ASG
IBM
Zystems
Cressida
Icon
Netflexity
 
  MQSeries.net
Search  Search       Tech Exchange      Education      Certifications      Library      Info Center      SupportPacs      LinkedIn  Search  Search                                                                   FAQ  FAQ   Usergroups  Usergroups
 
Register  ::  Log in Log in to check your private messages
 
RSS Feed - WebSphere MQ Support RSS Feed - Message Broker Support

MQSeries.net Forum Index » IBM MQ Security » Authorizing putting messages on remote cluster queues

Post new topic  Reply to topic
 Authorizing putting messages on remote cluster queues « View previous topic :: View next topic » 
Author Message
PeterPotkay
PostPosted: Wed Oct 29, 2014 3:49 pm    Post subject: Authorizing putting messages on remote cluster queues Reply with quote

Poobah

Joined: 15 May 2001
Posts: 7722
http://www-01.ibm.com/support/knowledgecenter/nl/en/SSFKSJ_7.5.0/com.ibm.mq.sec.doc/q014390_.htm

Quote:

Authorizing putting messages on remote cluster queues
•For UNIX, Linux and Windows systems, issue the following commands:
setmqaut -m QMgrName -t qmgr -g GroupName +connect
setmqaut -m QMgrName -t queue -n QueueName -g GroupName -all +put



MQ 7.5.0.2
QM1 and QM2 are in the same cluster.
The app is connected to QM1.
THE.CLUSTERED.QUEUE is defined and clustered on QM2


So I do this on QM1 (Windows, that’s why the user and not the group):
Code:
SET AUTHREC PRINCIPAL('mqusr') OBJTYPE(QMGR) AUTHRMV(ALL) AUTHADD(CONNECT,INQ)
SET AUTHREC PRINCIPAL('mqusr') PROFILE(THE.CLUSTERED.QUEUE) OBJTYPE(QUEUE) AUTHRMV(ALL) AUTHADD(PUT,INQ)


The app then client connects to QM1 and fails with a 2035 when trying to open the queue.

C:\>amqsputc THE.CLUSTER.QUEUE
Sample AMQSPUT0 start
target queue is THE.CLUSTER.QUEUE
MQOPEN ended with reason code 2035
unable to open queue for output
Sample AMQSPUT0 end



Why? Before you say I need to grant access to the SYSTEM.CLUSTER.TRANSMIT.QUEUE, see the link above where it does not say I need access to the S.C.T.Q. I am putting to a clustered queue and not specifying the destination QM name.

If I try to access this queue from QM1 with a User ID that does have access to the S.C.T.Q., it works.

So is the Knowledge Center wrong, or is this not working as its supposed to?
_________________
Peter Potkay
Keep Calm and MQ On
Back to top
View user's profile Send private message
fjb_saper
PostPosted: Wed Oct 29, 2014 7:43 pm    Post subject: Reply with quote

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20756
Location: LI,NY
Did you check and add the relevant clause in the qm.ini and bounce the qmgr?
http://www-01.ibm.com/support/knowledgecenter/SSFKSJ_7.5.0/com.ibm.mq.con.doc/q018900_.htm

And yes I dare say SCTQ because it is the default value and to do what you want you need RQMName

_________________
MQ & Broker admin

Last edited by fjb_saper on Mon Jul 13, 2015 12:51 pm; edited 1 time in total
Back to top
View user's profile Send private message Send e-mail
PeterPotkay
PostPosted: Wed Nov 05, 2014 4:23 pm    Post subject: Reply with quote

Poobah

Joined: 15 May 2001
Posts: 7722
IBM clarified that page in the KC is lacking and should note that you still need access to the transmit queue in this case. The page will be updated.

Meanwhile I opened up an RFE to deal with this:
http://www.mqseries.net/phpBB2/viewtopic.php?p=384126#384126
_________________
Peter Potkay
Keep Calm and MQ On
Back to top
View user's profile Send private message
Display posts from previous:   
Post new topic  Reply to topic Page 1 of 1

MQSeries.net Forum Index » IBM MQ Security » Authorizing putting messages on remote cluster queues
Jump to:  



You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
Protected by Anti-Spam ACP
  
 


Theme by Dustin Baccetti
Powered by phpBB © 2001, 2002 phpBB Group

Copyright © MQSeries.net. All rights reserved.