pintrader |
Posted: Mon Aug 25, 2014 5:07 am Post subject: Permission to system queues or objects |
|
|
Disciple
Joined: 22 Jan 2014 Posts: 164
|
Hi,
Is there a list of permissions to the system queues or system objects that I must set in order for any client connection or connection from another Qmgr to be able to use my Qmgr resources?
Thanks |
|
mqjeff |
Posted: Mon Aug 25, 2014 5:14 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008 Posts: 17447
|
You should set absolutely no permission on any system queues for anything.
So, whatever problem you're trying to solve by setting permissions on system queues, that's the wrong way to solve it.
What problem are you trying to solve? |
|
pintrader |
Posted: Mon Aug 25, 2014 5:43 am Post subject: |
|
|
Disciple
Joined: 22 Jan 2014 Posts: 164
|
mqjeff wrote: |
You should set absolutely no permission on any system queues for anything.
So, whatever problem you're trying to solve by setting permissions on system queues, that's the wrong way to solve it.
What problem are you trying to solve? |
Hi, thanks for the reply. Something like SYSTEM.CHANNEL.SYNCQ? (and maybe others). I believe SYSTEM.CHANNEL.SYNCQ is only used by Qmgr? Does a normal user need permission to put to this queue? |
|
smdavies99 |
Posted: Mon Aug 25, 2014 5:53 am Post subject: |
|
|
 Jedi Council
Joined: 10 Feb 2003 Posts: 6076 Location: Somewhere over the Rainbow this side of Never-never land.
|
Would you please care to explain how you came to the conclusion that you needed to set auth on some (random) SYSTEM.* object in order to get a client to work?
Have you gone through the process of actually getting a client to work?
_________________
WMQ User since 1999
MQSI/WBI/WMB/'Thingy' User since 2002
Linux user since 1995
Every time you reinvent the wheel the more square it gets (anon). If in doubt think and investigate before you ask silly questions. |
|
mqjeff |
Posted: Mon Aug 25, 2014 7:16 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008 Posts: 17447
|
mqjeff wrote: |
What problem are you trying to solve? |
|
|
fjb_saper |
Posted: Mon Aug 25, 2014 7:25 am Post subject: |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
The only system queue you may need to have permissions for, is the qmgr's DEAD.LETTER.QUEUE. And if you did your homework it should not start with SYSTEM, but use the SYSTEM.DEAD.LETTER.QUEUE as a constructor template...
_________________
MQ & Broker admin |
|
bruce2359 |
Posted: Mon Aug 25, 2014 9:04 am Post subject: |
|
|
 Poobah
Joined: 05 Jan 2008 Posts: 9469 Location: US: west coast, almost. Otherwise, enroute.
|
fjb_saper wrote: |
The only system queue you may need to have permissions for, is the qmgr's DEAD.LETTER.QUEUE. And if you did your homework it should not start with SYSTEM, but use the SYSTEM.DEAD.LETTER.QUEUE as a constructor template...  |
Allow me to disagree a bit.
End-users should not have permission to use the queue manager dead-letter queue. Its use is proscribed and well documented, and includes down-stream receiver MCAs depositing undeliverable messages, upstream sender channels that fail to convert outbound messages, and failed trigger messages. None of these activities are end-user activities.
Use as an application-oriented dead-letter queue, imposed by the message-broker/IIB, is an irritating exception.
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live. |
|
Vitor |
Posted: Mon Aug 25, 2014 9:15 am Post subject: |
|
|
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
|
bruce2359 wrote: |
Use as an application-oriented dead-letter queue, imposed by the message-broker/IIB, is an irritating exception. |
Only if the input queue in use by WMB/IIB fails to provide a back out queue. If that is defined, the software uses that.
Also it would be more irritating if the software did not use the queue manager's dead letter queue and fell to a poison message scenario.
Note also that the software follows the rules, adds a DLH and uses the provided range of reason codes.
_________________
Honesty is the best policy.
Insanity is the best defence. |
|
smdavies99 |
Posted: Mon Aug 25, 2014 10:22 am Post subject: |
|
|
 Jedi Council
Joined: 10 Feb 2003 Posts: 6076 Location: Somewhere over the Rainbow this side of Never-never land.
|
Vitor wrote: |
bruce2359 wrote: |
Use as an application-oriented dead-letter queue, imposed by the message-broker/IIB, is an irritating exception. |
Only if the input queue in use by WMB/IIB fails to provide a back out queue. If that is defined, the software uses that.
Also it would be more irritating if the software did not use the queue manager's dead letter queue and fell to a poison message scenario.
Note also that the software follows the rules, adds a DLH and uses the provided range of reason codes. |
Very good explanation Vitor. The other use of the DLQ is for overflow messages when the BOQ becomes full. Yes it does happen. Ok it is rare but it does sometimes happen.
I know of a few sites where there is/was no DLQ, system or otherwise. They prefer to live with poison messages etc. Sigh. One was done because an IBM consultant said that DLQs were not needed.
My (And our standard) is that the System DLQ is not SYSTEM..QUEUE but {QMGRNAME}..QUEUE and that all users who write to duly auth'd local queues and BOQs are also auth'd to write to the DLQ. What happens when the BOQ gets full? If you can't write to the DLQ then you are in a poison message situation.
Sometimes you have to be pragmatic in order to make things work especially where you have systems located where there are no trained MQ or Broker admins on site.
Hopefully they
_________________
WMQ User since 1999
MQSI/WBI/WMB/'Thingy' User since 2002
Linux user since 1995
Every time you reinvent the wheel the more square it gets (anon). If in doubt think and investigate before you ask silly questions. |
|
Vitor |
Posted: Mon Aug 25, 2014 10:40 am Post subject: |
|
|
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
|
smdavies99 wrote: |
Very good explanation Vitor. The other use of the DLQ is for overflow messages when the BOQ becomes full. Yes it does happen. Ok it is rare but it does sometimes happen. |
And when it happens, you find everybody in the monitoring chain from the guy who installed the software to the guy who gets the page, identify the guilty party, and hurt him.
Or all of them on principle.
_________________
Honesty is the best policy.
Insanity is the best defence. |
|
smdavies99 |
Posted: Mon Aug 25, 2014 12:05 pm Post subject: |
|
|
 Jedi Council
Joined: 10 Feb 2003 Posts: 6076 Location: Somewhere over the Rainbow this side of Never-never land.
|
Vitor wrote: |
And when it happens, you find everybody in the monitoring chain from the guy who installed the software to the guy who gets the page, identify the guilty party, and hurt him.
Or all of them on principle. |
You make the assumption that there is some form of monitoring system in place in the first place?
A decent MQ & IIB Monitoring solution can cost as much as IIB. Many customers are very reluctant to stump up for that sort of solution so all sorts of homegrown ones get put in place. Some are good and some.... well, they leave a lot to be desired.
I know of one system where in the past I found some 500,000 messages on a BOQ. There is no monitoring system because the client is too cheapskate to even have a passive backup system. The reason is that the messages were destined for another system that regularly goes down. There are no people on-site monitoring the health of the other system. Again the cheapskate nature of the client is to blame (it is funded by the local government). No matter what was said to them they wouldn't budge an inch.
They won't upgrade from 6.1.0.3 either yet still they wanted support.
That's life in the real world (outside big companies)
_________________
WMQ User since 1999
MQSI/WBI/WMB/'Thingy' User since 2002
Linux user since 1995
Every time you reinvent the wheel the more square it gets (anon). If in doubt think and investigate before you ask silly questions. |
|
Vitor |
Posted: Mon Aug 25, 2014 12:09 pm Post subject: |
|
|
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
|
smdavies99 wrote: |
You make the assumption that there is some form of monitoring system in place in the first place? |
Even if it's a shell script fired by a WMQ trigger.
If there's nothing, then I hurt whoever owns the environment.
_________________
Honesty is the best policy.
Insanity is the best defence. |
|
PeterPotkay |
Posted: Mon Aug 25, 2014 2:05 pm Post subject: |
|
|
 Poobah
Joined: 15 May 2001 Posts: 7722
|
There is nothing wrong with using SYSTEM.DEAD.LETTER.QUEUE in my opinion. There is nothing magical about that queue. It's not used by MQ for any other purpose. It's not used by MQ to create other queues. In this regard it is different than the SYSTEM.DEFAULT.* queues. I agree the SYSTEM.DEFAULT.* queues should not be used or modified, as future queues created would be impacted by the changes.
But I have yet to hear a convincing argument on why you should not use the SYSTEM.DEAD.LETTER.QUEUE. I got no problem with someone wanting to use some other queue for their DLQ, just no need to get all out of sorts if someone does use SYSTEM.DEAD.LETTER.QUEUE. Keep calm and MQ on, no harm will come in using SYSTEM.DEAD.LETTER.QUEUE as your DLQ.
_________________
Peter Potkay
Keep Calm and MQ On |
|
PeterPotkay |
Posted: Mon Aug 25, 2014 2:10 pm Post subject: |
|
|
 Poobah
Joined: 15 May 2001 Posts: 7722
|
Any app misbehaving enough to fill their B.O. queue in short order, or ignored long enough to fill their B.O. queue after months, will very likely do the same to your DLQ. Apps stay out of DLQs please.
I suppose the argument could be made that the DLQ is better monitored than the B.Q. queues, so it will get the attention as soon as 1 message hits. Phooey! If you can monitor the DLQ you can monitor the B.O. queue. If the app won't monitor the B.O. queue, let them fill up the B.O. queue and grind to a halt - serves them right!
_________________
Peter Potkay
Keep Calm and MQ On |
|
fjb_saper |
Posted: Mon Aug 25, 2014 5:18 pm Post subject: |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
PeterPotkay wrote: |
There is nothing wrong with using SYSTEM.DEAD.LETTER.QUEUE in my opinion. There is nothing magical about that queue. It's not used by MQ for any other purpose. It's not used by MQ to create other queues. In this regard it is different than the SYSTEM.DEFAULT.* queues. I agree the SYSTEM.DEFAULT.* queues should not be used or modified, as future queues created would be impacted by the changes.
But I have yet to hear a convincing argument on why you should not use the SYSTEM.DEAD.LETTER.QUEUE. I got no problem with someone wanting to use some other queue for their DLQ, just no need to get all out of sorts if someone does use SYSTEM.DEAD.LETTER.QUEUE. Keep calm and MQ on, no harm will come in using SYSTEM.DEAD.LETTER.QUEUE as your DLQ.  |
The only reason I have not to use it, is because it starts with SYSTEM. I have no problems using it as template for creating the real SDLQ. The defaults on the SYSTEM.DEAD.LETTER.QUEUE are different from the ones on the SYSTEM.DEFAULT.LOCAL.QUEUE and for good reason....
_________________
MQ & Broker admin |
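
The rule argued in this thread (no authorities on SYSTEM.* objects for ordinary users, with put access to the dead-letter queue as the one disputed exception) can be checked mechanically against a saved script of setmqaut commands. This is an added example, not code from any poster; treating mqm as the only administrators' group, the names QM1, appgrp and partner, and the sample lines themselves are assumptions constructed for illustration.

```python
import shlex
ADMIN_ENTITIES = {"mqm"}               # assumption: treated as MQ administrators
DLQ_NAME = "SYSTEM.DEAD.LETTER.QUEUE"  # the exception debated in the thread

def parse_setmqaut(line):
    """Parse one setmqaut command line; return None for anything else."""
    tokens = shlex.split(line, comments=True)
    if not tokens or tokens[0] != "setmqaut":
        return None
    rec = {"profile": "", "entities": [], "grants": set()}
    it = iter(tokens[1:])
    for tok in it:
        if tok == "-n":                  # object or generic profile name
            rec["profile"] = next(it, "").upper()
        elif tok in ("-g", "-p"):        # group or principal being authorized
            rec["entities"].append(next(it, ""))
        elif tok.startswith("+"):        # only grants matter here, not "-auth"
            rec["grants"].add(tok[1:].lower())
    return rec

def touches_system(profile):
    """True if a (possibly generic) profile can apply to SYSTEM.* objects."""
    head = profile.replace("?", "*").split("*", 1)[0]  # literal part before a wildcard
    return head.startswith("SYSTEM.") or (head != profile and "SYSTEM.".startswith(head))

def audit(lines, allow_dlq_put=True):
    """List (profile, entity, grants) for non-admin grants reaching SYSTEM.*."""
    findings = []
    for line in lines:
        rec = parse_setmqaut(line)
        if not rec or not rec["profile"] or not touches_system(rec["profile"]):
            continue
        grants = set(rec["grants"])
        if allow_dlq_put and rec["profile"] == DLQ_NAME:
            grants.discard("put")        # tolerate put-only access to the DLQ
        for entity in rec["entities"]:
            if grants and entity not in ADMIN_ENTITIES:
                findings.append((rec["profile"], entity, sorted(grants)))
    return findings

# Constructed sample; QM1, appgrp and partner are made-up names.
SAMPLE = [
    "setmqaut -m QM1 -n APP.REQUEST -t queue -g appgrp +put +get +inq",
    "setmqaut -m QM1 -n SYSTEM.DEAD.LETTER.QUEUE -t queue -g appgrp +put",
    "setmqaut -m QM1 -n SYSTEM.CHANNEL.SYNCQ -t queue -g appgrp +put +get",
    "setmqaut -m QM1 -n 'SYSTEM.**' -t queue -g mqm +all",
    "setmqaut -m QM1 -n '**' -t queue -p partner +browse",
]
print(*audit(SAMPLE), sep="\n")
```

Calling `audit(SAMPLE, allow_dlq_put=False)` applies the stricter position taken in the thread and also reports the put grant on the dead-letter queue.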
|