| Author |
Message
|
| gpklos |
 Posted: Thu Apr 12, 2007 5:42 am Post subject: runmqtmc authority |
 |
|
Centurion
Joined: 24 May 2002
Posts: 108
|
I'm curious, we are trying to run the runmqtmc program on a client platform. However when we run the program it says something like "running the trigger monitor is not authorized". Depending on the id we use, sometimes it works and sometimes it doesn't. It seems like as long as the id that runs the trigger monitor is in the mqm group of the MQ server, it runs, but if not it fails. However since it seems like the id that runs the runmqtmc command is also the id that the process when it triggers I didn't want that id to be in the mqm group because now it can get to everything. Is there some special permission that can be given to that id so that it can run the trigger monitor, but only have access to specific queues?
Thanks,
Gary |
|
| Back to top |
|
 |
| Vitor |
| Posted: Thu Apr 12, 2007 5:47 am Post subject: |
|
|
Grand High Poobah
Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA
|
Does it say something like "running the trigger monitor is not authorised" or something exactly like that?
It sounds like the trigger monitor is not authorised to use the initq under a non-mqm id. You should check the permissions of the user id you're using, or not use the system init queue.
_________________
Honesty is the best policy.
Insanity is the best defence. |
|
| Back to top |
|
|
| jefflowrey |
| Posted: Thu Apr 12, 2007 5:48 am Post subject: |
|
|
Grand Poobah
Joined: 16 Oct 2002
Posts: 19981
|
| Vitor wrote: |
| You should check the permissions of the user id you're using, or not use the system init queue. |
I would say "AND not use the system init queue".
Don't use it, please. Don't use *any* SYSTEM. objects for any application purposes.
_________________
I am *not* the model of the modern major general. |
|
| Back to top |
|
|
| wschutz |
| Posted: Thu Apr 12, 2007 8:39 am Post subject: |
|
|
Jedi Knight
Joined: 02 Jun 2005
Posts: 3316
Location: IBM (retired)
|
Maybe you can tell us which op sys and post the exact message you're getting.
_________________
-wayne |
|
| Back to top |
|
|
| gpklos |
| Posted: Thu Apr 12, 2007 8:42 am Post subject: |
|
|
Centurion
Joined: 24 May 2002
Posts: 108
|
I'm not using the SYSTEM.*.initq. I'm using an application initiation queue. When I first ran the trigger monitor I expected to see a 2035 saying the id didn't have access to the initiation queue, since authority wasn't given for that. But I got that other message and it made me think maybe running the trigger monitor program might require some other security, like being in the mqm group, etc. Anyways I gave the id authority to PUT/GET/DISPLAY/INQ against the initiation queue and I think things are working ok. I will try a couple of more things shortly.
Thanks for your help,
Gary |
|
| Back to top |
|
|
| wschutz |
| Posted: Thu Apr 12, 2007 8:45 am Post subject: |
|
|
Jedi Knight
Joined: 02 Jun 2005
Posts: 3316
Location: IBM (retired)
|
and I assume the ID has CONNECT authority to the qmgr.
_________________
-wayne |
|
| Back to top |
|
|
| fjb_saper |
| Posted: Thu Apr 12, 2007 2:43 pm Post subject: |
|
|
Grand High Poobah
Joined: 18 Nov 2003
Posts: 20756
Location: LI,NY
|
| gpklos wrote: |
I'm not using the SYSTEM.*.initq. I'm using an application initiation queue. When I first ran the trigger monitor I expected to see a 2035 saying the id didn't have access to the initiation queue, since authority wasn't given for that. But I got that other message and it made me think maybe running the trigger monitor program might require some other security, like being in the mqm group, etc. Anyways I gave the id authority to PUT/GET/DISPLAY/INQ against the initiation queue and I think things are working ok. I will try a couple of more things shortly.
Thanks for your help,
Gary |
Remember as well that you need put authority to the DLQ.
