tkaravind |
Posted: Tue Mar 16, 2004 1:27 am Post subject: Microsoft Security Patch MS04-007 on MQSeries Server |
|
|
Acolyte
Joined: 24 Jul 2001 Posts: 62
|
Dear Folks,
Recently we applied a security patch to our production MQSeries server on Windows NT.
The patch applied was a fully tested MS04-007 (NT version).
However none of the client machines could make an MQ request after this.
The error thrown was an MQRC = 2063 / MQRC_SECURITY_ERROR.
After that we were forced to remove this patch to resume production.
Has someone faced this problem (or anything similar) earlier?
Since the security policies here mandate that we MUST apply this patch asap, can someone please let us know any steps to be followed on the client or server end on the MQSeries configuration (if any) if this patch should not create trouble?
I checked up the FDCs generated on that particular day. No clues there. These were highly cryptic and only reported an internal MQSeries error.
Thanks in advance.
Aravind |
|
JasonE |
Posted: Tue Mar 16, 2004 2:33 am Post subject: |
|
|
Grand Master
Joined: 03 Nov 2003 Posts: 1220 Location: Hursley
|
This is not a problem which has reached IBM Service as far as I can tell, and lots of people have applied that security patch. Chances are there's other things going on at the same time. Take a trace of the 2063 (MQRC_SECURITY_ERROR) - What's the first hit across the traces for "SECURITY_ERROR"? |
|
tkaravind |
Posted: Tue Mar 16, 2004 2:48 am Post subject: |
|
|
Acolyte
Joined: 24 Jul 2001 Posts: 62
|
Hi Jason,
Many thanks for the response.
Should I use some utility to get the trace you are referring to?
As of now I only have the AMQ* FDCs for that server.
Can you please elaborate?
Thanks & Regards,
Aravind |
|
JasonE |
Posted: Tue Mar 16, 2004 2:54 am Post subject: |
|
|
Grand Master
Joined: 03 Nov 2003 Posts: 1220 Location: Hursley
|
What's in the FDCs? Clear them all out, and generate the error - Can you paste in here the header box + callstack (the top paragraph after the header box) for the first FDC produced (look at the timestamps if there is more than one).
Hold off trace until I've seen the FDCs, but you generate it with strmqtrc -t detail -t all, recreate problem, endmqtrc. |
|
tkaravind |
Posted: Tue Mar 16, 2004 3:45 am Post subject: |
|
|
Acolyte
Joined: 24 Jul 2001 Posts: 62
|
Hi Jason,
Here goes ...
+-----------------------------------------------------------------------------+
| |
| MQSeries First Failure Symptom Report |
| ===================================== |
| |
| Date/Time :- Thu March 11 08:36:49 Singapore Standard Time 2004 |
| Host Name :- APRSSGPFPNMBP02 (NT Version 4.0 Build 1381: Service |
| Pack 6) |
| PIDS :- 5639B43 |
| LVLS :- 5200 |
| Product Long Name :- MQSeries for Windows NT and Windows 2000 |
| Vendor :- IBM |
| Probe Id :- ZF077020 |
| Application Name :- MQM |
| Component :- zfu_as_GetGroupSidList |
| Build Date :- Mar 27 2002 |
| CMVC level :- p520-CSD04G |
| Build Type :- IKAP - (Production) |
| UserID :- MUSR_MQADMIN |
| Process Name :- G:\MQM\BIN\amqzlaa0.exe |
| Process :- 00000070 |
| Thread :- 00000348 |
| QueueManager :- SGGATEP1 |
| Major Errorcode :- xecF_E_UNEXPECTED_SYSTEM_RC |
| Minor Errorcode :- OK |
| Probe Type :- MSGAMQ6119 |
| Probe Severity :- 2 |
| Probe Description :- AMQ6119: An internal MQSeries error has occurred |
| (rc=1722: NetUserGetLocalGroups: (null) |
| Comment1 :- rc=1722: NetUserGetLocalGroups: (null): |
| |
| |
+-----------------------------------------------------------------------------+
MQM Function Stack
zlaMainThread
zlaProcessMessage
zlaProcessSPIRequest
zlaSPIAdoptUser
zsqSPIAdoptUser
kpiSPIAdoptUser
kqiAuthorityChecks
gpiCheckObjectAuthority
zfu_as_checkobjectauthority
zfu_as_calculateauthority
zfu_as_GetGroupSidList
xcsFFST
.
.
.
Tx & Regards,
Aravind |
|
JasonE |
Posted: Tue Mar 16, 2004 8:41 am Post subject: |
|
|
Grand Master
Joined: 03 Nov 2003 Posts: 1220 Location: Hursley
|
Hmmm - 1722 ("The RPC server is unavailable"). You would have to take that one up with Microsoft. We've hit 1722 a handful of times, one did result in a fix (Q281312), and if you say you hit the problem with a hot fix and when you remove it you don't, it does look like the hotfix is the culprit.
I can add I haven't seen or heard of this through the support channel so I don't know why you are different but it's probably something environmental. |
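The FDC triage described in the posts above (take the first report by timestamp, read the header box and function stack, look up the rc the OS call returned), as an added example that is not part of the original thread or of any IBM tooling. The names `parse_fdc`, `first_fdc` and `WIN32_RC` are hypothetical, and the Date/Time layout is assumed to match the report quoted above.

```python
import re
from datetime import datetime

# Constructed input: the report quoted in this thread, abridged to the lines used here.
SAMPLE_FDC = """\
| Date/Time :- Thu March 11 08:36:49 Singapore Standard Time 2004 |
| Probe Id :- ZF077020 |
| Component :- zfu_as_GetGroupSidList |
| Probe Description :- AMQ6119: An internal MQSeries error has occurred |
| (rc=1722: NetUserGetLocalGroups: (null) |
+----------------------------------------------------------------+
MQM Function Stack
zlaMainThread
zfu_as_GetGroupSidList
xcsFFST
"""

# A few of the Win32/NetAPI codes NetUserGetLocalGroups is documented to return.
WIN32_RC = {5: "ERROR_ACCESS_DENIED", 1722: "RPC_S_SERVER_UNAVAILABLE",
            2221: "NERR_UserNotFound"}

def parse_fdc(text):
    """Return header fields, the failing OS call with its rc, and the function stack."""
    fields, stack, last, in_stack = {}, [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "MQM Function Stack":
            in_stack = True
        elif in_stack:
            if not re.fullmatch(r"\w+", line):
                break                      # a blank line or "." ends the stack
            stack.append(line)
        elif line.startswith("|"):
            body = line.strip("|").strip()
            key, sep, value = body.partition(":-")
            if sep:                        # "Name :- value"
                last = key.strip()
                fields[last] = value.strip()
            elif body and last:            # wrapped continuation of the previous field
                fields[last] += " " + body
    m = re.search(r"rc=(\d+): (\w+)", fields.get("Probe Description", ""))
    rc = int(m.group(1)) if m else None
    ts = re.match(r"\w+ (\w+ \d+ [\d:]+) .*?(\d{4})$", fields.get("Date/Time", ""))
    when = datetime.strptime(" ".join(ts.groups()), "%B %d %H:%M:%S %Y") if ts else None
    return {"fields": fields, "stack": stack, "when": when, "rc": rc,
            "api": m.group(2) if m else None, "rc_name": WIN32_RC.get(rc, "unknown")}

def first_fdc(texts):
    """Pick the earliest report by its Date/Time header."""
    return min((parse_fdc(t) for t in texts), key=lambda r: r["when"])
```

On the sample this reports `NetUserGetLocalGroups` failing with 1722 inside `zfu_as_GetGroupSidList`, which places the failure in the operating system's group lookup rather than in the queue manager's authority data.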
|
tkaravind |
Posted: Wed Mar 17, 2004 3:15 am Post subject: |
|
|
Acolyte
Joined: 24 Jul 2001 Posts: 62
|
Hi Jason,
Yes. It looks like we will have to recreate the problem. We plan to apply the patch on another NT server and check whether the RPC service is stuck somehow.
Should we turn on the MQSeries trace also? Will it offer some more help?
I checked up the Microsoft website on this particular error (i.e. RPC server unavailable) ... It states this may be due to:
a) The RPC service may not be started.
b) You are unable to resolve a DNS or NetBIOS name.
c) An RPC channel cannot be established.
Thanks & Regards,
Aravind |
|
JasonE |
Posted: Wed Mar 17, 2004 4:52 am Post subject: |
|
|
Grand Master
Joined: 03 Nov 2003 Posts: 1220 Location: Hursley
|
I don't think MQ trace will help - it really is a low level o/s thing. Chances are it's coming from NetUserGetLocalGroups, and if the o/s can't perform the call, MQ is stuck. I don't like to pass on problems, but this really would need to go to Microsoft support. If you raise a problem with IBM support as well, you can get a contact for MS to work with if they need technical info about what MQ is doing, but I suspect they can diagnose without that. |
|