ASG
IBM
Zystems
Cressida
Icon
Netflexity
 
  MQSeries.net
Search  Search       Tech Exchange      Education      Certifications      Library      Info Center      SupportPacs      LinkedIn  Search  Search                                                                   FAQ  FAQ   Usergroups  Usergroups
 
Register  ::  Log in Log in to check your private messages
 
RSS Feed - WebSphere MQ Support RSS Feed - Message Broker Support

MQSeries.net Forum Index » General IBM MQ Support » MQ Client - MQ Server Connections

Post new topic  Reply to topic
 MQ Client - MQ Server Connections « View previous topic :: View next topic » 
Author Message
pateluje
PostPosted: Tue Jun 01, 2004 11:49 am    Post subject: MQ Client - MQ Server Connections Reply with quote

Newbie

Joined: 11 May 2004
Posts: 7

Help,

I need help in setting up access for a mq client on Solaris to talk to a queue manager on another box also running on Solaris.

The mq client is installed on a sun box (server A) as user mqm, group mqm. The application that is going to use the mq client runs under user id biw. The application user id biw has also been added to the mqm group on Server A.

The mq server / queue manager are up and running also running under user mqm group mqm on a sun box (server B)

We get the following errors when they try to connect to the qmanager on Server B.

MQCONN ended with reason code 2035

Can someone please walk me through with getting the biw id on server A access to put messages to a queue on Server B, without giving to much access to biw access to the queue manager on server A.

Your help would be greatly appreciated.
Back to top
View user's profile Send private message
jefflowrey
PostPosted: Tue Jun 01, 2004 12:32 pm    Post subject: Reply with quote

Grand Poobah

Joined: 16 Oct 2002
Posts: 19981

Reason code 2035 is a security error.

The documentation for the mqseries security command 'setmqaut' should help you understand how to resolve this.

You will need to set the mq authorities to allow the user in question to access the appropriate mqseries resources you need.

But be aware that security on Unix is done actually at the group level, not at the user level. So put biw into it's own group, and setmqaut for that group.
_________________
I am *not* the model of the modern major general.
Back to top
View user's profile Send private message
pateluje
PostPosted: Tue Jun 01, 2004 12:41 pm    Post subject: Reply with quote

Newbie

Joined: 11 May 2004
Posts: 7

Just to clarify,

If I create a group called mqusers and add the biw user to this group. I will be able to grant access to the biw user to specific mq objects (mq object a).

Also in the future if I need to add another user to access a defferent set mq objects (mq object B) , will I be able to add them to the mqusers group and have each user only access their own set of objects?

Thanks
Ujesh
Back to top
View user's profile Send private message
jefflowrey
PostPosted: Tue Jun 01, 2004 12:49 pm    Post subject: Reply with quote

Grand Poobah

Joined: 16 Oct 2002
Posts: 19981

No.

Any member of mqusers will have the same accesses.

On Unix.
_________________
I am *not* the model of the modern major general.
Back to top
View user's profile Send private message
pateluje
PostPosted: Tue Jun 01, 2004 1:31 pm    Post subject: Reply with quote

Newbie

Joined: 11 May 2004
Posts: 7

Then will the following work

I have created a group mqusers on the mq server and created a local biw account. There is also a svrconn channel defined with MCAUSER left blank.

I have then run the following command.

setmqaut -m TSN15 -n BIW.BUS.DEV.PUT.QL01 -t queue -g mqusers +put +browse +get

Will this allow the biw id on the client machine to put to this queue.

Thanks
Back to top
View user's profile Send private message
jefflowrey
PostPosted: Tue Jun 01, 2004 2:18 pm    Post subject: Reply with quote

Grand Poobah

Joined: 16 Oct 2002
Posts: 19981

You probably also have to give the user connection rights to the queue manager.
_________________
I am *not* the model of the modern major general.
Back to top
View user's profile Send private message
pateluje
PostPosted: Tue Jun 01, 2004 6:47 pm    Post subject: Reply with quote

Newbie

Joined: 11 May 2004
Posts: 7

This still does not work.

I have done the following:

On my mq server I have created a local biw account belonging to mquser group. I have granted allmqi to the principal biw and group mquser to the queue BIW.BUS.DEV.PUT.QL01.

On the mq client as user biw on Solaris 8 client machine:

MQSERVER=WIB.EMX.TSN15.CL01/TCP/'morgan.domainname.com(4501)'

I run the following command and this is what I am getting.

amqsputc EMX.WIB.PUT.QA01 TSN15
Sample AMQSPUT0 start
MQCONN ended with reason code 2035

I have checked to see that the listener on my server is running, I am using the inetd.conf. There are no connectivity problems between the client and server.

Do I also need to have runmqlsr to have this work? I can't run both, as both the inetd spawned process and runmqlsr will have a conflict binding port 4501. Am I missing something?

Can someone please help find what I am doing wrong. This is now becoming urgent. I am familiar with MQ Server Channels, first time having to deal with client channel. Help !!!!!

