| Author |
Message
|
| Gideon |
 Posted: Wed Sep 21, 2011 2:30 pm Post subject: How to verify whether a trusted app is actually trusted |
 |
|
Chevalier
Joined: 18 Aug 2009
Posts: 403
|
What I am trying to do is learn how to tell if clients are running in trusted mode.
My purpose is to understand what is going on better.
I read the trusted mode documents and search the archieves of this site for how to verify trusted mode, but only found a hit about WMB
I have remote clients connecting to my qmgr on my AIX server.
Before the clients connect there is no amqrmppa process:
| Code: |
$ ps -ef | grep amqrmppa
mqm 2425806 2752740 0 22:09:00 pts/0 0:00 grep amqrmppa
$ |
When the clients connect, I find the amqrmppa process, and examine the threads:
| Code: |
$ ps -ef | grep amqrmppa
mqm 2884114 2950008 287 22:09:08 - 0:05 /usr/mqm/bin/amqrmppa -m WQM1
mqm 2425808 2752740 0 22:09:13 pts/0 0:00 grep amqrmppa
$ ps -lm -p 2884114
F S UID PID PPID C PRI NI ADDR SZ WCHAN TTY TIME CMD
240001 A 12 2884114 2950008 362 60 24 9e107c590 5696 * - 0:38 amqr
400000 R - 2 61
418400 S - 3 61
418400 S - 3 61
8410400 S - 17 68 f1000f0a1000e640
8410400 S - 13 66 f1000f0a1000eb40
418400 S - 18 69
418400 S - 22 71
418400 S - 3 61
8410400 S - 0 60 f1000f0a10012740
418400 S - 4 62
418400 S - 2 61
8410400 S - 16 68 f1000f0a10014640
410400 S - 17 68 f1000a04000e8720
8430400 S - 0 60 f1000f0a1008b040
418400 S - 16 68
418400 S - 20 70
8410400 S - 11 65 f1000f0a1008d440
400000 R - 11 65
8410400 S - 16 68 f1000f0a10090740
418400 S - 15 67
418400 S - 21 70
418400 S - 0 68
410400 S - 0 60 f1000a038071f7b0
418400 S - 3 61
418400 S - 21 70
418400 S - 3 61
8410400 S - 14 67 f1000f0a10116240
418400 S - 22 71
418400 S - 4 62
8410400 S - 12 66 f1000f0a1018d940
418400 S - 16 68
8410400 S - 19 69 f1000f0a10190640
418400 S - 16 68
400000 R - 2 61
$ |
Does this verify that my clients are connecting in trusted mode. Is there anything else I should do
Thanks
Last edited by Gideon on Thu Sep 22, 2011 6:32 am; edited 2 times in total |
|
| Back to top |
|
 |
| bruce2359 |
| Posted: Wed Sep 21, 2011 9:00 pm Post subject: Re: Verification |
|
|
Poobah
Joined: 05 Jan 2008
Posts: 9469
Location: US: west coast, almost. Otherwise, enroute.
|
| Gideon wrote: |
What I am trying to do is learn how to tell if clients are running in trusted mode.
My purpose is to understand what is going on better. |
Why would you want applications to run "trusted?" What have you read about trusted? Why do you believe that "trusted" is a benefit?
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live. |
|
| Back to top |
|
|
| Gideon |
| Posted: Thu Sep 22, 2011 5:35 am Post subject: |
|
|
Chevalier
Joined: 18 Aug 2009
Posts: 403
|
I understand that trusted apps have a problem in they can damage the qmgr if improperly written, or if you have an improperly written user exit.
What I am trying to do is increase my skill, and when I asked to examine a trusted app in the future, I can successfully verify whether that app is truly running as trusted or not
So I basically just want to learn how to verify if the apps are running as trusted to increase my understanding of MQ |
|
| Back to top |
|
|
| bruce2359 |
| Posted: Thu Sep 22, 2011 5:41 am Post subject: |
|
|
Poobah
Joined: 05 Jan 2008
Posts: 9469
Location: US: west coast, almost. Otherwise, enroute.
|
Do quick google search for wmq+trusted, or wmq+fastpath. You will discover that this is documented in the WMQ Application Programming Reference, and WMQ Application Programming Guide.
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live. |
|
| Back to top |
|
|
| bruce2359 |
| Posted: Thu Sep 22, 2011 5:42 am Post subject: |
|
|
Poobah
Joined: 05 Jan 2008
Posts: 9469
Location: US: west coast, almost. Otherwise, enroute.
|
You might also want to change the title of this post from 'verification' to something more informative - like 'what is a trusted application'. This would make it easier for others to search and find this subject.
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live. |
|
| Back to top |
|
|
| Gideon |
| Posted: Thu Sep 22, 2011 6:34 am Post subject: |
|
|
Chevalier
Joined: 18 Aug 2009
Posts: 403
|
I changed the title, and will do the google search.
Strange that how to verify if a trusted app is really trusted would be in the API |
|
| Back to top |
|
|
| exerk |
| Posted: Thu Sep 22, 2011 7:50 am Post subject: |
|
|
Jedi Council
Joined: 02 Nov 2006
Posts: 6339
|
| Gideon wrote: |
| ...What I am trying to do is increase my skill, and when I asked to examine a trusted app in the future, I can successfully verify whether that app is truly running as trusted or not... |
There is a world of difference to verifying whether an application is running trusted, and whether it should run trusted.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
|
| Back to top |
|
|
| bruce2359 |
| Posted: Thu Sep 22, 2011 7:50 am Post subject: |
|
|
Poobah
Joined: 05 Jan 2008
Posts: 9469
Location: US: west coast, almost. Otherwise, enroute.
|
| Gideon wrote: |
| Strange that how to verify if a trusted app is really trusted would be in the API |
You have misunderstood this. Let me ask you a question or two.
