zhanghz |
Posted: Tue Jul 01, 2008 2:41 am Post subject: MQ Explorer to administer QMGR on z/OS: not authorised |
|
|
Disciple
Joined: 17 Jun 2008 Posts: 186
|
I got this error when I tried to connect from my MQ Explorer on Windows to a QMGR on z/OS:
Explorer cannot administer the queue manager because the user is not authorised to open the queue 'SYSTEM.MQEXPLORER.REPLY.MODEL'. (AMQ4401)
Is it possible to resolve this without touching RACF?
Thanks. |
|
RogerLacroix |
Posted: Tue Jul 01, 2008 8:39 pm Post subject: Re: MQ Explorer to administer QMGR on z/OS: not authorised |
|
|
 Jedi Knight
Joined: 15 May 2001 Posts: 3264 Location: London, ON Canada
|
Hi,
zhanghz wrote: |
Explorer cannot administer the queue manager because the user is not authorised to open the queue 'SYSTEM.MQEXPLORER.REPLY.MODEL'. (AMQ4401)
Is it possible to resolve this without touching RACF? |
So, you want us to help you breach your mainframe MQ security setup?
Wouldn't it be better to talk to your z/OS MQAdmin?
Regards,
Roger Lacroix
Capitalware Inc. _________________ Capitalware: Transforming tomorrow into today.
Connected to MQ! |
|
zhanghz |
Posted: Tue Jul 01, 2008 11:08 pm Post subject: |
|
|
Disciple
Joined: 17 Jun 2008 Posts: 186
|
I have a TSO ID and can access the z/OS qmgr's MQ objects in TSO. How can I run MQ Explorer under my TSO ID from my computer? I assume that way I will be able to connect to the qmgr on z/OS, as I will be connecting to it using my TSO ID, right? I tried to run MQ Explorer by using "Run as..." with my TSO ID (I created this user on my computer with the same name as my TSO ID and added it to the mqm group), but only the DOS window showed and disappeared, and the MQ Explorer window was not loaded..
I don't want to go to RACF for this, as RACF is controlled by the company we are supporting. They would probably say: why do you want to use MQ Explorer, you have always been checking from z/OS itself, haven't you..
Thanks. |
|
AkankshA |
Posted: Tue Jul 01, 2008 11:10 pm Post subject: |
|
|
 Grand Master
Joined: 12 Jan 2006 Posts: 1494 Location: Singapore
|
Which version of MQ at z/OS and of Explorer? _________________ Cheers |
|
zhanghz |
Posted: Tue Jul 01, 2008 11:14 pm Post subject: |
|
|
Disciple
Joined: 17 Jun 2008 Posts: 186
|
MQ version on z/OS is v6
MQ version on my computer is v6.0.2.4. |
|
fjb_saper |
Posted: Wed Jul 02, 2008 1:43 pm Post subject: |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
zhanghz wrote: |
MQ version on z/OS is v6
MQ version on my computer is v6.0.2.4. |
You'll probably need an SSL client setup with a corresponding svrconn chl with your z/OS user in the chl mcauser. Enjoy _________________ MQ & Broker admin |
|
zhanghz |
Posted: Wed Jul 02, 2008 9:12 pm Post subject: |
|
|
Disciple
Joined: 17 Jun 2008 Posts: 186
|
fjb reminded me.. The MCAUSER...
I simply altered the SYSTEM.ADMIN.SVRCONN of my QMGR on z/OS to use my TSO ID as the MCAUSER. Now I can connect!
No wonder I saw somewhere saying that MCAUSER opens some security concerns...
fjb, is that why you also mentioned using SSL?
[edit] Oh, yes, I think that's what fjb meant.. Sorry, I had just had lunch and felt sleepy and didn't fully understand fjb's post at first.. hahaha, thanks fjb. |
|
zhanghz |
Posted: Thu Jul 03, 2008 12:57 am Post subject: |
|
|
Disciple
Joined: 17 Jun 2008 Posts: 186
|
Hi fjb, can you shed some light on how to enable SSL? I added ciphspec on admin.svrconn, but don't know how to add it for the client side (my MQ Explorer).. Now I am getting:
CSQX639E CSQXRESP No cipher specification for remote channel SYSTEM.ADMIN.SVRCONN
Thanks. |
|
zpat |
Posted: Thu Jul 03, 2008 4:59 am Post subject: |
|
|
 Jedi Council
Joined: 19 May 2001 Posts: 5866 Location: UK
|
SSL is not needed, just run Explorer under a Windows id that matches the RACF one with the necessary access.
Lower case id will work providing you have at least CSD 1 on V6 client. |
|
zhanghz |
Posted: Thu Jul 03, 2008 6:43 pm Post subject: |
|
|
Disciple
Joined: 17 Jun 2008 Posts: 186
|
Better add SSL, otherwise whoever knows my TSO ID will be able to use MQ Explorer to connect to QMGRs on z/OS. I will be in trouble if they change any settings.
Based on my limited knowledge of client connections, there are 2 methods for a client to connect to a QMGR: one is to use the MQSERVER variable and a svrconn defined on the QMGR, the other is to define both svrconn and clntconn on the QMGR and use a client channel definition table on the client side. My guess is ......
[EDIT]Found some info. Trying... |
|
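An added example, not part of any post in this thread: a small audit of the setup discussed above, where a SVRCONN channel has a fixed MCAUSER and SSL is what limits who can use it. The channel stanzas are constructed sample data, and the SSLCAUTH and SSLPEER channel attributes are not named in the thread; they are the standard attributes that decide whether a client certificate is required and which certificate DN is accepted.

```python
import re

# Constructed sample: channel attributes in MQSC KEYWORD(value) form, one
# stanza per channel. Names, user id and DN are illustrative placeholders.
SAMPLE = """
CHANNEL(SYSTEM.ADMIN.SVRCONN) CHLTYPE(SVRCONN)
MCAUSER(TSOUSR1) SSLCIPH( ) SSLCAUTH(REQUIRED) SSLPEER( )

CHANNEL(EXPLORER.TLS.SVRCONN) CHLTYPE(SVRCONN)
MCAUSER(TSOUSR1) SSLCIPH(TRIPLE_DES_SHA_US) SSLCAUTH(REQUIRED)
SSLPEER(CN=explorer-admin,O=Example)

CHANNEL(APP.SVRCONN) CHLTYPE(SVRCONN)
MCAUSER( ) SSLCIPH( ) SSLCAUTH(REQUIRED) SSLPEER( )
"""

ATTR = re.compile(r"([A-Z]+)\(([^)]*)\)")

def parse_channels(text):
    """Split on blank lines; each stanza becomes a dict of attributes."""
    channels = []
    for stanza in re.split(r"\n\s*\n", text.strip()):
        attrs = {key: value.strip() for key, value in ATTR.findall(stanza)}
        if "CHANNEL" in attrs:
            channels.append(attrs)
    return channels

def audit(channels):
    """Return {channel: [findings]} for SVRCONN channels with a fixed MCAUSER."""
    findings = {}
    for ch in channels:
        # A blank MCAUSER is a separate question and is not assessed here.
        if ch.get("CHLTYPE") != "SVRCONN" or not ch.get("MCAUSER"):
            continue
        issues = []
        if not ch.get("SSLCIPH"):
            issues.append("no SSLCIPH: any client reaching the channel runs as MCAUSER")
        else:
            if ch.get("SSLCAUTH") != "REQUIRED":
                issues.append("SSLCAUTH not REQUIRED: client certificate is optional")
            if not ch.get("SSLPEER"):
                issues.append("no SSLPEER: any certificate the key ring trusts is accepted")
        if issues:
            findings[ch["CHANNEL"]] = issues
    return findings

if __name__ == "__main__":
    for name, issues in audit(parse_channels(SAMPLE)).items():
        print(name, "->", "; ".join(issues))
```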
zhanghz |
Posted: Thu Jul 03, 2008 8:41 pm Post subject: |
|
|
Disciple
Joined: 17 Jun 2008 Posts: 186
|
Er, I gave up, for now. Still can't get it to work. Now I get "CSQX634E CSQXRESP SSL certificate failed remote check". Seems my MQ Explorer can't validate the cert sent by my z/OS QMGR..
The z/OS QMGR cert is self-signed. I extracted it and downloaded it to my computer. I then created a jks keystore and added the z/OS cert as a "Signer cert" into the jks keystore in the correct format "ibmwebspheremq<zos qmgr name>". I can't add the z/OS cert as a "personal cert" into the jks keystore, is that why I failed?
Thanks. |
|
bruce2359 |
Posted: Sat Jul 05, 2008 7:59 pm Post subject: |
|
|
 Poobah
Joined: 05 Jan 2008 Posts: 9469 Location: US: west coast, almost. Otherwise, enroute.
|
Quote: |
Is it possible to resolve this without touching RACF? |
No. If there isn't a RACF rule (profile) granting you access to this resource, you can't access it.
Adding SSL around the edges will not circumvent RACF. RACF manages SSL stuff on z/OS. _________________ I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live. |
|
zhanghz |
Posted: Thu Jul 10, 2008 7:42 pm Post subject: |
|
|
Disciple
Joined: 17 Jun 2008 Posts: 186
|
I opened my MQ Explorer and tried to connect to the z/OS QMGR, and now it can connect already! I didn't change anything since last time I "gave up"... Maybe the jks keystore on my computer was not refreshed last time....
Happy that it's working now. haha.
Next thing is, how can I connect to multiple QMGRs using a client channel definition table... |
|