ASG
IBM
Zystems
Cressida
Icon
Netflexity
 
  MQSeries.net
Search  Search       Tech Exchange      Education      Certifications      Library      Info Center      SupportPacs      LinkedIn  Search  Search                                                                   FAQ  FAQ   Usergroups  Usergroups
 
Register  ::  Log in Log in to check your private messages
 
RSS Feed - WebSphere MQ Support RSS Feed - Message Broker Support

MQSeries.net Forum Index » IBM MQ Installation/Configuration Support » Error 2035 on the users that have all needed rights

Post new topic  Reply to topic
 Error 2035 on the users that have all needed rights « View previous topic :: View next topic » 
Author Message
jumping_frog
PostPosted: Thu Feb 23, 2012 6:36 am    Post subject: Error 2035 on the users that have all needed rights Reply with quote

Newbie

Joined: 23 Feb 2012
Posts: 2

Hello,

I have got error 2035 from amqscnxc on the windows box. User that have run amqscnxc is a member of local group mqm and has all rights on the qmanager.

Here is a more detailed explanation.

I have installed MQ 7.1 on the standalone (local authentication and authorisation) windows 2003 box.

Then I have created Qmanager, Local/Remote Queues, Sender/Receiver/Server-connection channels and listener.

Connectivity with remote Qmanager have established successfully sender/receiver channel pairs are in the running state.

I was able to put data via MQExplorer to the queue and data was successfully transmitted to the corresponding queue on the remote queue manager.

That's why I have considered that installation is OK.

Than I want to test connectivity for applications application with amqscnxc but
while performing this test I have got error 2035
amqscnxc -x 10.0.10.254 -c SERVER.CHNL TEST
Sample AMQSCNXC start
Connecting to queue manager TEST
using the server connection channel SERVER.CHNL
on connection name 10.0.10.254.
MQCONNX ended with reason code 2035

It's very strange because user exists and is a member of the group mqm!
set | findstr USER
USERDOMAIN=MQ-SWIFT
USERNAME=mq_usr

user mq_usr has all needed priviledges on the qmanager TEST
dspmqaut.exe -p mq_usr -m TEST -t qmgr
Entity mq_usr has the following authorizations for object TEST:
inq
set
connect
altusr
crt
dlt
chg
dsp
setid
setall
ctrl
system

amqscnxc returns error 2035 also and for the user that can successfully connect to qmanager TEST via MQExplorer!

amqscnxc and MQExplorer was executed on the same box as Qmanager had been installed.

What's going wrong?
Back to top
View user's profile Send private message
JasonE
PostPosted: Thu Feb 23, 2012 9:25 am    Post subject: Reply with quote

Grand Master

Joined: 03 Nov 2003
Posts: 1220
Location: Hursley

If you are connecting as a client to a windows machine, if you are seeing 2035, what does the qmgr error logs tell you?

Oh... 7.1?

mqm userids will be rejected I think until you sort out the authrec stuff:

Point 1 on http://publib.boulder.ibm.com/infocenter/wmqv7/v7r1/topic/com.ibm.mq.doc/mq50110_.htm

covered under
http://publib.boulder.ibm.com/infocenter/wmqv7/v7r1/topic/com.ibm.mq.doc/mi77190_.htm
Back to top
View user's profile Send private message
jumping_frog
PostPosted: Fri Feb 24, 2012 1:19 pm    Post subject: Reply with quote

Newbie

Joined: 23 Feb 2012
Posts: 2

JasonE wrote:
If you are connecting as a client to a windows machine, if you are seeing 2035, what does the qmgr error logs tell you?

Oh... 7.1?

mqm userids will be rejected I think until you sort out the authrec stuff:

Point 1 on http://publib.boulder.ibm.com/infocenter/wmqv7/v7r1/topic/com.ibm.mq.doc/mq50110_.htm

covered under
http://publib.boulder.ibm.com/infocenter/wmqv7/v7r1/topic/com.ibm.mq.doc/mi77190_.htm

Thank you for reply. You are right.

When I removed all profiles from Channel Authentication Records and just added all priviledges to the SRV-channel with mqaut at least local connection was established successfully.
Back to top
View user's profile Send private message
mqjeff
PostPosted: Sat Feb 25, 2012 7:23 am    Post subject: Reply with quote

Grand Master

Joined: 25 Jun 2008
Posts: 17447

jumping_frog wrote:
When I removed all profiles from Channel Authentication Records and just added all priviledges to the SRV-channel with mqaut at least local connection was established successfully.


It would have been more secure to leave the default profiles alone, and add an additional profile that was specific to this channel.
Back to top
View user's profile Send private message
bruce2359
PostPosted: Sat Feb 25, 2012 10:34 am    Post subject: Reply with quote

Poobah

Joined: 05 Jan 2008
Posts: 9394
Location: US: west coast, almost. Otherwise, enroute.

mqjeff wrote:
jumping_frog wrote:
When I removed all profiles from Channel Authentication Records and just added all priviledges to the SRV-channel with mqaut at least local connection was established successfully.


It would have been more secure to leave the default profiles alone, and add an additional profile that was specific to this channel.


Best-practice dictates that you grant only those privileges that are required.

Your shotgun approach, while appearing to 'fix' the problem, merely opened up future problems, namely: future security exposures.
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
Back to top
View user's profile Send private message
Display posts from previous:   
Post new topic  Reply to topic Page 1 of 1

MQSeries.net Forum Index » IBM MQ Installation/Configuration Support » Error 2035 on the users that have all needed rights
Jump to:  



You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
Protected by Anti-Spam ACP
 
 


Theme by Dustin Baccetti
Powered by phpBB © 2001, 2002 phpBB Group

Copyright © MQSeries.net. All rights reserved.