mqprimerib
Posted: Tue Jun 18, 2019 9:32 am Post subject: source of connection
Apprentice
Joined: 30 Mar 2016 Posts: 36 Location: Detroit Rock City
So I'm moving to a new MQ 9.0.0.4 instance (from MQ8).
I did the dump, the authrecs, everything looks good. But now I'm seeing errors in my /var/mqm/qmgrs/QM\!EC1\!1\!DEV02/errors/AMQERR01.LOG about a user 'routeone' trying to connect. The app should be connecting as 'mqm'.
Is there a way to identify what the source of these errors is? I don't see a remote IP or hostname in the error.
Code:
06/18/2019 04:31:02 PM - Process(22705.303) User(mqm) Program(amqzlaa0)
Host(mq9.r1dev.com) Installation(Installation1)
VRMF(9.0.0.4) QMgr(QM.EC1.1.DEV02)
AMQ8077: Entity 'routeone' has insufficient authority to access object
'QM.EC1.1.DEV02'.
EXPLANATION:
The specified entity is not authorized to access the required object. The
following requested permissions are unauthorized: connect
ACTION:
Ensure that the correct level of authority has been set for this entity against
the required object, or ensure that the entity is a member of a privileged
group.
----- amqzfubx.c : 1542 -------------------------------------------------------
06/18/2019 04:31:02 PM - Process(18885.4022) User(mqm) Program(amqrmppa)
Host(mq9.r1dev.com) Installation(Installation1)
VRMF(9.0.0.4) QMgr(QM.EC1.1.DEV02)
AMQ9557: Queue Manager User ID initialization failed for 'routeone'.
EXPLANATION:
The call to initialize the User ID 'routeone' failed with CompCode 2 and Reason
2035. If an MQCSP block was used, the User ID in the MQCSP block was ''.
ACTION:
Correct the error and try again.
----- cmqxrsrv.c : 2407 -------------------------------------------------------

Vitor
Posted: Tue Jun 18, 2019 10:12 am Post subject: Re: source of connection
Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
mqprimerib wrote:
> About a user 'routeone' trying to connect. The app should be connecting as 'mqm'.
No it shouldn't. For one thing, no application should be using the administrative id or have administrative rights. For another thing, for this to work you'd have to remove the security rule that prevents mqm connecting via a client channel.
mqprimerib wrote:
> Is there a way to identify what the source of these errors are?
Check to see who's raised a ticket saying their application can't connect post-migration.
Check your site's application inventory for an application called "Route One".
See who owns the queue "QM.EC1.1.DEV02" (and consider a more descriptive naming standard).
_________________
Honesty is the best policy.
Insanity is the best defence.

fjb_saper
Posted: Tue Jun 18, 2019 7:57 pm Post subject: Re: source of connection
Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
Vitor wrote:
> See who owns the queue "QM.EC1.1.DEV02" (and consider a more descriptive naming standard).
Pay attention Vitor. This is not the name of the queue but the name of the qmgr and thus the missing +connect permission is correct.
_________________
MQ & Broker admin

bruce2359
Posted: Tue Jun 18, 2019 9:04 pm Post subject:
Poobah
Joined: 05 Jan 2008 Posts: 9469 Location: US: west coast, almost. Otherwise, enroute.
Ouch. I felt that from here.
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.

Vitor
Posted: Wed Jun 19, 2019 4:54 am Post subject:
Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
bruce2359 wrote:
> Ouch. I felt that from here.
You should have felt it from here.
Valid point, though in rebuttal the OP wasn't asking about missing permissions, but about how to identify the user.

fjb_saper
Posted: Wed Jun 19, 2019 9:27 pm Post subject:
Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
Vitor wrote:
> Valid point, though in rebuttal the OP wasn't asking about missing permissions, but about how to identify the user.
Good point and no flaming meant. Just a cranky time of day to answer post...
Well one of the investigative techniques could be to grant only access to the queue manager and then check connections and channels to narrow down the one using routeone.
I'm going to lean very far out the window here and assume that his original version 8 was before 8.0.0.4 where the behavior of the user and user passed via the MQCSP structure was still somewhat in flux and the behavior on how this was resolved in the channel authentication records was not set either.
I'd say chalk it up to a learning curve and either have the application changed to use the MQCSP structure or change the Java start up parms to force the MQCSP Structure... You should also look at the channels stanza on your qm.ini to verify EarlyAdoptChannelAuth is on and possibly mitigate this behavior through a channel auth record. Especially if the routeone user does not exist on the queue manager's domain...
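
Added example, not written by any poster in this thread: one way to narrow down the channel and host behind the failing 'routeone' connection from AMQERR01.LOG alone, by correlating records on Process(pid.tid). It assumes the channel process (amqrmppa) also wrote an AMQ9999 "channel ended abnormally" record from the same thread within a few seconds; that record, the channel name APP.SVRCONN and the host/address in the sample are constructed.

```python
import re
from datetime import datetime, timedelta

HEAD = re.compile(r"(\d\d/\d\d/\d{4} \d\d:\d\d:\d\d [AP]M) - Process\((\d+\.\d+)\) "
                  r"User\((\w+)\) Program\((\w+)\)")
MSG = re.compile(r"^(AMQ\d{4})\w?: (.*?)(?=^EXPLANATION:|\Z)", re.M | re.S)
CHAN = re.compile(r"Channel '([^']+)' to host '([^']+)'")

# Constructed sample: the first two records are abbreviated from the post; the
# AMQ9999 record, its channel name and its host/address are constructed.
SAMPLE_LOG = """\
06/18/2019 04:31:02 PM - Process(22705.303) User(mqm) Program(amqzlaa0)
AMQ8077: Entity 'routeone' has insufficient authority to access object
'QM.EC1.1.DEV02'.
EXPLANATION:
The following requested permissions are unauthorized: connect
----- amqzfubx.c : 1542 -----
06/18/2019 04:31:02 PM - Process(18885.4022) User(mqm) Program(amqrmppa)
AMQ9557: Queue Manager User ID initialization failed for 'routeone'.
----- cmqxrsrv.c : 2407 -----
06/18/2019 04:31:03 PM - Process(18885.4022) User(mqm) Program(amqrmppa)
AMQ9999: Channel 'APP.SVRCONN' to host 'apphost (192.0.2.10)' ended abnormally.
----- constructed.c : 1 -----
"""

def parse(log):
    """Split an AMQERR01.LOG into records keyed by time, pid.tid and message id."""
    records = []
    for chunk in re.split(r"^-----.*$", log, flags=re.M):
        head, msg = HEAD.search(chunk), MSG.search(chunk)
        if head and msg:
            records.append({
                "time": datetime.strptime(head[1], "%m/%d/%Y %I:%M:%S %p"),
                "thread": head[2], "program": head[4],
                "id": msg[1], "text": " ".join(msg[2].split())})
    return records

def sources_for(log, user, window=timedelta(seconds=5)):
    """(channel, host) pairs logged by the same channel thread that rejected `user`."""
    recs, hits = parse(log), []
    for fail in (r for r in recs if r["id"] == "AMQ9557" and f"'{user}'" in r["text"]):
        for r in recs:
            m = CHAN.search(r["text"]) if r["id"] == "AMQ9999" else None
            if m and r["thread"] == fail["thread"] and abs(r["time"] - fail["time"]) <= window:
                hits.append(m.groups())
    return hits

if __name__ == "__main__":
    print(sources_for(SAMPLE_LOG, "routeone"))
```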

Vitor
Posted: Thu Jun 20, 2019 5:00 am Post subject:
Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
fjb_saper wrote:
> Just a cranky time of day to answer post...
We've all been there. Grab and make sure you have enough crystals round you.