Author |
Message
|
ruimadaleno |
Posted: Tue Aug 04, 2015 3:01 am Post subject: |
|
|
Master
Joined: 08 May 2014 Posts: 274
|
What about using a UDP (user defined property) to record the service request number?
Every developer that builds a message flow must create a UDP named "SR" with default value "SRXXXXXX". This UDP is then updated at deployment time using mqsiapplybaroverride.
PRO:
Can be modified easily at deployment time (mqsiapplybaroverride)
CON:
UDPs are not visible in the web console; they are only visible in the message broker console (for us it's a con because the message broker console takes so much time to load)
My understanding is that a UDP should be used as a placeholder for some piece of data required to properly operate a message flow/service.
If we decide to go with the keyword, we must install Ant (or a similar tool - any suggestion? Maybe Maven... from your experience, which one suits a WebSphere Message Broker deployment automation better?) on every message broker server? _________________ Best regards
Rui Madaleno |
|
Vitor |
Posted: Tue Aug 04, 2015 4:28 am Post subject: |
|
|
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
|
ruimadaleno wrote: |
What about using a UDP (user defined property) to record the service request number? |
You could.
ruimadaleno wrote: |
Every developer that builds a message flow must create a UDP named "SR" with default value "SRXXXXXX". This UDP is then updated at deployment time using mqsiapplybaroverride.
PRO:
Can be modified easily at deployment time (mqsiapplybaroverride)
CON:
UDPs are not visible in the web console; they are only visible in the message broker console (for us it's a con because the message broker console takes so much time to load) |
ruimadaleno wrote: |
My understanding is that a UDP should be used as a placeholder for some piece of data required to properly operate a message flow/service. |
Because it can't be detected administratively, it's not much use for anything else.
ruimadaleno wrote: |
If we decide to go with the keyword, we must install Ant (or a similar tool - any suggestion? Maybe Maven... from your experience, which one suits a WebSphere Message Broker deployment automation better?) |
Horses for courses. Pros and cons.
ruimadaleno wrote: |
on every message broker server? |
Or just the central build server discussed earlier in this thread. Nothing about doing this changes how you're building the bar file, or the ability to deploy remotely. _________________ Honesty is the best policy.
Insanity is the best defence. |
|
samuelramos |
Posted: Thu Sep 10, 2015 3:26 am Post subject: |
|
|
Newbie
Joined: 10 Sep 2015 Posts: 9
|
Hi all,
I've configured my Ant script in Jenkins to use mqsideploy as mentioned above. Currently, the problem I'm facing is related to the connection between the Jenkins machine and the QMGR machine. The output of the mqsideploy command is below:
Code: |
> mqsideploy -i [my_hostname] -p [my_port] -q [my_queuemanager] -e [my_execution_group] -a [my_bar_file]
BIP1044I: Connecting to the queue manager...
BIP1046E: Unable to connect with the queue manager (The user 'NB20269' is not authorized to connect to queue manager 'BPCQMGR01' (MQ reason code 2035 while trying to connect)).
The utility encountered a problem while attempting to connect to the queue manager to put a message to the broker's request queue.
Ensure that the correct connection parameters have been supplied to the utility. Also ensure that the queue manager is running and that the current user is able to access the queues beginning SYSTEM.BROKER. If this error text includes an MQ reason code, look up the meaning behind the error in the Application Programming Reference guide and proceed as appropriate.
|
From my understanding the user doesn't have permissions to do this operation, which makes sense. Right? So, my question is, how can I configure the QMGR to allow the communication between the Jenkins and QMGR machines?
Samuel Ramos |
|
fjb_saper |
Posted: Thu Sep 10, 2015 4:10 am Post subject: |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
By assigning the correct group/user permissions (setmqaut) and opening access (see channel auth records)  _________________ MQ & Broker admin |
|
samuelramos |
Posted: Thu Sep 10, 2015 5:41 am Post subject: |
|
|
Newbie
Joined: 10 Sep 2015 Posts: 9
|
fjb_saper wrote: |
By assigning the correct group/user permissions (setmqaut) and opening access (see channel auth records)  |
Thanks for your response fjb_saper
I've run dspmqaut to check the user permissions and I believe that the user already has the right permissions:
Code: |
> dspmqaut -m [my_queuemanager] -n SYSTEM.BROKER.DEPLOY.QUEUE -t q -p NB20269
A entidade NB20269 possui as seguintes autorizações para o objeto SYSTEM.BROKER.DEPLOY.QUEUE:
get
browse
put
inq
set
crt
dlt
chg
dsp
passid
passall
setid
setall
clr
> dspmqaut -m [my_queuemanager] -t qmgr -p NB20269
A entidade NB20269 possui as seguintes autorizações para o objeto [my_queuemanager]:
inq
set
connect
altusr
crt
dlt
chg
dsp
setid
setall
ctrl
system
>dspmqaut -m [my_queuemanager] -n SYSTEM.BROKER.DEPLOY.REPLY -t q -p NB20269
A entidade NB20269 possui as seguintes autorizações para o objeto SYSTEM.BROKER.DEPLOY.REPLY:
get
browse
put
inq
set
crt
dlt
chg
dsp
passid
passall
setid
setall
clr
|
But if I look into channel auth records I still see the default channel configuration
Code: |
display chlauth(*)
3 : display chlauth(*)
AMQ8878: Exibir detalhes do registro de autenticação de canal.
CHLAUTH(SYSTEM.ADMIN.SVRCONN) TYPE(ADDRESSMAP) ADDRESS(*) USERSRC(CHANNEL)
AMQ8878: Exibir detalhes do registro de autenticação de canal.
CHLAUTH(SYSTEM.*) TYPE(ADDRESSMAP) ADDRESS(*) USERSRC(NOACCESS)
AMQ8878: Exibir detalhes do registro de autenticação de canal.
CHLAUTH(*) TYPE(BLOCKUSER) USERLIST(*MQADMIN)
|
How do I do the channel configuration without creating a security breach?
Samuel Ramos |
|
samuelramos |
Posted: Thu Sep 17, 2015 5:35 am Post subject: |
|
|
Newbie
Joined: 10 Sep 2015 Posts: 9
|
Hi all,
I was able to establish a connection between machines using the commands below:
Code: |
setmqaut -m [my_queuemanager] -t qmgr -p [my_user] +connect +inq +dsp
setmqaut -m [my_queuemanager] -t q -n SYSTEM.DEFAULT.MODEL.QUEUE -p [my_user] +inq +browse +get +dsp
setmqaut -m [my_queuemanager] -t q -n SYSTEM.ADMIN.COMMAND.QUEUE -p [my_user] +inq +put
setmqaut -m [my_queuemanager] -t q -n SYSTEM.MQEXPLORER.REPLY.MODEL -p [my_user] +dsp +inq +put +get
setmqaut -m [my_queuemanager] -t q -n SYSTEM.BROKER.DEPLOY.QUEUE -p [my_user] +dsp +inq +put +get
setmqaut -m [my_queuemanager] -t q -n SYSTEM.BROKER.DEPLOY.REPLY -p [my_user] +get
|
and opening the channel access with
Code: |
SET CHLAUTH(SYSTEM.BKR.CONFIG) TYPE(USERMAP) ADDRESS(*) CLNTUSER([my_user]) MCAUSER([my_user])
|
But this only works if [my_user] exists on both machines - the one with Jenkins and the remote one. Why!? Is there another way to establish the connection?
Cheers,
Samuel Ramos |
|
mqjeff |
Posted: Thu Sep 17, 2015 5:38 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008 Posts: 17447
|
There are several different ways, especially in mq v8, to control or alter the user that a queue manager sees on an incoming channel. _________________ chmod -R ugo-wx / |
|
samuelramos |
Posted: Thu Sep 17, 2015 5:56 am Post subject: |
|
|
Newbie
Joined: 10 Sep 2015 Posts: 9
|
Thanks for your reply mqjeff,
mqjeff wrote: |
There are several different ways, especially in mq v8, to control or alter the user that a queue manager sees on an incoming channel. |
I'm using MQ 7.5. What I know so far is:
When doing a mqsideploy, the command uses the system user id logged on. And the same user needs to exist on the remote machine.
Is it possible to configure users without adding them to the local and remote systems?
Cheers,
Samuel Ramos |
|
mqjeff |
Posted: Thu Sep 17, 2015 6:05 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008 Posts: 17447
|
You always need to setmqaut, unless you wrongly use mqm.
Even at 7.5, you can control what user the qmgr sees for incoming channels.
Look at CHLAUTH. _________________ chmod -R ugo-wx / |
|
Vitor |
Posted: Thu Sep 17, 2015 6:09 am Post subject: |
|
|
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
|
samuelramos wrote: |
When doing a mqsideploy, the command uses the system user id logged on. |
No it doesn't. It uses the id provided by the connection; if it didn't, you wouldn't have needed all those setmqaut commands and channel authority records.
OK, pedantically, it's the broker's service id actually performing the update because that's the process reading the deploy queue. That's nothing to do with anything you're discussing here; you're talking about getting that process to accept the deployed artifacts.
samuelramos wrote: |
And the same user needs to exist on the remote machine. |
It's true that the user that you end up with on the remote machine is authenticated and authorized by the remote machine.
samuelramos wrote: |
Is it possible to configure users without adding them to the local and remote systems? |
To recap my two points above:
- the final resolved user has to be known / capable of authentication by the remote machine
- the final resolved user (as my most worthy associate also pointed out) doesn't need to have anything in common with the user who triggered the deploy locally. _________________ Honesty is the best policy.
Insanity is the best defence. |
|
samuelramos |
Posted: Thu Sep 17, 2015 8:22 am Post subject: |
|
|
Newbie
Joined: 10 Sep 2015 Posts: 9
|
Thanks Vitor and mqjeff,
I believe I'm getting somewhere! Looking for command:
Code: |
SET CHLAUTH(' generic-channel-name ') TYPE (USERMAP) CLNTUSER(client-user-name) MCAUSER( user )
|
I really don't need to have the same user on both sides; it creates a mapping then, right?
Code: |
SET CHLAUTH(SYSTEM.BKR.CONFIG) TYPE(USERMAP) ADDRESS(*) CLNTUSER([my_local_user]) MCAUSER([remote_user])
|
Is there a way to use a wildcard inside, e.g. CLNTUSER(*)?
Cheers,
Samuel Ramos |
|
samuelramos |
Posted: Thu Sep 17, 2015 9:23 am Post subject: |
|
|
Newbie
Joined: 10 Sep 2015 Posts: 9
|
Thanks Vitor and mqjeff
I believe I finally achieved the scenario I was looking for!
Steps on the remote machine:
1. I've created a new system user: LimitedUser
2. Add the following group/user permissions (setmqaut) to LimitedUser:
Code: |
setmqaut -m QMGR -t qmgr -p LimitedUser +connect +inq +dsp
setmqaut -m QMGR -t q -n SYSTEM.DEFAULT.MODEL.QUEUE -p LimitedUser +inq +browse +get +dsp
setmqaut -m QMGR -t q -n SYSTEM.ADMIN.COMMAND.QUEUE -p LimitedUser +inq +put
setmqaut -m QMGR -t q -n SYSTEM.MQEXPLORER.REPLY.MODEL -p LimitedUser +dsp +inq +put +get
setmqaut -m QMGR -t q -n SYSTEM.BROKER.DEPLOY.QUEUE -p LimitedUser +dsp +inq +put +get
setmqaut -m QMGR -t q -n SYSTEM.BROKER.DEPLOY.REPLY -p LimitedUser +get
|
3. Allow the access only to a specific IP address in channel auth records
Code: |
SET CHLAUTH(SYSTEM.BKR.CONFIG) TYPE(ADDRESSMAP) ADDRESS('192.168.*.*') USERSRC(MAP) MCAUSER(LimitedUser)
|
Now, only the machine that fulfills the generic IP can connect to the remote machine, no matter which user is being used by the Jenkins machine.
Cheers,
Samuel Ramos |
|
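An added example (not part of the original posts, and not IBM code): a small Python audit over `DISPLAY CHLAUTH(*)` output that lists each ADDRESSMAP rule admitting connections, where the resulting identity comes from, and how many IPv4 addresses the rule covers. The sample input is constructed from the records quoted in this thread, and the function names are hypothetical.

```python
import re

# Constructed sample: the DISPLAY CHLAUTH(*) output quoted in the thread plus
# the ADDRESSMAP rule from the final post, in the same one-line layout.
SAMPLE = """\
display chlauth(*)
AMQ8878: Exibir detalhes do registro de autenticação de canal.
CHLAUTH(SYSTEM.ADMIN.SVRCONN) TYPE(ADDRESSMAP) ADDRESS(*) USERSRC(CHANNEL)
AMQ8878: Exibir detalhes do registro de autenticação de canal.
CHLAUTH(SYSTEM.*) TYPE(ADDRESSMAP) ADDRESS(*) USERSRC(NOACCESS)
AMQ8878: Exibir detalhes do registro de autenticação de canal.
CHLAUTH(*) TYPE(BLOCKUSER) USERLIST(*MQADMIN)
AMQ8878: Exibir detalhes do registro de autenticação de canal.
CHLAUTH(SYSTEM.BKR.CONFIG) TYPE(ADDRESSMAP) ADDRESS('192.168.*.*') USERSRC(MAP) MCAUSER(LimitedUser)
"""

def parse_chlauth(text):
    """Return one dict of KEY -> value per record; each record follows an AMQ line."""
    records, current = [], None
    for line in text.splitlines():
        if line.startswith("AMQ"):
            current = {}
            records.append(current)
        elif current is not None:  # tolerate attributes wrapped over several lines
            for key, val in re.findall(r"(\w+)\(([^)]*)\)", line):
                current[key.upper()] = val.strip().strip("'")
    return [r for r in records if "CHLAUTH" in r]

def ipv4_breadth(pattern):
    """Count addresses matched by a 4-part generic IPv4 pattern ('*' or 'a-b' parts)."""
    parts = ["*"] * 4 if pattern == "*" else pattern.split(".")
    if len(parts) != 4:
        return None  # IPv6 or another form: not sized here
    total = 1
    for p in parts:
        lo, _, hi = "0-255".partition("-") if p == "*" else p.partition("-")
        total *= int(hi or lo) - int(lo) + 1
    return total

def audit(records):
    """Flag ADDRESSMAP rules that admit connections, with how wide each one is."""
    findings = []
    for r in records:
        if r.get("TYPE") != "ADDRESSMAP" or r.get("USERSRC") == "NOACCESS":
            continue
        kind = "channel-supplied" if r.get("USERSRC") == "CHANNEL" else "address-only"
        findings.append((r["CHLAUTH"], kind, r.get("MCAUSER"),
                         ipv4_breadth(r.get("ADDRESS", "*"))))
    return findings
```

On the sample, the SYSTEM.BKR.CONFIG rule is reported as address-only across 65536 addresses: any host in that range runs as LimitedUser, so the setmqaut grants to that user are the remaining control.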
mahalakshmimanohar |
Posted: Tue Feb 21, 2017 3:45 am Post subject: Re: Planning Continuous Integration with Jenkins and WMB 8.0 |
|
|
Newbie
Joined: 21 Feb 2017 Posts: 1
|
ruimadaleno wrote: |
Two months ago we changed the deployment process in our broker environment (in short: deployment was done via message broker explorer and is now done via scripts: properties files + bar files + mqsideploy + mqsiapplybaroverride)
Now we are looking for the next step: automation
And this is where the doubts begin
The tool to be used is Jenkins (because there is some knowledge in house - using Jenkins for testing automation)
Source code is kept in SVN (Subversion)
We have 3 environments (Production, Staging and Development), running WebSphere Message Broker 8.0.0.5 on Windows Server 2008 R2
What are we looking for? Automation for the following steps
1) Get the source code from SVN
2) Compile - create bar file (mqsicreatebar)
3) Apply/override properties - properties file + mqsiapplybaroverride
4) Deploy bar file in the proper execution group in the target environment
We have done some tests on developers' local machines and we have successfully run the above steps with a Jenkins build (it must be improved, but the proof of concept is completed)
Some questions are floating in our minds, and we would like to hear from your experience on this subject.
The first one is:
Do we need to install Jenkins in every broker environment? Or, on the other hand, can we install and configure a Jenkins server for deployment on every broker environment? If yes, it means that, somehow, Jenkins has the ability to execute remote commands or the broker client has the ability for remote deployment? |
I am trying to use Jenkins for the CI with IIB10. Repository is GIT/Bitbucket. I am completely naive in this. You have mentioned that the PoC has been completed by you. Could you please brief me on the PoC? Did you use an Ant script? |
|
Vitor |
Posted: Tue Feb 21, 2017 5:44 am Post subject: |
|
|
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
|
The OP hasn't posted here in 2 years. Don't hold your breath.
If you're "completely naïve" in this, I suggest you ask Mr Google and start reading. Saying that you're linking Git & Bitbucket with IIBv10 using Jenkins for CI is like saying you're trying to build a vehicle that can go down a paved road using refined oil for fuel.
There has to be a couple of hundred ways to configure what you're describing, based on exactly what your requirements, restrictions and use cases are. _________________ Honesty is the best policy.
Insanity is the best defence. |
|
ruimadaleno |
Posted: Tue Feb 21, 2017 8:30 am Post subject: Re: Planning Continuous Integration with Jenkins and WMB 8.0 |
|
|
Master
Joined: 08 May 2014 Posts: 274
|
mahalakshmimanohar wrote: |
ruimadaleno wrote: |
Two months ago we changed the deployment process in our broker environment (in short: deployment was done via message broker explorer and is now done via scripts: properties files + bar files + mqsideploy + mqsiapplybaroverride)
Now we are looking for the next step: automation
And this is where the doubts begin
The tool to be used is Jenkins (because there is some knowledge in house - using Jenkins for testing automation)
Source code is kept in SVN (Subversion)
We have 3 environments (Production, Staging and Development), running WebSphere Message Broker 8.0.0.5 on Windows Server 2008 R2
What are we looking for? Automation for the following steps
1) Get the source code from SVN
2) Compile - create bar file (mqsicreatebar)
3) Apply/override properties - properties file + mqsiapplybaroverride
4) Deploy bar file in the proper execution group in the target environment
We have done some tests on developers' local machines and we have successfully run the above steps with a Jenkins build (it must be improved, but the proof of concept is completed)
Some questions are floating in our minds, and we would like to hear from your experience on this subject.
The first one is:
Do we need to install Jenkins in every broker environment? Or, on the other hand, can we install and configure a Jenkins server for deployment on every broker environment? If yes, it means that, somehow, Jenkins has the ability to execute remote commands or the broker client has the ability for remote deployment? |
I am trying to use Jenkins for the CI with IIB10. Repository is GIT/Bitbucket. I am completely naive in this. You have mentioned that the PoC has been completed by you. Could you please brief me on the PoC? Did you use an Ant script? |
Yes, we have built the PoC with an Ant script.
I suggest you open a new topic and describe your scenario, broker environment and goals; maybe we can give you some help. _________________ Best regards
Rui Madaleno |
|