Rinku |
Posted: Fri Jun 07, 2013 12:48 pm Post subject: RFHUtil 2035 Not authorized (Open) z/OS |
|
|
Newbie
Joined: 07 Jun 2013 Posts: 5
|
Hi,
I am trying to read a queue which sits on z/OS through RFHUtil on my Windows machine.
And each time I try to browse the queue I get an error "16.46.07 2035 Not authorized (Open)".
Interestingly, I have WebSphere MQ 7.0 installed on my PC. When I try to connect to that qmgr using it, it gets through. I am not sure what is going wrong with my RFHUtil. The channel and ports look OK to me. Help me please. |
 |
PeterPotkay |
Posted: Fri Jun 07, 2013 1:39 pm Post subject: |
|
|
 Poobah
Joined: 15 May 2001 Posts: 7722
|
Contact your MQ Admin for the Queue Manager on z/OS, who will work with the z/OS RACF administrators to grant you access, if they determine you should have access to that queue on that queue manager. _________________ Peter Potkay
Keep Calm and MQ On |
 |
Rinku |
Posted: Fri Jun 07, 2013 5:18 pm Post subject: |
|
|
Newbie
Joined: 07 Jun 2013 Posts: 5
|
Hi PeterPotkay,
Appreciate your quick reply. What is confusing me is that I can access the same qmgr and the same queue using WebSphere MQ Explorer on my PC. It is just
RFHUtil that does not work. So I am wondering whether I am missing anything in RFHUtil.
Also, on z/OS I do have access to that specific queue... |
 |
bruce2359 |
Posted: Fri Jun 07, 2013 6:14 pm Post subject: |
|
|
 Poobah
Joined: 05 Jan 2008 Posts: 9470 Location: US: west coast, almost. Otherwise, enroute.
|
The most likely explanation is that your Windows username does not exist on z/OS. Windows domain does not extend to z/OS. _________________ I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live. |
 |
PeterPotkay |
Posted: Sat Jun 08, 2013 5:41 am Post subject: |
|
|
 Poobah
Joined: 15 May 2001 Posts: 7722
|
bruce2359 wrote: |
The most likely explanation is that your Windows username does not exist on z/OS. Windows domain does not extend to z/OS. |
That doesn't explain the difference in behavior between 2 tools on his PC where one works and the other gets a 2035.
Compare the client connection details between the two tools. What channel name are you using with MQExplorer versus rfhutilc? Are you specifying client exit parameters with one and not the other? Are you using SSL with one and not the other? _________________ Peter Potkay
Keep Calm and MQ On |
 |
bruce2359 |
Posted: Sat Jun 08, 2013 7:11 am Post subject: |
|
|
 Poobah
Joined: 05 Jan 2008 Posts: 9470 Location: US: west coast, almost. Otherwise, enroute.
|
Look at the z/OS system log to see exactly what RACF rule was violated, and what userid violated the rule. Post the entire error text here. _________________ I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live. |
 |
fjb_saper |
Posted: Sat Jun 08, 2013 8:15 am Post subject: |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
Most likely RFHUtilc flows a user id and MQExplorer does not...
Have fun  _________________ MQ & Broker admin |
 |
mqsiuser |
Posted: Sat Jun 08, 2013 10:12 am Post subject: |
|
|
 Yatiri
Joined: 15 Apr 2008 Posts: 637 Location: Germany
|
What is your Windows user name and what is your MCA-User-Name (on the Channel, that you use in RFH-Util)?
On Unix/AIX it is:
Code: |
runmqsc <QMGR>
display channel(<Channel>) |
On the output of the 2nd command: Look for the "MCA User" (Message Channel Agent User)
On Dev-Environments you may set the MCA-User to your windows user. _________________ Just use REFERENCEs |
 |
bruce2359 |
Posted: Sat Jun 08, 2013 10:26 am Post subject: |
|
|
 Poobah
Joined: 05 Jan 2008 Posts: 9470 Location: US: west coast, almost. Otherwise, enroute.
|
fjb_saper wrote: |
Most likely RFHUtilc flows a user id and MQExplorer does not...
Have fun  |
The Explorer can flow a userid. The Explorer prompts you to supply one. _________________ I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live. |
 |
fjb_saper |
Posted: Sat Jun 08, 2013 2:28 pm Post subject: |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
bruce2359 wrote: |
fjb_saper wrote: |
Most likely RFHUtilc flows a user id and MQExplorer does not...
Have fun  |
The Explorer can flow a userid. The Explorer prompts you to supply one. |
Can is the appropriate word. You're allowed to leave the field blank...  _________________ MQ & Broker admin |
 |
Rinku |
Posted: Mon Jun 10, 2013 5:53 am Post subject: |
|
|
Newbie
Joined: 07 Jun 2013 Posts: 5
|
Thank you everyone for your valuable information. I took all your suggestions and tried to figure it out.
I tried to connect using both WebSphere Explorer and RFHUtil, and at the same time I was watching the activity on z/OS.
1. WebSphere Explorer: It connects well, and at the same time I don't see any activity at the z/OS end. I believe it doesn't carry the userid.
2. RFHUtil: failed with 2035 Not authorized (Open). And at the z/OS end I could see it is carrying my Windows ID, which is apparently wrong.
09.33.41 STC27086 ACF01004 LOGONID RAMAKANT NOT FOUND
09.33.41 STC27086 ACF01004 LOGONID RAMAKANT NOT FOUND
Now I am not sure how to stop this? Any suggestion ?? |
 |
bruce2359 |
Posted: Mon Jun 10, 2013 6:03 am Post subject: |
|
|
 Poobah
Joined: 05 Jan 2008 Posts: 9470 Location: US: west coast, almost. Otherwise, enroute.
|
Rinku wrote: |
Now I am not sure how to stop this? Any suggestion ?? |
You need to have your z/OS security admin person authorize your userid on z/OS.
Just because you have authority on Windows, doesn't mean you have authority on z/OS, AIX, Solaris, Linux, iSeries, etc.. _________________ I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live. |
 |
mqjeff |
Posted: Mon Jun 10, 2013 7:58 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008 Posts: 17447
|
bruce2359 wrote: |
Rinku wrote: |
Now I am not sure how to stop this? Any suggestion ?? |
You need to have your z/OS security admin person authorize your userid on z/OS. |
No. The zOS admin needs to secure the channel to ensure that only correct users can connect and be authenticated, and that the channel enforces an MCA that provides authorization to necessary function for that channel. |
 |
PeterPotkay |
Posted: Mon Jun 10, 2013 8:25 am Post subject: |
|
|
 Poobah
Joined: 15 May 2001 Posts: 7722
|
fjb_saper wrote: |
Most likely RFHUtilc flows a user id and MQExplorer does not...
|
MQ Explorer flows the User ID from the client machine up to the queue manager.
My guess is his MQ Explorer connects over a channel that has a hardcoded MCAUSER that has access to the MQ resources on that queue manager, and the rfhutilc connection is being attempted over a different channel that does not have a hard coded MCAUSER, so his Windows ID (RAMAKANT) is being presented to the queue manager and RACF says no way.
But without having the details of the client side connection parameters from both tools and the channel details in full from the queue manager side we're just guessing. There are so many potential variables here with potential Exits, potential CHLAUTH rules, hard coded or blank MCAUSERs, unknown number of channels being used, etc.... all that impact what ID is actually being used for Authority checking. _________________ Peter Potkay
Keep Calm and MQ On |
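
Added example, not part of the thread or of any poster's code: a small audit over `DISPLAY CHANNEL` output that models the explanation in the post above, where a channel with a hardcoded MCAUSER is checked under that ID and a channel with a blank MCAUSER is checked under the ID the client presents. The channel names, the MQADMIN user and the sample runmqsc output are constructed for illustration, and the model deliberately ignores exits and CHLAUTH rules.

```python
import re

# Constructed sample of `DISPLAY CHANNEL(*) CHLTYPE MCAUSER` output from runmqsc
# (channel names and the MQADMIN user are made up for this example).
SAMPLE_RUNMQSC = """\
AMQ8414: Display Channel details.
   CHANNEL(EXPLORER.SVRCONN)               CHLTYPE(SVRCONN)
   MCAUSER(MQADMIN)
AMQ8414: Display Channel details.
   CHANNEL(TOOLS.SVRCONN)                  CHLTYPE(SVRCONN)
   MCAUSER( )
"""

ATTR = re.compile(r"(\w+)\(([^)]*)\)")

def parse_channels(text):
    """Return {channel name: {attribute: value}} from runmqsc display output."""
    channels, current = {}, None
    for line in text.splitlines():
        if line.startswith("AMQ8414"):
            current = None  # the next CHANNEL(...) starts a new record
            continue
        for key, value in ATTR.findall(line):
            if key == "CHANNEL":
                current = channels.setdefault(value.strip(), {})
            elif current is not None:
                current[key] = value.strip()
    return channels

def effective_user(channel, flowed_user):
    """Simplified model: a non-blank MCAUSER replaces whatever the client sent;
    a blank MCAUSER leaves the client-asserted ID as the one that is checked.
    Security exits and CHLAUTH rules, which can also change the ID, are ignored."""
    return channel.get("MCAUSER") or flowed_user

def audit(text, flowed_user):
    """Per SVRCONN channel: (ID used for the authority check, trusts client ID?)."""
    report = {}
    for name, attrs in parse_channels(text).items():
        if attrs.get("CHLTYPE") == "SVRCONN":
            report[name] = (effective_user(attrs, flowed_user), not attrs.get("MCAUSER"))
    return report

if __name__ == "__main__":
    for name, (user, trusts_client) in audit(SAMPLE_RUNMQSC, "RAMAKANT").items():
        note = "blank MCAUSER: client-asserted ID is used" if trusts_client else "MCAUSER fixed on channel"
        print(f"{name:20} checked as {user:10} {note}")
```

Channels reported with a blank MCAUSER are the ones where the client-side user name decides the outcome of the authority check, which is the condition the later replies ask the z/OS admin to close off.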
 |
fjb_saper |
Posted: Mon Jun 10, 2013 8:32 pm Post subject: |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
PeterPotkay wrote: |
fjb_saper wrote: |
Most likely RFHUtilc flows a user id and MQExplorer does not...
|
MQ Explorer flows the User ID from the client machine up to the queue manager. |
One of these days, I'll have to take the time and check that. I always thought that if you did not specify a client ID, MQExplorer flowed a "blank" user id, thus giving the unsuspecting the power of the channel's agent Id (usually mqm or GOD) if no MCAUser was set on the channel...
So sorry what I really meant with the comment you quoted was that no user was specified to create the connection to the MF thus MQE flowing a "blank" user.
For the same case RFHUtilc always implicitly flows the userId of the user running the tool.
 _________________ MQ & Broker admin |