bdurkin |
Posted: Fri Jun 29, 2012 1:31 am Post subject: MQ Server 7.5 on Linux - MQ Explorer on Windows |
|
|
Newbie
Joined: 28 Jun 2012 Posts: 4
|
Hi All,
I have been unable to get the Explorer to connect to my remote server. I keep getting Access not permitted...[AMQ4036]
I have installed a vanilla MQ Server ver 7.5 on Linux and confirmed using the sample applications amqsput and amqsget that my MQ Server is running.
I also created a vanilla (activated) user in Linux (that I could log into), that is not a member of the group mqm called 'testuser'.
The exact commands I used to configure the server are:
Code: |
sudo su
mqlicense.sh -accept
rpm -ivh MQSeriesRuntime-7.5.0-0.x86_64.rpm MQSeriesServer-7.5.0-0.x86_64.rpm
rpm -ivh MQSeriesJava-7.5.0-0.x86_64.rpm MQSeriesJRE-7.5.0-0.x86_64.rpm
rpm -ivh MQSeriesMan-7.5.0-0.x86_64.rpm MQSeriesSamples-7.5.0-0.x86_64.rpm
exit
sudo su - mqm
. /opt/mqm/bin/setmqenv -s
export PATH=$PATH:/opt/mqm/samp/bin
crtmqm -q QMA
strmqm
runmqsc
|
The commands I provide to runmqsc are:
Code: |
DEFINE QLOCAL(QUEUE1)
SET AUTHREC PROFILE(QUEUE1) OBJTYPE(QUEUE) PRINCIPAL('testuser') AUTHADD(PUT,GET)
SET AUTHREC OBJTYPE(QMGR) PRINCIPAL('testuser') AUTHADD(CONNECT)
DEFINE CHANNEL(CHANNEL1) CHLTYPE(SVRCONN) TRPTYPE(TCP)
SET CHLAUTH(CHANNEL1) TYPE(ADDRESSMAP) MCAUSER('testuser') ADDRESS('*')
DEFINE LISTENER(LISTENER1) TRPTYPE(TCP) CONTROL(QMGR) PORT(1414)
START LISTENER(LISTENER1)
END
|
On the Windows PC (logged in as myRealName):
I installed MQ Client and MQ Explorer ver 7.5 (from the Server install download, selecting client and Explorer only during a custom install) on a Windows 7 workstation.
In the System properties, I created an environment variable 'MQSERVER' with the value 'CHANNEL1/TCP/myServerIp'
In MQ Explorer I added a Queue Manager with the properties:
Queue manager name: QMA
How to connect: directly
Host name or Ip: myServerIp
port:1414
server-connection channel: CHANNEL1
User: not defined
SSL: not defined
I have tried the following variations on the Linux server (uninstalling the packages and rm -rf /var/mqm each time):
ALTER QMGR CHLAUTH(DISABLED)
Setting the user listed in the runmqsc commands to 'mqm'
Setting the user listed in the runmqsc commands to ' '
Not adding the user auth code
Please can anyone tell me what I am missing?
Also, as I have not installed an MQ Server on the Windows workstation, I have not been able to find any "sample" apps to help me test the client install. Are the client apps only available with a full server install? |
|
exerk |
Posted: Fri Jun 29, 2012 6:24 am Post subject: Re: MQ Server 7.5 on Linux - MQ Explorer on Windows |
|
|
 Jedi Council
Joined: 02 Nov 2006 Posts: 6339
|
bdurkin wrote: |
I have been unable to get the Explorer to connect to my remote server. I keep getting Access not permitted...[AMQ4036]
I have installed a vanilla MQ Server ver 7.5 on Linux and confirmed using the sample applications amqsput and amqsget that my MQ Server is running.
I also created a vanilla (activated) user in Linux (that I could log into), that is not a member of the group mqm called 'testuser'.
Please can anyone tell me what I am missing? |
What did the queue manager logs tell you?
bdurkin wrote: |
Also, as I have not installed an MQ Server on the Windows workstation, I have not been able to find any "sample" apps to help me test the client install. Are the client apps only available with a full server install? |
Yes, amqsputc and amqsgetc. _________________ It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
|
mqjeff |
Posted: Fri Jun 29, 2012 6:28 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008 Posts: 17447
|
The sample programs are usually a separate install "choice". But the choice is available with both the server and the client. |
|
RogerLacroix |
Posted: Fri Jun 29, 2012 10:44 am Post subject: |
|
|
 Jedi Knight
Joined: 15 May 2001 Posts: 3264 Location: London, ON Canada
|
Hi,
Did you issue the MQSC REFRESH SECURITY command?
Also, if you need some test applications then download MO71 or MQ Visual Edit.
Regards,
Roger Lacroix
Capitalware Inc. _________________ Capitalware: Transforming tomorrow into today.
Connected to MQ!
Twitter |
|
bdurkin |
Posted: Tue Jul 03, 2012 4:43 am Post subject: Re: MQ Server 7.5 on Linux - MQ Explorer on Windows |
|
|
Newbie
Joined: 28 Jun 2012 Posts: 4
|
exerk wrote: |
What did the queue manager logs tell you? |
The logs told me that the user WinUserName is not authorised, but I thought that the command
Code: |
SET CHLAUTH(CHANNEL1) ... MCAUSER('testuser')... |
is supposed to override the provided client user id WinUserName with the Linux user id testuser.
If I change testuser to WinUserName in the configuration, then of course I get the error
Code: |
AMQ5653: The user 'WinUserName' is not defined. |
RogerLacroix wrote: |
Did you issue the MQSC REFRESH SECURITY command |
I hadn't, but now I have and it has no effect.
So can anyone tell me how to turn the security off, as the command
Code: |
ALTER QMGR CHLAUTH(DISABLED) |
doesn't do it. |
|
exerk |
Posted: Tue Jul 03, 2012 5:03 am Post subject: |
|
|
 Jedi Council
Joined: 02 Nov 2006 Posts: 6339
|
So let me get this straight:
1. You have created testuser on the Linux box?
2. You have set the relevant authorities for testuser on the queue manager?
3. You have created a SVRCONN in the queue manager, or are using SYSTEM.ADMIN.SVRCONN, and have set the MCAUSER attribute of the SVRCONN to 'testuser' (note the quotes)?
4. You have set up the CHLAUTH for the SVRCONN being used, and/or disabled channel authorities?
5. You have installed the sample applications amqsputc and amqsgetc on your desktop?
6. You have set the MQSERVER environment variable applicable to your queue manager?
7. You have used the sample applications to test connection to your queue manager?
And from the MQ Explorer you just plug in the server IP, Port, and SVRCONN name, you don't need to explicitly create the MQSERVER environment variable. _________________ It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
|
bdurkin |
Posted: Wed Jul 04, 2012 5:00 am Post subject: |
|
|
Newbie
Joined: 28 Jun 2012 Posts: 4
|
Issue Solved.. Thanks to exerk!
I worked through exerk's checklist, and all was good till I got to point 4
exerk wrote: |
4. You have set up the CHLAUTH for the SVRCONN being used, and/or disabled channel authorities?
|
After investigating I found I needed to add the following grants in runmqsc
Code: |
SET AUTHREC PROFILE(SYSTEM.MQEXPLORER.REPLY.MODEL) OBJTYPE(QUEUE) PRINCIPAL('testuser') AUTHADD(DSP,INQ,GET)
SET AUTHREC PROFILE(SYSTEM.ADMIN.COMMAND.QUEUE) OBJTYPE(QUEUE) PRINCIPAL('testuser') AUTHADD(PUT,INQ)
SET AUTHREC OBJTYPE(QMGR) PRINCIPAL('testuser') AUTHADD(CONNECT,INQ,DSP)
|
Thus the final configuration script is
Code: |
DEFINE QLOCAL(QUEUE1)
SET AUTHREC PROFILE(QUEUE1) OBJTYPE(QUEUE) PRINCIPAL('testuser') AUTHADD(PUT,GET,DSP)
SET AUTHREC OBJTYPE(QMGR) PRINCIPAL('testuser') AUTHADD(CONNECT,INQ,DSP)
SET AUTHREC PROFILE(SYSTEM.MQEXPLORER.REPLY.MODEL) OBJTYPE(QUEUE) PRINCIPAL('testuser') AUTHADD(DSP,INQ,GET)
SET AUTHREC PROFILE(SYSTEM.ADMIN.COMMAND.QUEUE) OBJTYPE(QUEUE) PRINCIPAL('testuser') AUTHADD(PUT,INQ)
DEFINE CHANNEL(CHANNEL1) CHLTYPE(SVRCONN) TRPTYPE(TCP)
SET CHLAUTH(CHANNEL1) TYPE(ADDRESSMAP) MCAUSER('testuser') ADDRESS('*')
DEFINE LISTENER(LISTENER1) TRPTYPE(TCP) CONTROL(QMGR) PORT(1414)
START LISTENER(LISTENER1)
END
|
note: I also needed to add AUTHADD(DSP) to PROFILE(QUEUE1) so that the queue would appear in the MQ Explorer.
 |
|
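The resolution above, as an added example that is not part of the original thread: a small Python check that reads an MQSC script, finds the MCAUSER that the CHLAUTH rule maps clients to, and lists which of the authorities the solution post found MQ Explorer needed are still missing for that user. The function and constant names are this example's own; it reads only `SET AUTHREC ... AUTHADD` and `SET CHLAUTH ... MCAUSER` lines and ignores group membership, `AUTHRMV` and generic profiles.

```python
import re

# Authorities the solution post found MQ Explorer needed, keyed by
# (OBJTYPE, PROFILE). The table layout is this example's own construction.
EXPLORER_NEEDS = {
    ("QMGR", None): {"CONNECT", "INQ", "DSP"},
    ("QUEUE", "SYSTEM.MQEXPLORER.REPLY.MODEL"): {"DSP", "INQ", "GET"},
    ("QUEUE", "SYSTEM.ADMIN.COMMAND.QUEUE"): {"PUT", "INQ"},
}

def attr(cmd, name):
    """Value of NAME(...) in one MQSC command, quotes stripped, or None."""
    m = re.search(rf"\b{name}\(([^)]*)\)", cmd, re.I)
    return m.group(1).strip().strip("'") if m else None

def mapped_user(script, channel):
    """MCAUSER that a SET CHLAUTH rule assigns to clients on this channel."""
    for cmd in script.splitlines():
        if attr(cmd, "CHLAUTH") == channel and attr(cmd, "MCAUSER"):
            return attr(cmd, "MCAUSER")
    return None

def missing_for_explorer(script, channel):
    """Authorities the channel's mapped user still lacks, per object."""
    user, have = mapped_user(script, channel), {}
    for cmd in script.splitlines():
        is_grant = cmd.strip().upper().startswith("SET AUTHREC")
        if user and is_grant and attr(cmd, "PRINCIPAL") == user:
            key = (attr(cmd, "OBJTYPE").upper(), attr(cmd, "PROFILE"))
            adds = (attr(cmd, "AUTHADD") or "").upper().split(",")
            have.setdefault(key, set()).update(a.strip() for a in adds if a.strip())
    gaps = {k: need - have.get(k, set()) for k, need in EXPLORER_NEEDS.items()}
    return {k: lack for k, lack in gaps.items() if lack}

# Security-relevant lines of the first script posted in the thread.
FIRST = """\
SET AUTHREC PROFILE(QUEUE1) OBJTYPE(QUEUE) PRINCIPAL('testuser') AUTHADD(PUT,GET)
SET AUTHREC OBJTYPE(QMGR) PRINCIPAL('testuser') AUTHADD(CONNECT)
SET CHLAUTH(CHANNEL1) TYPE(ADDRESSMAP) MCAUSER('testuser') ADDRESS('*')
"""
# The same plus the grants the solution post added (AUTHADD is cumulative).
FINAL = FIRST + """\
SET AUTHREC OBJTYPE(QMGR) PRINCIPAL('testuser') AUTHADD(CONNECT,INQ,DSP)
SET AUTHREC PROFILE(SYSTEM.MQEXPLORER.REPLY.MODEL) OBJTYPE(QUEUE) PRINCIPAL('testuser') AUTHADD(DSP,INQ,GET)
SET AUTHREC PROFILE(SYSTEM.ADMIN.COMMAND.QUEUE) OBJTYPE(QUEUE) PRINCIPAL('testuser') AUTHADD(PUT,INQ)
"""

if __name__ == "__main__":
    print("first script lacks:", missing_for_explorer(FIRST, "CHANNEL1"))
    print("final script lacks:", missing_for_explorer(FINAL, "CHANNEL1"))
```

Because the channel rule maps every address to `testuser`, the authorities listed for that one user are the whole access boundary for anything that can reach the listener.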
fjb_saper |
Posted: Wed Jul 04, 2012 7:09 am Post subject: |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
bdurkin wrote: |
note: I also needed to add AUTHADD(DSP) to PROFILE(QUEUE1) so that the queue would appear in the MQ Explorer.
 |
If the purpose is to display information I usually do something like
Code: |
setmqaut -m qmgr -t q -n '**' -g group +inq +dsp |
In other words add inq and dsp...
Then add selective browsing to the queues the group should have browse access to...
Have fun  _________________ MQ & Broker admin |
|
bdurkin |
Posted: Thu Jul 05, 2012 4:20 am Post subject: |
|
|
Newbie
Joined: 28 Jun 2012 Posts: 4
|
Oh, and the answer to the final part of my original post...
bdurkin wrote: |
Also, as I have not installed an MQ Server on the Windows workstation, I have not been able to find any "sample" apps to help me test the client install. Are the client apps only available with a full server install? |
...is that on Windows the samples are installed by default to the following path (Note: The installer adds this to the Windows system path for you.. which is nice.)
Code: |
C:\Program Files\IBM\WebSphere MQ\tools\c\samples\bin |
which I had failed to find earlier because I was expecting them to be in a similar location/structure to the samples in the Unix/Linux systems which is
 |
|