| Author |
Message
|
| Gideon |
 Posted: Wed Oct 08, 2014 11:18 am Post subject: Can not start channel |
 |
|
Chevalier
Joined: 18 Aug 2009
Posts: 403
|
I am using WMQ 8 for the first time. I installed it and created a
new queue manager (inelegantly named QM), and tried to connect
the MQ Explorer in non-secure mode (will get to the secure
mode once the non-secure mode is done).
I start the QM and the listener, and try to connect, and I get the
following error:
| Code: |
Access not permitted. You are not authorized to perform this operation. (AMQ4036)
Severity 10 (Warning)
Explanation: The queue manager security mechanism has indicated that the userid associated with this request is not authorized to access the object |
I had never gotten this particular error before, but I make sure the
firewall is down. I check to make sure the listener is running, all seems
well, so I do what I rarely do, and check the status of the channel
I get the following:
| Code: |
-bash-4.1$ runmqsc QM
5724-H72 (C) Copyright IBM Corp. 1994, 2014.
Starting MQSC for queue manager QM.
display chstatus(system.admin.svrconn)
1 : display chstatus(system.admin.svrconn)
AMQ8420: Channel Status not found. |
OK, the channel is not active, so I try to start it
| Code: |
start channel(system.admin.svrconn)
2 : start channel(system.admin.svrconn)
AMQ8018: Start WebSphere MQ channel accepted. |
The channel seems happy, so I check the status again
| Code: |
display chstatus(system.admin.svrconn)
3 : display chstatus(system.admin.svrconn)
AMQ8420: Channel Status not found. |
All is not well, so I look at the channel definition
| Code: |
display channel(system.admin.svrconn)
4 : display channel(system.admin.svrconn)
AMQ8414: Display Channel details.
CHANNEL(SYSTEM.ADMIN.SVRCONN) CHLTYPE(SVRCONN)
ALTDATE(2014-10-07) ALTTIME(16.23.27)
CERTLABL( ) COMPHDR(NONE)
COMPMSG(NONE) DESCR( )
DISCINT(0) HBINT(300)
KAINT(AUTO) MAXINST(999999999)
MAXINSTC(999999999) MAXMSGL(4194304)
MCAUSER(mqm) MONCHL(QMGR)
RCVDATA( ) RCVEXIT( )
SCYDATA( ) SCYEXIT( )
SENDDATA( ) SENDEXIT( )
SHARECNV(10) SSLCAUTH(REQUIRED)
SSLCIPH( ) SSLPEER( )
TRPTYPE(TCP) |
While I am not a great expert, this seems acceptable, so I look
at the CHLAUTH
| Code: |
DISPLAY QMGR CHLAUTH
5 : DISPLAY QMGR CHLAUTH
AMQ8408: Display Queue Manager details.
QMNAME(QM) CHLAUTH(DISABLED) |
and it is happily disabled, exactly what I wanted
I look at the AMQ???.LOG, but do not see anything
The following thread suggested setting the DISCINT value
http://mqseries.net/phpBB/viewtopic.php?t=26981&sid=70316e45fbeef51f94b92a8277e9eb72
... BUT the DISCINT is set to 0, so the channel should run indefinitely
How can I further investigate this issue?
Thanks |
|
| Back to top |
|
 |
| mqjeff |
| Posted: Wed Oct 08, 2014 11:25 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008
Posts: 17447
|
SVRCONN channels don't start on their own. They only start when a client application tries to connect to them.
Try running amqsputc in another shell, and give it the right information to use the channel.
Then leave it running and check the chlstatus again. |
|
| Back to top |
|
|
| bruce2359 |
| Posted: Wed Oct 08, 2014 11:26 am Post subject: |
|
|
Poobah
Joined: 05 Jan 2008
Posts: 9469
Location: US: west coast, almost. Otherwise, enroute.
|
A SVRCONN channel become active when a client-bindings app connects to it.
So, what issue are you facing?
