| Author |
Message
|
| jeevan |
 Posted: Sat Jun 09, 2012 2:25 pm Post subject: amqsputc in MQ 7.1 failing with 2035/2539/2538 |
 |
|
Grand Master
Joined: 12 Nov 2005
Posts: 1432
|
Recently, I have upgraded my laptop to windows 7. also, I installed mq7.1. While verifying installation, I tried to run amqsputc with setting mqserver variable which I have done hundreds of times. But this is failing this time. I tried to read and figure out but am unable.
I used to get 2538/39 and eventually 2035.
The other things, IBM doc suggest to set dcomcnfg and I did not find ibm mqseries under DCONG node.
I tried setting mcauser
tried with giving channel authority
nothing works.
I am getting the following error
C:\Windows\system32>set MQSERVER=SYSTEM.DEF.SVRCONN/TCP/localhost(2414)
C:\Windows\system32>amqsputc Q1 MB7QMGR
Sample AMQSPUT0 start
MQCONN ended with reason code 2035
C:\Windows\system32>amqsputc Q1 MB7QMGR
Have any one of you have encountered similar issue with mq7.1/windows 7 ?
Thanks
jeevan |
|
| Back to top |
|
 |
| fjb_saper |
| Posted: Sat Jun 09, 2012 4:35 pm Post subject: |
|
|
Grand High Poobah
Joined: 18 Nov 2003
Posts: 20756
Location: LI,NY
|
channel security is different in 7.1
Think of an inbuilt ipsec2 exit that will refuse the usual all powerfull group unless told specifically to accept it...
read up on the channel authorization records and I don't mean setmqaut...
Have fun 
_________________
MQ & Broker admin |
|
| Back to top |
|
|
| jeevan |
| Posted: Sat Jun 09, 2012 6:03 pm Post subject: |
|
|
Grand Master
Joined: 12 Nov 2005
Posts: 1432
|
| fjb_saper wrote: |
channel security is different in 7.1
Think of an inbuilt ipsec2 exit that will refuse the usual all powerfull group unless told specifically to accept it...
read up on the channel authorization records and I don't mean setmqaut...
Have fun |
Thanks
I have some suspicion but was not sure. this does the magic
alter qmgr chlauth(disabled)' |
|
| Back to top |
|
|
| mqjeff |
| Posted: Sun Jun 10, 2012 2:42 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008
Posts: 17447
|
| jeevan wrote: |
I have some suspicion but was not sure. this does the magic
alter qmgr chlauth(disabled)' |
Yes, this is a workaround.
No, do not use it. It's terrible. It unlocks your entire queue manager.
Even in Dev, it's much better to just create a new chlauth record for a specific channel that allows access to mqm. It's even better to just delete the predefined rule, than to disable chlauth entirely.
DO NOT DISABLE CHLAUTH. |
|
| Back to top |
|
|
| jeevan |
| Posted: Sun Jun 10, 2012 5:00 am Post subject: |
|
|
Grand Master
Joined: 12 Nov 2005
Posts: 1432
|
| mqjeff wrote: |
| jeevan wrote: |
I have some suspicion but was not sure. this does the magic
alter qmgr chlauth(disabled)' |
Yes, this is a workaround.
No, do not use it. It's terrible. It unlocks your entire queue manager.
Even in Dev, it's much better to just create a new chlauth record for a specific channel that allows access to mqm. It's even better to just delete the predefined rule, than to disable chlauth entirely.
DO NOT DISABLE CHLAUTH. |
Yes that is next thing I have to do.
I have another issue.
After upgrading my laptop ( not the production systems) to mq7.1, when I tried to use rfhutil/MQ71 to connect to remote systems, it is giving me 2059. But I can add the queue manager successfully in explorer. Not sure what is going on ? will this chlauth cause in this case? the channel I am using for remote system is of the existing system, but the client is the 7.1. would the client also cause the issue? |
|
| Back to top |
|
|
| fjb_saper |
| Posted: Sun Jun 10, 2012 11:08 am Post subject: |
|
|
Grand High Poobah
Joined: 18 Nov 2003
Posts: 20756
Location: LI,NY
|
MQExplorer (java) and RFHUtilc just like MO71 have a different authentication mechanism / model.
I'd say working as designed... and yes it is most likely due to the user you are trying to connect with...
_________________
MQ & Broker admin |
|
| Back to top |
|
|
| jeevan |
| Posted: Sun Jun 10, 2012 2:16 pm Post subject: |
|
|
Grand Master
Joined: 12 Nov 2005
Posts: 1432
|
| fjb_saper wrote: |
MQExplorer (java) and RFHUtilc just like MO71 have a different authentication mechanism / model.
I'd say working as designed... and yes it is most likely due to the user you are trying to connect with... |
I understand that, but as I am connecting to b7.01.*, how the chlauth feature of of mq71. would affect the connection? also error code is not 2035 but 2059 . |
|
| Back to top |
|
|
| fjb_saper |
| Posted: Sun Jun 10, 2012 3:29 pm Post subject: |
|
|
Grand High Poobah
Joined: 18 Nov 2003
Posts: 20756
Location: LI,NY
|
in order to get a 2035 the user name has to be flowed through and the attempt to start the channel needs to be made. If on the other side the program shuts down the channel before even flowing the user through because it is not one of the allowed user, you may well get a 2059...
_________________
MQ & Broker admin |
|
| Back to top |
|
|
| sijtom0703 |
| Posted: Wed Nov 14, 2012 8:24 pm Post subject: |
|
|
Voyager
Joined: 28 May 2011
Posts: 84
Location: USA
|
| Quote: |
| create a new chlauth record for a specific channel that allows access to mqm. |
How can we create a new chlauth to allow access to an administrator user in Windows?? Will the below work??
SET CHLAUTH('*.SVRCONN') USERSRC(MAP) MCAUSER(<userid>)[/quote] |
|
| Back to top |
|
|
| jeevan |
| Posted: Wed Nov 21, 2012 1:29 pm Post subject: |
|
|
Grand Master
Joined: 12 Nov 2005
Posts: 1432
|
| sijtom0703 wrote: |
| Quote: |
| create a new chlauth record for a specific channel that allows access to mqm. |
How can we create a new chlauth to allow access to an administrator user in Windows?? Will the below work??
SET CHLAUTH('*.SVRCONN') USERSRC(MAP) MCAUSER(<userid>) |
[/quote]
That does not work. The admin users are blocked by blockuser rule, so you have to create another blockuser rule as follows for your particular channel:
set chlauth(yourserverconn) TYPE(BLOCKUSER) USERLIST('nobody') ACTION(ADD) |
|
| Back to top |
|
|
| sijtom0703 |
| Posted: Mon Nov 26, 2012 12:05 pm Post subject: |
|
|
Voyager
Joined: 28 May 2011
Posts: 84
Location: USA
|
| Thank you Jeevan! It worked. |
|
| Back to top |
|
|
| sijtom0703 |
| Posted: Mon Nov 26, 2012 3:07 pm Post subject: |
|
|
Voyager
Joined: 28 May 2011
Posts: 84
Location: USA
|
Hi,
Just like to know how it works! What exactly is 'nobody' here |
|
| Back to top |
|
|
| exerk |
| Posted: Tue Nov 27, 2012 2:05 am Post subject: |
|
|
Jedi Council
Joined: 02 Nov 2006
Posts: 6339
|
| sijtom0703 wrote: |
| What exactly is 'nobody' here |
Google 'linux-nobody' - learn to use Google, it can be your friend.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
|
| Back to top |
|
|
|
|