Back to top
View user's profile Send private message
morpheus
PostPosted: Wed Jun 02, 2004 7:44 am    Post subject: Reply with quote

Acolyte

Joined: 08 Mar 2003
Posts: 72
Location: Austin, TX

Issue 'dspmqaut' on the queue manager object with the user id and see what authorizations you have for that user on the object.



-Morphues
Back to top
View user's profile Send private message
pateluje
PostPosted: Wed Jun 02, 2004 7:53 am    Post subject: Reply with quote

Newbie

Joined: 11 May 2004
Posts: 7

Here is the output from running the dspmqaut

For the group mqusers
mqm:morgan:/opt/mqm/bin $ dspmqaut -m TSN15 -n BIW.BUS.DEV.PUT.QL01 -t queue -g mqusers
Entity mqusers has the following authorizations for object BIW.BUS.DEV.PUT.QL01:
get
browse
put
inq
set
passid
passall
setid
setall


For the user biw part of the mqusers group.
mqm:morgan:/opt/mqm/bin $ dspmqaut -m TSN15 -n BIW.BUS.DEV.PUT.QL01 -t queue -p biw
Entity biw has the following authorizations for object BIW.BUS.DEV.PUT.QL01:
get
browse
put
inq
set
passid
passall
setid
setall
Back to top
View user's profile Send private message
mqonnet
PostPosted: Wed Jun 02, 2004 7:56 am    Post subject: Reply with quote

Grand Master

Joined: 18 Feb 2002
Posts: 1114
Location: Boston, Ma, Usa.

Your question is already answered, looks like you overlooked it.

"On my mq server I have created a local biw account belonging to mquser group. I have granted allmqi to the principal biw and group mquser to the queue BIW.BUS.DEV.PUT.QL01.
"

jefflowrey Posted: 01 Jun 2004 17:18 Post subject:

--------------------------------------------------------------------------------

You probably also have to give the user connection rights to the queue manager.

You did not post dspmqaut -m TSN15 -t qmgr -p biw???? You have to give "connect" permissions on the queue manager for the user biw. If you carefully look at where 2035 is originating from. It is an MQconn call. So that all explains, i guess. :)


Cheers
Kumar
_________________
IBM Certified WebSphere MQ V5.3 Developer
IBM Certified WebSphere MQ V5.3 Solution Designer
IBM Certified WebSphere MQ V5.3 System Administrator
Back to top
View user's profile Send private message Send e-mail Visit poster's website
RogerLacroix
PostPosted: Wed Jun 02, 2004 8:07 am    Post subject: Reply with quote

Jedi Knight

Joined: 15 May 2001
Posts: 3264
Location: London, ON Canada

And after you do setmqaut commands, it is always a good idea to issue the REFRESH SECURITY command from within runmqsc.

Regards,
Roger Lacroix
_________________
Capitalware: Transforming tomorrow into today.
Connected to MQ!
Twitter
Back to top
View user's profile Send private message Visit poster's website
morpheus
PostPosted: Wed Jun 02, 2004 8:33 am    Post subject: Reply with quote

Acolyte

Joined: 08 Mar 2003
Posts: 72
Location: Austin, TX

Yes. Connection rights one thing you need to give and one more thing I observed from your statement
Code:
amqsputc EMX.WIB.PUT.QA01 TSN15


Is EMX.WIB.PUT.QA01 an alias queue? If it is you need to give authorizations on alias queue not on the base queue.


-Morpheus
Back to top
View user's profile Send private message
mqonnet
PostPosted: Wed Jun 02, 2004 8:47 am    Post subject: Reply with quote

Grand Master

Joined: 18 Feb 2002
Posts: 1114
Location: Boston, Ma, Usa.

Per the email response here's what you need to do.

setmqaut -m TSN15 -t qmgr -g mquser +connect
setmqaut -m TSN15 -t qmgr -p biw +connect

If you are concerned about security in this context then make sure you specify the userid(biw) in mcauser to make client connections more or less fool-proof.


Cheers
Kumar
_________________
IBM Certified WebSphere MQ V5.3 Developer
IBM Certified WebSphere MQ V5.3 Solution Designer
IBM Certified WebSphere MQ V5.3 System Administrator
Back to top
View user's profile Send private message Send e-mail Visit poster's website
pateluje
PostPosted: Thu Jun 03, 2004 2:03 pm    Post subject: Thanks Reply with quote

Newbie

Joined: 11 May 2004
Posts: 7

Thank you to all for helping me to get the client connected.

Thanks
Back to top
View user's profile Send private message
Display posts from previous:   
Post new topic  Reply to topic Page 1 of 1

MQSeries.net Forum Index » General IBM MQ Support » MQ Client - MQ Server Connections
Jump to:  



You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
Protected by Anti-Spam ACP
 
 


Theme by Dustin Baccetti
Powered by phpBB © 2001, 2002 phpBB Group

Copyright © MQSeries.net. All rights reserved.