| Author |
Message
|
| gx_mksoft |
 Posted: Mon Sep 29, 2003 12:43 am Post subject: What is the problem with amqscnxc -- reason code 2035 |
 |
|
Newbie
Joined: 29 Sep 2003
Posts: 5
|
I have a MQ server on HP-UX and MQ client (5.2) installed on NT.
When I try to run amqscnxc on the NT workstation, I always get reason code 2035 ( no authorization exit).
I checked the server side, the MCAUSER attribute is set to blank on the channel I tried to connect.
After I debug this c application, I found MQCD.UserIdentifier is blank.
Is this because I did not specify the MQCD.UserIdentifier that I get the reason code 2035 ?
If I am to specify the UserIdentifier, what value should I put and do I also need to specify the MQCD.Password ? |
|
| Back to top |
|
 |
| mqonnet |
| Posted: Mon Sep 29, 2003 5:10 am Post subject: |
|
|
Grand Master
Joined: 18 Feb 2002
Posts: 1114
Location: Boston, Ma, Usa.
|
Well, first things first. Do you have a userid/principal defined on Unix box with the same name(case sensitive) as you are logged in on NT box. If not, then you have to do that, and you gotta do this because you left MCAUSER attribute blank. Which would mean that the OAM would use your logon id on NT as the source to authenticate any request.
As for useridentifier, it comes into play only if you set alternateuserid and i dont presume you are doing that.
Cheers
Kumar |
|
| Back to top |
|
|
| gx_mksoft |
| Posted: Mon Sep 29, 2003 7:35 pm Post subject: |
|
|
Newbie
Joined: 29 Sep 2003
Posts: 5
|
Thanks Kumar,
How do I create an user in the MQServer on HP-UX, is it must be the same with the Domain ID I logon the NT ? If I log on as LANID@DOMAIN, does it mean the name ID on MQServer should be LANID ?
Thanks again. |
|
| Back to top |
|
|
| mqonnet |
| Posted: Tue Sep 30, 2003 5:02 am Post subject: |
|
|
Grand Master
Joined: 18 Feb 2002
Posts: 1114
Location: Boston, Ma, Usa.
|
I have not worked with multiple domains and hence this has been a bit confusing issue to me at all times.
But theoretically, i believe that whatever your logon id is that is what is used for authentication purposes irrespective of which domain you login using that id. And hence you need to create a user with the same(including case) id on your Hp-Ux box as you login on your NT box.
Creation of an additional user is no different than creating a regular user on Hp-ux. Make sure that this user is made part of the mqm group, or at least grant appropriate authority to the QM objects that you wish to access, to this userid.
Cheers
Kumar |
|
| Back to top |
|
|
| gx_mksoft |
| Posted: Thu Oct 02, 2003 12:02 am Post subject: |
|
|
Newbie
Joined: 29 Sep 2003
Posts: 5
|
Thanks Kumar.
I have another problem :-
1) MQServer and Client V5.2 installed on HP-UX
2) run amqscnxc with ID mqm is successful
3) run amqscnxc with ID testid which is under group qmg1 is failed with reason code 2035 even though the group qmq1 is grant the below permissions :-
inq
set
connect
altusr
setid
setall
4) I add user id testid to group mqm, but still failed with reason code 2035
To fix this problem , do I need to set the permission on user id level but not group level ?
Thanks |
|
| Back to top |
|
|
| mqonnet |
| Posted: Fri Oct 03, 2003 5:08 am Post subject: |
|
|
Grand Master
Joined: 18 Feb 2002
Posts: 1114
Location: Boston, Ma, Usa.
|
If you have added this userid to "mqm" group it should have worked. Lets do this.
1) On client HP-Ux you logon as id "testid" and you have defined a userid/principal with the same name(including case) on your server system and added this to the mqm group. Is this what you did. If no, then you gotta do this.
2) When you say you setmqaut the permissions as mentioned in your post, i would assume you gave permissions to only the objects of interest. Say you wanted to access a particular queue, you gave these permissions to "testid" for that queue. But my guess is you forgot to give this userid "testid" qmgr wide permissions. You need to setmqaut this userid to grant permissions to the qmgr, for at least connect if i am not wrong. So, this could be the other bit that you were missing.
3) Different platforms have slightly different implementation of security. And hence it is always advisible to check whether permissions granted group wide is populated down to individual group members. As in this case, you granted permissions to group qmg1 which has userid testid. But before using id, testid, make sure that testid has infact inherited the group permissions. If not, then you have to explicitly set these permissions on individual userid basis.
Hope this helps.
Cheers
Kumar |
|
| Back to top |
|
|
| gx_mksoft |
| Posted: Wed Oct 08, 2003 7:03 pm Post subject: |
|
|
Newbie
Joined: 29 Sep 2003
Posts: 5
|
Thanks a lot Kumar,
I succeeded in putting msg and getting msg from queue.
I have one more question hopefully you can reply as I came back after so long a time silence.
If the ID is created on the HP-UX but it is disabled(password expired or something), can I still use this ID to connect to MQServer, put msg and get msg ?
Thanks a lot ! |
|
| Back to top |
|
|
| mqonnet |
| Posted: Thu Oct 09, 2003 5:03 am Post subject: |
|
|
Grand Master
Joined: 18 Feb 2002
Posts: 1114
Location: Boston, Ma, Usa.
|
Yes you should be able to.
When a client connects to a server instance, it just verifies if the userid that comes in has a valid principal/userid defined with appropriate authorizations to access MQ Objects on the server system. It does not check to see what the password for that userid is or to verify any of that stuff.
Hope this helps.
Cheers
Kumar |
|
| Back to top |
|
|
| gx_mksoft |
| Posted: Tue Oct 28, 2003 6:41 pm Post subject: |
|
|
Newbie
Joined: 29 Sep 2003
Posts: 5
|
Kumar,
I just want to say, thank you very much. |
|
| Back to top |
|
|
|
|
