ASG
IBM
Zystems
Cressida
Icon
Netflexity
 
  MQSeries.net
Search  Search       Tech Exchange      Education      Certifications      Library      Info Center      SupportPacs      LinkedIn  Search  Search                                                                   FAQ  FAQ   Usergroups  Usergroups
 
Register  ::  Log in Log in to check your private messages
 
RSS Feed - WebSphere MQ Support RSS Feed - Message Broker Support

MQSeries.net Forum IndexIBM MQ Securityamq4036

Post new topicReply to topic
amq4036 View previous topic :: View next topic
Author Message
przytula
PostPosted: Mon Aug 28, 2017 1:01 am Post subject: amq4036 Reply with quote

Newbie

Joined: 25 Sep 2008
Posts: 6

installed mq V8 on linux and defined channel : I can connect from mq explorer
did the same installation on different machine linux :
also defined listener-channel system.admin.svrconn as documented in :
http://www-01.ibm.com/support/docview.wss?uid=swg21250706
def chl(SYSTEM.ADMIN.SVRCONN) chltype(SVRCONN) replace mcauser('mqm')
when displaying settings from both machines : it looks identical
although from second machine I still get amq4036 : not authorized....
any additional settings todo ?
thanks for all update
best regards, Guy Przytula
Back to top
View user's profile Send private message
bruce2359
PostPosted: Mon Aug 28, 2017 4:32 am Post subject: Reply with quote

Poobah

Joined: 05 Jan 2008
Posts: 7858
Location: US: west coast, almost. Otherwise, enroute.

What exactly is not authorized? What error is written to the error logs?
_________________
I would tell you a UDP joke, but you might not get it.
Back to top
View user's profile Send private message
przytula
PostPosted: Mon Aug 28, 2017 5:19 am Post subject: Reply with quote

Newbie

Joined: 25 Sep 2008
Posts: 6

thanks for the update
on client I just see

access not permitted you are not authorized to perform this operation : AMQ4036 severity 10 warning
the qmgr security mechanism has indicated that the userid associated with this request is not authorized to access the object
on server I do not see any logging : not in /opt/mqm nor in var/mqm/log
any psecific location client/server
best regards, Guy
Back to top
View user's profile Send private message
bruce2359
PostPosted: Mon Aug 28, 2017 5:44 am Post subject: Reply with quote

Poobah

Joined: 05 Jan 2008
Posts: 7858
Location: US: west coast, almost. Otherwise, enroute.

Look in 'errors' directory
_________________
I would tell you a UDP joke, but you might not get it.
Back to top
View user's profile Send private message
JosephGramig
PostPosted: Mon Aug 28, 2017 7:41 am Post subject: Reply with quote

Grand Master

Joined: 09 Feb 2006
Posts: 1181
Location: Derby City, USA

bruce2359 wrote:
Look in 'errors' directory
of the Qmg's data directory (where the Qmgr is running).

OOTB - CHLAUTH and CONNAUTH are in effect. Did you take that into account?
Back to top
View user's profile Send private message AIM Address
przytula
PostPosted: Mon Aug 28, 2017 9:49 pm Post subject: amq4036 Reply with quote

Newbie

Joined: 25 Sep 2008
Posts: 6

thanks for the update
looked in errors directory, but only a file present from installation time - no other errors
I have compared chlauth and is identical for both machines
will also check the others
best regards, Guy
Back to top
View user's profile Send private message
mqjeff
PostPosted: Tue Aug 29, 2017 3:48 am Post subject: Reply with quote

Grand Master

Joined: 25 Jun 2008
Posts: 17448

You have to look for two sets of errors. the mq_install/errors and the mq_install/qmgrs/qmgr_name/errors
_________________
chmod -R ugo-wx /
Back to top
View user's profile Send private message
bruce2359
PostPosted: Tue Aug 29, 2017 5:06 am Post subject: Reply with quote

Poobah

Joined: 05 Jan 2008
Posts: 7858
Location: US: west coast, almost. Otherwise, enroute.

There are errors directories On both client and server. You need to look at both.
_________________
I would tell you a UDP joke, but you might not get it.
Back to top
View user's profile Send private message
JosephGramig
PostPosted: Tue Aug 29, 2017 7:56 am Post subject: Reply with quote

Grand Master

Joined: 09 Feb 2006
Posts: 1181
Location: Derby City, USA

dspmqinf <QmgrName>

Will tell you where the <QmgrNameData>/errors directory lives. Oddly enough, if it does not tell you where the data directory is, then it is the default of /var/mqm/qmgrs/<QmgrName>/errors directory (in UNIX speak).

