| Author |
Message
|
| chris boehnke |
 Posted: Sat Mar 14, 2009 4:29 pm Post subject: MQSC commands in SDSF - Getting authorization error |
 |
|
Partisan
Joined: 25 Jul 2006
Posts: 369
|
Hi Guys,
We are on z/OS MQ version 6.
I am trying to execute MQSC commands like DISPLAY CLUSQMGR(*) etc in SDSF and I am getting NOT AUTHORIZED FOR CMD.
I am in SDSF -> ST and did this:
/+QM1 DISPLAY CLUSQMGR(*)
-where QM1 is my QMgr name on this LPAR and this QMgr is part of a cluster, CLUS1.
I am getting NOT AUTHORIZED FOR CMD. Not sure whether I need any special permissions to execute the commands.
I am able to do the Admin functions via ISPF panels and need to know whether I need extra privileges for executing MQSC commands.
Please let me know.
Thanks. |
|
| Back to top |
|
 |
| bruce2359 |
| Posted: Sat Mar 14, 2009 9:04 pm Post subject: |
|
|
Poobah
Joined: 05 Jan 2008
Posts: 9469
Location: US: west coast, almost. Otherwise, enroute.
|
Can you issue any other MVS console commands from SDSF?
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live. |
|
| Back to top |
|
|
| chris boehnke |
| Posted: Sun Mar 15, 2009 7:49 am Post subject: |
|
|
Partisan
Joined: 25 Jul 2006
Posts: 369
|
| bruce2359 wrote: |
| Can you issue any other MVS console commands from SDSF? |
I tried some other MQSC commands like DIS CHS(*), DIS LSSTATUS(*) etc but nothing is working and complaining like complaining like not authorized for CMD.
I tried like this:
/+QM1 DIS CHS(*)
/+QM1 DIS LSSTATUS(*)
Not sure whether you mean some other MVS commands means here MQSC or any other commands. As an MQ Admin I am supposed to execute only MQSC commands.
Let me know your thoughts...thanks. |
|
| Back to top |
|
|
| bruce2359 |
| Posted: Sun Mar 15, 2009 8:03 am Post subject: |
|
|
Poobah
Joined: 05 Jan 2008
Posts: 9469
Location: US: west coast, almost. Otherwise, enroute.
|
MVS console operators issue MVS commands. There is a big manual documenting the usual MVS commands. The Cancel command is used to cancel TSO sessions or batch jobs, for example.
For commands to subsystems, the operatore prefixes the command with a command prefix (CPF). $ is the usual CPF for commands to JES.
Your sysprogs have created CPFs for your qmgr instances. QM1 is the CPF. From SDSF, you must prefix the QM1 CPF with a slash so that SDSF forwards the QM1 DISPLAY command to the MVS console for execution.
It appears that you are being denied the ability to issue MVS operator commands from SDSF. Your security admins will need to grant you this priviledge. SDSF console command security is different from being able to use CSQOREXX or run CSQUTIL in batch.
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live. |
|
| Back to top |
|
|
| chris boehnke |
| Posted: Mon Mar 16, 2009 7:42 am Post subject: |
|
|
Partisan
Joined: 25 Jul 2006
Posts: 369
|
| bruce2359 wrote: |
MVS console operators issue MVS commands. There is a big manual documenting the usual MVS commands. The Cancel command is used to cancel TSO sessions or batch jobs, for example.
For commands to subsystems, the operatore prefixes the command with a command prefix (CPF). $ is the usual CPF for commands to JES.
Your sysprogs have created CPFs for your qmgr instances. QM1 is the CPF. From SDSF, you must prefix the QM1 CPF with a slash so that SDSF forwards the QM1 DISPLAY command to the MVS console for execution.
It appears that you are being denied the ability to issue MVS operator commands from SDSF. Your security admins will need to grant you this priviledge. SDSF console command security is different from being able to use CSQOREXX or run CSQUTIL in batch. |
Hey Bruce,
Thanks for the info. I checked with my mainframe SysAdmin and they dont want give the command console privileges.
Do we have any other way we can achieve this?. Like issuing commands like DIS CHS(*), DIS LSSTATUS(*), DIS CLUSQMGR(*) etc in a member and pass it to JCL which uses CSQUTIL and write the SYSOUT to spool or to a member?.
Let me know your thoughts...thanks. |
|
| Back to top |
|
|
| bruce2359 |
| Posted: Mon Mar 16, 2009 7:48 am Post subject: |
|
|
Poobah
Joined: 05 Jan 2008
Posts: 9469
Location: US: west coast, almost. Otherwise, enroute.
|
Yes, you can process MQSC commands in batch with CSQUTIL. Take a look at the z/OS WMQ System Admin manual, the section on CSQUTIL utility.
