LouML |
Posted: Thu Aug 16, 2012 8:23 am Post subject: Using MQS_REPORT_NOAUTH & MQSAUTHERRORS for 2035 in Wind |
|
|
 Partisan
Joined: 10 Nov 2005 Posts: 305 Location: Jersey City, NJ / Bethpage, NY
|
We are running MQ Server 7.5 on a Windows 2008 Server.
One of our clients is getting 2035 errors trying to connect. I’ve checked all the usual things and everything looks okay.
I’ve set the MQS_REPORT_NOAUTH and MQSAUTHERRORS environment variables to help diagnose the problem.
Here is the output of a set command to display the environment variables (I’ve removed all but the variables in question)
Code: |
f:\>set
. . .
MQSAUTHERRORS=TRUE
MQS_REPORT_NOAUTH=TRUE
. . .
f:\>dspmq
|
I’ve stopped and restarted the Queue Manager but I still don’t see an AMQ8077 message (like the following) I’d expect in the error log:
Code: |
----- amqrmrsa.c : 898 --------------------------------------------------------
8/16/2012 09:00:07 - Process(5236.21) User(MUSR_MQADMIN) Program(amqrmppa.exe)
Host(WEBDEV) Installation(Installation1)
VRMF(7.5.0.0) QMgr(QM.WEBDEV.01)
AMQ8077: Entity 'some-userid ' has insufficient authority to access object
‘QM.WEBDEV.01’.
EXPLANATION:
The specified entity is not authorized to access the required object. The
following requested permissions are unauthorized: connect
ACTION:
Ensure that the correct level of authority has been set for this entity against
the required object, or ensure that the entity is a member of a privileged
group.
|
I still just get the following:
Code: |
----- amqrmrsa.c : 898 --------------------------------------------------------
8/16/2012 09:00:07 - Process(5236.21) User(MUSR_MQADMIN) Program(amqrmppa.exe)
Host(WEBDEV) Installation(Installation1)
VRMF(7.5.0.0) QMgr(QM.WEBDEV.01)
AMQ9557: Queue Manager User ID initialization failed.
EXPLANATION:
The call to initialize the User ID failed with CompCode 2 and Reason 2035.
ACTION:
Correct the error and try again.
----- cmqxrsrv.c : 1972 -------------------------------------------------------
8/16/2012 09:00:07 - Process(5236.21) User(MUSR_MQADMIN) Program(amqrmppa.exe)
Host(WEBDEV) Installation(Installation1)
VRMF(7.5.0.0) QMgr(QM.WEBDEV.01)
AMQ9999: Channel 'ForRemoteClient' to host 'wiapp01dev (123.123.123.123)' ended
abnormally.
EXPLANATION:
The channel program running under process ID 5236(3256) for channel
'ForRemoteClient' ended abnormally. The host name is 'wiapp01dev
(123.123.123.123)'; in some cases the host name cannot be determined and so is
shown as '????'.
ACTION:
Look at previous error messages for the channel program in the error logs to
determine the cause of the failure. Note that this message can be excluded
completely or suppressed by tuning the "ExcludeMessage" or "SuppressMessage"
attributes under the "QMErrorLog" stanza in qm.ini. Further information can be
found in the System Administration Guide.
|
I’ve used this successfully on Unix servers but can’t seem to get it to work on Windows.
I've tried setting the variables from the command prompt and doing the endmqm and strmqm commands from there.
I've also tried setting the variables using the advanced system setting of the My Computer properties and restarting the MQ service.
_________________ Yeah, well, you know, that's just, like, your opinion, man. - The Dude |
|
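Added example (not part of the original posts): a small Python parser for the AMQERR01.LOG layout quoted in the post above. It groups each AMQ9999 channel ending with the reason codes and any AMQ8077 records written by the same process at the same timestamp. The function names, the shortened sample log and the same-process/same-timestamp correlation are assumptions made for this example.

```python
import re

# Constructed sample: the two entries quoted in the post, EXPLANATION/ACTION shortened.
SAMPLE_LOG = """\
----- amqrmrsa.c : 898 --------------------------------------------------------
8/16/2012 09:00:07 - Process(5236.21) User(MUSR_MQADMIN) Program(amqrmppa.exe)
Host(WEBDEV) Installation(Installation1)
VRMF(7.5.0.0) QMgr(QM.WEBDEV.01)
AMQ9557: Queue Manager User ID initialization failed.
EXPLANATION:
The call to initialize the User ID failed with CompCode 2 and Reason 2035.
----- cmqxrsrv.c : 1972 -------------------------------------------------------
8/16/2012 09:00:07 - Process(5236.21) User(MUSR_MQADMIN) Program(amqrmppa.exe)
Host(WEBDEV) Installation(Installation1)
VRMF(7.5.0.0) QMgr(QM.WEBDEV.01)
AMQ9999: Channel 'ForRemoteClient' to host 'wiapp01dev (123.123.123.123)' ended
abnormally.
"""

SEP = re.compile(r"^-{5} (\S+) : (\d+) -+$", re.M)
HEAD = re.compile(r"^(\S+ \S+) - Process\(([\d.]+)\)", re.M)
MSG = re.compile(r"^(AMQ\d{4}): (.*?)(?=^EXPLANATION:|\Z)", re.M | re.S)

def parse_entries(text):
    """Split the log on its '----- file : line -----' separators, one dict per entry."""
    parts = SEP.split(text)[1:]  # repeating triples: source file, line, entry body
    entries = []
    for src, line, body in zip(parts[0::3], parts[1::3], parts[2::3]):
        head, msg = HEAD.search(body), MSG.search(body)
        if head and msg:  # skip truncated or unrecognised entries
            reason = re.search(r"Reason (\d{4})", body)
            chan = re.search(r"Channel '([^']+)'", body)
            entries.append({"source": f"{src}:{line}", "when": head[1], "process": head[2],
                            "id": msg[1], "text": " ".join(msg[2].split()),
                            "reason": reason and int(reason[1]), "channel": chan and chan[1]})
    return entries

def triage(entries):
    """Per ended channel (AMQ9999): reason codes and AMQ8077 texts, same process and time."""
    out = []
    for e in (x for x in entries if x["id"] == "AMQ9999" and x["channel"]):
        peers = [p for p in entries if (p["when"], p["process"]) == (e["when"], e["process"])]
        out.append({"channel": e["channel"],
                    "reasons": sorted({p["reason"] for p in peers if p["reason"]}),
                    "amq8077": [p["text"] for p in peers if p["id"] == "AMQ8077"]})
    return out

if __name__ == "__main__":
    print(triage(parse_entries(SAMPLE_LOG)))
```

For the log in the post this reports channel ForRemoteClient with reason 2035 and an empty AMQ8077 list, that is, a 2035 logged without an entity-level authority record beside it.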
exerk |
Posted: Thu Aug 16, 2012 8:36 am Post subject: |
|
|
 Jedi Council
Joined: 02 Nov 2006 Posts: 6339
|
I've never had to set the variables for Windows, only ever on *nix.
I notice it's stating that the MUSR_MQADMIN userid failed initialisation, so are you running the service under that user and logging on as a domain user? What does Task Manager state the amqpsrvn.exe and amqsvc.exe processes are running under?
_________________ It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
|
zpat |
Posted: Thu Aug 16, 2012 9:46 am Post subject: |
|
|
 Jedi Council
Joined: 19 May 2001 Posts: 5866 Location: UK
|
What does MQSAUTHERRORS do? Why are two variables needed?
You can also enable queue manager auth events and look at the event messages. |
|
gbaddeley |
Posted: Fri Aug 17, 2012 2:26 am Post subject: Re: Using MQS_REPORT_NOAUTH & MQSAUTHERRORS for 2035 in |
|
|
 Jedi Knight
Joined: 25 Mar 2003 Posts: 2538 Location: Melbourne, Australia
|
LouML wrote: |
We are running MQ Server 7.5 on a Windows 2008 Server.
One of our clients is getting 2035 errors trying to connect. I’ve checked all the usual things and everything looks okay.
I’ve set the MQS_REPORT_NOAUTH and MQSAUTHERRORS environment variables to help diagnose the problem. |
I don't think these are relevant for MQ 7.5. OAM authority errors should always appear in the error logs. On Windows, they will also appear in the Windows App Event log. ALTER QMGR AUTHOREV(ENABLED) should also produce event messages for OAM authority errors.
Quote: |
I still just get the following:
Code: |
----- amqrmrsa.c : 898 --------------------------------------------------------
8/16/2012 09:00:07 - Process(5236.21) User(MUSR_MQADMIN) Program(amqrmppa.exe)
Host(WEBDEV) Installation(Installation1)
VRMF(7.5.0.0) QMgr(QM.WEBDEV.01)
AMQ9557: Queue Manager User ID initialization failed.
EXPLANATION:
The call to initialize the User ID failed with CompCode 2 and Reason 2035.
ACTION:
Correct the error and try again.
|
|
I think this is the MCA process trying to use queue manager userid (MUSR_MQADMIN), not an OAM authority error. Is it in the mqm group?
Is it missing some other Windows security right?
_________________ Glenn |
|
LouML |
Posted: Fri Aug 17, 2012 6:15 am Post subject: |
|
|
 Partisan
Joined: 10 Nov 2005 Posts: 305 Location: Jersey City, NJ / Bethpage, NY
|
MUSR_MQADMIN is in the mqm group.
All of the MQ processes are running as MUSR_MQADMIN
The WebSphere MQ service is also running under MUSR_MQADMIN
I altered the queue manager to set AUTHOREV(ENABLED)
I've stopped/restarted the queue manager but still don't see the AMQ8077
The only errors I see in the Windows Application Event log are the same as are in the AMQERR01.LOG
_________________ Yeah, well, you know, that's just, like, your opinion, man. - The Dude |
|
exerk |
Posted: Fri Aug 17, 2012 6:40 am Post subject: |
|
|
 Jedi Council
Joined: 02 Nov 2006 Posts: 6339
|
Define another user and put it in the mqm group. Set up the relevant processes to run under that user and see if the issue persists.
_________________ It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
|
fjb_saper |
Posted: Sat Aug 18, 2012 7:48 am Post subject: |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
HELLO! V7.5! mqm group on SVRCONN channel denied by default!
the manual
Look at the authorization records for the channel...
Also consider administration via remote qmgr with SSL on all SVRCONN...
Have fun
_________________ MQ & Broker admin |
|
exerk |
Posted: Sat Aug 18, 2012 10:28 am Post subject: |
|
|
 Jedi Council
Joined: 02 Nov 2006 Posts: 6339
|
fjb_saper wrote: |
HELLO! V7.5! mqm group on SVRCONN channel denied by default!
the manual
Look at the authorization records for the channel...
Also consider administration via remote qmgr with SSL on all SVRCONN...
Have fun  |
And having read back the OP and seen 'AMQ9999: Channel 'ForRemoteClient' to host 'wiapp01dev (123.123.123.123)' ended abnormally.' I hold up my hand and say - doh!
_________________ It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
|
LouML |
Posted: Tue Sep 04, 2012 3:33 am Post subject: |
|
|
 Partisan
Joined: 10 Nov 2005 Posts: 305 Location: Jersey City, NJ / Bethpage, NY
|
fjb_saper wrote: |
HELLO! V7.5! mqm group on SVRCONN channel denied by default!
the manual
Look at the authorization records for the channel...
Also consider administration via remote qmgr with SSL on all SVRCONN...
Have fun  |
We have the following channel authorizations for this channel:
Code: |
dis chlauth('ForRemoteClient')
9 : dis chlauth('ForRemoteClient')
AMQ8878: Display channel authentication record details.
CHLAUTH(ForRemoteClient) TYPE(ADDRESSMAP)
DESCR( ) CUSTOM( )
ADDRESS(*) MCAUSER(STCCFO_svc)
USERSRC(MAP) WARN(NO)
ALTDATE(2012-09-04) ALTTIME(06.55.44)
AMQ8878: Display channel authentication record details.
CHLAUTH(ForRemoteClient) TYPE(BLOCKUSER)
DESCR( ) CUSTOM( )
USERLIST(NOUSER) WARN(NO)
ALTDATE(2012-08-21) ALTTIME(09.12.00)
|
I can connect from my own client server as mqm and my own AD account
Code: |
-bash-3.00$ /opt/mqm/samp/bin/amqscnxc -x 'wiapp05dev(1414)' -c 'ForRemoteClient'
Sample AMQSCNXC start
Connecting to the default queue manager
using the server connection channel 'ForRemoteClient'
on connection name wiapp05dev(1414).
Connection established to queue manager QM.WEBINFDEV.01
Sample AMQSCNXC end
-bash-3.00$ |
_________________ Yeah, well, you know, that's just, like, your opinion, man. - The Dude |
|
mqjeff |
Posted: Tue Sep 04, 2012 4:02 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008 Posts: 17447
|
Try changing WARN() on the addressmap to YES. |
|
LouML |
Posted: Tue Sep 04, 2012 4:22 am Post subject: |
|
|
 Partisan
Joined: 10 Nov 2005 Posts: 305 Location: Jersey City, NJ / Bethpage, NY
|
mqjeff wrote: |
Try changing WARN() on the addressmap to YES. |
Doesn't allow the WARN(YES) or WARN(NO) but defaults to NO when omitted.
Code: |
set chlauth(‘ForRemoteClient’) TYPE(addressmap) ADDRESS(*) USERSRC(map) MCAUSER('STCCFO_svc') WARN(YES) ACTION(replace)
41 : set chlauth(‘ForRemoteClient’) TYPE(addressmap) ADDRESS(*) USERSRC(map) MCAUSER('STCCFO_svc') WARN(YES) ACTION(replace)
AMQ8886: Parameter not allowed for this channel authentication record user source value.
set chlauth(‘ForRemoteClient’) TYPE(addressmap) ADDRESS(*) USERSRC(map) MCAUSER('STCCFO_svc') WARN(NO) ACTION(replace)
42 : set chlauth(‘ForRemoteClient’) TYPE(addressmap) ADDRESS(*) USERSRC(map) MCAUSER('STCCFO_svc') WARN(NO) ACTION(replace)
AMQ8886: Parameter not allowed for this channel authentication record user source value.
set chlauth(‘ForRemoteClient’) TYPE(addressmap) ADDRESS(*) USERSRC(map) MCAUSER('STCCFO_svc') ACTION(replace)
43 : set chlauth(‘ForRemoteClient’) TYPE(addressmap) ADDRESS(*) USERSRC(map) MCAUSER('STCCFO_svc') ACTION(replace)
AMQ8877: WebSphere MQ channel authentication record set.
:
:
dis chlauth(‘ForRemoteClient’)
44 : dis chlauth(CH.WEBINFDEV.CLIENT)
AMQ8878: Display channel authentication record details.
CHLAUTH(‘ForRemoteClient’) TYPE(ADDRESSMAP)
DESCR( ) CUSTOM( )
ADDRESS(*) MCAUSER(STCCFO_svc)
USERSRC(MAP) WARN(NO)
ALTDATE(2012-09-04) ALTTIME(08.17.36)
AMQ8878: Display channel authentication record details.
CHLAUTH(‘ForRemoteClient’) TYPE(BLOCKUSER)
DESCR( ) CUSTOM( )
USERLIST(NOUSER) WARN(NO)
ALTDATE(2012-08-21) ALTTIME(09.14.56)
|
_________________ Yeah, well, you know, that's just, like, your opinion, man. - The Dude |
|
mqjeff |
Posted: Tue Sep 04, 2012 4:23 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008 Posts: 17447
|
Huh. Okay.
Can you tell if the addressmap is in effect when you connect from your mqm user? i.e. that you are being mapped into the correct user? |
|
LouML |
Posted: Thu Sep 06, 2012 7:11 am Post subject: |
|
|
 Partisan
Joined: 10 Nov 2005 Posts: 305 Location: Jersey City, NJ / Bethpage, NY
|
I disabled CHLAUTH on the Queue Manager and he still gets 2035
Code: |
dis qmgr chlauth
2 : dis qmgr chlauth
AMQ8408: Display Queue Manager details.
QMNAME(QM.WEBINFDEV.01) CHLAUTH(DISABLED)
|
_________________ Yeah, well, you know, that's just, like, your opinion, man. - The Dude |
|
iceage |
Posted: Tue Sep 11, 2012 10:19 am Post subject: |
|
|
 Acolyte
Joined: 12 Apr 2006 Posts: 68
|
What's the MCAUSER on this channel?
And I see in your CHLAUTH records (I haven't used this feature) MCAUSER(STCCFO_svc), do you have STCCFO_svc defined in your system?
From the errors reported, looks like your connections are failing to start the channel itself. You will see AMQ8077 once the client connects and fails due to lack of authorization. |
|
LouML |
Posted: Wed Sep 12, 2012 4:50 am Post subject: |
|
|
 Partisan
Joined: 10 Nov 2005 Posts: 305 Location: Jersey City, NJ / Bethpage, NY
|
iceage wrote: |
What's the MCAUSER on this channel?
And I see in your CHLAUTH records (I haven't used this feature) MCAUSER(STCCFO_svc), do you have STCCFO_svc defined in your system?
From the errors reported, looks like your connections are failing to start the channel itself. You will see AMQ8077 once the client connects and fails due to lack of authorization. |
The MCAUSER on the channel is STCCFO_svc and it is defined on the server.
The channel starts when I try to connect so I know the channel 'can' start.
Starting from scratch - I've re-enabled channel authorization on the queue manager and stopped/restarted it. I've removed all other channel authorizations so I'm left with the following:
Code: |
dis chlauth(*)
16 : dis chlauth(*)
AMQ8878: Display channel authentication record details.
CHLAUTH(CH.WEBINFDEV.CLIENT) TYPE(BLOCKUSER)
USERLIST(NOUSER)
AMQ8878: Display channel authentication record details.
CHLAUTH(SYSTEM.*) TYPE(ADDRESSMAP)
ADDRESS(*) USERSRC(NOACCESS)
dis chl(CH.WEBINFDEV.CLIENT)
17 : dis chl(CH.WEBINFDEV.CLIENT)
AMQ8414: Display Channel details.
CHANNEL(CH.WEBINFDEV.CLIENT) CHLTYPE(SVRCONN)
ALTDATE(2012-09-12) ALTTIME(07.43.59)
COMPHDR(NONE) COMPMSG(NONE)
DESCR( ) DISCINT(0)
HBINT(300) KAINT(AUTO)
MAXINST(999999999) MAXINSTC(999999999)
MAXMSGL(4194304) MCAUSER(MUSR_MQADMIN)
MONCHL(QMGR) RCVDATA( )
RCVEXIT( ) SCYDATA( )
SCYEXIT( ) SENDDATA( )
SENDEXIT( ) SHARECNV(10)
SSLCAUTH(REQUIRED) SSLCIPH( )
SSLPEER( ) TRPTYPE(TCP)
|
I can connect from a Unix server when I'm the 'mqm' userid:
Code: |
-bash-3.00$ /opt/mqm/samp/bin/amqscnxc -x 'wiapp05dev(6060)' -c CH.WEBINFDEV.CLIENT
Sample AMQSCNXC start
Connecting to the default queue manager
using the server connection channel CH.WEBINFDEV.CLIENT
on connection name wiapp05dev(6060).
Connection established to queue manager QM.WEBINFDEV.01
Sample AMQSCNXC end
-bash-3.00$
|
I had a colleague try to connect from a Unix server logged in as his own userid (not in the 'mqm' group) and he was also successful:
Code: |
$ /opt/mqm/samp/bin/amqscnxc -x 'wiapp05dev(6060)' -c CH.WEBINFDEV.CLIENT
Sample AMQSCNXC start
Connecting to the default queue manager
using the server connection channel CH.WEBINFDEV.CLIENT
on connection name wiapp05dev(6060).
Connection established to queue manager QM.WEBINFDEV.01
Sample AMQSCNXC end
$ |
MUSR_MQADMIN exists on the Windows Server and all MQ processes are running under this userid.
As far as I can tell, this is the most 'open' a 7.5 queue manager with channel authorization enabled can be.
_________________ Yeah, well, you know, that's just, like, your opinion, man. - The Dude |
|