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live. |
|
| Back to top |
|
|
| Gideon |
| Posted: Wed Oct 08, 2014 11:45 am Post subject: |
|
|
Chevalier
Joined: 18 Aug 2009
Posts: 403
|
I define a queue from runmqsc
| Code: |
define qlocal(TEST)
3 : define qlocal(TEST)
AMQ8006: WebSphere MQ queue created. |
Then I try to amqsput to it
| Code: |
su - mqm
-bash-4.1$ cd /opt/mqm/samp/bin/
-bash-4.1$ ./amqsput TEST QM
Sample AMQSPUT0 start
target queue is TEST
hellow world
Sample AMQSPUT0 end |
However, the channel still can not be started
(I do not understand why a server side amqsput would activate a channel, I have done this before and never had to amqsput to get a MQ Explorer connection)
bruce2359: To answer your question, the issue I am trying to resolve is that I can not connect
to the QM from a remote Windows Explorer, where I get the following error:
| Code: |
Access not permitted. You are not authorized to perform this operation. (AMQ4036)
Severity 10 (Warning)
Explanation: The queue manager security mechanism has indicated that the userid associated with this request is not authorized to access the object |
Thanks |
|
| Back to top |
|
|
| mqjeff |
| Posted: Wed Oct 08, 2014 11:48 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008
Posts: 17447
|
The channel is only started as long as amqsputC is running.
Note that you ran amqsput, and you quit it. |
|
| Back to top |
|
|
| tczielke |
| Posted: Wed Oct 08, 2014 1:30 pm Post subject: |
|
|
Guardian
Joined: 08 Jul 2010
Posts: 941
Location: Illinois, USA
|
| If a new queue manager was created at v8, Gideon could be being blocked by the default CONNAUTH rules. If my memory serves me correctly from Morag's session at MQTC, the default is REQUIRED for remote connections and OPTIONAL for local bindings. |
|
| Back to top |
|
|
| fjb_saper |
| Posted: Wed Oct 08, 2014 7:58 pm Post subject: |
|
|
Grand High Poobah
Joined: 18 Nov 2003
Posts: 20756
Location: LI,NY
|
| tczielke wrote: |
| If a new queue manager was created at v8, Gideon could be being blocked by the default CONNAUTH rules. If my memory serves me correctly from Morag's session at MQTC, the default is REQUIRED for remote connections and OPTIONAL for local bindings. |
Indeed there is no indication that the OP ever tried to authenticate the connection. This would effectively prevent him from connecting to the queue manager.
However I believe the default is REQUIRED FOR ADMIN.
I would say that the OP tried to connect as a priviledged user...
_________________
MQ & Broker admin |
|
| Back to top |
|
|
| tczielke |
| Posted: Thu Oct 09, 2014 5:14 am Post subject: |
|
|
Guardian
Joined: 08 Jul 2010
Posts: 941
Location: Illinois, USA
|
| fjb_saper wrote: |
| However I believe the default is REQUIRED FOR ADMIN. |
I looked at the default settings for CHCKCLNT on a new v8 queue manager, and you are correct.
dis qmgr connauth
CONNAUTH(SYSTEM.DEFAULT.AUTHINFO.IDPWOS)
dis authinfo('SYSTEM.DEFAULT.AUTHINFO.IDPWOS') all
AUTHINFO(SYSTEM.DEFAULT.AUTHINFO.IDPWOS)
AUTHTYPE(IDPWOS) ADOPTCTX(NO)
DESCR( ) CHCKCLNT(REQDADM)
CHCKLOCL(OPTIONAL) FAILDLAY(1)
ALTDATE(2014-10-09) ALTTIME(08.05.04) |
|
| Back to top |
|
|
| Gideon |
| Posted: Thu Oct 09, 2014 12:34 pm Post subject: |
|
|
Chevalier
Joined: 18 Aug 2009
Posts: 403
|
I used the following command
define authinfo('SYSTEM.DEFAULT.AUTHINFO.IDPWOS') AUTHTYPE(IDPWOS) CHCKCLNT(OPTIONAL) replace
and then restarted the QM
Now I can successfully connect in from MQExplorer
Thanks for everyone's help |
|
| Back to top |
|
|
| fjb_saper |
| Posted: Thu Oct 09, 2014 4:48 pm Post subject: |
|
|
Grand High Poobah
Joined: 18 Nov 2003
Posts: 20756
Location: LI,NY
|
| Gideon wrote: |
I used the following command
define authinfo('SYSTEM.DEFAULT.AUTHINFO.IDPWOS') AUTHTYPE(IDPWOS) CHCKCLNT(OPTIONAL) replace
and then restarted the QM
Now I can successfully connect in from MQExplorer
Thanks for everyone's help |
Gideon, I would not change this SYSTEM object.
Just define an new authinfo object in the user name space and set the qmgr's conninfo pointer to it...
Have fun
_________________
MQ & Broker admin |
|
| Back to top |
|
|
|
|
