| Author |
Message
|
| sbuster |
 Posted: Tue Oct 07, 2008 3:49 am Post subject: Security on Windows |
 |
|
Apprentice
Joined: 07 Oct 2008
Posts: 25
|
I have MQ client/server installed on a local windows PC and I didn't setup any security information during the install. I can connect to other linux & z/OS queue managers but I am unable to connect to any queue managers on another windows system. In order to do this is it required to enable the windows security stuff? The error I get from teh MQ Client is "An unexpected error (2063) has occured. (AMQ4999)"
Thanks. |
|
| Back to top |
|
 |
| rgprasanna |
| Posted: Tue Oct 07, 2008 4:15 am Post subject: |
|
|
Voyager
Joined: 02 May 2007
Posts: 91
Location: Chennai - India
|
Hi,
How you are connecting to queue managers on other machines?
by using explorer or as a mq client?
if it is mq client ensure you set the MQCHLLIB variable and created the client and server connection channels...
_________________
Prasanna |
|
| Back to top |
|
|
| sbuster |
| Posted: Tue Oct 07, 2008 5:27 am Post subject: |
|
|
Apprentice
Joined: 07 Oct 2008
Posts: 25
|
| I'm using client Explorer. |
|
| Back to top |
|
|
| exerk |
| Posted: Tue Oct 07, 2008 5:37 am Post subject: |
|
|
Jedi Council
Joined: 02 Nov 2006
Posts: 6339
|
Active Directory environment?
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
|
| Back to top |
|
|
| rgprasanna |
| Posted: Tue Oct 07, 2008 5:47 am Post subject: |
|
|
Voyager
Joined: 02 May 2007
Posts: 91
Location: Chennai - India
|
if you are using mq explorer..ensure the user id used by your mq explorer have all the privileges to connect to the queue manager on the other windows machine..also check whether you have any firewall blocking the connectivity...
_________________
Prasanna |
|
| Back to top |
|
|
| sbuster |
| Posted: Tue Oct 07, 2008 5:57 am Post subject: |
|
|
Apprentice
Joined: 07 Oct 2008
Posts: 25
|
| When we installed MQ on the remote windows machine, we did not enable the security options. So I guess my question is: Do the security features have to be enabled on a Windows installation when connecting to remove queue managers from windows? |
|
| Back to top |
|
|
| rgprasanna |
| Posted: Tue Oct 07, 2008 6:03 am Post subject: |
|
|
Voyager
Joined: 02 May 2007
Posts: 91
Location: Chennai - India
|
by default in windows the OAM is active (Object Authority Manager).......the OAM will check for the incoming connection requests and validate the same, if you set delegation to any object...so, no need to enable any security feature when you want to connect to remote machines.
i've provided the check list for remote administration below for your ref..............
Check list - Connecting to remote queue manager using MQ Explorer V 6.0?
The user id used by you to open MQ explorer should be a part of mqm group
Check the command server is running or not, if not start it
Check the server connection channel SYSTEM.ADMIN.SVRCONN exist or not, if not create it and start it
Ensure the MCAUSER attribute is blank for the SYSTEM.ADMIN.SVRCONN channel (it can be the user id used by you used to connect to MQ EXPLORER)
_________________
Prasanna |
|
| Back to top |
|
|
| exerk |
| Posted: Tue Oct 07, 2008 6:05 am Post subject: |
|
|
Jedi Council
Joined: 02 Nov 2006
Posts: 6339
|
| sbuster wrote: |
| ...So I guess my question is: Do the security features have to be enabled on a Windows installation when connecting to remove queue managers from windows? |
My question remains: Is it an AD environment? Also, have you tried putting a valid MCAUSER in the SVRCONN channel? Just to check that you can connect?
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
|
| Back to top |
|
|
| sbuster |
| Posted: Tue Oct 07, 2008 7:09 am Post subject: |
|
|
Apprentice
Joined: 07 Oct 2008
Posts: 25
|
I am running MQ 7, MQ 7 is what is installed on the server. Security is not enabled to use AD, it is using the default. Also, the MCAUSER attribute is blank.
The funny thing is another person with MQ 6 Explorer connects just fine, no security settings or anything on his client. |
|
| Back to top |
|
|
| sbuster |
| Posted: Thu Oct 09, 2008 4:11 am Post subject: |
|
|
Apprentice
Joined: 07 Oct 2008
Posts: 25
|
|
| Back to top |
|
|
| PeterPotkay |
| Posted: Thu Oct 09, 2008 5:27 am Post subject: |
|
|
Poobah
Joined: 15 May 2001
Posts: 7722
|
Just be aware that anyone and everyone can now connect to your QM over that channel with the same authority. You may or may not want that. Adding SSL or a security exit will allow you to control who can connect, now that you have restricted what they can do with MCAUSER.
_________________
Peter Potkay
Keep Calm and MQ On |
|
| Back to top |
|
|
|
|