Are you a programmer? If so, have you ever written a bullet-proof application. By bullet-proof, I mean an application that will never fail, no matter what data is passed to it today, tomorrow, or months, or years from now. If you answered yes, you are indeed a special person - one living in a delusion of adequacy.
In order to verify that a trusted app is really trusted is to test it - over and over and over.
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live. |
|
| Back to top |
|
|
| Gideon |
| Posted: Thu Sep 22, 2011 7:58 am Post subject: |
|
|
Chevalier
Joined: 18 Aug 2009
Posts: 403
|
| exerk wrote: |
| Gideon wrote: |
| ...What I am trying to do is increase my skill, and when I asked to examine a trusted app in the future, I can successfully verify whether that app is truly running as trusted or not... |
There is a world of difference to verifying whether an application is running trusted, and whether it should run trusted. |
I totally agree, just trying to learn the basiscs in case I am asked to support a trusted app in the future that I do not have the authority to change its configuration |
|
| Back to top |
|
|
| bruce2359 |
| Posted: Thu Sep 22, 2011 8:41 am Post subject: |
|
|
Poobah
Joined: 05 Jan 2008
Posts: 9469
Location: US: west coast, almost. Otherwise, enroute.
|
| Gideon wrote: |
| ...just trying to learn the basics... |
This is not the basics. Trusted apps are an advanced subject.
There are knowns - things that you already know.
There are known unknowns - things that you know that you don't know.
There are unknown unknowns - things that you don't know that you don't know.
All software is subject to software bugs and failures. This is a known. Exactly what errors will emerge is most often an unknown unknown.
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live. |
|
| Back to top |
|
|
| Gideon |
| Posted: Thu Sep 22, 2011 9:04 am Post subject: |
|
|
Chevalier
Joined: 18 Aug 2009
Posts: 403
|
I found the API reference on this site:
http://www-01.ibm.com/support/docview.wss?uid=pub1sc34606203
but it is not online, and erquires a purchase price.
I did find some information on this site:
http://www.ibm.com/developerworks/websphere/library/techarticles/0712_dunn/0712_dunn.html
It said the following:
| Code: |
If you have decided to use trusted applications throughout one useful check to ensure that there are no agent processes is to run the command ps -ef |grep amqzlaa.
There should be none. It is difficult to identify which MQ application a particular agent is associated with. If you need to remove an agent you will have to do it by a process of elimination.
As an aside a useful command to look at the environment variables of a process is the command ps eww. This is run with a process number as an additional argument.
So run ps eww 106896 for example. This command can be used when looking to see if MQ_CONNECT_TYPE is set for an MQ listener for example. |
|
|
| Back to top |
|
|
| Gideon |
| Posted: Thu Sep 22, 2011 9:32 am Post subject: |
|
|
Chevalier
Joined: 18 Aug 2009
Posts: 403
|
The command below works great to determine if the MQ_CONNECT_TYPE is set correctly
| Code: |
| ps eww <pid of listener> |
In this website:
http://www.ibm.com/developerworks/websphere/library/techarticles/0712_dunn/0712_dunn.html
it says
| Code: |
| There should be none. It is difficult to identify which MQ application a particular agent is associated with. If you need to remove an agent you will have to do it by a process of elimination. |
What exactly does this mean?
Is it suggesting that I kill the amqzlaa and then see which application has stopped sending messages ???? (Sounds messy) |
|
| Back to top |
|
|
| bruce2359 |
| Posted: Thu Sep 22, 2011 10:00 am Post subject: |
|
|
Poobah
Joined: 05 Jan 2008
Posts: 9469
Location: US: west coast, almost. Otherwise, enroute.
|
| Gideon wrote: |
What exactly does this mean?
Is it suggesting that I kill the amqzlaa and then see which application has stopped sending messages ???? (Sounds messy) |
It means that there is no supplied way to identify which apps are managed by which agents.
"Sounds messy" is a good description for your trying to master advanced topics like this one when you are seeking to understand the basics.
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
Last edited by bruce2359 on Thu Sep 22, 2011 10:08 am; edited 1 time in total |
|
| Back to top |
|
|
| bruce2359 |
| Posted: Thu Sep 22, 2011 10:08 am Post subject: Re: How to verify whether a trusted app is actually trusted |
|
|
Poobah
Joined: 05 Jan 2008
Posts: 9469
Location: US: west coast, almost. Otherwise, enroute.
|
| Gideon wrote: |
| What I am trying to do is learn how to tell if clients are running in trusted mode. |
Can any application run as trusted?
There are documented prerequisites that must be met before an application can run as trusted. Did you discover these in your research?
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live. |
|
| Back to top |
|
|
| Gideon |
| Posted: Thu Sep 22, 2011 11:05 am Post subject: |
|
|
Chevalier
Joined: 18 Aug 2009
Posts: 403
|
I probably was not specific enough. I am trying to ensure that the channel agents that my remote client applications are connecting to on the server are trusted.
Yes, I researched the prerequisites for trusted agents, In a netshell they are:
In the qm.ini, include the following in the Channels stanza:
MQIBindType=FASTPATH
Export the following variable in the mqm environment when you start the Qmgr and the listener:
export MQ_CONNECT_TYPE=FASTPATH
Also, the calling MQI code must be wwitten with a MQCONNX call,
where the MQCNO_FASTPATH_BINDING is set to allow trusted apps
That last point begs a question,
If I set up my server to be truested with the first 2 considerations above, will the channel agents be trusted no matter if the client app is using a proper MQCONNX call or not?
I am wondering this becuase isnt the channel agent at that point independent of the app ?
Thanks |
|
| Back to top |
|
|
|
|
