jhalstead |
Posted: Thu Jun 27, 2002 8:54 am Post subject: MQSI on UNIX and NT |
|
|
 Master
Joined: 16 Aug 2001 Posts: 258 Location: London
|
Are there any rules w.r.t. the user IDs used when creating brokers on Unix, to ensure you don't get the following types of error when deploying from the configmgr?
Apr 10 14:23:24 cose2e1 WMQIv210[47128]: (BROKER1.execution group 1)[3599]BIP4041E: Execution group 'execution group 1' received an invalid configuration message. See the following messages for details of the error. : BROKER1.4287da1d-ed00-0000-0080-ef8ed9a98840: /build/S000_P/src/DataFlowEngine/ImbConfigurationNode.cpp: 334: ImbConfigurationNode::evaluate: ComIbmConfigurationNode: ConfigurationNode
Apr 10 14:23:24 cose2e1 WMQIv210[47128]: (BROKER1.execution group 1)[3599]BIP2230E: Error detected whilst processing a message in node 'DynamicSubscriptionEngine'. : BROKER1.4287da1d-ed00-0000-0080-ef8ed9a98840: /build/S000_P/src/DataFlowEngine/ImbPubSubResource.cpp: 934: ImbPubSubResource::handleResource: DynamicSubscriptionEngine: DynamicSubscriptionEngine
Apr 10 14:23:24 cose2e1 WMQIv210[47128]: (BROKER1.execution group 1)[3599]BIP7150E: User id 'db2admin' not authorized to put to queue 'SYSTEM.BROKER.ADMIN.REPLY' on queue manager 'MQSISVRCFG' using accounting token '0000000000000000000000000000000000000000000000000000000000000000'. : BROKER1.4287da1d-ed00-0000-0080-ef8ed9a98840: /build/S000_P/src/DataFlowEngine/ImbPubSubSubscribeMessageHandler.cpp: 261: ImbPubSubSubscribeMessageHandler::getAttributes: ComIbmPSControlNode: ControlNode
Does the userid on the configmgr need to be the same as that on the broker? Does the broker qmgr need to be running under the same ID also?
Any thought or ideas would be great.
Jamie |
|
William Wong |
Posted: Thu Jun 27, 2002 11:09 pm Post subject: |
|
|
Newbie
Joined: 27 Jun 2002 Posts: 3 Location: Hong Kong
|
I also got broker created on unix and experienced the same errors.
I got the following steps to tackle the problem.
Suppose your configuration manager is running with a user "usr1" (db2admin for your case), you need to create a user "USR1" in the unix server running the broker.
Hope this helps.
William |
|
jhalstead |
Posted: Thu Jun 27, 2002 11:54 pm Post subject: |
|
|
 Master
Joined: 16 Aug 2001 Posts: 258 Location: London
|
Okay thanks for that William, unfortunately this user does exist on the unix box and is in all the relevant groups.... Is it the UPPER CASE point that is of significance here?
The thing that's confusing me here is that this is the second broker that I'm creating in this environment and the only difference is the user ID that the broker runs under...
Thanks
Jamie |
|
abiram8 |
Posted: Fri Jun 28, 2002 4:35 am Post subject: |
|
|
 Master
Joined: 27 Mar 2002 Posts: 207 Location: India
|
Hi,
Create the same db2admin user on the Unix box and it will work.
R.Abiram |
|
vmcgloin |
Posted: Fri Jun 28, 2002 5:41 am Post subject: |
|
|
Knight
Joined: 04 Apr 2002 Posts: 560 Location: Scotland
|
Is queue manager 'MQSISVRCFG' on the NT box i.e. the configmgr (rather than Unix)?
Does db2admin exist in the mqm group on NT or do you have some other security in place?
Try an amqsput to a local queue on the qmgr involved. |
|
CodeCraft |
Posted: Fri Jun 28, 2002 6:21 am Post subject: |
|
|
Disciple
Joined: 05 Sep 2001 Posts: 195
|
When you deploy, the deploy is carried out by the broker running as UID X on the broker system.
UID X needs authority to put a response onto the SYSTEM.BROKER.ADMIN.REPLY queue on the config. mgr system.
Therefore UID X should also exist on, and be a member of MQM, on the configmgr system, or, be authorised through some other method to access the queue (not an MQ security expert).
It's not a good idea to use db2admin as the service id, although the documentation may indicate its use in examples.
For example, on my sandboxes, I used "mqsiserv" as the service owner on both the config. mgr and broker systems, and don't hit these sort of issues. |
|
CodeCraft |
Posted: Fri Jun 28, 2002 6:22 am Post subject: |
|
|
Disciple
Joined: 05 Sep 2001 Posts: 195
|
P.S. The amount of people who install db2 on NT with "db2admin" as the user, and also "db2admin" as the password is absolutely stunning. Doing this gives other people complete access to your system ... |
|
jhalstead |
Posted: Fri Jun 28, 2002 7:21 am Post subject: |
|
|
 Master
Joined: 16 Aug 2001 Posts: 258 Location: London
|
Sorry to have caused some confusion.
At the time of writing the initial note I did not have access to the NT system and so could not get the exact error messages. I found a previous thread which had the exact same error in and copied their error log.
To clarify.
On NT configmgr:
user = "mqsiadm"
On UNIX broker:
serviceuserid = "apolive"
However another user does exist named "mqsiadm" on this box - this is used for another broker. The reason I'm using "apolive" is that to use the NEON rules engine an environment variable needs to be set to point to MQSI_PARAMTERS_FILE (using 2.0.1).
Now even though the broker is running under "apolive" the error I'm getting on the NT configmgr side is:
BIP7150E:User id 'MQSIADM' not authorized to put to queue 'SYSTEM.BROKER.ADMIN.REPLY' on queue manager 'CM01.QMGR' using accounting token '0000000000000000000000000000000000000000000000000000000000000000'. ...
Deploys are working fine to the other configmgr, the only real difference appears to be the serviceuserid of the broker is not "mqsiadm".
Is it significant that the error message refers to 'MQSIADM' not 'mqsiadm'?
I've never had trouble before with using a different serviceuserid, could the userid which the broker qmgr runs under have any effect?
Thanks for all your kind assistance so far.
Jamie |
|
kirani |
Posted: Fri Jun 28, 2002 11:19 am Post subject: |
|
|
Jedi Knight
Joined: 05 Sep 2001 Posts: 3779 Location: Torrance, CA, USA
|
Is mqsiadm part of mqm and mqbrkrs group on unix?
_________________
Kiran
IBM Cert. Solution Designer & System Administrator - WBIMB V5
IBM Cert. Solutions Expert - WMQI
IBM Cert. Specialist - WMQI, MQSeries
IBM Cert. Developer - MQSeries
|
jhalstead |
Posted: Sat Jun 29, 2002 6:12 am Post subject: |
|
|
 Master
Joined: 16 Aug 2001 Posts: 258 Location: London
|
Yes, all the users referred to are in both mqm & mqbrkrs.
The NT user "mqsiadm" is in all the MQSI & mqm groups.
Maybe I'll just try to re-create the broker under mqsiadm and then do an mqsichangebroker?
Thanks
Jamie |
|
Nick Lethbridge |
Posted: Sat Jun 29, 2002 11:54 am Post subject: |
|
|
 Voyager
Joined: 13 Aug 2001 Posts: 88 Location: Santander, UK
|
Jamie,
Have you remembered to stop the associated queue managers for the ConfigMgr and the Brokers when you 'mqsistop' them ?
The queue managers are NOT automatically stopped by a mqsistop (but they are automatically started by a mqsistart).
If the queue managers are not stopped, they are unaware of any new user authorisations that have been defined since the ConfigMgr/Broker was created and first started !
Use endmqm after mqsistop's, so that new user authorisations (e.g. mqsiadm added to mqm and mqsibrkrs groups) are recognised by the queue manager when it re-starts.
Regards,
Nick. |
|
jhalstead |
Posted: Mon Jul 01, 2002 8:14 am Post subject: |
|
|
 Master
Joined: 16 Aug 2001 Posts: 258 Location: London
|
Seem to have worked around it.
I deleted and created again, but got the same problem (kinda reassuring really!). The errors were complaining about user "MQSIADM" not having access....
BIP7150E: User id 'MQSIADM' not authorized to put to queue 'SYSTEM.BROKER.ADMIN.REPLY' on queue manager
We have a user "mqsiadm" but not "MQSIADM". So as a last ditch effort this user was created and all was well.
Now the strange thing is that another broker has been running perfectly well on the same NT & UNIX boxes without this problem. I'm thinking that the realisation of the deploy from the configmgr is performed under the ID sent from the configmgr... Now why is this getting translated into upper case? The CCSID is the same on both broker qmgrs, and neither sender channel (on the configmgr) is attempting to convert...
Anyway, very simple solution, and one that was alluded to by William Wong right up there near the top, but still very strange. I'm still puzzled by this shift in case..
So, many thanks to all of you for your suggestions, help & even nuggets of security advice!
Jamie |
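A triage sketch for the BIP7150E refusals discussed in this thread, added here as an example and not posted by any participant: it extracts the user id, queue and queue manager from each message and compares the id, case-sensitively, with account names you supply. The account and group sets, the verdict labels and the sample log lines are constructed assumptions.

```python
import re
from collections import Counter

# BIP7150E wording as it appears in the log excerpts quoted in this thread.
BIP7150E = re.compile(
    r"BIP7150E:\s*User id '(?P<user>[^']+)' not authorized to put to queue "
    r"'(?P<queue>[^']+)' on queue manager '(?P<qmgr>[^']+)'")

def classify(user, accounts, mqm_members):
    """Compare the refused id, character for character, with the account
    names known on the system that performs the authority check."""
    if user in accounts:
        # Exact match: either the group is missing, or the queue manager has
        # not re-read authorisations since the group change (restart it).
        return "restart-qmgr" if user in mqm_members else "not-in-mqm"
    same_name = sorted(a for a in accounts if a.lower() == user.lower())
    if same_name:
        # The id exists only under a different case, as in the final post.
        return "case-mismatch:" + same_name[0]
    return "no-such-account"

def triage(lines, accounts, mqm_members):
    """Count refusals per (user, queue, qmgr, verdict); other messages are skipped."""
    hits = Counter()
    for line in lines:
        m = BIP7150E.search(line)
        if m:
            verdict = classify(m["user"], accounts, mqm_members)
            hits[(m["user"], m["queue"], m["qmgr"], verdict)] += 1
    return hits

# Constructed sample input, modelled on the messages quoted in the thread.
SAMPLE_LOG = [
    "BIP7150E:User id 'MQSIADM' not authorized to put to queue 'SYSTEM.BROKER.ADMIN.REPLY' on queue manager 'CM01.QMGR'",
    "BIP2230E: Error detected whilst processing a message in node 'DynamicSubscriptionEngine'.",
    "BIP7150E: User id 'db2admin' not authorized to put to queue 'SYSTEM.BROKER.ADMIN.REPLY' on queue manager 'MQSISVRCFG'",
    "BIP7150E:User id 'MQSIADM' not authorized to put to queue 'SYSTEM.BROKER.ADMIN.REPLY' on queue manager 'CM01.QMGR'",
    "BIP7150E: User id 'apolive' not authorized to put to queue 'SYSTEM.BROKER.ADMIN.REPLY' on queue manager 'CM01.QMGR'",
]
# Constructed account data (assumption): exact names on the checking system.
ACCOUNTS = {"mqsiadm", "apolive"}
MQM_MEMBERS = {"mqsiadm"}

if __name__ == "__main__":
    result = triage(SAMPLE_LOG, ACCOUNTS, MQM_MEMBERS)
    for (user, queue, qmgr, verdict), n in sorted(result.items()):
        print(f"{n}x {user!r} -> {queue} on {qmgr}: {verdict}")
```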
|