| Author |
Message
|
| AviD |
 Posted: Wed Sep 13, 2006 11:21 am Post subject: Remote SAVEQMGR from AIX to Windows = 2035 |
 |
|
Acolyte
Joined: 06 Apr 2004
Posts: 62
|
$ saveqmgr -m Z -r Y -F Y.txt
SAVEQMGR V6.0.3
Compiled for Websphere MQ V6.0 on Aug 29 2006
Requesting attributes of the queue manager...
(mqutils.c) No reply msg, make sure command server is started (strmqcsv qmgr-name)
DLQ has a message with a 2035, but it is a dynamic queue and the message is being sent with the mqm User Id.
Reason: MQRC_NOT_AUTHORIZED
Destination Queue: SAVEQMGR.44B2DDEF20171301
What auth needs to be set here? Group mqm exists, and MUSR_MQADMIN belongs to it on the Windows server.
Command server is started, so the error message is misleading. |
|
| Back to top |
|
 |
| wschutz |
| Posted: Wed Sep 13, 2006 11:26 am Post subject: |
|
|
Jedi Knight
Joined: 02 Jun 2005
Posts: 3316
Location: IBM (retired)
|
Is this in the dlq on Z or Y?
_________________
-wayne |
|
| Back to top |
|
|
| AviD |
| Posted: Wed Sep 13, 2006 11:28 am Post subject: |
|
|
Acolyte
Joined: 06 Apr 2004
Posts: 62
|
| On Y's DLQ (Windows qmgr) |
|
| Back to top |
|
|
| wschutz |
| Posted: Wed Sep 13, 2006 11:36 am Post subject: |
|
|
Jedi Knight
Joined: 02 Jun 2005
Posts: 3316
Location: IBM (retired)
|
can you use amqsbcg to dump the entire message and paste it here?
_________________
-wayne |
|
| Back to top |
|
|
| AviD |
| Posted: Wed Sep 13, 2006 11:49 am Post subject: |
|
|
Acolyte
Joined: 06 Apr 2004
Posts: 62
|
Here she is...
****Message descriptor****
StrucId : 'MD ' Version : 2
Report : 0 MsgType : 1
Expiry : 1707 Feedback : 0
Encoding : 546 CodedCharSetId : 437
Format : 'MQDEAD '
Priority : 0 Persistence : 0
MsgId : X'414D51205744313120202020202020200666DB442000956E'
CorrelId : X'000000000000000000000000000000000000000000000000'
BackoutCount : 0
ReplyToQ : 'SAVEQMGR.44B2DDEF20172001 '
ReplyToQMgr : 'UD01 '
** Identity Context
UserIdentifier : 'mqm '
AccountingToken :
X'0137000000000000000000000000000000000000000000000000000000000006'
ApplIdentityData : ' '
** Origin Context
PutApplType : '11'
PutApplName : 'ebSphere MQ\bin\AMQPCSEA.EXE'
PutDate : '20060913' PutTime : '19483207'
ApplOriginData : ' '
GroupId : X'000000000000000000000000000000000000000000000000'
MsgSeqNumber : '1'
Offset : '0'
MsgFlags : '0'
OriginalLength : '-1'
**** Message ****
length - 208 bytes
00000000: 444C 4820 0100 0000 F307 0000 5341 5645 'DLH ....ó...SAVE'
00000010: 514D 4752 2E34 3442 3244 4445 4632 3031 'QMGR.44B2DDEF201'
00000020: 3732 3030 3120 2020 2020 2020 2020 2020 '72001 '
00000030: 2020 2020 2020 2020 2020 2020 5544 3031 ' UD01'
00000040: 2020 2020 2020 2020 2020 2020 2020 2020 ' '
00000050: 2020 2020 2020 2020 2020 2020 2020 2020 ' '
00000060: 2020 2020 2020 2020 2020 2020 2202 0000 ' "...'
00000070: B501 0000 4D51 4144 4D49 4E20 0600 0000 'µ...MQADMIN ....'
00000080: 2020 2020 2020 2020 2020 2020 2020 2020 ' '
00000090: 2020 2020 2020 2020 2020 2020 3230 3036 ' 2006'
000000A0: 3039 3133 3139 3438 3332 3035 0100 0000 '091319483205....'
000000B0: 2400 0000 0100 0000 0200 0000 0100 0000 '$...............'
000000C0: 0100 0000 0000 0000 0000 0000 0000 0000 '................' |
|
| Back to top |
|
|
| wschutz |
| Posted: Wed Sep 13, 2006 12:44 pm Post subject: |
|
|
Jedi Knight
Joined: 02 Jun 2005
Posts: 3316
Location: IBM (retired)
|
Okay, so the qmgr name is really "UD01" (no Z) correct? Is that the AIX qmgr? If so, is that also the name of a xmitq?
Would it be easier just to use saveqmgrc.aix and use a MQ client connection to the aix machine?
_________________
-wayne |
|
| Back to top |
|
|
| AviD |
| Posted: Wed Sep 13, 2006 12:52 pm Post subject: |
|
|
Acolyte
Joined: 06 Apr 2004
Posts: 62
|
Yeah the client one works, it's just a matter of enabling it across our infrastructure and getting SVRCONN channels set up on all queue managers for this purpose. It can be done, just weighing out the options right now and testing the newest SAVEQMGR.
