| Author |
Message
|
| kspranava |
 Posted: Sun Jan 08, 2006 10:12 pm Post subject: Not throwing 2035 error |
 |
|
Centurion
Joined: 27 Apr 2003
Posts: 124
|
Hi Gurus,
OAM for the input queue is set using setmqaut command; able to view the same using amqoamd command and security was refreshed. But when a message with invalid user id is sent to the queue, it is picked up by the message flow and directly routed to failure terminal of input node (if any MRM/NEON domain is specified, msg is parsed correctly) with following error
| Quote: |
| Warning on MQGET. Propagating a message to the failure terminal' |
Output in trace file placed in Failure path
(0x01000000):MQMD = (
(0x03000000):SourceQueue = 'TEST'
(0x03000000):Transactional = TRUE
(0x03000000):Encoding = 546
(0x03000000):CodedCharSetId = 437
(0x03000000):Format = ' '
(0x03000000):Version = 2
(0x03000000):Report = 0
(0x03000000):MsgType = 8
(0x03000000):Expiry = -1
(0x03000000):Feedback = 0
(0x03000000):Priority = 0
(0x03000000):Persistence = 0
(0x03000000):MsgId = X'414d5120424d5347443351332020202043b43e4620026101'
(0x03000000):CorrelId = X'000000000000000000000000000000000000000000000000'
(0x03000000):BackoutCount = 0
(0x03000000):ReplyToQ = ' '
(0x03000000):ReplyToQMgr = 'BMSGD3Q3 '
(0x03000000):UserIdentifier = 'mqcls1 '
(0x03000000):AccountingToken = X'1601051500000052aac8681ed19818828ba628ec03000000000000000000000b'
(0x03000000):ApplIdentityData = ' '
(0x03000000):PutApplType = 11
(0x03000000):PutApplName = ' '
(0x03000000):PutDate = DATE '2006-01-05'
(0x03000000):PutTime = GMTTIME '06:42:45.340'
(0x03000000):ApplOriginData = ' '
(0x03000000):GroupId = X'000000000000000000000000000000000000000000000000'
(0x03000000):MsgSeqNumber = 1
(0x03000000):Offset = 0
(0x03000000):MsgFlags = 0
(0x03000000):OriginalLength = -1
)
(0x01000000):RecoverableException = (
(0x03000000):File = '/build/S500_P/src/DataFlowEngine/ImbMqInputNode.cpp'
(0x03000000):Line = 3218
(0x03000000):Function = 'ImbMqInputNode::eligibleForBackout'
(0x03000000):Type = 'ComIbmMQInputNode'
(0x03000000):Name = 'TEST#FCMComposite_1_13'
(0x03000000):Label = 'TEST.TEST'
(0x03000000):Text = 'Warning on MQGET. Propagating a message to the failure terminal'
(0x03000000):Catalog = 'BIPv500'
(0x03000000):Severity = 3
(0x03000000):Number = 2651
Env:
AIx 5.2
WMQ 530.9 CSD09
WBIMB v5 FP04
Service and ServiceComponents lines are NOT commented in qm.ini
This looks a bit strange to me as I was expecting a msg in QM DLQ with 2035 error code.
Any leads is highly appreciable.
Thanks & regards,
Pranava. |
|
| Back to top |
|
 |
| jefflowrey |
| Posted: Mon Jan 09, 2006 4:33 am Post subject: |
|
|
Grand Poobah
Joined: 16 Oct 2002
Posts: 19981
|
Broker will never throw a 2035 for an incoming message...
2035 is returned to the putting application - more accurately to the application that is trying an operation that it doesn't have permissions to perform. 2035 is only a valid return code for MQOPEN, MQCONNECT, and MQPUT1 (because it does an MQCONNECT and an MQOPEN).
The lookup of your BIP number, 2651, says that there will be additional error messages that will tell you what's really wrong.
_________________
I am *not* the model of the modern major general. |
|
| Back to top |
|
|
| kspranava |
| Posted: Mon Jan 09, 2006 11:50 pm Post subject: |
|
|
Centurion
Joined: 27 Apr 2003
Posts: 124
|
Hi Jeff,
I agree, broker will never throw 2035 error. My questions are
1)How did the message reach the queue inspite of NOT having authority. Shouldnt QMgr taken care of it?
2)Though the message with invalid user id is parsed correctly, it is routed to Failure terminal without even going to next node of the flow. In earlier versions I never come across such a situation.
| Quote: |
| The lookup of your BIP number, 2651, says that there will be additional error messages that will tell you what's really wrong. |
I have checked for MQ Log, error, FDCs, WBIMB errors and syslog; but no error message is available. The only trace I have is the trace file tied to the failure path of MQ I/p node as posted in my prev message.
