cluster queue issue MQRC 2035
narayanarvr
Posted: Mon Sep 25, 2023 2:59 am    Post subject: cluster queue issue MQRC 2035

Voyager

Joined: 09 Oct 2012
Posts: 84

Hi All,

Thanks in advance.

I have set up a cluster between 2 queue managers, QM1 and QM2, both full repositories. I have created one cluster queue, which is a remote queue, physically defined in QM1 and visible in QM2. One application should access this queue and put messages; the application uses an OS user to connect to this cluster queue and put messages. I used a channel authentication record with clntuser to access this queue. I am able to access it from QM1, but when I try to access it from QM2 I am getting the MQRC 2035 error, MQRC_NOT_AUTHORIZED, even though I have enough permissions to access it. I am able to access this cluster remote queue and open it and put messages using the mqm user, but I am not able to put using the other OS user which the application is using.

Thanks,
bruce2359
Posted: Mon Sep 25, 2023 7:58 am

Poobah

Joined: 05 Jan 2008
Posts: 9400
Location: US: west coast, almost. Otherwise, enroute.

Where/when is the MQRC 2035 occurring? At the attempt to connect to the qmgr? Or, at the attempt to open the queue object?

On QM2 did you restart the qmgr OR do a REFRESH SECURITY? Either would refresh QM2 cache to recognize the O/S-defined userid.
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
gbaddeley
Posted: Mon Sep 25, 2023 5:20 pm

Jedi

Joined: 25 Mar 2003
Posts: 2495
Location: Melbourne, Australia

Did you look for an authorization error message in the error log for QM2?
_________________
Glenn
hughson
Posted: Mon Sep 25, 2023 7:04 pm

Padawan

Joined: 09 May 2013
Posts: 1916
Location: Bay of Plenty, New Zealand

narayanarvr wrote:
when I try to access from QM2 I am getting MQRC 2035 error MQRC_NOT_AUTHORIZED even though I have enough permissions to access it


gbaddeley wrote:
Did you look for an authorization error message in the error log for QM2 ?


Remember that MQRC 2035 covers a number of security failures. If you are certain you have enough permissions to access it, then it is not an authority failure, but one of the other security failures.

The queue manager AMQERR01.LOG has the definitive reason. Until you look there, you will not be certain, and we should not guess for you without first seeing that.

Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
narayanarvr
Posted: Mon Sep 25, 2023 8:09 pm

Voyager

Joined: 09 Oct 2012
Posts: 84

Bruce2359 / Glenn / Morag,

Thank you for your time and help.
@Bruce2359 - I am getting this issue at the time of opening the cluster queue in QM2 (physically the queue is a remote queue in QM1, available to QM2); the error is unable to open queue, MQRC 2035.

@Glenn - the exact error is MQRC 2035; please note I am able to put using the mqm user.

@Morag - I gave permissions +passall +passid +setall +setid +all +browse +get +inq +put +set -dlt -dsp -clr -chg. This is a cluster queue and remote queue, physically defined in QM1, and I am accessing it from QM2. I created an OS user in QM2. I created one channel authentication record, SET CHLAUTH('SAMPLE.SVRCONN') TYPE(USERMAP) CLNTUSER('testuser') USERSRC(CHANNEL) DESCR('channel record') ACTION(ADD). The application deployed in JBOSS is trying to access this cluster queue; application and MQ and JBOSS all are in Sampe server. I am using MQ 9.1.0.7. I am getting the issue while opening the queue, MQRC 2035; please help me.
fjb_saper
Posted: Tue Sep 26, 2023 2:21 am

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20696
Location: LI,NY

You need to look at the security stanza in the qm.ini to know if you need to authorize the queue on the QM2 or if you need to authorize the SCTQ or SCT.Channelname... or whatever you use as SCTQ for the qmgr QMA...

Have fun
_________________
MQ & Broker admin
hughson
Posted: Tue Sep 26, 2023 2:23 am

Padawan

Joined: 09 May 2013
Posts: 1916
Location: Bay of Plenty, New Zealand

Please, please, look in the AMQERR01.LOG - it will tell you the exact reason for the failure. All we (or you) can do if you don't view the error is guess.

Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
narayanarvr
Posted: Tue Sep 26, 2023 5:37 am

Voyager

Joined: 09 Oct 2012
Posts: 84

Hi Morag,

Thank you so much for your reply and help. I checked the queue manager error logs and could see the error 'Entity 'someuser' has insufficient authority to access object SYSTEM.CLUSTER.TRANSMIT.QUEUE'. I gave permissions for this object for the user; I will check from the app side for any errors.

Thank you.
bruce2359
Posted: Tue Sep 26, 2023 11:03 am

Poobah

Joined: 05 Jan 2008
Posts: 9400
Location: US: west coast, almost. Otherwise, enroute.

Moved to Security forum.
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
exerk
Posted: Wed Sep 27, 2023 3:08 am

Jedi Council

Joined: 02 Nov 2006
Posts: 6339

narayanarvr wrote:
Hi Morag,

Thank you so much for your reply and help. I checked the queue manager error logs and could see the error 'Entity 'someuser' has insufficient authority to access object SYSTEM.CLUSTER.TRANSMIT.QUEUE'. I gave permissions for this object for the user; I will check from the app side for any errors.

Thank you.

Where do you want 'someuser' to go in your cluster (or clusters) today? Consider what happens security-wise when you give carte blanche access to a queue that may service multiple clusters.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
narayanarvr
Posted: Thu Sep 28, 2023 3:22 am

Voyager

Joined: 09 Oct 2012
Posts: 84

Hi Exerk,

Thanks for your reply.

I have only a single cluster. When I check the MQ error logs I see the permission issue with my user on queue SYSTEM.CLUSTER.REPOSITORY.QUEUE; I gave the necessary permissions. I did not understand your question, sorry. Could you please help me: is that not the correct process?

Thanks.
exerk
Posted: Thu Sep 28, 2023 5:06 am

Jedi Council

Joined: 02 Nov 2006
Posts: 6339

Giving a user direct access to the SYSTEM.CLUSTER.TRANSMIT.QUEUE (SCTQ) allows that user to put messages to any queue that can be resolved within the cluster serviced by the SCTQ.

If the queue manager is a member of multiple clusters, and you are using a single SCTQ for all those clusters, the user will be able to put messages to any and all queues that can be resolved within all the clusters.

I suggest reading the Access control and multiple cluster transmission queues page within the Knowledge Centre for more detailed information.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
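
An added example, not part of any post in this thread and not IBM's code: a triage script for the diagnosis the replies walk through, reading AMQ8077 entries from AMQERR01.LOG together with the Security stanza of qm.ini to tell a plain object-authority failure from a cluster put that was checked against the SCTQ. The log entries, user names, queue names and verdict labels are constructed; the AMQ8077W layout and the ClusterQueueAccessControl key (RQMName or Xmitq, with Xmitq as the default) are assumptions to confirm against your MQ version.

```python
import re

SCTQ = "SYSTEM.CLUSTER.TRANSMIT.QUEUE"
AMQ8077 = re.compile(
    r"AMQ8077\w?:\s+Entity\s+'([^']+)'\s+has\s+insufficient\s+authority\s+to"
    r"\s+access\s+object\s+'?([^\s'\[]+).*?unauthorized:\s*(\S+)", re.S)

# Constructed sample data (not from the thread): two error-log entries, one qm.ini.
SAMPLE_LOG = """09/26/2023 05:12:01 - Process(4242.7) User(mqm) Program(amqzlaa0)
AMQ8077W: Entity 'someuser' has insufficient authority to access object
SYSTEM.CLUSTER.TRANSMIT.QUEUE [queue].
EXPLANATION:
The following requested permissions are unauthorized: put
-------------------------------------------------------------------------------
09/26/2023 05:14:37 - Process(4242.9) User(mqm) Program(amqzlaa0)
AMQ8077W: Entity 'batchusr' has insufficient authority to access object
APP.LOCAL.Q [queue].
EXPLANATION:
The following requested permissions are unauthorized: get
"""
SAMPLE_INI = "Log:\n   LogType=CIRCULAR\nSecurity:\n   # ClusterQueueAccessControl not set\n"

def cluster_access_mode(qm_ini):
    """ClusterQueueAccessControl from the Security stanza; Xmitq when absent."""
    stanza = None
    for raw in qm_ini.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and indentation
        key, _, value = line.partition("=")
        if line.endswith(":"):
            stanza = line[:-1]                   # stanza header such as "Security:"
        elif stanza == "Security" and key.strip() == "ClusterQueueAccessControl":
            return value.strip()
    return "Xmitq"

def triage(log_text, qm_ini):
    """Return (entity, object, permission, verdict) for each AMQ8077 entry."""
    mode, findings = cluster_access_mode(qm_ini), []
    entries = re.split(r"\n-{20,}\n", log_text)  # entries are separated by a dash rule
    for m in filter(None, map(AMQ8077.search, entries)):
        entity, obj, perm = m.group(1), m.group(2).rstrip("."), m.group(3)
        if obj != SCTQ:
            verdict = "object-authority"             # missing grant on that object
        elif mode == "Xmitq":
            verdict = "cluster-put-checked-on-sctq"  # check resolved to the SCTQ
        else:
            verdict = "sctq-opened-by-name"          # RQMName set, SCTQ still named
        findings.append((entity, obj, perm, verdict))
    return findings
```

A "cluster-put-checked-on-sctq" verdict is the case discussed above: before granting on the SCTQ, weigh the cluster-wide reach of that grant against switching the Security stanza to RQMName and authorizing the cluster queue name instead.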
PeterPotkay
Posted: Thu Sep 28, 2023 5:57 pm

Poobah

Joined: 15 May 2001
Posts: 7716

exerk wrote:
Giving a user direct access to the SYSTEM.CLUSTER.TRANSMIT.QUEUE (SCTQ) allows that user to put messages to any queue that can be resolved within the cluster serviced by the SCTQ.

Maybe. Maybe not. Depends what the CLUSRCVR channel's PUTAUT parameter is set to and/or what its MCAUSER is.
_________________
Peter Potkay
Keep Calm and MQ On
exerk
Posted: Fri Sep 29, 2023 4:41 am

Jedi Council

Joined: 02 Nov 2006
Posts: 6339

PeterPotkay wrote:
exerk wrote:
Giving a user direct access to the SYSTEM.CLUSTER.TRANSMIT.QUEUE (SCTQ) allows that user to put messages to any queue that can be resolved within the cluster serviced by the SCTQ.

Maybe. Maybe not. Depends what the CLUSRCVR channel's PUTAUT parameter is set to and/or what its MCAUSER is.

Absolutely, and that is addressed within the link I provided, but my answer was given within the context of addressing someone who appears to have a rudimentary understanding of queue manager clustering, would therefore likely set up their cluster(s) in a "vanilla" fashion, and not be using MCAUSER etc.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
bruce2359
Posted: Mon Oct 02, 2023 1:41 pm    Post subject: Re: cluster queue issue MQRC 2035

Poobah

Joined: 05 Jan 2008
Posts: 9400
Location: US: west coast, almost. Otherwise, enroute.

narayanarvr wrote:
I have created one cluster queue which is remote queue, physically defined in QM1 and visible in QM2 ?

Please post the cluster queue definition here.
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.