We have centralized hubs in place for all regions that already have the sender/receiver channels setup to communicate between all internal queue managers. So from a management perspective this would be easier (?).
Yes, UD01 is the AIX qmgr in this example, WD11 the Windows one. I gave up obscuring after the first few pastes! 
The XMIT queue names are the same WD11 (XMIT) in this case is defined on UD01. UD01 is the local queue manager we are running on/through. |
|
| Back to top |
|
|
| wschutz |
| Posted: Wed Sep 13, 2006 1:05 pm Post subject: |
|
|
Jedi Knight
Joined: 02 Jun 2005
Posts: 3316
Location: IBM (retired)
|
If it windows, you should have an Event message in the event log detailing exactly what the security error was .....
_________________
-wayne |
|
| Back to top |
|
|
| jefflowrey |
| Posted: Wed Sep 13, 2006 1:34 pm Post subject: |
|
|
Grand Poobah
Joined: 16 Oct 2002
Posts: 19981
|
| AviD wrote: |
| The XMIT queue names are the same WD11 (XMIT) in this case is defined on UD01. UD01 is the local queue manager we are running on/through. |
Is there an XMITQ named UD01 on WD11?
_________________
I am *not* the model of the modern major general. |
|
| Back to top |
|
|
| AviD |
| Posted: Thu Sep 14, 2006 6:02 am Post subject: |
|
|
Acolyte
Joined: 06 Apr 2004
Posts: 62
|
wayne:
I didn't see anything in the Event Viewer logs (App/Security/System) indicating any issue. Is that where you mean?
jeff:
Yes there is an XMIT UD01 on WD11 and the respective triggering for channel initiation with appropriate sender/receiver channels to/from WD11 and UD01.
The message is landing on the DLQ on WD11 with a 2035 security error, yet the 'mqm' group exists on the WD11 Windows server with MUSR_MQADMIN belonging to it (per the installation).
How can I trace where the security error is? I don't see any security errors in the Windows Event Viewer logs. |
|
| Back to top |
|
|
| wschutz |
| Posted: Thu Sep 14, 2006 7:14 am Post subject: |
|
|
Jedi Knight
Joined: 02 Jun 2005
Posts: 3316
Location: IBM (retired)
|
Okay, I've looked at the message and the DLQ in detail and am a bit confused, as I would expect to see a REPLY message from the command server (whats there is a request message) and it appears that the cmdserver is just sending back the message it got from saveqmgr (ie MQCMD_INQUIRE_Q_MGR).
Can you try creating a different ID on the unix system (like: ms03), create that id in windows and give it the right mq authorities?
_________________
-wayne |
|
| Back to top |
|
|
| AviD |
| Posted: Thu Sep 14, 2006 7:36 am Post subject: |
|
|
Acolyte
Joined: 06 Apr 2004
Posts: 62
|
wayne:
Some more info. I enabled authority events and grabbed the following off the SYSTEM.ADMIN.QMGR.EVENT queue by using the MO71 support pac:
Command :44 (QMgr Event)
Reason :2035 (Not authorized.)
Parameter Id :2015 (QMgr Name)
Value :'WD11 '
Parameter Id :1020 (Reason Qualifier)
Value :2 [0x'2'] MQRQ_OPEN_NOT_AUTHORIZED
Parameter Id :2016 (Q Name)
Value :'SAVEQMGR.44B2DDEF20174501 '
Parameter Id :1022 (Open Options)
Value :4368 [0x'1110']
Parameter Id :3025 (User Identifier)
Value :'mqm '
Parameter Id :1 (Appl Type)
Value :11 [0x'B'] MQAT_WINDOWS_NT
Parameter Id :3024 (Appl Name)
Value :'ebSphere MQ\bin\AMQPCSEA.EXE'
Parameter Id :3023 (Object QMgr Name)
Value :'UD01 '
Looks like mqm can't open the dynamic queue for the SAVEQMGR? |
|
| Back to top |
|
|
| wschutz |
| Posted: Thu Sep 14, 2006 8:01 am Post subject: |
|
|
Jedi Knight
Joined: 02 Jun 2005
Posts: 3316
Location: IBM (retired)
|
do you have a userid 'mqm' on that machine (windows)? afaik, you can't have a local user called 'mqm' and a group called 'mqm' in windows..which is why I suggested creating a different userid (ms03)
_________________
-wayne |
|
| Back to top |
|
|
| AviD |
| Posted: Thu Sep 14, 2006 9:03 am Post subject: |
|
|
Acolyte
Joined: 06 Apr 2004
Posts: 62
|
Right, you can't have an mqm user id and group, there is only the mqm group.
So you are saying to create a separate id under AIX and add that user to the Windows box under the mqm group, essentially an application id. |
|
| Back to top |
|
|
| wschutz |
| Posted: Thu Sep 14, 2006 9:45 am Post subject: |
|
|
Jedi Knight
Joined: 02 Jun 2005
Posts: 3316
Location: IBM (retired)
|
Precisely...
_________________
-wayne |
|
| Back to top |
|
|
|
|