Thanks & regards,
Pranava. |
|
| Back to top |
|
|
| jefflowrey |
| Posted: Tue Jan 10, 2006 4:31 am Post subject: |
|
|
Grand Poobah
Joined: 16 Oct 2002
Posts: 19981
|
| kspranava wrote: |
| 1)How did the message reach the queue inspite of NOT having authority. Shouldnt QMgr taken care of it? |
The QMgr would take care of it, so the message couldn't have reached the queue if the user doesn't have proper mq authorities.
So either the user isn't what you think it is, or the authorities aren't what you think they are.
| kspranava wrote: |
| 2)Though the message with invalid user id is parsed correctly, it is routed to Failure terminal without even going to next node of the flow. In earlier versions I never come across such a situation. |
This is what should happen if the MQInput node itself has a problem trying to handle the message.
| kspranava wrote: |
| I have checked for MQ Log, error, FDCs, WBIMB errors and syslog; but no error message is available. The only trace I have is the trace file tied to the failure path of MQ I/p node as posted in my prev message. |
Can you repeat the event - cause it to happen again?
Is there more to the trace, that you didn't post? Maybe there are nested recoverable exceptions?
_________________
I am *not* the model of the modern major general. |
|
| Back to top |
|
|
| kspranava |
| Posted: Wed Jan 11, 2006 12:22 am Post subject: |
|
|
Centurion
Joined: 27 Apr 2003
Posts: 124
|
Hi Jeff,
I checked again for the existence of user id, but the user id is not available at all.
I simulated the same scenario and checked for the log / error messages, nothing apart from the info in the trace file as mentioned earlier.
Recoverable exception is pasted completely. No more nestings.
I have the following code in trace file
${Root}
---------------
${ExceptionList}
-------------------
-------------------
And I get the following in the file
Properties, MQMD, NEON (as am using NEON input format in i/p node) and RecoverableException.
0x01000000):RecoverableException = (
(0x03000000):File = '/build/S500_P/src/DataFlowEngine/ImbMqInputNode.cpp'
(0x03000000):Line = 3218
(0x03000000):Function = 'ImbMqInputNode::eligibleForBackout'
(0x03000000):Type = 'ComIbmMQInputNode'
(0x03000000):Name = 'TEST#FCMComposite_1_13'
(0x03000000):Label = 'TEST.TEST'
(0x03000000):Text = 'Warning on MQGET. Propagating a message to the failure terminal'
(0x03000000):Catalog = 'BIPv500'
(0x03000000):Severity = 3
(0x03000000):Number = 2651
Thanks & regards,
Pranava. |
|
| Back to top |
|
|
| jefflowrey |
| Posted: Wed Jan 11, 2006 4:27 am Post subject: |
|
|
Grand Poobah
Joined: 16 Oct 2002
Posts: 19981
|
Well, again, I'll suggest that the user think is beign used may not be the actual user that's being authenticated.
Is that really the *complete* ExceptionList? Because it's missing stuff.
I'd open a PMR.
_________________
I am *not* the model of the modern major general. |
|
| Back to top |
|
|
| kspranava |
| Posted: Mon Jan 16, 2006 9:25 pm Post subject: |
|
|
Centurion
Joined: 27 Apr 2003
Posts: 124
|
Hi Jeff,
Thanks for the replies. That is the full exception list  
We have planned to open a PMR.
Thanks,
Pranava. |
|
| Back to top |
|
|
| vennela |
| Posted: Fri Jan 20, 2006 1:51 pm Post subject: |
|
|
Jedi Knight
Joined: 11 Aug 2002
Posts: 4055
Location: Hyderabad, India
|
| kspranava wrote: |
Hi Jeff,
I checked again for the existence of user id, but the user id is not available at all |
Maybe I am missing something from the broker side of it.
But, if I look at it as a regular MQ issue:
How can you issue setmqaut for a user that is not existing for real?
This is what I did and I got the following result
| Code: |
C:\Documents and Settings\admin>setmqaut -m QM1 -t qmgr -p lsabcd +all
AMQ7026: A principal or group name was invalid. |
|
|
| Back to top |
|
|
| jefflowrey |
| Posted: Fri Jan 20, 2006 2:54 pm Post subject: |
|
|
Grand Poobah
Joined: 16 Oct 2002
Posts: 19981
|
It's not clear, to me, if the Broker ACLs have to point to users that exist in the active user registry or not.
Certainly from an MQ point of view, they do.
And, as I meant to say, if a program is able to access MQ, and it appears to be running as a user that does not have authorities in MQ, then there is a different user that is being authenticated to MQ through some means.
Either the authorities do exist, or the user being presented to the OAM is a different user than the one that appears to be in use.
_________________
I am *not* the model of the modern major general. |
|
| Back to top |
|
|
|
|
