| |
|
RSS Feed - WebSphere MQ Support
|
RSS Feed - Message Broker Support
|
  |
|
| Using RQMNAME auths instead of granting SCTQ access |
« View previous topic :: View next topic » |
| Author |
Message
|
| w33f |
 Posted: Mon Dec 09, 2013 3:05 am Post subject: Using RQMNAME auths instead of granting SCTQ access |
 |
|
Novice
Joined: 07 Nov 2013
Posts: 17
|
Hey guys
I've been playing around for a few hours but can't see what I'm doing wrong..
So I've got 2 7.5.0.1 qmgrs in a cluster(QM1 the local qmgr, and QM2, another qmgr in the same cluster), I've got this this parameter in the qm.ini file of QM1 (and yes, I've since bounced the qmgr many times after the change):
| Code: |
Security:
ClusterQueueAccessControl=RQMName
|
Secondly, I've got the following AUTHREC set in QM1:
| Code: |
dis authrec PROFILE(QM2)
1 : dis authrec PROFILE(QM2)
AMQ8864: Display authority record details.
PROFILE(QM2) ENTITY(mqgtwy)
ENTTYPE(GROUP) OBJTYPE(RQMNAME)
AUTHLIST(PUT)
AMQ8864: Display authority record details.
PROFILE(QM2) ENTITY(mqm)
ENTTYPE(GROUP) OBJTYPE(QUEUE)
AUTHLIST(BROWSE,CHG,CLR,DLT,DSP,GET,INQ,PUT,PASSALL,PASSID,SET,SETALL,SETID)
|
I'm trying to put to a local unclustered queue on QM2 from this qmgr using a SVRCONN channel where mqgtwy is the MCAUSER.
Running this command (put to the queue on QM2 using server bindings) works fine:
./q -oQM2/REPLY.QUEUE.TEST -m QM1
However running this command (going through the SVRCONN channel with mqgtwy to do the same thing):
./q -oQM2/REPLY.QUEUE.TEST -m QM1 -lmqic
Comes up with the following error in the logs:
| Code: |
-------------------------------------------------------------------------------
12/09/2013 09:38:08 PM - Process(22909.12) User(mqm) Program(amqzlaa0)
Host(***) Installation(Installation1)
VRMF(7.5.0.1) QMgr(QM1)
AMQ8077: Entity 'mqgtwy ' has insufficient authority to access object
'SYSTEM.CLUSTER.TRANSMIT.QUEUE'.
EXPLANATION:
The specified entity is not authorized to access the required object. The
following requested permissions are unauthorized: put
ACTION:
Ensure that the correct level of authority has been set for this entity against
the required object, or ensure that the entity is a member of a privileged
group.
----- amqzfubx.c : 624 --------------------------------------------------------
|
Am I missing something? Based on what I've read, this setting in qm.ini + the authrec should bypass the need to grant SCTQ permissions for mqgtwy. Just to clarify, the command I used to set the AUTHREC was:
SET AUTHREC OBJTYPE(RQMNAME) PROFILE(QM2) GROUP(‘mqgtwy’) AUTHADD(PUT) |
|
| Back to top |
|
 |
| PeterPotkay |
| Posted: Mon Dec 09, 2013 5:01 am Post subject: |
|
|
Poobah
Joined: 15 May 2001
Posts: 7716
|
|
| Back to top |
|
|
| w33f |
| Posted: Mon Dec 09, 2013 6:48 pm Post subject: |
|
|
Novice
Joined: 07 Nov 2013
Posts: 17
|
Thanks mate, I went and tried this on a couple of other qmgrs, making sure to follow the order:
1. Update qm.ini
2. Bounce the qmgr
3. Add the authrec profile
4. Send the message
And it worked both times... Maybe this qmgr is just munted or something. I've raised a PMR just to try to find the root cause, will let you know if I get anything. |
|
| Back to top |
|
|
| PeterPotkay |
| Posted: Tue Dec 10, 2013 4:38 am Post subject: |
|
|
Poobah
Joined: 15 May 2001
Posts: 7716
|
Was the MQ version and operating system the same on the other QMs where it worked? Just guessing...
_________________
Peter Potkay
Keep Calm and MQ On |
|
| Back to top |
|
|
| Vitor |
| Posted: Tue Dec 10, 2013 6:04 am Post subject: |
|
|
Grand High Poobah
Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA
|
| w33f wrote: |
| I've raised a PMR just to try to find the root cause, will let you know if I get anything. |
Please do. This is an interesting issue which I'd like to know the final outcome of. Especially if there's any clue from IBM as to how the qmgr was munted, deliberately or accidentally.
_________________
Honesty is the best policy.
Insanity is the best defence. |
|
| Back to top |
|
|
| w33f |
| Posted: Tue Dec 10, 2013 7:18 pm Post subject: |
|
|
Novice
Joined: 07 Nov 2013
Posts: 17
|
Ok, so turns out I'm a moron. For some reason when I first started playing around with it I'd defined a qremote qmgr alias for QM2 on QM1 and forgot about it, then when I stumbled across it later I deleted it and it all started working! It even shows up in my first post as the 2nd QM2 object when displaying the authrecs for the QM2 profile.
I assume having the qremote there would have overidden the fact that QM2 was a clusqmgr and when the message was resolved to the local qmgr alias, it would've ignored the rqmname authrec due to it being a local object and that's why it tried to use the SCTQ. |
|
| Back to top |
|
|
|
|
|
| |
|
Page 1 of 1 |
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
|
|
|
