| Author |
Message
|
| atheek |
 Posted: Tue Nov 27, 2007 5:26 pm Post subject: RACF access |
 |
|
Partisan
Joined: 01 Jun 2006
Posts: 327
Location: Sydney
|
I need to connect my application running in Windows to a mainframe application via an IMS Bridge. I have created a new user id at mainframe and got the necessary IMS privileges. But when we actually tested we werent getting any reply messages from IMS. We got the explanantion that the RACF access is not granted to the Transmission queue to my windows box. Now I need to raise a RACF access request for granting the necessary permissions. I have zero mainframe knowledge.
I have the following information:
Name of XmitQ, QMGR, the mainframe logon user id (which needs the RACF permissions).
what else information will I be required to suggest to a 3rd party team to get this done. I have heard terms like data set, tera data etc which I have no clue at all.
TIA
-Atheek |
|
| Back to top |
|
 |
| Gaya3 |
| Posted: Tue Nov 27, 2007 11:04 pm Post subject: |
|
|
Jedi
Joined: 12 Sep 2006
Posts: 2493
Location: Boston, US
|
|
| Back to top |
|
|
| zpat |
| Posted: Wed Nov 28, 2007 12:36 am Post subject: |
|
|
Jedi Council
Joined: 19 May 2001
Posts: 5866
Location: UK
|
Look at the ICH408I RACF violation message on the system log, it tells you the name of the RACF class and the name of the RACF profile that controls the access to the resource.
In most cases, access should be granted by a RACF Group and not RACF Userid. It may therefore only be necessary to connect your RACF Userid to a RACF Group which already has the permission needed. |
|
| Back to top |
|
|
| rtsujimoto |
| Posted: Wed Nov 28, 2007 7:18 am Post subject: |
|
|
Centurion
Joined: 16 Jun 2004
Posts: 119
Location: Lake Success, NY
|
| I think you need to clarify what you mean by reply message. If you are referring to a COD, then the userid that flows with your message needs to have authorization to put to the XMITQ. If, on the other hand, a reply message is simply a message put on the XMITQ by the IMS application, then you need to review your standards. In general, an application should put to a queue remote and not an XMITQ. |
|
| Back to top |
|
|
| atheek |
| Posted: Wed Nov 28, 2007 9:29 pm Post subject: |
|
|
Partisan
Joined: 01 Jun 2006
Posts: 327
Location: Sydney
|
Hi all,
Many thanks to all for replying. This the ICH408I error I am getting:
15.33.12 STC04080 ICH408I USER(EIMAPP ) GROUP($B#C ) NAME(GENERIC USER ID ) 359
359 QM0.QM126 CL(MQQUEUE )
359 INSUFFICIENT ACCESS AUTHORITY
359 FROM QM0.** (G)
359 ACCESS INTENT(UPDATE ) ACCESS ALLOWED(NONE )
The user id is : EIMAPP
Transmission Queue is QM126.
I dont know which one is the RACF class or profile. could you let me know what type of access request i need to raise for getting EIMAPP the sufficient priveleges to access xmit q QM126
TIA
-Atheek |
|
| Back to top |
|
|
| zpat |
| Posted: Thu Nov 29, 2007 12:30 am Post subject: |
|
|
Jedi Council
Joined: 19 May 2001
Posts: 5866
Location: UK
|
The RACF class is MQQUEUE
The protected resource is QM0.QM126
The RACF profile which controls access is QM0.**
This means that no specific profile has been defined for the xmit queue, so you could either request access to the generic profile above (option 1) or have another profile defined for the xmit queue (option 2).
Lets make life easy for you - here are the exact commands to get someone with RACF Special to issue:
Option 1 (grant access to all queues on QM0):
PERMIT QM0.** CL(MQQUEUE) ID(EIMAPP) ACCESS(UPDATE)
Option 2 (grant access just to this xmit queue):
RDEFINE MQQUEUE QM0.QM126
PERMIT QM0.QM126 CL(MQQUEUE) GEN FROM(QM0.**) FCLASS(MQQUEUE) FGENERIC
PERMIT QM0.QM126 CL(MQQUEUE) ID(EIMAPP) ACCESS(UPDATE) GEN |
|
| Back to top |
|
|
| atheek |
| Posted: Thu Nov 29, 2007 3:36 am Post subject: |
|
|
Partisan
Joined: 01 Jun 2006
Posts: 327
Location: Sydney
|
cool! Thanx a ton mate!!!
-Atheek |
|
| Back to top |
|
|
| bruce2359 |
| Posted: Thu Nov 29, 2007 7:51 am Post subject: |
|
|
Guest
|
| Quote: |
| In general, an application should put to a queue remote and not an XMITQ. |
In general, yes. But in the request-reply model, the replying application relies on the reply-to-queue and reply-to-qmgr fields in the request message descriptor to send the reply.
The assumption of the replying application is to use both of these fields in the MQOD used to mqput the reply. Thus, the reply-to-qmgr will usually be the transmission queue back to the requesting qmgr. |
|
| Back to top |
|
|
| saurabhsinha23 |
| Posted: Fri Nov 30, 2007 12:30 pm Post subject: |
|
|
Novice
Joined: 20 Apr 2004
Posts: 12
|
Hi zpat,
Could you please let me know where can these commands be issued? Is any kind of access needed to execute these commands?
Thanks,
Saurabh
| zpat wrote: |
The RACF class is MQQUEUE
The protected resource is QM0.QM126
The RACF profile which controls access is QM0.**
This means that no specific profile has been defined for the xmit queue, so you could either request access to the generic profile above (option 1) or have another profile defined for the xmit queue (option 2).
Lets make life easy for you - here are the exact commands to get someone with RACF Special to issue:
Option 1 (grant access to all queues on QM0):
PERMIT QM0.** CL(MQQUEUE) ID(EIMAPP) ACCESS(UPDATE)
Option 2 (grant access just to this xmit queue):
RDEFINE MQQUEUE QM0.QM126
PERMIT QM0.QM126 CL(MQQUEUE) GEN FROM(QM0.**) FCLASS(MQQUEUE) FGENERIC
PERMIT QM0.QM126 CL(MQQUEUE) ID(EIMAPP) ACCESS(UPDATE) GEN |
|
|
| Back to top |
|
|
| bruce2359 |
| Posted: Fri Nov 30, 2007 12:33 pm Post subject: |
|
|
Guest
|
| You must have authority to issue racf admin commands. Send this along to your racf administrator, and have him/her execute the commands. |
|
| Back to top |
|
|
| tleichen |
| Posted: Fri Nov 30, 2007 12:49 pm Post subject: |
|
|
Yatiri
Joined: 11 Apr 2005
Posts: 663
Location: Center of the USA
|
| saurabhsinha23 wrote: |
Hi zpat,
Could you please let me know where can these commands be issued? Is any kind of access needed to execute these commands?
Thanks,
Saurabh
|
This is one of those things that if you don't know it, you can't (or shouldn't) do it. 
_________________
IBM Certified MQSeries Specialist
IBM Certified MQSeries Developer |
|
| Back to top |
|
|
| zpat |
| Posted: Fri Nov 30, 2007 10:30 pm Post subject: |
|
|
Jedi Council
Joined: 19 May 2001
Posts: 5866
Location: UK
|
| These are TSO commands issued by someone with RACF "Special" privileges. |
|
| Back to top |
|
|
|
|
