| |
|
RSS Feed - WebSphere MQ Support
|
RSS Feed - Message Broker Support
|
  |
|
| 2063-security error and 2035-unauthorized access error |
« View previous topic :: View next topic » |
| Author |
Message
|
| schoubal |
 Posted: Thu Aug 23, 2001 2:23 am Post subject: |
 |
|
Newbie
Joined: 15 Aug 2001
Posts: 3
|
Hello - I am having the following problem - I am running a program under userid 'caclsdev' which does not belong to group mqm. We have a queue manager QM1 and an alias queue COS.AR.ALIAS.Q which maps to a local queue on another queue manager. Initially when we tried to put a message on the queue COS.AR.ALIAS.Q we got error '2035' which is MQRC_NOT_AUTHORIZED. Then using 'setmqaut' command I gave +allmqi for the alias queue and +all for the queue manager QM1 for userid caclsdev. After doing this I got error 2063 MQRC_SECURITY_ERROR. The connection to the queue manager does not give any error - the connection to the queue gives this error. When I do QM1.accessQueue with alternate user id as one that belongs to group mqm, i can easily put messages on the alias queue i.e. i use the following method : public synchronized MQQueue accessQueue
(
String queueName, int openOptions,
String queueManagerName,
String dynamicQueueName,
String alternateUserId
)
Throws MQException.
specifying alternate userid as one that belongs to group mqm. I checked the authority of the userid belonging to group mqm and the userid caclsdev using dspmqaut and they are the same except for the crt authority. Can anyone tell me why this is happening ? I have the .FDC file and I have also got the relevant section of the error log if anyone needs it to help resolve this problem. My mail id is schoubal@yahoo.co.uk. Thanks in advance ! |
|
| Back to top |
|
 |
| bduncan |
| Posted: Thu Aug 23, 2001 4:16 pm Post subject: |
|
|
Padawan
Joined: 11 Apr 2001
Posts: 1554
Location: Silicon Valley
|
A couple of preliminary questions...
1) if you are running MQ5.2 or higher, have you tried issuing the REFRESH SECURITY command?
2) you say that dspmqaut shows the same permissions for your test user as well as mqm. Here's my question. Which queue did you run dspmqaut against? Was it the alias queue, or the queue that it is pointing to? Because as it turns out, you can give user "A" one set of permissions on alias queue "X", but that doesn't necessarily mean he'll have those same permissions on local queue "Y", the queue that alias queue "X" points to.
3) You mention that the alias queue points to "a local queue on another queue manager". Normally this is impossible; you cannot point an alias queue directly to a local queue on another queue manager. You CAN however point it to a remote queue on the local queue manager that ultimately resolves to a local queue on another queue manager though. Is this what you are doing? Because if so, you also have to worry about the permissions on the remote queue.
So, I think what we have here is a situation where you realized that the user in question didn't have the appropriate permissions to operate on a queue, but only provided permissions to that particular queue, without giving permissions on any and all intermediate queues.
Hope this helps...
_________________
Brandon Duncan
IBM Certified MQSeries Specialist
MQSeries.net forum moderator |
|
| Back to top |
|
|
| schoubal |
| Posted: Fri Aug 24, 2001 8:38 am Post subject: |
|
|
Newbie
Joined: 15 Aug 2001
Posts: 3
|
Thanks for the response.
I am sorry - i do not the mq series version -i shall look it up on monday and let u know.
I did 'dspmqaut' on the alias queue for both the userid belonging to the group mqm and for the userid caclsdev which does not belong to group mqm. They have the same permissions except for the create which only the userid belonging to group mqm has.
I am sorry about the misquote - u have guessed correctly - i meant to write that the alias queue maps to a remote queue. So do you mean that i have to give caclsdev specific permissions on the remote queue also ?
|
|
| Back to top |
|
|
| bduncan |
| Posted: Fri Aug 24, 2001 10:12 am Post subject: |
|
|
Padawan
Joined: 11 Apr 2001
Posts: 1554
Location: Silicon Valley
|
Yes,
Try running the dspmqaut command against the name of your remote queue. You will notice that various users have permissions on remote queues just as if they were "real" queues. You should ensure that your test user has the appropriate authorities on the remote queue(s) that the alias queue(s) map to...
_________________
Brandon Duncan
IBM Certified MQSeries Specialist
MQSeries.net forum moderator |
|
| Back to top |
|
|
| schoubal |
| Posted: Sun Sep 02, 2001 6:16 am Post subject: |
|
|
Newbie
Joined: 15 Aug 2001
Posts: 3
|
Well I am terribly sorry - I have just discovered the cause of the error. Before giving the appropriate authority to caclsdev to put messages on the alias queue (pointing to the remote queue), I was using MQC.MQOO_ALTERNATE_USER_AUTHORITY while opening the queue and specifying the alternate userid as the user id beloging to mqm group while opening the alias queue. After giving the appropriate authority to caclsdev, I used the simple accessQueue(queue manager name, options) method but in the queue open options i forgot to comment out the alternate user id constant (specified above). As a result of that I was getting this security error.
I have tried the same program giving 'put' in addition to 'get', 'browse', 'inq' to user id caclsdev for the alias queue and caclsdev does not have 'put' permission for the remote queue to which the alias queue maps. And the program works. So the user id need not have the appropriate permissions for the queue to which the alias queue maps to.
Thanks a lot for your help!
[ This Message was edited by: schoubal on 2001-09-02 07:17 ] |
|
| Back to top |
|
|
|
|
|
| |
|
Page 1 of 1 |
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
|
|
|
