to bend the defaults until they work. You'll also learn valuable lessons about authority rules that will serve you well in future; 2035 errors from queue managers that are not installed on your local system can't be fixed by turning the security down until the error goes away. |
In adittion to what my esteemed colleague has said, you should make all the changes via a script. Then you can use that script as a template for the future.
There are many discussions about this area in this forum. There are some articles by Morag Hughson that will be invalliable.
This http://www.mqseries.net/phpBB2/viewtopic.php?t=71102
might be a good place to start. _________________ WMQ User since 1999
MQSI/WBI/WMB/'Thingy' User since 2002
Linux user since 1995
Every time you reinvent the wheel the more square it gets (anon). If in doubt think and investigate before you ask silly questions. |
|
Back to top |
|
 |
mlotfi |
Posted: Mon Jan 25, 2016 11:30 am Post subject: |
|
|
Acolyte
Joined: 07 Jul 2015 Posts: 60
|
Thank you Sir for your patience, I was assigned to do these IBM thing even I have never done them before, so I am struggling, I see myself like a blind here, when I open the documentation it's huge, I like these messaging things of IBM, I wish I will understand it more.
I have just created a new channel .
Please show me how to put channel auth rules against it.
Thanks. |
|
Back to top |
|
 |
Vitor |
Posted: Mon Jan 25, 2016 12:01 pm Post subject: |
|
|
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
|
|
Back to top |
|
 |
mlotfi |
Posted: Mon Jan 25, 2016 12:52 pm Post subject: |
|
|
Acolyte
Joined: 07 Jul 2015 Posts: 60
|
|
Back to top |
|
 |
hughson |
Posted: Wed Jan 27, 2016 1:32 pm Post subject: |
|
|
 Padawan
Joined: 09 May 2013 Posts: 1959 Location: Bay of Plenty, New Zealand
|
|
Back to top |
|
 |
mlotfi |
Posted: Mon Feb 01, 2016 7:05 am Post subject: |
|
|
Acolyte
Joined: 07 Jul 2015 Posts: 60
|
Thank you Morag, it's working now. |
|
Back to top |
|
 |
bruce2359 |
Posted: Mon Feb 01, 2016 7:16 am Post subject: |
|
|
 Poobah
Joined: 05 Jan 2008 Posts: 9469 Location: US: west coast, almost. Otherwise, enroute.
|
Get some MQ training! Search google for WM207 (Windows) or WM209 (Linux). These are 4-day lecture and hands-on lab classes. Can be taken in a real or virtual classroom. _________________ I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live. |
|
Back to top |
|
 |
mlotfi |
Posted: Wed Mar 09, 2016 11:22 am Post subject: |
|
|
Acolyte
Joined: 07 Jul 2015 Posts: 60
|
Hi Morag,
I choose the second option :
Pattern 2: IP address filtered non privileged user ID
Please I have two questions :
1) I am new in linux, I am using vagrant virtual machine with MQ8 installed, where to put my sh script ?
and how it will be executed ?
2) was that IP address you put in this code was randomly chosen ?
Code: |
SET CHLAUTH(NONPRIV.SVRCONN) TYPE(ADDRESSMAP) ADDRESS('9.10.20.30') MCAUSER('morag2')
|
Thanks, I appreciate your help. |
|
Back to top |
|
 |
|