ashritha |
Posted: Thu Dec 08, 2005 8:33 am Post subject: Remote Config Manager |
|
|
Voyager
Joined: 25 Jul 2005 Posts: 85
|
Hello,
I have the broker toolkit on a Windows machine and I have the configuration manager on a remote Windows machine.
When I am trying to create a domain connection for the remote configuration manager, I see the following error:
Quote: |
BIP0915E Message Brokers Toolkit is unable to communicate with the configuration manager
User Administrator@LPPCONSULT7 is not authorized to connect to queue manager 'OITMQCD1' (MQ reason code 2035 while trying to connect) |
Can anyone help?
How do I make the user on the toolkit box authorized to connect to the other box? Do I have to add this user to the remote box as well?
Is this a network issue?
-Thanks |
mqmatt |
Posted: Thu Dec 08, 2005 8:51 am Post subject: |
|
|
 Grand Master
Joined: 04 Aug 2004 Posts: 1213 Location: Hursley, UK
|
This is a "how do I connect to a queue manager on a remote machine" question - read the MQ manuals (hint: look for mqm, setmqaut and mcauser)
Once you've set up the queue manager, you need to define ACLs on the Config Manager - read the MB manuals (look for mqbrkrs and mqsicreateaclgroup (V5), or mqsicreateaclentry (V6)).
Finally, don't use the Administrator ID; you will run into problems. |
ashritha |
Posted: Fri Dec 09, 2005 7:10 am Post subject: |
|
|
Voyager
Joined: 25 Jul 2005 Posts: 85
|
I have the same problem with any login... not just administrator.
I don't think I will need to set any mcauser as I am trying to connect from toolkit. I guess mca channel id is set in the channels of the queue managers, not required while connecting from toolkit.
And to create an ACL, does the userid of the toolkit box have to be physically existing on the broker box? If that is the case, I can have hundreds of toolkits trying to use the same config manager and having hundreds of users on AIX seems meaningless. (or maybe any identity management third-party tool may be used with username server)
In version 5.0 I never had the need to create an ACL to get connected to a remote config manager. Is it different when config manager is on AIX, as in the old version of MB config managers were only on Windows?
Can anyone please throw some light? |
jefflowrey |
Posted: Fri Dec 09, 2005 7:19 am Post subject: |
|
|
Grand Poobah
Joined: 16 Oct 2002 Posts: 19981
|
It is very different when using a configmgr on AIX than on Windows.
The configmgr uses the local security repository to authorize users.
So when the configmgr is running on Windows, it uses the Windows security registry to identify and authorize users. If the Windows machine is in a domain, then you can use domain users. This is likely how you had it set up.
When the configmgr is running on AIX, or Unix, or whatever, it uses the Unix security registry.
One thing that I am not clear on is your question
Quote: |
And to create an ACL, does the userid of the toolkit box have to be physically existing on the broker box? |
This is a big question, as if they do have to exist (in name at least, if not in password), then you have to duplicate them. This is not very helpful, even with something like IBM Tivoli Identity Manager around.
There is maybe a good layout of some questions and issues in the following thread.
http://www.mqseries.net/phpBB2/viewtopic.php?t=24941 _________________ I am *not* the model of the modern major general. |
solomita |
Posted: Thu Jan 19, 2006 12:34 pm Post subject: |
|
|
Voyager
Joined: 06 May 2003 Posts: 94
|
I am having the same problem...were you able to solve it? _________________ IBM Certified Specialist - WebSphere MQ Integrator
IBM Certified System Administrator - WebSphere MQ V5.3
IBM Certified System Administrator - WebSphere Business Integration Message Broker V5 |
jefflowrey |
Posted: Thu Jan 19, 2006 12:36 pm Post subject: |
|
|
Grand Poobah
Joined: 16 Oct 2002 Posts: 19981
|
How do you know it's the same problem?
If it is the same problem, did you try the suggestions in this thread to see if they fixed it?
Did they fix it?
If not, are you sure it's the same problem? _________________ I am *not* the model of the modern major general. |
solomita |
Posted: Thu Jan 19, 2006 12:39 pm Post subject: |
|
|
Voyager
Joined: 06 May 2003 Posts: 94
|
I am getting the same error. I know my client is connected properly as I was able to successfully put a message from the box with the toolkit to the box with the config mgr. I also have an ACL entry set up on the box with the config mgr. Didn't help. I found something in the Client manual which says "A WebSphere MQ for Windows server does not support the connection of a Windows client if the client is running under a user ID that contains the @ character, for example, abc@d. The return code to the MQCONN call at the client is MQRC_NOT_AUTHORIZED." _________________ IBM Certified Specialist - WebSphere MQ Integrator
IBM Certified System Administrator - WebSphere MQ V5.3
IBM Certified System Administrator - WebSphere Business Integration Message Broker V5 |
jefflowrey |
Posted: Thu Jan 19, 2006 12:46 pm Post subject: |
|
|
Grand Poobah
Joined: 16 Oct 2002 Posts: 19981
|
You don't know that your client can connect properly, if you are using a Java client.
Also, a 2035 return code always indicates a problem with MQ level security and not with Broker level security. And Broker ACLs will never help you solve problems with MQ level security. _________________ I am *not* the model of the modern major general. |
solomita |
Posted: Thu Jan 19, 2006 12:52 pm Post subject: |
|
|
Voyager
Joined: 06 May 2003 Posts: 94
|
So what do you suggest.... _________________ IBM Certified Specialist - WebSphere MQ Integrator
IBM Certified System Administrator - WebSphere MQ V5.3
IBM Certified System Administrator - WebSphere Business Integration Message Broker V5 |
jefflowrey |
Posted: Thu Jan 19, 2006 12:58 pm Post subject: |
|
|
Grand Poobah
Joined: 16 Oct 2002 Posts: 19981
|
I suggest you read my last comment again. _________________ I am *not* the model of the modern major general. |
bobbee |
Posted: Thu Jan 19, 2006 1:18 pm Post subject: |
|
|
 Knight
Joined: 20 Sep 2001 Posts: 545 Location: Tampa
|
I have not done this in a while, but on the QMGR on your ConfigMGR there should be a SVRCONN channel called something like "SYSTEM.BRK.CONFIG"; change the MCAUSER on that to an acceptable mqm id. This WILL open the channel for ANYBODY to communicate to the QMGR and Configmgr, and will be a security risk, but it will get you off the ground.
Moving into a locked down environment this IS NOT what you want to do. At which point you need to read the security stuff and set your userids up as global under the domain. Set up the groups as global and start setting up auths.
bobbee |
solomita |
Posted: Thu Jan 19, 2006 2:52 pm Post subject: |
|
|
Voyager
Joined: 06 May 2003 Posts: 94
|
OK, I set the id on the SYSTEM.BKR.CONFIG chl and I got a new error message which I seemed to get around by creating an entry in my ACL list giving the user full access to ConfigMgrProxy. Not sure why I needed to do this as we are not using domain security. Either way, even if the broker is running though, the user in the separate toolkit install sees the broker as not running. _________________ IBM Certified Specialist - WebSphere MQ Integrator
IBM Certified System Administrator - WebSphere MQ V5.3
IBM Certified System Administrator - WebSphere Business Integration Message Broker V5 |
bobbee |
Posted: Fri Jan 20, 2006 6:26 am Post subject: |
|
|
 Knight
Joined: 20 Sep 2001 Posts: 545 Location: Tampa
|
Check your log, DLQ and queues. I would guess that the messages from the broker to the Configuration manager to your Toolkit are not getting through. This may also be because of security settings. Somewhere the message path to you is broken and you are not getting the status message back to the toolkit. |