chris boehnke (Partisan; Joined: 25 Jul 2006; Posts: 369)
Posted: Wed Oct 22, 2008 6:21 am
Post subject: error 2035 while accessing a cluster queue
Hi Guys,
I am on Sun OS, MQ V.6.0 fixpack 2.
I have 3 queue managers, QM1, QM2 and QM3, which are in a cluster, CLUSTER1.
QM1 - full repository
QM2 - full repository
QM3 - partial repository
We have a cluster queue, CLUSTERQ on QM1 & QM2.
The permissions have been provided for the user on QM1 & QM2 for the cluster queue, CLUSTERQ, to put/get etc.
When the user is trying to access the cluster queue, CLUSTERQ, from QM3 to write a msg, the user is getting a 2035 error, which is an authorization error. I provide the permissions on QM3 to connect to the queue manager.
Let me know what could be the issue.
Thanks.

exerk (Jedi Council; Joined: 02 Nov 2006; Posts: 6339)
Posted: Wed Oct 22, 2008 6:30 am
Have you given the userid PUT permission to the SYSTEM.CLUSTER.TRANSMIT.QUEUE?
Better to use a QA that references the qcluster and set the permissions on that. Giving PUT to the S.C.T.Q means 'where would you like to go in the cluster today?'
_________________ It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.

fjb_saper (Grand High Poobah; Joined: 18 Nov 2003; Posts: 20756; Location: LI,NY)
Posted: Wed Oct 22, 2008 6:33 am
On QM3 create a remote queue with rname your clustered queue and rqmname ' '. Give your user's group authorization to write to that remote queue. This should do it for you. Enjoy
_________________ MQ & Broker admin

chris boehnke (Partisan; Joined: 25 Jul 2006; Posts: 369)
Posted: Wed Oct 22, 2008 6:52 am
exerk wrote: |
Have you given the userid PUT permission to the SYSTEM.CLUSTER.TRANSMIT.QUEUE?
Better to use a QA that references the qcluster and set the permissions on that. Giving PUT to the S.C.T.Q means 'where would you like to go in the cluster today?' |
Do we need to provide the permissions for the SYSTEM.CLUSTER.TRANSMIT.QUEUE? Why do we need to do that? If there are multiple queues under a single queue manager which are related to different applications, how is the security going to work? When we provide the permissions on S.C.T.Q, he is able to access all the cluster queues, right? Even the cluster queues of different applications, right?
I didn't provide the permissions for S.C.T.Queue. For other applications we didn't provide the permissions on S.C.T.Queue and they are able to access the cluster queues which are remote to the queue manager.
Let me know your thoughts.
Thanks.

chris boehnke (Partisan; Joined: 25 Jul 2006; Posts: 369)
Posted: Wed Oct 22, 2008 6:53 am
fjb_saper wrote: |
On QM3 create a remote queue with rname your clustered queue and rqmname ' '. Give your user's group authorization to write to that remote queue. This should do it for you. Enjoy |
Hi,
Why do we need to create a remote queue on QM3? All the 3 QMgrs, QM1, QM2 and QM3 are in the same cluster.

fjb_saper (Grand High Poobah; Joined: 18 Nov 2003; Posts: 20756; Location: LI,NY)
Posted: Wed Oct 22, 2008 7:00 am
chris boehnke wrote: |
fjb_saper wrote: |
On QM3 create a remote queue with rname your clustered queue and rqmname ' '. Give your user's group authorization to write to that remote queue. This should do it for you. Enjoy |
Hi,
Why do we need to create a remote queue on QM3? All the 3 QMgrs, QM1, QM2 and QM3 are in the same cluster. |
Because you don't want to give put permission to the SCTQ! This is a way that gives permission to a remote queue and will force qmgr resolution to SCTQ. This should work whether the queue exists on the current qmgr or not. On qmgrs where the queue does exist you might want to have either this remote queue or an alias queue defined so the app is indifferent as to where it connects.
I have found that the remote queue gives less trouble than an Alias queue if the repository is not available...
_________________ MQ & Broker admin

exerk (Jedi Council; Joined: 02 Nov 2006; Posts: 6339)
Posted: Wed Oct 22, 2008 7:03 am
chris boehnke wrote: |
Do we need to provide the permissions for the SYSTEM.CLUSTER.TRANSMIT.QUEUE? Why do we need to do that? If there are multiple queues under a single queue manager which are related to different applications, how is the security going to work? When we provide the permissions on S.C.T.Q, he is able to access all the cluster queues, right? Even the cluster queues of different applications, right? |
Precisely the point both I and fjb_saper were making - use another object to reference the queue, and give the necessary authorisations to that object.
chris boehnke wrote: |
I didn't provide the permissions for S.C.T.Queue. For other applications we didn't provide the permissions on S.C.T.Queue and they are able to access the cluster queues which are remote to the queue manager. |
Then I suggest you check whether those application userids are in the mqm group.
chris boehnke wrote: |
Hi,
Why do we need to create a remote queue on QM3? All the 3 QMgrs, QM1, QM2 and QM3 are in the same cluster. |
So you don't have to give the application authorities on the S.C.T.Q
_________________ It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.

exerk (Jedi Council; Joined: 02 Nov 2006; Posts: 6339)
Posted: Wed Oct 22, 2008 7:05 am
fjb_saper wrote: |
I have found that the remote queue gives less trouble than an Alias queue if the repository is not available...  |
Thank you for the tip!
_________________ It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.

bruce2359 (Poobah; Joined: 05 Jan 2008; Posts: 9469; Location: US: west coast, almost. Otherwise, enroute.)
Posted: Wed Oct 22, 2008 7:37 am
|
The first objectname is the one checked for authority. Applications should open QRemote or QAlias object definitions that the qmgr name resolution process resolves to the appropriate xmit queue.
As with private transmission queue objects, no authority should be given to any user to directly open/put messages to the S.C.T.Q.
_________________ I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
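
The approach the replies converge on (authorise a QRemote on QM3 instead of the S.C.T.Q, then confirm the group has no put on the S.C.T.Q), written out as an added example that is not part of any post in this thread. The object name APP1.CLUSTERQ.PUT and the group appgrp are hypothetical, and the sample `dspmqaut` text is constructed.

```shell
#!/bin/sh
# Added example; not from the thread. APP1.CLUSTERQ.PUT and appgrp are hypothetical names.

# Print the commands to run on the queue manager that does not host the cluster
# queue: a QREMOTE with a blank RQMNAME, and authority on that object only.
# usage: grant_plan QMGR LOCAL_NAME CLUSTER_QUEUE GROUP
grant_plan() {
    qmgr=$1 local_q=$2 cluster_q=$3 group=$4
    cat <<EOF
echo "DEFINE QREMOTE($local_q) RNAME($cluster_q) RQMNAME(' ') REPLACE" | runmqsc $qmgr
setmqaut -m $qmgr -t qmgr -g $group +connect
setmqaut -m $qmgr -n $local_q -t queue -g $group +put
EOF
}

# Read dspmqaut output on stdin; succeed if "put" is one of the listed authorities.
lists_put() {
    awk 'NF == 1 && $1 == "put" { found = 1 } END { exit !found }'
}

# Check the result on a host with MQ installed: the group must be able to put to
# the QREMOTE and must not be able to put to the cluster transmit queue.
# usage: audit QMGR LOCAL_NAME GROUP
audit() {
    sctq=SYSTEM.CLUSTER.TRANSMIT.QUEUE
    if dspmqaut -m "$1" -n "$sctq" -t queue -g "$3" | lists_put; then
        echo "WARN: group $3 has put on $sctq (reaches every cluster queue)"
        return 1
    fi
    if ! dspmqaut -m "$1" -n "$2" -t queue -g "$3" | lists_put; then
        echo "FAIL: group $3 has no put on $2"
        return 1
    fi
    echo "OK: group $3 puts via $2 only"
}

# Constructed samples in the layout dspmqaut prints (not captured from a real system).
SAMPLE_SCTQ_PUT='Entity appgrp has the following authorizations for object SYSTEM.CLUSTER.TRANSMIT.QUEUE:
        get
        put'
SAMPLE_NO_PUT='Entity appgrp has the following authorizations for object SYSTEM.CLUSTER.TRANSMIT.QUEUE:
        inq
        dsp'

grant_plan QM3 APP1.CLUSTERQ.PUT CLUSTERQ appgrp
printf '%s\n' "$SAMPLE_SCTQ_PUT" | lists_put && echo "sample 1: put on the S.C.T.Q, revoke it"
printf '%s\n' "$SAMPLE_NO_PUT" | lists_put || echo "sample 2: no put on the S.C.T.Q"
```

The application then opens APP1.CLUSTERQ.PUT on QM3 rather than CLUSTERQ, so the authority check is made against the QREMOTE.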