_________________
MQ & Broker admin |
|
| Back to top |
|
|
| gpklos |
| Posted: Fri Apr 13, 2007 8:19 am Post subject: |
|
|
Centurion
Joined: 24 May 2002
Posts: 108
|
Thanks, I forgot about the PUT authority to the DLQ.
It is working great btw.
Gary |
|
| Back to top |
|
|
| gpklos |
| Posted: Fri Apr 13, 2007 11:48 am Post subject: |
|
|
Centurion
Joined: 24 May 2002
Posts: 108
|
Wayne,
I have a question. I got MA7K to work on my pc talking to a queue manager, however when we set up the service on a server that has only the client installed, when you try to start the service it fails with a 2277.
I'm using the MQCONNX option with the options below. Have you seen this error with the MQCONNX before?
Global:
ShortTmr=60
ShortRty=10
LongTmr=1200
LongRty=999999999
EventLevel=2
WaitInterval=60000
** The following is used to indicate where to find the key repository
** It is only relevant if one or more threads use MQCONNX (see "threads" below)
* KeyRepository=C:\mqm\Qmgrs\SSLTEST\ssl\key
** You can specify a service userid (in the form: domain\user) and password
** if ServiceUserid is specified but ServicePassword is NOT specified, then setup will
** prompt for it. If neither is specified, then "LocalSystem" is used.
** If the user is invalid, you will receive a "Error number 1057" at setup time
** Ensure the user has rights to logon as a service
ServiceUserid=HDQ\asetest
ServicePassword=password
**
** The following only applys to Lotus Notes agents, see the readme
**
AgentRedirStdout=Yes
**
** If you wish to run this with the server libraries, change the
** following line to:
**
* MQSeriesDLL=mqm.dll
**
MQSeriesDLL=mqic32.dll
** For each thread to run, there is a "thread" stanza, maximum 16 stanzas
** Queue Manager names and Notes ini file names are optional.
** This defines a simple thread to read from the default initiation queue
** Thread:
** TriggerQueueName=SYSTEM.DEFAULT.INITIATION.QUEUE
** This defines a thread to read from a initq on qmgr "Venus"
* Thread:
* TriggerQueueName=MY.INITQ
* TriggerQueueMgrName=Venus
** This allows us to use the qmgr group facility of the client
* Thread:
* TriggerQueueName=MY.INITQ
* TriggerQueueMgrName=*QmgrGroup
** We can explicity call out the Notes ini filename for this thread
* Thread:
* TriggerQueueName=MY.INITQ
* NotesIni=c:\lotus\notes\mynotes.ini
** Or we can say to get the name from the Envrdata field of the trigger message
* Thread:
* TriggerQueueName=MY.INITQ
* NotesIni=Envrdata
** Or we can say to get the name from the Userdata field of the trigger message
* Thread:
* TriggerQueueName=MY.INITQ
* NotesIni=Userdata
** Or we can say to get the name from the Trigdata field of the trigger message
* Thread:
* TriggerQueueName=MY.INITQ
* NotesIni=Trigdata
* This thread uses MQCONNX to make the connection to the remote qmgr.
* MQCONNX is used when the CONNAME and CHANNEL parameters are specified, everything else
* can be defaulted.
Thread:
TriggerQueueName=SB.SE_REGISTER_SYNC.INITQ
CONNAME=USTA.psc.uss.com
CHANNEL=CLTRIGMON.USTA.CL
* These are optional and default to values shown
* Please note that chained exits are not supported, so you can only specify one exit for each exit type.
* LOCLADDR=
* HBINT=300
* RCVDATA=
* RCVEXIT=
* SCYDATA=
* SCYEXIT=
* SENDDATA=
* SENDEXIT=
* USERID=
* SSLCIPH=
* SSLPEER=
* KAINT=AUTO
*
*** End of sample |
|
| Back to top |
|
|
|
|
