Vitor
Posted: Sat Mar 29, 2008 7:55 am
Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
ko.t wrote:
03/20/08 13:12:47 - Process(20347.483) User(our_user) Program(amqzlaa0_nd)
AMQ7310: Report message could not be put on a reply-to queue.
Why is the process not running as mqm? This process (and the others like it) should be running as the MQ owning id.
ko.t wrote:
Is my previous post about enabling authority events true? The messages in SYSTEM!ADMIN!QMGR!EVENT don't tell me a lot. It seems like copies of messages that were sent.
Yes it is. I think the problem is you've enabled all the events, and hence there are rafts of events (including the logging events you seem to be looking at).
Enable just the security events, set up your own queue to receive them, and review the event messages. You'll find the format of these messages, and details on how to configure the rest, in the Monitoring MQ documentation.
_________________
Honesty is the best policy.
Insanity is the best defence.
JosephGramig
Posted: Sun Mar 30, 2008 6:32 am
Grand Master
Joined: 09 Feb 2006 Posts: 1244 Location: Gold Coast of Florida, USA
If your inbound channels have the following settings:
MCAUSER(' ')
SCYEXIT(' ')
SSLCIPH(' ')
Your QMGR is open to anonymous administration (if you run a listener). This includes any channel that starts with 'SYSTEM'. All the setmqaut's will do nothing to change this.
It is trivial to connect to a QMGR and specify a blank user ID. When a 'Blank' user ID is specified, that tells the QMGR to execute the operation as the WMQ Service ID (mqm in UNIX).
If you have a channel that you don't want used, just set MCAUSER('nobody'). If anyone has ever done anything to make 'nobody' a usable ID on any of your systems, then they should be slapped about with a trout.
_________________
Joseph
Administrator - IBM WebSphere MQ (WMQ) V6.0, IBM WebSphere Message Broker (WMB) V6.1 & V6.0
Solution Designer - WMQ V6.0
Solution Developer - WMB V6.1 & V6.0, WMQ V5.3
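The check JosephGramig describes (blank MCAUSER, SCYEXIT and SSLCIPH on a SVRCONN means every request runs as the MCA's id) can be run mechanically over runmqsc output. This is an added example, not code from the thread; the sample DISPLAY CHANNEL output, the channel names and the cipher value are constructed for it.

```shell
# Added example (not from the thread): find SVRCONN channels that are open to
# anonymous administration, i.e. blank MCAUSER, SCYEXIT and SSLCIPH.
# SAMPLE is constructed runmqsc output for
#   DISPLAY CHANNEL(*) CHLTYPE(SVRCONN) MCAUSER SCYEXIT SSLCIPH
# (channel names and the cipher value are made up for the example).
SAMPLE='AMQ8414: Display Channel details.
   CHANNEL(SYSTEM.ADMIN.SVRCONN)           CHLTYPE(SVRCONN)
   MCAUSER( )                              SCYEXIT( )
   SSLCIPH( )
AMQ8414: Display Channel details.
   CHANNEL(SYSTEM.DEF.SVRCONN)             CHLTYPE(SVRCONN)
   MCAUSER(nobody)                         SCYEXIT( )
   SSLCIPH( )
AMQ8414: Display Channel details.
   CHANNEL(APP1.SVRCONN)                   CHLTYPE(SVRCONN)
   MCAUSER( )                              SCYEXIT( )
   SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA)'

# audit_svrconn: reads DISPLAY CHANNEL output on stdin, prints "<name> <verdict>".
# OPEN = requests run as the MCA id (mqm) with no exit or TLS in front of them.
audit_svrconn() {
  awk '
    function flush() {
      if (name == "") return
      if (mca == "" && scy == "" && ciph == "") v = "OPEN"
      else if (mca == "") v = "MCAUSER-BLANK"; else v = "OK"
      print name, v
    }
    /^AMQ8414/ { flush(); name = mca = scy = ciph = "" }
    {
      line = $0                      # pull every ATTR(value) pair off the line
      while (match(line, /[A-Z]+\([^)]*\)/)) {
        pair = substr(line, RSTART, RLENGTH); p = index(pair, "(")
        key = substr(pair, 1, p - 1); val = substr(pair, p + 1, length(pair) - p - 1)
        gsub(/ /, "", val)           # a blank attribute shows as "( )"
        if (key == "CHANNEL") name = val; else if (key == "MCAUSER") mca = val
        else if (key == "SCYEXIT") scy = val; else if (key == "SSLCIPH") ciph = val
        line = substr(line, RSTART + RLENGTH)
      }
    }
    END { flush() }'
}
# remediation_mqsc: the ALTER CHANNEL commands that close each OPEN channel.
remediation_mqsc() {
  audit_svrconn | awk -v q="'" '$2 == "OPEN" {
    printf "ALTER CHANNEL(%s) CHLTYPE(SVRCONN) MCAUSER(%snobody%s)\n", $1, q, q }'
}
printf '%s\n' "$SAMPLE" | audit_svrconn
printf '%s\n' "$SAMPLE" | remediation_mqsc
```

A channel reported MCAUSER-BLANK still lets the client assert whatever user id it likes, so it should get an MCAUSER (or an SSLPEER check) as well.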
jefflowrey
Posted: Sun Mar 30, 2008 11:14 am
Grand Poobah
Joined: 16 Oct 2002 Posts: 19981
JosephGramig wrote:
It is trivial to connect to a QMGR and specify a blank user ID. When a 'Blank' user ID is specified, that tells the QMGR to execute the operation as the WMQ Service ID (mqm in UNIX).
Weeeellllll.... Technically what it says is "use the userid that is running the MCA". But this is always mqm, so it amounts to the same thing.
JosephGramig wrote:
If you have a channel that you don't want used, just set MCAUSER('nobody'). If anyone has ever done anything to make 'nobody' a usable ID on any of your systems, then they should be slapped about with a trout.
_________________
I am *not* the model of the modern major general.
ko.t
Posted: Tue Apr 01, 2008 4:06 am
Newbie
Joined: 29 Mar 2008 Posts: 9
Hello there,
many thanks for the replies!!!!
I have entered the setmqaut command:
Quote:
$ setmqaut -m QM -n other_QM -t queue -g our_user +get +browse +put +inq +set +crt +dlt +chg +dsp +passid +passall +setid +setall +clr
The setmqaut command completed successfully.
$ dspmqaut -m QM -n other_QM -t queue -g our_user
Entity our_user has the following authorizations for object other_QM:
get
browse
put
inq
set
crt
dlt
chg
dsp
passid
passall
setid
setall
clr
I get the same error.
Is there something more that I must enter in MQSeries or Solaris?
Our user is also a member of the group mqm in /etc/group.
bruce2359
Posted: Tue Apr 01, 2008 4:51 am
Poobah
Joined: 05 Jan 2008 Posts: 9471 Location: US: west coast, almost. Otherwise, enroute.
Please cut/paste and post here the actual Dead Letter Header for one of the COD messages that failed.
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
JosephGramig
Posted: Tue Apr 01, 2008 5:43 am
Grand Master
Joined: 09 Feb 2006 Posts: 1244 Location: Gold Coast of Florida, USA
If you tried this action before you were granted the access and the QMGR has not been restarted, then the old access is probably cached.
Have you tried REFRESH SECURITY at runmqsc?
I tend to issue that after setmqaut commands.
Your command is granting full authority to the XMITQ 'other_QM' to the group 'our_user'. The ID in the message needs to exist on the machine where 'QM' is and be in the group 'our_user'.
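The "full authority" point can be checked mechanically: the dspmqaut report ko.t posted earlier can be diffed against a least-privilege allow-list and the excess revoked with one setmqaut. This is an added example, not code from the thread; the PUT_ONLY allow-list (put, inq, dsp for a queue an application only puts to) is an assumption of the example, and REPORT is a constructed copy of the posted output.

```shell
# Added example (not from the thread): check a dspmqaut report against a
# least-privilege allow-list and build the setmqaut that revokes the excess.
# PUT_ONLY is an assumed allow-list for a queue an application only puts to
# (an XMITQ or reply-to queue); REPORT is a constructed copy of ko.t's output.
REPORT='Entity our_user has the following authorizations for object other_QM:
get
browse
put
inq
set
crt
dlt
chg
dsp
passid
passall
setid
setall
clr'
PUT_ONLY="put inq dsp"

# excess_auths <allow-list>: prints each granted authority not in the allow-list.
excess_auths() {
  awk -v allow="$1" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    NR == 1 { next }                      # "Entity ... has the following ..." header
    NF == 1 && !($1 in ok) { print $1 }'
}

# revoke_cmd <qmgr> <object> <type> <group> <allow-list>: the single setmqaut
# that removes every excess authority; prints nothing when there is none.
revoke_cmd() {
  excess=$(excess_auths "$5" | sed 's/^/-/' | tr '\n' ' ')
  [ -n "$excess" ] || return 0
  printf 'setmqaut -m %s -n %s -t %s -g %s %s\n' "$1" "$2" "$3" "$4" "${excess% }"
}

printf '%s\n' "$REPORT" | excess_auths "$PUT_ONLY"
printf '%s\n' "$REPORT" | revoke_cmd QM other_QM queue our_user "$PUT_ONLY"
```

Follow the revoke with REFRESH SECURITY in runmqsc, as JosephGramig notes above, so the cached authorizations are dropped.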
ko.t
Posted: Tue Apr 01, 2008 6:39 am
Newbie
Joined: 29 Mar 2008 Posts: 9
I granted our_user to mqm in /etc/group, executed the setmqaut command and then REFRESH SECURITY(*), but still the same.
This is the DLH (in MQJExplorer):
Reason: 2035
Destination Queue: <other_QM.REPORTQ>
Destination Queue Manager: <other_QM>
Original Encoding: 273
Original CCSID: 819
Original Format:
Put Application Type: 7
Put Application Name: <QM>
Put Date 20080401
Put Time 14265414
Is there something that I must add on Solaris level? Another etc/ file?
JosephGramig
Posted: Tue Apr 01, 2008 11:14 am
Grand Master
Joined: 09 Feb 2006 Posts: 1244 Location: Gold Coast of Florida, USA
ko.t wrote:
I granted our_user to mqm in /etc/group
What? Do you mean you put the user 'our_user' in the mqm group by editing the /etc/group file? And then did a refresh security?
No, there is no OS thing you need to do (other than get the user in the right group). This is an OAM thing.
I think you are better off processing the messages off the DLQ with a program/ID that has the privilege to send the message back. This will avoid you granting extraneous IDs privilege in your shop.
jefflowrey
Posted: Tue Apr 01, 2008 11:17 am
Grand Poobah
Joined: 16 Oct 2002 Posts: 19981
Vitor wrote:
Enable just the security events, set up your own queue to receive them, and review the event messages. You'll find the format of these messages, and details on how to configure the rest, in the Monitoring MQ documentation.
_________________
I am *not* the model of the modern major general.
ko.t
Posted: Wed Apr 02, 2008 5:33 am
Newbie
Joined: 29 Mar 2008 Posts: 9
Well, IBM told me to set the environment with 'export MQS_REPORT_NOAUTH=TRUE'. With this command I obtain the following specific error: AMQ8077.
But I can't get the error, and the command is in the environment. Can somebody tell me more about this command?
Quote:
AMQ8077 Entity ..... has insufficient authority to access object .....
Explanation:
The specified entity is not authorized to access the required object.
The following requested permissions are unauthorized: ......
Thanks for the time
Vitor
Posted: Wed Apr 02, 2008 5:39 am
Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
ko.t wrote:
But I can't get the error, and the command is in the environment. Can somebody tell me more about this command?
So you've applied this variable, and are not seeing AMQ8077 messages? You're sure it's in scope for the queue manager?
What do IBM say (as this was at their instruction)?
_________________
Honesty is the best policy.
Insanity is the best defence.
ko.t
Posted: Wed Apr 02, 2008 6:15 am
Newbie
Joined: 29 Mar 2008 Posts: 9
IBM told me that I can get more detail with that command.
They are researching the problem.
How do I know when I am in the right scope? The environment is set and then I stop/start the QM. So it's in scope?
Vitor
Posted: Wed Apr 02, 2008 6:18 am
Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
ko.t wrote:
How do I know when I am in the right scope? The environment is set and then I stop/start the QM. So it's in scope?
Talk to the UNIX admin for your box, and show him/her the change IBM have requested.
_________________
Honesty is the best policy.
Insanity is the best defence.
ko.t
Posted: Mon Apr 07, 2008 12:58 am
Newbie
Joined: 29 Mar 2008 Posts: 9
I know what the problem is.
There was an unknown principal. I saw it by tracing MQ and setting the environment variable MQNOAUTH.
http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg21174924#UNIXst
I have searched for this problem and there were two possibilities:
1. Add the user to Unix.
2. Create a specific server connection channel. Then set the MCAUSER value of the server connection channel to a specific user defined on the machine.
I know that the first works. I actually don't want to add these principals (50 of them). Does anyone have experience with possibility 2?
Thanks a lot!
jefflowrey
Posted: Mon Apr 07, 2008 5:19 am
Grand Poobah
Joined: 16 Oct 2002 Posts: 19981
ko.t wrote:
Does anyone have experience with possibility 2?
It's what you should be doing anyway, in combination with SSL, to enforce both authentication and authorization of users.
_________________
I am *not* the model of the modern major general.