ASG
IBM
Zystems
Cressida
Icon
Netflexity
 
  MQSeries.net
Search  Search       Tech Exchange      Education      Certifications      Library      Info Center      SupportPacs      LinkedIn  Search  Search                                                                   FAQ  FAQ   Usergroups  Usergroups
 
Register  ::  Log in Log in to check your private messages
 
RSS Feed - WebSphere MQ Support RSS Feed - Message Broker Support

MQSeries.net Forum IndexIBM MQ Installation/Configuration Supportsource of connection

Post new topicReply to topic
source of connection View previous topic :: View next topic
Author Message
mqprimerib
PostPosted: Tue Jun 18, 2019 9:32 am Post subject: source of connection Reply with quote

Apprentice

Joined: 30 Mar 2016
Posts: 29
Location: Detroit Rock City

So I'm moving a new MQ 9.0.0.4 instance (from MQ8).

I did the dump, the authrecs everything looks good. But now I'm seeing errors in my /var/mqm/qmgrs/QM\!EC1\!1\!DEV02/errors/AMQERR01.LOG

About a user 'routeone' trying to connect. The app should be connecting as 'mqm'.

Is there a way to identify what the source of these errors are? I don't see a remote IP or hostname in the error.


Code:

06/18/2019 04:31:02 PM - Process(22705.303) User(mqm) Program(amqzlaa0)
                    Host(mq9.r1dev.com) Installation(Installation1)
                    VRMF(9.0.0.4) QMgr(QM.EC1.1.DEV02)

AMQ8077: Entity 'routeone' has insufficient authority to access object
'QM.EC1.1.DEV02'.

EXPLANATION:
The specified entity is not authorized to access the required object. The
following requested permissions are unauthorized: connect
ACTION:
Ensure that the correct level of authority has been set for this entity against
the required object, or ensure that the entity is a member of a privileged
group.
----- amqzfubx.c : 1542 -------------------------------------------------------
06/18/2019 04:31:02 PM - Process(18885.4022) User(mqm) Program(amqrmppa)
                    Host(mq9.r1dev.com) Installation(Installation1)
                    VRMF(9.0.0.4) QMgr(QM.EC1.1.DEV02)

AMQ9557: Queue Manager User ID initialization failed for 'routeone'.

EXPLANATION:
The call to initialize the User ID 'routeone' failed with CompCode 2 and Reason
2035. If an MQCSP block was used, the User ID in the MQCSP block was ''.
ACTION:
Correct the error and try again.
----- cmqxrsrv.c : 2407 -------------------------------------------------------
Back to top
View user's profile Send private message
Vitor
PostPosted: Tue Jun 18, 2019 10:12 am Post subject: Re: source of connection Reply with quote

Grand High Poobah

Joined: 11 Nov 2005
Posts: 25841
Location: Texas, USA

mqprimerib wrote:
About a user 'routeone' trying to connect. The app should be connecting as 'mqm'.


No it shouldn't. For one thing, no application should be using the administrative id or have administrative rights. For another thing, for this to work you'd have to remove the security rule that prevents mqm connecting via a client channel.

mqprimerib wrote:
Is there a way to identify what the source of these errors are?


Check to see who's raised a ticket saying their application can't connect post-migration.

Check your site's application inventory for an application called "Route One".

See who owns the queue "QM.EC1.1.DEV02" (and consider a more descriptive naming standard).
_________________
Honesty is the best policy.
Insanity is the best defence.
Back to top
View user's profile Send private message
fjb_saper
PostPosted: Tue Jun 18, 2019 7:57 pm Post subject: Re: source of connection Reply with quote

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20119
Location: LI,NY

Vitor wrote:

See who owns the queue "QM.EC1.1.DEV02" (and consider a more descriptive naming standard).

Pay attention Vitor. This is not the name of the queue but the name of the qmgr and thus the missing +connect permission is correct.
_________________
MQ & Broker admin
Back to top
View user's profile Send private message Send e-mail
bruce2359
PostPosted: Tue Jun 18, 2019 9:04 pm Post subject: Reply with quote

Poobah

Joined: 05 Jan 2008
Posts: 8513
Location: US: west coast, almost. Otherwise, enroute.

Ouch. I felt that from here.
_________________
There are two types of people in this world:
1) Those that can extrapolate from incomplete data
Back to top
View user's profile Send private message
Vitor
PostPosted: Wed Jun 19, 2019 4:54 am Post subject: Reply with quote

Grand High Poobah

Joined: 11 Nov 2005
Posts: 25841
Location: Texas, USA

bruce2359 wrote:
Ouch. I felt that from here.


You should have felt it from here.

Valid point, though in rebuttal the OP wasn't asking about missing permissions, but about how to identify the user.


_________________
Honesty is the best policy.
Insanity is the best defence.
Back to top
View user's profile Send private message
fjb_saper
PostPosted: Wed Jun 19, 2019 9:27 pm Post subject: Reply with quote

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20119
Location: LI,NY

Vitor wrote:
Valid point, though in rebuttal the OP wasn't asking about missing permissions, but about how to identify the user.


Good point and no flaming meant. Just a cranky time of day to answer post...

Well one of the investigative techniques could be to grant only access to the queue manager and then check connections and channels to narrow down the one using routeone.

I'm going to lean very far out the window here and assume that his original version 8 was before 8.0.0.4 where the behavior of the user and user passed via the MQCSP structure was still somewhat in flux and the behavior on how this was resolved in the channel authentication records was not set either.

I'd say chalk it up to a learning curve and either have the application changed to use the MQCSP structure or change the Java start up parms to force the MQCSP Structure... You should also look at the channels stanza on your qm.ini to verify EarlyAdoptChannelAuth is on and possibly mitigate this behavior through a channel auth record. Especially if the routeone user does not exist on the queue manager's domain...
_________________
MQ & Broker admin
Back to top
View user's profile Send private message Send e-mail
Vitor
PostPosted: Thu Jun 20, 2019 5:00 am Post subject: Reply with quote

Grand High Poobah

Joined: 11 Nov 2005
Posts: 25841
Location: Texas, USA

fjb_saper wrote:
Just a cranky time of day to answer post...


We've all been there. Grab and make sure you have enough crystals round you.
_________________
Honesty is the best policy.
Insanity is the best defence.
Back to top
View user's profile Send private message
Display posts from previous:
Post new topicReply to topic Page 1 of 1

MQSeries.net Forum IndexIBM MQ Installation/Configuration Supportsource of connection
Jump to:



You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
Protected by Anti-Spam ACP


Theme by Dustin Baccetti
Powered by phpBB 2001, 2002 phpBB Group

Copyright MQSeries.net. All rights reserved.