Authorization error
dev135
Posted: Mon Aug 16, 2010 9:39 am    Post subject: Authorization error

Apprentice

Joined: 21 Oct 2008
Posts: 44

Hi,

I have a cluster alias queue (say q1) on Qmgr 1 and an application existing with app id "abc" on Qmgr 2 trying to access that cluster alias queue for putting a message to the target queue.

Qmgr 1 and Qmgr 2 are in the same cluster.

The app id exists on both servers (of Qmgr 1 & Qmgr 2) and has permissions for putting messages on queues.

But somehow I am still getting a 2035 error. Any thoughts?

(Giving access to the SCTQ for the app id, I guess, might work, but I don't want to give that.)

Thanks,
DR.
shashivarungupta
Posted: Mon Aug 16, 2010 9:47 am

Grand Master

Joined: 24 Feb 2009
Posts: 1343
Location: Floating in space on a round rock.

Have you created the id 'abc' on the servers?
Have you set the access level using setmqaut on the respective queues?
_________________
*Life will beat you down, you need to decide to fight back or leave it.
dev135
Posted: Mon Aug 16, 2010 9:49 am

Apprentice

Joined: 21 Oct 2008
Posts: 44

Yes, the id exists on the servers and access is given to the queues and qmgrs also.
shashivarungupta
Posted: Mon Aug 16, 2010 9:57 am

Grand Master

Joined: 24 Feb 2009
Posts: 1343
Location: Floating in space on a round rock.

dev135 wrote:
Yes, the id exists on the servers and access is given to the queues and qmgrs also.

A 2035 means that your UserID is not authorized to access the queue.
Have you confirmed with dspmqaut? Can you paste the output here?
Have you checked the security exit settings on the channel?
dev135
Posted: Mon Aug 16, 2010 10:13 am

Apprentice

Joined: 21 Oct 2008
Posts: 44

dspmqaut -m qmgr1 -n queue_name -t queue -p abc
Entity abc has the following authorizations for object queue_name:
get
browse
put
inq
dsp
dspmqaut -m qmgr1 -t qmgr -p abc
Entity abc has the following authorizations for object qmgr1:
inq
connect

Security exit settings at channel level? We don't have any exits enabled at channel level...
shashivarungupta
Posted: Mon Aug 16, 2010 10:38 am

Grand Master

Joined: 24 Feb 2009
Posts: 1343
Location: Floating in space on a round rock.

Quote:
Security exit settings at channel level? We don't have any exits enabled at channel level...

Haven't you ever heard of it!!
Security Exit Name and Security Exit Data are the parameters that are used for the security exit.
Through which channel are you connecting to the qmgr?
How have you set up the Security Exit?
exerk
Posted: Mon Aug 16, 2010 10:48 am

Jedi Council

Joined: 02 Nov 2006
Posts: 6339

To put directly to a queue across the cluster, i.e. the instance of the queue exists on a remote queue manager, requires access to the S.C.T.Q., which as you have rightly pointed out is not something ideal. Better to make the base queue (in QMGR1) clustered and create a QALIAS to it in the originating queue manager (QMGR2), and give the application the necessary permissions to the QALIAS. It doesn't matter that you have the same userid set up on each machine, or even if the queue managers are on the same machine, the authorities are checked by the queue manager against which the application is bound.

shashivarungupta: not everyone uses security exits, and your constant banging on about them to those that do not (nowhere in the original post does it mention exits) can lead to confusion and irritation - READ THE OP's POSTS PROPERLY!
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
shashivarungupta
Posted: Mon Aug 16, 2010 10:49 am

Grand Master

Joined: 24 Feb 2009
Posts: 1343
Location: Floating in space on a round rock.

Which OS have you set up?

On AIX (as if you used a principal id), a principal id belongs to more than one group (group set) and has the aggregate of all the authorities granted to each group in its group set. These authorities are cached, so any changes you make to the principal's group membership are not recognized until the qmgr is restarted or unless you issue the Refresh Security!!
exerk
Posted: Mon Aug 16, 2010 10:53 am

Jedi Council

Joined: 02 Nov 2006
Posts: 6339

shashivarungupta wrote:
Which OS have you set up?

On AIX (as if you used a principal id), a principal id belongs to more than one group (group set) and has the aggregate of all the authorities granted to each group in its group set. These authorities are cached, so any changes you make to the principal's group membership are not recognized until the qmgr is restarted or unless you issue the Refresh Security!!


exerk wrote:
...It doesn't matter that you have the same userid set up on each machine, or even if the queue managers are on the same machine, the authorities are checked by the queue manager against which the application is bound...


Security 101
dev135
Posted: Mon Aug 16, 2010 1:06 pm

Apprentice

Joined: 21 Oct 2008
Posts: 44

Thanks for the response.

Sorry, I should have mentioned this earlier...
I have my target queue on Qmgr3 within a different cluster (Qmgr 1 and Qmgr3 are in different clusters).

So we are trying to send a message from Qmgr2 to Qmgr3 (target queue) via Qmgr1.

OS: AIX
exerk
Posted: Mon Aug 16, 2010 1:16 pm

Jedi Council

Joined: 02 Nov 2006
Posts: 6339

QA -> QR -> QL

Where:

1. QA in QMGR2 references;
2. QR (cluster alias) in QMGR1 references;
3. QL in QMGR3.

Try it...it's all in the manual
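
The QA -> QR -> QL chain from the replies above, as an added example that is not part of the original thread. The object names, the cluster name and an existing route from QMGR1 to QMGR3 are assumptions, and the `dspmqaut` samples are constructed in the format posted earlier. It prints the MQSC definition for each queue manager and the `setmqaut` grants on QMGR2, then checks that the application has put on the alias and nothing on SYSTEM.CLUSTER.TRANSMIT.QUEUE.

```shell
#!/bin/sh
# Added example; every object name below is a placeholder.
APP_ID=abc          # application id from the thread
QA=APP.QA           # hypothetical alias on QMGR2 (where the app connects)
QR=GATEWAY.QR       # hypothetical clustered QREMOTE on QMGR1
QL=TARGET.QL        # hypothetical local queue on QMGR3
CLUS=CLUSTER.A      # hypothetical cluster shared by QMGR1 and QMGR2
# Assumption: QMGR1 already has a working route to QMGR3.

# Print the MQSC definition one queue manager needs for QA -> QR -> QL.
mqsc_for() {
  case "$1" in
    QMGR3) echo "DEFINE QLOCAL('$QL') REPLACE" ;;
    QMGR1) echo "DEFINE QREMOTE('$QR') RNAME('$QL') RQMNAME('QMGR3') CLUSTER('$CLUS') REPLACE" ;;
    QMGR2) echo "DEFINE QALIAS('$QA') TARGQ('$QR') REPLACE" ;;
    *) echo "unknown queue manager: $1" >&2; return 1 ;;
  esac
}

# Print the grants for QMGR2, the queue manager the application is bound to.
# Only the queue manager and the alias are named, not the transmit queue.
grants_for_app() {
  echo "setmqaut -m QMGR2 -t qmgr -p $APP_ID +connect"
  echo "setmqaut -m QMGR2 -n $QA -t queue -p $APP_ID +put"
}

# Read dspmqaut output on stdin; succeed if authority $1 is listed on its own line.
has_auth() {
  grep -qx "[[:space:]]*$1[[:space:]]*"
}

# Constructed dspmqaut output, in the format posted earlier in the thread.
SAMPLE_QA="Entity $APP_ID has the following authorizations for object $QA:
put"
SAMPLE_SCTQ="Entity $APP_ID has the following authorizations for object SYSTEM.CLUSTER.TRANSMIT.QUEUE:"

# Least-privilege check: put on the alias, no put on the cluster transmit queue.
audit_sample() {
  printf '%s\n' "$SAMPLE_QA" | has_auth put || return 1
  if printf '%s\n' "$SAMPLE_SCTQ" | has_auth put; then return 1; fi
  return 0
}

for qm in QMGR3 QMGR1 QMGR2; do
  echo "* $qm"
  mqsc_for "$qm"
done
grants_for_app
audit_sample && echo "audit: alias-only access confirmed"
```

On a live system, pipe `mqsc_for QMGR2` into `runmqsc QMGR2` and feed real `dspmqaut` output to `has_auth` instead of the samples.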