ammx |
Posted: Fri Sep 08, 2017 7:49 pm Post subject: MQ Client is not getting messages from the MQ queue manager |
|
|
Acolyte
Joined: 08 Sep 2017 Posts: 50
|
Hi
I am working with two Linux RedHat servers, one with MQ Client 8.0.0.6 and the other with MQ Server 8.0.0.6. I am trying to test a queue manager "AEDMQ03A" that is not receiving messages from the Client machine. These are the following steps I have done:
1) I verified in the MQ Server that the queue manager AEDMQ03A is running, and its listener is also running on port 1414.
2) I checked there is a server-connection channel "SYSTEM.DEF.SVRCONN" (runmqsc AEDMQ03A and then DISPLAY CHANNEL(*)) and it gave me the next information:
Code: |
CHANNEL(SYSTEM.DEF.SVRCONN)
CHLTYPE(SVRCONN)
ALTDATE(2016-02-15)
ALTTIME(02.20.25)
CERTLABL( )
COMPHDR(NONE)
COMPMSG(NONE)
DESCR( )
DISCINT(0)
HBINT(300)
KAINT(AUTO)
MAXINST(100)
MAXINSTC(90)
MAXMSGL(4194304)
MCAUSER(nobody)
MONCHL(QMGR)
RCVDATA( )
RCVEXIT( )
SCYDATA( )
SCYEXIT( )
SENDDATA( )
SENDEXIT( )
SHARECNV(10)
SSLCAUTH(REQUIRED)
SSLCIPH( )
SSLPEER( )
TRPTYPE(TCP) |
On the client side
3) I defined the environment variables MQSERVER like this:
MQSERVER=SYSTEM.DEF.SVRCONN/TCP/ 'IP_ADRESS_MQServer(port)'
4) I checked that a local queue named "SYSTEM.DEFAULT.LOCAL.QUEUE" exists
5) Then I try to "amqsputc SYSTEM.DEFAULT.LOCAL.QUEUE AEDMQ03A", but it gives me the error:
"Sample AMQSPUT0 start
MQCONNX ended with reason code 2035"
I investigated this and I know it has something to do with permissions. I went to the AEDMQ03A error logs and found these three messages that caught my attention:
AMQ9999: Channel 'SYSTEM.DEF.SVRCONN' to host 'ip_adress_client' ended abnormally
AMQ8077: Entity nobody has insufficient authority to access object 'SYSTEM.DEFAULT.LOCAL.QUEUE'(NOBODY IS THE MCAUSER OF THE CHANNEL)
AMQ9777: Channel was blocked. The inbound channel 'SYSTEM.DEF.SVRCONN' was blocked from adress 'ip_MQclient' because the active values of the channel matched a record configured with USERSRC(NOACCESS). The active values of the channel were 'CLNTUSER(mqm)
I thought that the only issue was the permissions on the local queue and the queue manager but apparently there are other 2 issues there.
Regarding the permissions setting with the command setmqaut, which user or group do I have to give the permissions to, the user mqm or the MCAUSER that appeared on the SVRCONN channel? And what kind of permissions, +all, +put,+get??
Thanks in advance |
|
fjb_saper |
Posted: Sat Sep 09, 2017 2:48 am Post subject: |
|
|
Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
Well this is not going to work the way you want. As you guessed the channel you chose is not working. You need to define a server connection channel that does not start with SYSTEM...
Security is now enforcing best practice and will prevent you from using any channel starting with SYSTEM....
For the second part don't use user mqm or any other user in the mqm group. Those are considered privileged users and are "banned" by default.
You will still have to authorize the group/user to access the qmgr and its relevant objects (queues) using setmqaut.
After that you should be good.
Have fun _________________ MQ & Broker admin |
|
ammx |
Posted: Sat Sep 09, 2017 9:07 pm Post subject: |
|
|
Acolyte
Joined: 08 Sep 2017 Posts: 50
|
Hi
I already created another server-communication channel like this:
DEFINE CHANNEL(A03ZCIWAS) CHLTYPE(SVRCONN) TRPTYPE(TCP)
I also created the client-communication channel (I am not sure if this step is necessary, but I did it anyways).
DEFINE CHANNEL(A03ZCIWAS) CHLTYPE(CLNTCONN) CONNAME(xx.xx.xx.xx) QMNAME(AEDMQ03A) TRPTYPE(TCP) <-- here the xx.xx.xx.xx is the IP address of the MQ Server
Then I set the MQSERVER environment variable with MQSERVER=A03ZCIWAS/TCP/'xx.xx.xx.xx(1414)'
After this I set the necessary permissions for the queue manager and the queue. I did it for user nobody which is the user in the MCAUSER of the SVRCONN CHANNEL (named A03ZCIWAS).
setmqaut -m AEDMQ03A -t qmgr -p nobody +alladm
setmqaut -m AEDMQ03A -n QUEUE_TEST -t queue -p nobody +alladm
I also setmqaut for the group where nobody belongs to (it only belongs to one group). The QUEUE_TEST is the local queue I created for testing
and then when I tried ./amqsputc QUEUE_TEST AEDMQ03A, it gives me the error message:
Sample AMQSPUT0 start
target queue is QUEUE_TEST
MQOPEN ended with reason code 2035
unable to open queue for output
Sample AMQSPUT0 end
I don't understand why it is giving me this cause I already gave permissions for the queue and the queue manager |
|
fjb_saper |
Posted: Sun Sep 10, 2017 12:39 am Post subject: |
|
|
Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
Look in the queue manager error log to further understand why you are getting the 2035 reason code.
Have fun _________________ MQ & Broker admin |
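Added example, not part of the thread or any poster's code: a small shell filter that pulls the authorization-related messages out of queue manager error-log text and reports which entity, object or channel each 2035 traces back to. The function name `triage_2035`, the `AUTHZ`/`CHLAUTH` labels and the sample log are assumptions of this example; the sample lines are constructed from the message wording quoted earlier in the thread.

```shell
#!/bin/sh
# Added example: classify the queue manager error-log messages behind MQRC 2035.
# SAMPLE_LOG is constructed from the message wording quoted in this thread; real
# AMQERR01.LOG entries also carry timestamps and EXPLANATION/ACTION text.
SAMPLE_LOG="AMQ9999: Channel 'A03ZCIWAS' to host 'xx.xx.xx.xx' ended abnormally.
AMQ8077: Entity 'nobody' has insufficient authority to access object 'QUEUE_TEST'.
AMQ9777: Channel was blocked. The inbound channel 'SYSTEM.DEF.SVRCONN' was blocked from address 'xx.xx.xx.xx' because the active values of the channel matched a record configured with USERSRC(NOACCESS). The active values of the channel were 'CLNTUSER(mqm)'."

# triage_2035 (hypothetical name): reads log text on stdin and prints one
# finding per authorization-related message. AMQ9999 is only the generic
# "channel ended" notice, so it is skipped.
triage_2035() {
  awk -v q="'" '
    { gsub(q, "") }                  # message inserts may or may not be quoted
    /AMQ8077/ {                      # object authority check failed
      ent = obj = "?"
      for (i = 1; i < NF; i++) {
        if ($i == "Entity") ent = $(i + 1)
        if ($i == "object") obj = $(i + 1)
      }
      sub(/\.$/, "", obj)            # drop the sentence-ending period
      print "AUTHZ entity=" ent " object=" obj
    }
    /AMQ9777/ {                      # connection refused by a CHLAUTH record
      chl = usr = "?"
      for (i = 1; i < NF; i++)
        if ($i == "inbound" && $(i + 1) == "channel") chl = $(i + 2)
      if (match($0, /CLNTUSER\([^)]*\)/))
        usr = substr($0, RSTART + 9, RLENGTH - 10)
      print "CHLAUTH channel=" chl " clntuser=" usr
    }
  '
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | triage_2035
```

An `AUTHZ` finding points at object authorities, which can be inspected with `dspmqaut` for the named entity and object; a `CHLAUTH` finding means a channel authentication record rejected the connection.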
|
gbaddeley |
Posted: Sun Sep 10, 2017 3:57 pm Post subject: |
|
|
Jedi Knight
Joined: 25 Mar 2003 Posts: 2538 Location: Melbourne, Australia
|
You can delete the CLNTCONN type channel. It's not required if you are using the MQSERVER environment variable to configure a MQ Client connection.
Also, don't use the userid 'nobody'. It has that name for a reason. It defines a principal that should not exist and/or is not usable and/or does not have authority to anything.
For MQ authorities, it's best to use a dedicated app group, with the userid of interest being a member of that group. Don't use any groups that most userids are in (e.g. staff) as this over authorises in MQ. _________________ Glenn |
|
gbaddeley |
Posted: Mon Sep 11, 2017 4:50 pm Post subject: |
|
|
Jedi Knight
Joined: 25 Mar 2003 Posts: 2538 Location: Melbourne, Australia
|
The thread title gives me pain "MQ queue manager is not getting messages from the MQ Client". It should be the other way around "MQ Client is not getting messages from the MQ queue manager". _________________ Glenn |
|
fjb_saper |
Posted: Tue Sep 12, 2017 4:43 am Post subject: |
|
|
Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
gbaddeley wrote: |
The thread title gives me pain "MQ queue manager is not getting messages from the MQ Client". It should be the other way around "MQ Client is not getting messages from the MQ queue manager". |
So updated the title. _________________ MQ & Broker admin |
|