| Author |
Message
|
| kishoreraju |
 Posted: Fri Oct 05, 2012 7:58 am Post subject: CICS request Node Error in Message broker 8 |
 |
|
Disciple
Joined: 30 Sep 2004
Posts: 156
|
When i am trying to call a CICS program using a CICS Node getting the below Error
CTG9631E Error occurred during interaction with CICS: ECI_ERR_SECURITY_ERROR, error code: -27
Please help to resolve the issue. |
|
| Back to top |
|
 |
| lancelotlinc |
| Posted: Fri Oct 05, 2012 8:04 am Post subject: |
|
|
Jedi Knight
Joined: 22 Mar 2010
Posts: 4941
Location: Bloomington, IL USA
|
Specify the correct user credentials.
| Quote: |
| With application security enabled, when you run the ear file from launchClient, a dialog prompts you to supply the security credentials (username and password). Because the application is being authenticated against the LDAP registry, you must supply the "username" (in reality a Distinguished Name) that has been defined in the LDAP registry (uid=CTGuser1,ou=TMS,dc=CTGTest,o=COMPANYCTG). The password is also required. You now see the return code ECI_ERR_SECURITY_ERROR and a Java stack trace in the console. |
Follow the step-by-step procedure to complete the CICS bridge configuration:
http://publib.boulder.ibm.com/infocenter/cicstgzo/v8r0/index.jsp?topic=%2Fcom.ibm.cics.tg.zos.doc%2Fctgzos%2Fsc_idprop_check.html
_________________
http://leanpub.com/IIB_Tips_and_Tricks
Save $20: Coupon Code: MQSERIES_READER |
|
| Back to top |
|
|
| McueMart |
| Posted: Fri Oct 05, 2012 8:47 am Post subject: |
|
|
Chevalier
Joined: 29 Nov 2011
Posts: 490
Location: UK...somewhere
|
@lancelotlinc - the links you provide are instructions on setting up ID propagation with CICS TG. This is unlikely to be the issue with the OP is having.
More likely they just haven't set the credential (security identity) correctly for their CICS node (mqsisetdbparms). Or the user id they are trying to use has been revoked. There are plenty of things which cause a ECI_ERR_SECURITY_ERROR |
|
| Back to top |
|
|
| kishoreraju |
| Posted: Fri Oct 05, 2012 9:47 am Post subject: |
|
|
Disciple
Joined: 30 Sep 2004
Posts: 156
|
| I have created the security Identity and configured CICS request node with same but still getting the same error. |
|
| Back to top |
|
|
| mqjeff |
| Posted: Fri Oct 05, 2012 9:48 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008
Posts: 17447
|
| kishoreraju wrote: |
| I have created the security Identity and configured CICS request node with same but still getting the same error. |
Can you show as much of the configuration as you have done - without showing things like the actual password, of course. |
|
| Back to top |
|
|
| kishoreraju |
| Posted: Fri Oct 05, 2012 10:12 am Post subject: |
|
|
Disciple
Joined: 30 Sep 2004
Posts: 156
|
Here are the properties i have configured in the CICS Node:
CICS Server:tcp://myserver5:3301
ProgramName:* please do not use *
Datastructure:Commarea
Lenght :10222
SecurityIdentity:CICSSECID
Timeout:CICSSECID
Miror Transcation ID :B191
Below is te command i ran for the security idnentity.
mqsisetdbparms MB8BROKER -n cics::CICSSECID -u myuserid -p ggg
Do we need to create any security profile and get it propagated to CICS gateway to get this working. |
|
| Back to top |
|
|
| McueMart |
| Posted: Fri Oct 05, 2012 4:36 pm Post subject: |
|
|
Chevalier
Joined: 29 Nov 2011
Posts: 490
Location: UK...somewhere
|
| Have a look in your CICS log and see what it says is causing the security error. |
|
| Back to top |
|
|
| kishoreraju |
| Posted: Mon Oct 08, 2012 6:23 am Post subject: |
|
|
Disciple
Joined: 30 Sep 2004
Posts: 156
|
| CICS is not receiving any user id so it is trying to run with deault user id .because of that it failing in CICS |
|
| Back to top |
|
|
| lancelotlinc |
| Posted: Mon Oct 08, 2012 6:27 am Post subject: |
|
|
Jedi Knight
Joined: 22 Mar 2010
Posts: 4941
Location: Bloomington, IL USA
|
| McueMart wrote: |
| @lancelotlinc - the links you provide are instructions on setting up ID propagation with CICS TG. This is unlikely to be the issue with the OP is having. |
@McueMart - Why do you say that?
