2035 with Visual Browse tool
Seeker
Posted: Wed Nov 10, 2004 12:04 pm Post subject: WMQ Version 5.2

Newbie

Joined: 07 Oct 2004
Posts: 8

Hello Roger,
Thanks for your prompt reply. I have no problem in giving connect permissions, but when I try to set authority for all the system queues (SYSTEM.*), setmqaut reports that it cannot find the specified queue name. I am using version 5.2 and the manual does not mention anything about wildcard specifications for queues. I could set perms. on the SYSTEM.ADMIN.COMMAND.QUEUE, but could not figure out what the AMQ* name should be. Any suggestions would be greatly appreciated.

Thanks,
Seeker.
RogerLacroix
Posted: Wed Nov 10, 2004 12:31 pm

Jedi Knight

Joined: 15 May 2001
Posts: 3253
Location: London, ON Canada

Hi,

MQ 5.2 did NOT support any wildcarding - none, nothing, nada. Therefore, you need to explicitly state each queue.

I would suggest that you upgrade to WMQ v5.3.

For the 'why', read Chapter 10 of the WMQ System Administration manual.

Regards,
Roger Lacroix
Capitalware Inc.
_________________
Capitalware: Transforming tomorrow into today.
Connected to MQ!
cocam
Posted: Thu Jan 18, 2007 6:40 am Post subject: MQ Visual Edit with 2035

Newbie

Joined: 18 Jan 2007
Posts: 3

Hi,

I think that I have the same issue with a 2035 when using the "List" facility in MQ Visual Edit.

I am running MQ Visual Edit 1.3.1.A from a Windows workstation connecting to MQ 5.3 CSD 11 on Solaris 9.

I connect to the Q Manager using a SVRCONN with the MCAUSER set and have run the setmqaut commands to grant allmqi and dsp to the qmgr and all of the Q's in the qmgr.

I have tried the test scenarios mentioned in this case with the following
Test #1 - Success
Test #2 - Success
Test #3 - Completion code =2 Reason Code =2035

Any help would be greatly appreciated.
Colin
RogerLacroix
Posted: Thu Jan 18, 2007 8:23 am Post subject: Re: MQ Visual Edit with 2035

Jedi Knight

Joined: 15 May 2001
Posts: 3253
Location: London, ON Canada

cocam wrote:
Test #3 - Completion code =2 Reason Code =2035

Did you issue the REFRESH SECURITY command via runmqsc after you made any setmqaut changes?

Also, did you do the following suggested commands:

Code:
setmqaut -m QMRNAME -t qmgr -g GROUP +dsp +allmqi
setmqaut -m QMRNAME -t q -n SYSTEM.** -g GROUP +dsp +allmqi

(Replace "QMRNAME" with your queue manager name and replace "GROUP" with the group name that your UserId is in.)

The first command allows the program to connect to the queue manager, whereas the second command allows the GROUP users to access the queues. (Please pay attention to the double '**' asterisks.) You MUST do BOTH commands, otherwise you will get 2035 (Not Authorized).

Regards,
Roger Lacroix
Capitalware Inc.
_________________
Capitalware: Transforming tomorrow into today.
Connected to MQ!
cocam
Posted: Fri Jan 19, 2007 12:51 am

Newbie

Joined: 18 Jan 2007
Posts: 3

Hmmm,

Very interesting. I have run the following against the qmgr that I was working with; for discussion let's call it QM1. Note I am using the principal and not the group for authority.

setmqaut -m $qm -t qmgr -p ciplinkw +dsp +allmqi
setmqaut -m $qm -t q -p ciplinkw -n SYSTEM.** +dsp +allmqi
runmqsc ${qm} << EOF
refresh security
end
EOF

With the following output

The setmqaut command completed successfully.
The setmqaut command completed successfully.
5724-B41 (C) Copyright IBM Corp. 1994, 2002. ALL RIGHTS RESERVED.
Starting MQSC for queue manager QM1.
1 : refresh security
AMQ8560: WebSphere MQ security cache refreshed.
2 : end
One MQSC command read.
No commands have a syntax error.
All valid MQSC commands were processed.

However I still get the 2035 when I try the "list" facility.

Next I tried running the script against a new qmgr, for discussion QM2, and when I tried the "list" facility, it worked. So I will have to backtrack to determine if I have run a setmqaut on QM1 that is overriding the +dsp and +allmqi.

If I find the offending setmqaut, I will post an update.

Many thanks for your help.
Colin
cocam
Posted: Fri Jan 19, 2007 4:42 am

Newbie

Joined: 18 Jan 2007
Posts: 3

Hi,

On comparing the authorities on QM1 and QM2, I discovered that the authorities on SYSTEM.ADMIN.COMMAND.QUEUE were as follows

For the unsuccessful QM1
dsp
For the successful QM2
get browse put inq set dsp passid passall setid setall

I am not sure why QM1 didn’t seem to take the setmqaut command

setmqaut -m QM1 -t q -p ciplinkw -n SYSTEM.** +dsp +allmqi

but when I ran the setmqaut explicitly to update the authorities on SYSTEM.ADMIN.COMMAND.QUEUE

setmqaut -m QM1 -t q -p ciplinkw -n SYSTEM.ADMIN.COMMAND.QUEUE +dsp +allmqi

the “list” facility was successful.

Again,
Thanks for your help.
Colin
RogerLacroix
Posted: Sun Jan 21, 2007 9:50 am

Jedi Knight

Joined: 15 May 2001
Posts: 3253
Location: London, ON Canada

Hi,

It almost seems like between a setmqaut command and you testing the 'List of Queues' function that a REFRESH SECURITY command was missed. Or maybe a setmqaut command that you thought was executed was not executed.

i.e. If I have 15 Unix commands in a PC editor, I copy the commands to the clipboard then paste the commands via Putty or Exceed into a shell prompt, sometimes the shell does not process all of the commands. I find it safer to 'vi go.sh' and paste the commands into vi, save the file and then run it.

Anyway, I'm glad that it is now working for you.

Regards,
Roger Lacroix
Capitalware Inc.
_________________
Capitalware: Transforming tomorrow into today.
Connected to MQ!
yortch
Posted: Tue Mar 13, 2007 8:10 am Post subject: Minimum set of permissions required to list queue

Apprentice

Joined: 30 Aug 2004
Posts: 34

I did not want to grant +allmqi permission to system queues, so I used the authorization denied entries in the Windows Event log to incrementally grant permissions required to list queues on a queue manager:

setmqaut -m QM_NAME -t qmgr -g GROUP +connect +dsp
setmqaut -m QM_NAME -n SYSTEM.ADMIN.COMMAND.QUEUE -t queue -g GROUP +put +inq +dsp
setmqaut -m QM_NAME -n SYSTEM.AUTH.DATA.QUEUE -t queue -g GROUP +dsp
setmqaut -m QM_NAME -n SYSTEM.DEFAULT.MODEL.QUEUE -t queue -g GROUP +get +dsp
setmqaut -m QM_NAME -n AMQ.** -t queue -g GROUP +dsp

In addition, you need to grant +dsp authority for the actual system and application queues that you want the group to see - the only caveat is that if the permission is not granted to all queues, a warning will be logged on the Windows Event Log for each queue with authorization denied.

This should be the minimum set of permissions needed to list queues on a queue manager. I could not find this clearly documented anywhere, so I hope this helps others.
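
The audit below is an added example, not part of the thread or of any poster's script: it compares the authorities granted on the named system queues against the minimum set listed in the post above and prints the setmqaut command for whatever is missing, the same comparison that exposed the dsp-only entry on SYSTEM.ADMIN.COMMAND.QUEUE on QM1 earlier in the thread. The input format (one "OBJECT auth ..." line per queue, copied by hand from an authority display), the function names and the sample data are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): least-privilege audit for the
# "list queues" authorities. Function names and sample data are constructed.

# Minimum authorities per named queue, copied from the setmqaut lines in the
# post above (the qmgr entry and the AMQ.** generic profile are not covered).
required_auths() {
  cat <<'EOF'
SYSTEM.ADMIN.COMMAND.QUEUE put inq dsp
SYSTEM.AUTH.DATA.QUEUE dsp
SYSTEM.DEFAULT.MODEL.QUEUE get dsp
EOF
}

# missing_auths GRANTED REQUIRED: print the required authorities that are
# absent from the granted list (both space-separated).
missing_auths() {
  granted=" $1 "; out=""
  for a in $2; do
    case "$granted" in
      *" $a "*) ;;                      # already granted
      *) out="${out:+$out }$a" ;;       # needs an explicit grant
    esac
  done
  printf '%s' "$out"
}

# audit QMGR GROUP: read "OBJECT auth auth ..." lines on stdin (assumed input
# format) and print one setmqaut command per queue with missing authorities.
audit() {
  qm=$1; group=$2; granted_all=$(cat)
  required_auths | while read -r obj req; do
    have=$(printf '%s\n' "$granted_all" |
           awk -v o="$obj" '$1 == o { $1 = ""; print; exit }')
    miss=$(missing_auths "$have" "$req")
    [ -n "$miss" ] || continue
    printf 'setmqaut -m %s -n %s -t queue -g %s%s\n' \
      "$qm" "$obj" "$group" "$(printf ' +%s' $miss)"
  done
}

# Constructed sample: the command queue carries only dsp, as on QM1 above.
sample_granted() {
  cat <<'EOF'
SYSTEM.ADMIN.COMMAND.QUEUE dsp
SYSTEM.AUTH.DATA.QUEUE dsp
SYSTEM.DEFAULT.MODEL.QUEUE get browse dsp
EOF
}

sample_granted | audit QM1 GROUP
```

Naming each queue explicitly in the printed commands avoids depending on a generic profile having been applied; REFRESH SECURITY via runmqsc is still needed afterwards, as noted earlier in the thread.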