pateluje |
Posted: Tue Jun 01, 2004 11:49 am Post subject: MQ Client - MQ Server Connections |
|
|
Newbie
Joined: 11 May 2004 Posts: 7
|
Help,
I need help in setting up access for a mq client on Solaris to talk to a queue manager on another box also running on Solaris.
The mq client is installed on a sun box (server A) as user mqm, group mqm. The application that is going to use the mq client runs under user id biw. The application user id biw has also been added to the mqm group on Server A.
The mq server / queue manager are up and running, also running under user mqm, group mqm, on a sun box (server B).
We get the following errors when they try to connect to the qmanager on Server B.
MQCONN ended with reason code 2035
Can someone please walk me through getting the biw id on server A access to put messages to a queue on Server B, without giving biw too much access to the queue manager on server A?
Your help would be greatly appreciated. |
|
jefflowrey |
Posted: Tue Jun 01, 2004 12:32 pm Post subject: |
|
|
Grand Poobah
Joined: 16 Oct 2002 Posts: 19981
|
Reason code 2035 is a security error.
The documentation for the mqseries security command 'setmqaut' should help you understand how to resolve this.
You will need to set the mq authorities to allow the user in question to access the appropriate mqseries resources you need.
But be aware that security on Unix is actually done at the group level, not at the user level. So put biw into its own group, and setmqaut for that group. _________________ I am *not* the model of the modern major general. |
|
pateluje |
Posted: Tue Jun 01, 2004 12:41 pm Post subject: |
|
|
Newbie
Joined: 11 May 2004 Posts: 7
|
Just to clarify,
If I create a group called mqusers and add the biw user to this group. I will be able to grant access to the biw user to specific mq objects (mq object a).
Also, in the future, if I need to add another user to access a different set of mq objects (mq object B), will I be able to add them to the mqusers group and have each user only access their own set of objects?
Thanks
Ujesh |
|
jefflowrey |
Posted: Tue Jun 01, 2004 12:49 pm Post subject: |
|
|
Grand Poobah
Joined: 16 Oct 2002 Posts: 19981
|
No.
Any member of mqusers will have the same accesses.
On Unix. |
|
pateluje |
Posted: Tue Jun 01, 2004 1:31 pm Post subject: |
|
|
Newbie
Joined: 11 May 2004 Posts: 7
|
Then will the following work?
I have created a group mqusers on the mq server and created a local biw account. There is also a svrconn channel defined with MCAUSER left blank.
I have then run the following command.
setmqaut -m TSN15 -n BIW.BUS.DEV.PUT.QL01 -t queue -g mqusers +put +browse +get
Will this allow the biw id on the client machine to put to this queue?
Thanks |
|
jefflowrey |
Posted: Tue Jun 01, 2004 2:18 pm Post subject: |
|
|
Grand Poobah
Joined: 16 Oct 2002 Posts: 19981
|
You probably also have to give the user connection rights to the queue manager. |
|
pateluje |
Posted: Tue Jun 01, 2004 6:47 pm Post subject: |
|
|
Newbie
Joined: 11 May 2004 Posts: 7
|
This still does not work.
I have done the following:
On my mq server I have created a local biw account belonging to mquser group. I have granted allmqi to the principal biw and group mquser to the queue BIW.BUS.DEV.PUT.QL01.
On the mq client as user biw on Solaris 8 client machine:
MQSERVER=WIB.EMX.TSN15.CL01/TCP/'morgan.domainname.com(4501)'
I run the following command and this is what I am getting.
amqsputc EMX.WIB.PUT.QA01 TSN15
Sample AMQSPUT0 start
MQCONN ended with reason code 2035
I have checked to see that the listener on my server is running, I am using the inetd.conf. There are no connectivity problems between the client and server.
Do I also need to have runmqlsr to have this work? I can't run both, as both the inetd spawned process and runmqlsr will have a conflict binding port 4501. Am I missing something?
Can someone please help find what I am doing wrong. This is now becoming urgent. I am familiar with MQ Server Channels, first time having to deal with client channel. Help !!!!!
 |
|
morpheus |
Posted: Wed Jun 02, 2004 7:44 am Post subject: |
|
|
 Acolyte
Joined: 08 Mar 2003 Posts: 72 Location: Austin, TX
|
Issue 'dspmqaut' on the queue manager object with the user id and see what authorizations you have for that user on the object.
-Morpheus |
|
pateluje |
Posted: Wed Jun 02, 2004 7:53 am Post subject: |
|
|
Newbie
Joined: 11 May 2004 Posts: 7
|
Here is the output from running the dspmqaut
For the group mqusers
mqm:morgan:/opt/mqm/bin $ dspmqaut -m TSN15 -n BIW.BUS.DEV.PUT.QL01 -t queue -g mqusers
Entity mqusers has the following authorizations for object BIW.BUS.DEV.PUT.QL01:
get
browse
put
inq
set
passid
passall
setid
setall
For the user biw part of the mqusers group.
mqm:morgan:/opt/mqm/bin $ dspmqaut -m TSN15 -n BIW.BUS.DEV.PUT.QL01 -t queue -p biw
Entity biw has the following authorizations for object BIW.BUS.DEV.PUT.QL01:
get
browse
put
inq
set
passid
passall
setid
setall |
|
mqonnet |
Posted: Wed Jun 02, 2004 7:56 am Post subject: |
|
|
 Grand Master
Joined: 18 Feb 2002 Posts: 1114 Location: Boston, Ma, Usa.
|
Your question is already answered, looks like you overlooked it.
"On my mq server I have created a local biw account belonging to mquser group. I have granted allmqi to the principal biw and group mquser to the queue BIW.BUS.DEV.PUT.QL01."
jefflowrey Posted: 01 Jun 2004 17:18 Post subject:
--------------------------------------------------------------------------------
You probably also have to give the user connection rights to the queue manager.
You did not post dspmqaut -m TSN15 -t qmgr -p biw???? You have to give "connect" permissions on the queue manager for the user biw. If you look carefully at where the 2035 is originating from, it is an MQCONN call. So that explains it all, I guess. :)
Cheers
Kumar _________________ IBM Certified WebSphere MQ V5.3 Developer
IBM Certified WebSphere MQ V5.3 Solution Designer
IBM Certified WebSphere MQ V5.3 System Administrator |
|
RogerLacroix |
Posted: Wed Jun 02, 2004 8:07 am Post subject: |
|
|
 Jedi Knight
Joined: 15 May 2001 Posts: 3264 Location: London, ON Canada
|
And after you do setmqaut commands, it is always a good idea to issue the REFRESH SECURITY command from within runmqsc.
Regards,
Roger Lacroix _________________ Capitalware: Transforming tomorrow into today. |
|
morpheus |
Posted: Wed Jun 02, 2004 8:33 am Post subject: |
|
|
 Acolyte
Joined: 08 Mar 2003 Posts: 72 Location: Austin, TX
|
Yes. Connection rights are one thing you need to give, and there is one more thing I observed from your statement:
Code: |
amqsputc EMX.WIB.PUT.QA01 TSN15 |
Is EMX.WIB.PUT.QA01 an alias queue? If it is, you need to give authorizations on the alias queue, not on the base queue.
-Morpheus |
|
mqonnet |
Posted: Wed Jun 02, 2004 8:47 am Post subject: |
|
|
 Grand Master
Joined: 18 Feb 2002 Posts: 1114 Location: Boston, Ma, Usa.
|
Per the email response here's what you need to do.
setmqaut -m TSN15 -t qmgr -g mquser +connect
setmqaut -m TSN15 -t qmgr -p biw +connect
If you are concerned about security in this context then make sure you specify the userid(biw) in mcauser to make client connections more or less fool-proof.
Cheers
Kumar |
|
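The dspmqaut check the replies ask for, run against both the queue manager and the queue, as an added example that is not part of the original thread: a Python sketch that parses dspmqaut output and reports authorities that are missing or that go beyond a stated minimum. The queue listing is the one posted above; the queue manager listing and the REQUIRED minimum (connect plus put for a put-only client) are assumptions constructed for illustration.

```python
import re

HEADER = re.compile(r"^Entity (\S+) has the following authorizations for object (\S+):$")

def parse_dspmqaut(text):
    """Return {(entity, object): set of authorities} from dspmqaut output."""
    grants, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            current = (m.group(1), m.group(2))
            grants[current] = set()
        elif current and re.fullmatch(r"[a-z]+", line):
            grants[current].add(line)      # one authority per line
        elif line:
            current = None                 # shell prompt or other text ends the list
    return grants

def audit(grants, required):
    """Per (entity, object): authorities missing from, or beyond, the minimum."""
    report = {}
    for key, need in required.items():
        have = grants.get(key, set())
        report[key] = {"missing": sorted(need - have), "excess": sorted(have - need)}
    return report

# Queue listing as posted in the thread; the qmgr listing (no authorities) is constructed.
SAMPLE = """\
$ dspmqaut -m TSN15 -t qmgr -g mqusers
Entity mqusers has the following authorizations for object TSN15:
$ dspmqaut -m TSN15 -n BIW.BUS.DEV.PUT.QL01 -t queue -g mqusers
Entity mqusers has the following authorizations for object BIW.BUS.DEV.PUT.QL01:
        get
        browse
        put
        inq
        set
        passid
        passall
        setid
        setall
"""

# Assumed minimum for a client that only connects and puts (not stated on the page).
REQUIRED = {("mqusers", "TSN15"): {"connect"},
            ("mqusers", "BIW.BUS.DEV.PUT.QL01"): {"put"}}

if __name__ == "__main__":
    for key, result in audit(parse_dspmqaut(SAMPLE), REQUIRED).items():
        print(key, result)
```

A missing `connect` on the queue manager object corresponds to the 2035 on MQCONN discussed in the thread, while the excess list shows what the allmqi grant on the queue added beyond `put`.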
pateluje |
Posted: Thu Jun 03, 2004 2:03 pm Post subject: Thanks |
|
|
Newbie
Joined: 11 May 2004 Posts: 7
|
Thank you to all for helping me to get the client connected.
Thanks
 |
|