| kishoreraju wrote: |
| CICS is not receiving any user id so it is trying to run with deault user id .because of that it failing in CICS |
_________________
http://leanpub.com/IIB_Tips_and_Tricks
Save $20: Coupon Code: MQSERIES_READER |
|
| Back to top |
|
|
| McueMart |
| Posted: Mon Oct 08, 2012 6:48 am Post subject: |
|
|
Chevalier
Joined: 29 Nov 2011
Posts: 490
Location: UK...somewhere
|
| Quote: |
| @McueMart - Why do you say that? |
Because ID Propagation (in the CTG context) relates to propagating identities from WAS on to CICS. It doesnt work with the CICSRequest node. (Here's some bedtime reading if you want to understand ID Propagation in the CICS TG context http://enterprisesystemsmedia.com/article/cics-and-identity-propagation-solving-the-end-to-end-security-challenge )
@kishoreraju - You need to figure out why your request is being sent with no credentials despite your statement that the Security Identity is correctly configured (mqsisetdbparms). Possibly the next step is a user trace, although I dont believe this will actually show you much of the internal workings of the CICSRequest node (sorry havent used the CICSRequest node in broker much!)
From the looks if it you are going directly to CICS with your request (local mode/2-tier topology), possibly if you go via CICS TG (remote mode/3-tier topology), you will be able to enable tracing on CICS TG to see whats going on. |
|
| Back to top |
|
|
| McueMart |
| Posted: Mon Oct 08, 2012 7:03 am Post subject: |
|
|
Chevalier
Joined: 29 Nov 2011
Posts: 490
Location: UK...somewhere
|
|
| Back to top |
|
|
| kishoreraju |
| Posted: Mon Oct 08, 2012 7:27 am Post subject: |
|
|
Disciple
Joined: 30 Sep 2004
Posts: 156
|
| do you think its good candidate for PMR with IBM |
|
| Back to top |
|
|
| McueMart |
| Posted: Mon Oct 08, 2012 7:45 am Post subject: |
|
|
Chevalier
Joined: 29 Nov 2011
Posts: 490
Location: UK...somewhere
|
| First use a User Trace to try and determine if you can see what the issue is yourself. Have you definitely restarted the execution group since your created the security identity with mqsisetdbparms? |
|
| Back to top |
|
|
| wbi_telecom |
| Posted: Tue Oct 09, 2012 4:40 am Post subject: |
|
|
Disciple
Joined: 15 Feb 2006
Posts: 188
Location: Harrisburg, PA
|
We have been using CICSRequest node in 2 tier architecture in Version 7. There are 2 steps that need to be done to get it working from security standpoint. One is creating a securtiy identity which is done by the broker admins using the CICS credentials (RACF and password) and the second one is the creation of IPCONN which is done by the CICSAdmins on their end. Also the IPCONN is for an execution group on a broker which means you cannot run the same flow in 2 execution groups on a broker using the same IPCONN.
You will have to involve your CICS admins and ask them to create the IPCONN. They will need some information from you to create one. So if you have multiple brokers, you will need to create one for each. I believe this information is available in infocenter.
If you were to contact the IBM support, please make sure you tell them that you are using a 2 tier architecture (I assume you are). Usually they assume that you are using a CICS transaction gateway which delays the resolution. CICSRequest node errors come with CTG prefix which makes everything that CICS Transaction gateway is involved even if its not.
Cheers, |
|
| Back to top |
|
|
| McueMart |
| Posted: Tue Oct 09, 2012 4:58 am Post subject: |
|
|
Chevalier
Joined: 29 Nov 2011
Posts: 490
Location: UK...somewhere
|
| I think the OP must already have an IPCONN configured else they would probably be seeing an connection based error, rather than the security error they are seeing. This does bring up the question of what the USERAUTH setting is on the IPCONN though. I believe it should be set to VERIFY if you intend to send a user/password on the request. |
|
| Back to top |
|
|
|
|
