MQSeries.net Forum Index » General IBM MQ Support » Restored Server from Backup

msf004
Posted: Sun Mar 12, 2023 1:39 pm    Post subject: Restored Server from Backup

Newbie

Joined: 11 Mar 2023
Posts: 4

First, I am not an MQ admin. I have been searching for one to help with this issue since last week.

The problem seems simple - Our IBM WebSphere MQ v8.0 server was corrupted. We restored it to a point prior to the corruption, assuming it would just start working as it was, but it did not start working as it was.

FLOW OF MESSAGES:
We have a partner with an MQ Server that sends messages to our MQ Server. We then have two (2) apps that pull messages out of the queue. Our partner's MQ server is still able to send messages to our MQ server. The messages show in the queue until the max queue is hit. Unfortunately the processes that pull from the queue are not able to do so for some reason.

I see many errors like this:

Code:
3/12/2023 16:17:32 - Process(5016.18) User(services) Program(amqrmppa.exe) Host(MQ1) Installation(Installation1) VRMF(8.0.0.9) QMgr(U00019PQM)

Queue Manager User ID initialization failed for 'svc_ibmmq'. 

The call to initialize the User ID 'svc_ibmmq' failed with CompCode 2 and Reason 2035. If an MQCSP block was used, the User ID in the MQCSP block was ''. 


I have read about "CompCode 2 and Reason 2035" excessively and tried many things I found on Google. I understand, one of the reasons for this error is a privileged user attempting to access a queue. My conundrum is, being I restored from backup, the current state of the server should be how it was when everything was working. Further, the user account in question (svc_ibmmq) has not changed in AD.

I would appreciate any suggestions.

If you're willing to jump on a screen share and help, I am happy to pay for assistance.

I am happy for any help I can get.
hughson
Posted: Sun Mar 12, 2023 6:58 pm

Padawan

Joined: 09 May 2013
Posts: 1914
Location: Bay of Plenty, New Zealand

The error message you are showing, when reported in isolation without any other related errors, usually means that the user ID is not known.

You can quickly check if this is the case with an MQSC command something like this:

Code:
DISPLAY ENTAUTH PRINCIPAL('svc_ibmmq') OBJTYPE(QMGR)

If the user is not known, this will report:-
Code:
AMQ8871E: Entity, principal or group not known.

If the user is known, but simply has no authority to the queue manager object (the question that command is asking), this will report:-
Code:
AMQ8866I: Display entity authority details.                                                                               
  OBJNAME(MQG1)                           ENTITY(svc_ibmmq)                                                                 
  ENTTYPE(PRINCIPAL)                      OBJTYPE(QMGR)                                                                   
  AUTHLIST( )

This will at least give you some definitive thing to go after.

You are correct that 2035 is used for a variety of security failures, including a privileged user attempting to access the queue manager remotely, but in all cases where an application is returned 2035 there is more detail in the error log that you are looking at on the queue manager. That's why I made the remark about this error message in isolation. Have a look to see if this error has any others at the same time and if so post them here. If not, it means the queue manager asked the O/S about the user ID and was not able to find it.

You state definitively that this user account has not changed in AD. Has the queue manager's access to AD been affected in any way?

You mention "the processes that pull from the queue ..." and then show error messages for an IBM MQ Channel (amqrmppa.exe is a channel). Are these queues transmission queues or are we just talking about client applications?

Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
msf004
Posted: Sun Mar 12, 2023 7:24 pm

Newbie

Joined: 11 Mar 2023
Posts: 4

Thank you for the reply!

Code:
DISPLAY ENTAUTH PRINCIPAL('svc_ibmmq') OBJTYPE(QMGR)


returned:

Code:

AMQ8866: Display entity authority details.
   OBJNAME(U00019PQM)                      ENTITY(svc_ibmmq)
   ENTTYPE(PRINCIPAL)                      OBJTYPE(QMGR)
   AUTHLIST(ALTUSR,CHG,CONNECT,CRT,DLT,DSP,INQ,SET,SETALL,SETID,CTRL,SYSTEM)


I do also see this information in the event log with the aforementioned errors:

Code:
3/12/2023 16:17:41 - Process(2352.26) User(services) Program(amqzlaa0.exe) Host(AZMQ-01) Installation(Installation1) VRMF(8.0.0.9) QMgr(U00019PQM)

The failed authentication check was caused by the queue manager CONNAUTH CHCKCLNT(REQDADM) configuration. 

The user ID 'svc_ibmmq' and its password were checked because the user ID is privileged and the queue manager connection authority (CONNAUTH) configuration refers to an authentication information (AUTHINFO) object named 'SYSTEM.DEFAULT.AUTHINFO.IDPWOS' with CHCKCLNT(REQDADM). &P This message  accompanies a previous error to clarify the reason for the user ID and password check. 


Regarding the process that pulls from the queue, I was not sure what else to call it. There are two applications, both written in C#, that connect to the MQServer and look for new messages. As new messages are found, they are downloaded (taken off the queue?) and processed.

I have the C# code for both of the apps and I have noticed that nowhere in the code is a username or password being passed to the MQ Server. However, the executables are being run as user svc_ibmmq. I was reading about certificates for auth today, not knowing if maybe that is how the auth was being handled, but I am not certain.

Regarding, "Has the queue manager's access to AD been affected in any way?" - I have used the "Prepare WebSphere MQ Wizard" to "reauthenticate" MQ to AD. ...again, not 100% certain if that would help or not; however, I do know the credentials I entered were successfully accepted and that those are the credentials of the user who is running the WebSphere MQ services on Windows.

...what else can I provide that may help?
msf004
Posted: Sun Mar 12, 2023 7:36 pm

Newbie

Joined: 11 Mar 2023
Posts: 4

I'll also add that I checked the server's groups and the mqm group does exist and the user 'svc_ibmmq' is in the group.
hughson
Posted: Sun Mar 12, 2023 9:47 pm

Padawan

Joined: 09 May 2013
Posts: 1914
Location: Bay of Plenty, New Zealand

msf004 wrote:
I do also see this information in the event log with the aforementioned errors:

Code:
3/12/2023 16:17:41 - Process(2352.26) User(services) Program(amqzlaa0.exe) Host(AZMQ-01) Installation(Installation1) VRMF(8.0.0.9) QMgr(U00019PQM)

The failed authentication check was caused by the queue manager CONNAUTH CHCKCLNT(REQDADM) configuration. 

The user ID 'svc_ibmmq' and its password were checked because the user ID is privileged and the queue manager connection authority (CONNAUTH) configuration refers to an authentication information (AUTHINFO) object named 'SYSTEM.DEFAULT.AUTHINFO.IDPWOS' with CHCKCLNT(REQDADM). &P This message  accompanies a previous error to clarify the reason for the user ID and password check. 


OK - that's great - I believe we have all we need now. Since there was another message accompanying the first one that you provided, the first is not saying the user id cannot be found (as is also proved by the output from the DISPLAY ENTAUTH command) but instead is simply saying there was another reason for the failure to use this user id - and this message is the details.

You have recreated a queue manager that was damaged, and recreated it at V8. This means that the brand new queue manager has some slightly different configuration to the old queue manager that was created at an earlier release and migrated to V8. One of those differences is the configuration that controls password checking.

For a queue manager created at V8 or higher this feature is on by default.

For a queue manager created at a release earlier than V8 and migrated up to V8, that feature is off by default.

I assume your situation is the latter and so, I suggest to get back to where you were before the recreate of the queue manager, you issue the following two commands.

Code:
ALTER QMGR CONNAUTH(' ')


To turn off the feature, and then

Code:
REFRESH QMGR TYPE(CONNAUTH)


To inform the queue manager to act on the change.

Hopefully this should put your queue manager back to where it was before since, from what you say, it sounds like you weren't using the password checking feature.

Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
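
The triage rule discussed in this thread (a Reason 2035 user-ID initialization failure read in isolation versus alongside the CONNAUTH message), as an added Python example that is not part of any post or of IBM MQ itself. The log text is a constructed sample abridged from the entries quoted above; the user 'appuser', the 60-second correlation window and the function names are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the thread's two entries (abridged) plus a made-up 'appuser' failure.
SAMPLE_LOG = """\
3/12/2023 16:17:32 - Process(5016.18) User(services) Program(amqrmppa.exe) Host(MQ1) Installation(Installation1) VRMF(8.0.0.9) QMgr(U00019PQM)
Queue Manager User ID initialization failed for 'svc_ibmmq'.
The call to initialize the User ID 'svc_ibmmq' failed with CompCode 2 and Reason 2035.
3/12/2023 16:17:41 - Process(2352.26) User(services) Program(amqzlaa0.exe) Host(AZMQ-01) Installation(Installation1) VRMF(8.0.0.9) QMgr(U00019PQM)
The failed authentication check was caused by the queue manager CONNAUTH CHCKCLNT(REQDADM) configuration.
The user ID 'svc_ibmmq' and its password were checked because the user ID is privileged.
3/12/2023 16:25:03 - Process(5016.21) User(services) Program(amqrmppa.exe) Host(MQ1) Installation(Installation1) VRMF(8.0.0.9) QMgr(U00019PQM)
Queue Manager User ID initialization failed for 'appuser'.
The call to initialize the User ID 'appuser' failed with CompCode 2 and Reason 2035.
"""

# Header timestamps are assumed to be month/day/year, as in the thread's log.
HEADER = re.compile(r"^(\d+/\d+/\d+ \d+:\d+:\d+) - Process\(.*QMgr\(([^)]+)\)\s*$")
INIT_FAIL = re.compile(r"User ID initialization failed for '([^']*)'")
PW_CHECK = re.compile(r"user ID '([^']*)' and its password were checked")

def parse_entries(text):
    """Split the log into [timestamp, qmgr, body] entries, one per header line."""
    entries = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%m/%d/%Y %H:%M:%S")
            entries.append([ts, m.group(2), ""])
        elif entries:
            entries[-1][2] += line + "\n"
    return entries

def triage(text, window=timedelta(seconds=60)):
    """Label each user-ID initialization failure by what accompanies it."""
    entries = parse_entries(text)
    results = []
    for ts, qmgr, body in entries:
        failed = INIT_FAIL.search(body)
        if not failed:
            continue
        user = failed.group(1)
        # A companion entry: same queue manager, same user, close in time.
        companion = any(q == qmgr and abs(t - ts) <= window
                        and user in PW_CHECK.findall(b) for t, q, b in entries)
        cause = ("CONNAUTH password check of a privileged user" if companion
                 else "in isolation: user ID probably not known to the O/S")
        results.append((user, qmgr, cause))
    return results
```

Calling `triage(SAMPLE_LOG)` returns one row per initialization failure; the CONNAUTH entry itself is used only as correlating evidence.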
msf004
Posted: Mon Mar 13, 2023 3:58 am

Newbie

Joined: 11 Mar 2023
Posts: 4

On the 2nd command, I am getting an error:

Code:
REFRESH QMGR TYPE(CONNAUTH)
     1 : REFRESH QMGR TYPE(CONNAUTH)
AMQ8405: Syntax error detected at or near end of command segment below:-
REFRESH QMGR TYPE(CONNAUTH

AMQ8427: Valid syntax for the MQSC command:

  REFRESH QMGR TYPE ( CONFIGEV )
     [ INCLINT( integer ) ]
     [ NAME( string ) ]
     [ OBJECT( ALL      | AUTHINFO | AUTHREC  | CHANNEL  | CHLAUTH  |
               COMMINFO | LISTENER | NAMELIST | POLICY   | PROCESS  |
               QALIAS   | QLOCAL   | QMGR     | QMODEL   | QREMOTE  |
               QUEUE    | SERVICE  | TOPIC ) ]

  REFRESH QMGR TYPE ( PROXYSUB )


The 1st command did work.
exerk
Posted: Mon Mar 13, 2023 5:01 am

Jedi Council

Joined: 02 Nov 2006
Posts: 6339

msf004 wrote:
On the 2nd command, I am getting an error:

Code:
REFRESH QMGR TYPE(CONNAUTH)
     1 : REFRESH QMGR TYPE(CONNAUTH)
AMQ8405: Syntax error detected at or near end of command segment below:-
REFRESH QMGR TYPE(CONNAUTH

AMQ8427: Valid syntax for the MQSC command:

  REFRESH QMGR TYPE ( CONFIGEV )
     [ INCLINT( integer ) ]
     [ NAME( string ) ]
     [ OBJECT( ALL      | AUTHINFO | AUTHREC  | CHANNEL  | CHLAUTH  |
               COMMINFO | LISTENER | NAMELIST | POLICY   | PROCESS  |
               QALIAS   | QLOCAL   | QMGR     | QMODEL   | QREMOTE  |
               QUEUE    | SERVICE  | TOPIC ) ]

  REFRESH QMGR TYPE ( PROXYSUB )


The 1st command did work.

Try:

Code:
REFRESH SECURITY TYPE(CONNAUTH)


I suspect it was getting late for Morag when she answered
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
hughson
Posted: Mon Mar 13, 2023 11:57 pm

Padawan

Joined: 09 May 2013
Posts: 1914
Location: Bay of Plenty, New Zealand

exerk wrote:
Try:

Code:
REFRESH SECURITY TYPE(CONNAUTH)


I suspect it was getting late for Morag when she answered

Thank you @exerk - yes, last posting before bedtime should always be read more carefully. You are quite right, that is what I meant to say!

Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
fjb_saper
Posted: Tue Mar 14, 2023 6:38 am

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20696
Location: LI,NY

@msf004

Why are you running on MQ8? Make sure your hardware is up to date and run with MQ9.3. Please remember that MQ8 has been out of support for quite some time now. The lowest version in support is MQ9.1 and this is going out of support end of September...
_________________
MQ & Broker admin
gbaddeley
Posted: Tue Mar 14, 2023 2:29 pm

Jedi

Joined: 25 Mar 2003
Posts: 2492
Location: Melbourne, Australia

Restoring MQ (queue managers) from a backup has a few caveats.

If the queue manager was running when the backup was taken, the recovery log files may not be consistent in the backup, and it may miss some files because the queue manager had exclusive read/write locks.

After restoring, the queue manager may not start, most commonly due to an issue with the recovery logs. It may be necessary to do a cold start (recreate the logs as empty).

There may be application messages on the queues that are no longer relevant or possibly even dangerous (eg. result in duplicate financial transactions). Normal DR practice is to clear all application and transmission queues before handing over the queue manager for use.

It is also likely that channels will not start due to sequence number mismatches or an in-doubt situation. The sequence numbers will need to be reset or the channel resolved.
_________________
Glenn