fireguok |
Posted: Tue Jun 09, 2009 12:33 am Post subject: PCFAgent issue |
|
|
Novice
Joined: 03 Apr 2007 Posts: 22
|
I wrote a Java program to retrieve all the queue depths. It worked fine if I use the mqm user in both the program and the server connection channel.
However it failed when I used a different username, mqclient. I granted all queue/channel/qmgr access by setmqaut, but it still failed with MQException 2035.
Is there any special requirement for PCFAgent? |
Vitor |
Posted: Tue Jun 09, 2009 1:15 am Post subject: Re: PCFAgent issue |
|
|
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
|
fireguok wrote: |
Is there any special requirement for PCFAgent? |
Does the user in question have access to the SYSTEM queues? _________________ Honesty is the best policy.
Insanity is the best defence. |
fireguok |
Posted: Tue Jun 09, 2009 1:31 am Post subject: |
|
|
Novice
Joined: 03 Apr 2007 Posts: 22
|
Yes. I added all access to all queues/channels. |
Vitor |
Posted: Tue Jun 09, 2009 1:34 am Post subject: |
|
|
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
|
Then you can do one (or more) of the following:
- enable security events to see what it's failing against
- wait for someone with more Java than me to explain how to authorise against the command server in Java
- accept that obtaining queue depths is an administrative function and run the application as the administrator (i.e. mqm)
Other options are undoubtedly possible. _________________ Honesty is the best policy.
Insanity is the best defence. |
fjb_saper |
Posted: Tue Jun 09, 2009 1:51 pm Post subject: Re: PCFAgent issue |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
Vitor wrote: |
fireguok wrote: |
Is there any special requirement for PCFAgent? |
Does the user in question have access to the SYSTEM queues? |
Did you grant the user connect rights to the qmgr? See setmqaut  _________________ MQ & Broker admin |
fireguok |
Posted: Tue Jun 09, 2009 3:18 pm Post subject: |
|
|
Novice
Joined: 03 Apr 2007 Posts: 22
|
yes, all access to qmgr. no joy. |
PeterPotkay |
Posted: Tue Jun 09, 2009 4:30 pm Post subject: |
|
|
 Poobah
Joined: 15 May 2001 Posts: 7722
|
Vitor wrote: |
- enable security events to see what it's failing against
|
Vitor is right.
("Authority Events" is the name you'll see in the manuals, but this is the solution to determine why you are getting a 2035.) _________________ Peter Potkay
Keep Calm and MQ On |
gbaddeley |
Posted: Tue Jun 09, 2009 5:27 pm Post subject: |
|
|
 Jedi Knight
Joined: 25 Mar 2003 Posts: 2538 Location: Melbourne, Australia
|
PeterPotkay wrote: |
Vitor wrote: |
- enable security events to see what it's failing against
|
Vitor is right.
("Authority Events" is the name you'll see in the manuals, but this is the solution to determine why you are getting a 2035.) |
Authority event messages (in SYSTEM.ADMIN.QMGR.EVENT queue) are only produced on distributed platforms. This is not an issue for z/OS mainframes because MQ authorisation errors produce messages on the sys log and job log.
An alternative for distributed platforms is to set environment variables, refer to http://www.ibm.com/support/docview.wss?uid=swg21299319 and http://www.ibm.com/support/docview.wss?uid=swg21377578 . _________________ Glenn |
fjb_saper |
Posted: Tue Jun 09, 2009 7:48 pm Post subject: |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
I seem to remember that you need to be mqm to retrieve information about certain system queues... like system.auth* for instance...
Exclude the system queues from your query and you might just get what you are looking for...  _________________ MQ & Broker admin |
fireguok |
Posted: Wed Jun 10, 2009 4:58 pm Post subject: |
|
|
Novice
Joined: 03 Apr 2007 Posts: 22
|
However, the tricky thing here is that the MQException was thrown by the following PCF code after I set the mcauser to be non mqm.
PCFAgent agent = new PCFAgent(mqSvr, mqPort, mqChl); |
fireguok |
Posted: Wed Jun 10, 2009 5:29 pm Post subject: |
|
|
Novice
Joined: 03 Apr 2007 Posts: 22
|
Sorry, after I define the parameters MQSAUTHERRORS/MQS_REPORT_NOAUTH, I figured out actually the user didn't have access to a couple of system queues.
I don't know why and I checked before and the user had the access.
Is there a way that I can use the wildcard * to grant access in a batch mode, something like the following?
setmqaut -m prod.esp1 -n '*' -t q -p mqclient +dsp +inq |
fjb_saper |
Posted: Wed Jun 10, 2009 7:27 pm Post subject: |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
fireguok wrote: |
Sorry, after I define the parameters MQSAUTHERRORS/MQS_REPORT_NOAUTH, I figured out actually the user didn't have access to a couple of system queues.
I don't know why and I checked before and the user had the access.
Is there a way that I can use the wildcard * to grant access in a batch mode, something like the following?
setmqaut -m prod.esp1 -n '*' -t q -p mqclient +dsp +inq |
Look up the "**" wildcard in the security/admin manual.  _________________ MQ & Broker admin |
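
An added example, not part of any post in this thread: before widening grants with a wildcard, the queue manager error log can be summarised to see exactly which entity, object and permission produced each 2035. The function name `summarise_noauth`, the sample log and the AMQ8077 entry layout it parses are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example. SAMPLE_LOG is constructed; the AMQ8077 layout is an assumption
# about what the error log contains once MQS_REPORT_NOAUTH is set.
SAMPLE_LOG="06/10/09 17:20:01 - Process(4242.7) User(mqm) Program(amqzlaa0)
AMQ8077: Entity 'mqclient' has insufficient authority to access object
'SYSTEM.DEFAULT.MODEL.QUEUE'.

EXPLANATION:
The specified entity is not authorized to access the required object. The
following requested permissions are unauthorized: get
ACTION:
Ensure that the correct level of authority has been set for this entity.
06/10/09 17:20:02 - Process(4242.7) User(mqm) Program(amqzlaa0)
AMQ9999: Channel program ended abnormally.
06/10/09 17:21:10 - Process(4242.9) User(mqm) Program(amqzlaa0)
AMQ8077: Entity 'mqclient' has insufficient authority to access object 'SYSTEM.ADMIN.COMMAND.QUEUE'.
EXPLANATION:
The following requested permissions are unauthorized: put
ACTION:
06/10/09 17:22:30 - Process(4242.9) User(mqm) Program(amqzlaa0)
AMQ8077: Entity 'mqclient' has insufficient authority to access object 'SYSTEM.DEFAULT.MODEL.QUEUE'.
EXPLANATION:
The following requested permissions are unauthorized: get
ACTION:"

# Reads an error log on stdin and prints one line per distinct failure:
# count <TAB> entity <TAB> object <TAB> missing permissions
summarise_noauth() {
    awk '
    function emit(s,   parts, perms) {
        split(s, parts, "\047")          # quoted fields: [2]=entity, [4]=object
        perms = s
        if (!sub(/.*unauthorized: */, "", perms)) perms = "unknown"
        gsub(/[ .]+$/, "", perms)
        count[parts[2] "\t" parts[4] "\t" perms]++
    }
    /^AMQ8077/               { buf = $0; collecting = 1; next }
    collecting && /^ACTION:/ { emit(buf); collecting = 0; next }
    collecting               { buf = buf " " $0 }   # rejoin wrapped lines
    END { for (k in count) print count[k] "\t" k }
    ' | LC_ALL=C sort
}

# Typical use: summarise_noauth < /var/mqm/qmgrs/<QMGR>/errors/AMQERR01.LOG
printf '%s\n' "$SAMPLE_LOG" | summarise_noauth
```

Each output line names one missing authority, which can then be granted on that profile alone with setmqaut.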
Vitor |
Posted: Wed Jun 10, 2009 11:45 pm Post subject: |
|
|
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
|
fireguok wrote: |
I figured out actually the user didn't have access to a couple of system queues. |
 _________________ Honesty is the best policy.
Insanity is the best defence. |