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live. |
|
| Back to top |
|
|
| PeterPotkay |
| Posted: Mon Mar 16, 2009 9:23 am Post subject: |
|
|
Poobah
Joined: 15 May 2001
Posts: 7722
|
Move to z/OS forum.
_________________
Peter Potkay
Keep Calm and MQ On |
|
| Back to top |
|
|
| ctefehinoz |
| Posted: Mon Mar 16, 2009 4:46 pm Post subject: |
|
|
Apprentice
Joined: 27 Oct 2003
Posts: 29
Location: Australia
|
Chris,
Find the ICH408I messages in the syslog or the MQ MSTR address space JESMSGLG. You could be failing on any number of profiles.
HTH
Ctefehinoz |
|
| Back to top |
|
|
| zhanghz |
| Posted: Mon Mar 16, 2009 9:32 pm Post subject: |
|
|
Disciple
Joined: 17 Jun 2008
Posts: 186
|
| can't your sysadmin give you access to issue just MQ related commands in console? i belive it's very doable. |
|
| Back to top |
|
|
| Mr Butcher |
| Posted: Mon Mar 16, 2009 10:31 pm Post subject: |
|
|
Padawan
Joined: 23 May 2005
Posts: 1716
|
go get the MA10 Utilities, there is a simple command interface so you can issue all the MQSC commands from ISPF
_________________
Regards, Butcher |
|
| Back to top |
|
|
| kevinf2349 |
| Posted: Tue Mar 17, 2009 5:09 am Post subject: |
|
|
Grand Master
Joined: 28 Feb 2003
Posts: 1311
Location: USA
|
| Mr Butcher wrote: |
| go get the MA10 Utilities, there is a simple command interface so you can issue all the MQSC commands from ISPF |
....providing you have the right authorities defined. (Just to finish off Mr Butcher's advice) |
|
| Back to top |
|
|
| bruce2359 |
| Posted: Thu Mar 26, 2009 11:06 am Post subject: |
|
|
Poobah
Joined: 05 Jan 2008
Posts: 9469
Location: US: west coast, almost. Otherwise, enroute.
|
Did you resolve this issue? If so, please share your solution with others.
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live. |
|
| Back to top |
|
|
| chris boehnke |
| Posted: Fri Mar 27, 2009 6:16 am Post subject: |
|
|
Partisan
Joined: 25 Jul 2006
Posts: 369
|
| bruce2359 wrote: |
| Did you resolve this issue? If so, please share your solution with others. |
I am using JCL with CSQUTIL and running MQSC commands like DIS CHS(*), DIS LSSTATUS(*) etc in a member and supply this member to CSQUTIL in a JCL. Looking the output in the spool.
As many other applications are running on the same LPAR, our mainframe sys admins not happy to provide command level access. As we have the CSQUTIL option, our management is not forcing the mainframe sys admins to provide the command level access.
Not sure whether the mainframe sys admins can resctrict access only to MQSC commands in command console?.
Thanks. |
|
| Back to top |
|
|
| ctefehinoz |
| Posted: Sun Mar 29, 2009 4:24 pm Post subject: |
|
|
Apprentice
Joined: 27 Oct 2003
Posts: 29
Location: Australia
|
Chris,
Yes they can if they even bother to try. To me at least and IMHO, they are maintaining the status quo, or the "battery hen" mentality. Again, IMHO, any CICS/DBA/MQ/SYSPROG should have display authority. The line about "many apps blah blah" doesn't wash. That being said, since I don't know your shop at all security requirements may dictate otherwise.
That they have stated the argument means you will have an almighty uphill battle to change their attitude that may unfortunately last the rest of your career. My sympathies to you  .
Ctefehinoz |
|
| Back to top |
|
|
| fjb_saper |
| Posted: Sun Mar 29, 2009 9:05 pm Post subject: |
|
|
Grand High Poobah
Joined: 18 Nov 2003
Posts: 20756
Location: LI,NY
|
| ctefehinoz wrote: |
Chris,
Yes they can if they even bother to try. To me at least and IMHO, they are maintaining the status quo, or the "battery hen" mentality. Again, IMHO, any CICS/DBA/MQ/SYSPROG should have display authority. The line about "many apps blah blah" doesn't wash. That being said, since I don't know your shop at all security requirements may dictate otherwise.
That they have stated the argument means you will have an almighty uphill battle to change their attitude that may unfortunately last the rest of your career. My sympathies to you .
Ctefehinoz |
With version 7 and up just get MO72, make sure your id is authorized in the mqm group (as admin it should be) and use one of the free client connections (SSL encrypted of course)....
I know it is PC based and not mainframe, but it gets the job done, just all the same and avoids having to beg system authorizations from the security group. All you need there is MQ authorizations.
Your alternative using JCL and CSQUTIL is equally valid and is MF based.
_________________
MQ & Broker admin |
|
| Back to top |
|
|
|
|