So as a good practice, you should always separate Qmgr data and log per Qmgr to different mount points. Something like:

/var/ibm/mqm/<QmgrName>/data
/var/ibm/mqm/<QmgrName>/log

with the -md -ld params. Doing so makes the Qmgr (easily) "relocatable".
Back to top
View user's profile Send private message AIM Address
Jacki123
PostPosted: Tue Dec 05, 2017 2:11 am Post subject: Reply with quote

Newbie

Joined: 05 Dec 2017
Posts: 2

What exactly is not authorized? What error is written to the error logs?
_________________
I would tell you a UDP joke, but you might not get it.
Back to top
View user's profile Send private message
Jacki123
PostPosted: Tue Dec 05, 2017 2:14 am Post subject: Reply with quote

Newbie

Joined: 05 Dec 2017
Posts: 2

>Now I want to create a cluster with QM1 as a local Queue Manager while QM2 as a
>remote Queue Manager. But I am getting an error "You are not authorized to perform >this operation. (AMQ4036)". Tried this ALTER CHANNEL(SYSTEM.ADMIN.SVRCONN) >CHLTYPE(SVRCONN) MCAUSER('nobody') but its not working. Replaced 'nobody' with >MUSER_MQADMIN.

This doesn't make sense. There is no concept of a local or remote qmgr in a MQ cluster. There are only 2 types of qmgrs in a MQ cluster, full repository or partial repository. SVRCONN channels are completely unrelated to MQ clusters. The default MQ service userid on Windows is MUSR_MQADMIN, not MUSER_MQADMIN. According to today result
Back to top
View user's profile Send private message
fjb_saper
PostPosted: Tue Dec 05, 2017 3:31 am Post subject: Reply with quote

Grand Poobah

Joined: 18 Nov 2003
Posts: 19430
Location: LI,NY

Jacki123 wrote:
>Now I want to create a cluster with QM1 as a local Queue Manager while QM2 as a
>remote Queue Manager. But I am getting an error "You are not authorized to perform >this operation. (AMQ4036)". Tried this ALTER CHANNEL(SYSTEM.ADMIN.SVRCONN) >CHLTYPE(SVRCONN) MCAUSER('nobody') but its not working. Replaced 'nobody' with >MUSER_MQADMIN.

This doesn't make sense. There is no concept of a local or remote qmgr in a MQ cluster. There are only 2 types of qmgrs in a MQ cluster, full repository or partial repository. SVRCONN channels are completely unrelated to MQ clusters. The default MQ service userid on Windows is MUSR_MQADMIN, not MUSER_MQADMIN. According to today result


Well setting the MCAUSER('nobody') on the channel only makes sense if you are going to change it through chlauth entries.
Typically you also need a chlauth entry of type ('blockuser') (from memory) to allow admin access to the channel, that one would block user('nobody') from accessing the channel...

Have fun and read Morag's posts on developerworks about chlauth...
_________________
MQ & Broker admin
Back to top
View user's profile Send private message Send e-mail
bruce2359
PostPosted: Tue Dec 05, 2017 5:15 am Post subject: Reply with quote

Poobah

Joined: 05 Jan 2008
Posts: 7858
Location: US: west coast, almost. Otherwise, enroute.

Jacki123 wrote:

This doesn't make sense. There is no concept of a local or remote qmgr in a MQ cluster.

This is an odd statement. An application always connects to its "local qmgr." If the destination queue for the next MQPUT is not local to that qmgr, then the message will flow to a "remote qmgr" that hosts the destination queue.

Jacki123 wrote:
There are only 2 types of qmgrs in a MQ cluster, full repository or partial repository.

Are you saying that it is NOT possible for a cluster qmgr to also have non-cluste SDR and/or RCVR channels (in addition to CLUSSDR and CLUSRCVR channels)?

A more precise statement might be that "there only two types of repositories; namely: partial and full."

Your post included the url http://www.keralalotteries.co.in/today-result.html . If you want us to look at something you have done, please post it within your post using the Quote button at the top of the screen. This makes it easier for us to help you. Please don't embed and hide URLs. What is keralalotteries? With no explanation, why would I want to visit that website?

Jacki123 wrote:
SVRCONN channels are completely unrelated to MQ clusters.

SVRCONN channels and MQ clusters may be "unrelated," but they are not mutually exclusive.
_________________
I would tell you a UDP joke, but you might not get it.
Back to top
View user's profile Send private message
Display posts from previous:
Post new topicReply to topic Page 1 of 1

MQSeries.net Forum IndexIBM MQ Securityamq4036
Jump to:



You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
Protected by Anti-Spam ACP


Theme by Dustin Baccetti
Powered by phpBB 2001, 2002 phpBB Group

Copyright MQSeries.net. All rights reserved.