Author |
Message
|
ArunSridharan |
Posted: Tue Feb 12, 2008 4:51 am Post subject: AMQ8145: Connection broken when using runmqsc |
|
|
Newbie
Joined: 12 Feb 2008 Posts: 5
|
Hi,
When I'm using runmqsc <mqmname> it says "AMQ8145: Connection broken". However, runmqsc is working fine with the mqm id. My id is not in the mqm group, but permissions for connecting to mqm are provided using the setmqaut command. This problem is happening only after the MQ upgrade to V6 from 5.3. Any comments on this are appreciated.
Also note that I've already restarted the qmanager a couple of times.
OS: SunOS 5.8
MQ:6.0.2.2
$ dspmqaut -m MY_MQM -t qmgr -p my_id
Entity my_id has the following authorizations for object MY_MQM:
inq
connect
dsp
setid
$ dspmqaut -m MY_MQM -t qmgr -g my_group
Entity my_group has the following authorizations for object MY_MQM
inq
connect
dsp
setid |
|
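An added example, not part of the original post or of any IBM tooling: a small parser for dspmqaut output in the form shown above, which reports authorities outside a display-only baseline. The baseline set (connect, inq, dsp) and the function names are assumptions chosen to match the thread's stated goal of letting developers view but not alter objects.

```python
import re

# Assumed display-only baseline for the qmgr object (hypothetical policy,
# chosen to match the thread's goal of "view but not alter").
READ_ONLY_QMGR = {"connect", "inq", "dsp"}

# Output copied from the two dspmqaut calls in the first post.
SAMPLE = """\
Entity my_id has the following authorizations for object MY_MQM:
inq
connect
dsp
setid
Entity my_group has the following authorizations for object MY_MQM
inq
connect
dsp
setid
"""

# The trailing colon is optional because the post shows both forms.
HEADER = re.compile(
    r"^Entity (\S+) has the following authorizations for object (\S+?):?$"
)

def parse_dspmqaut(text):
    """Return {(entity, object): set(authorities)} from dspmqaut output."""
    grants, current = {}, None
    for raw in text.splitlines():
        line = raw.strip().rstrip("|").strip()
        if not line or line.startswith("$"):
            continue  # skip blanks and echoed shell prompts
        m = HEADER.match(line)
        if m:
            current = (m.group(1), m.group(2))
            grants[current] = set()
        elif current is not None:
            grants[current].add(line.lower())
    return grants

def excess_authorities(grants, allowed=READ_ONLY_QMGR):
    """Map each entity/object pair to authorities outside the baseline."""
    return {k: sorted(v - allowed) for k, v in grants.items() if v - allowed}

if __name__ == "__main__":
    for (entity, obj), extra in excess_authorities(parse_dspmqaut(SAMPLE)).items():
        print(f"{entity} on {obj}: beyond display-only -> {', '.join(extra)}")
```

Run against the output in the first post, it reports setid for both my_id and my_group, since that authority is not in the assumed baseline.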
Vitor |
Posted: Tue Feb 12, 2008 5:02 am Post subject: |
|
|
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
|
Why are you using runmqsc with a non-mqm id? _________________ Honesty is the best policy.
Insanity is the best defence. |
|
ArunSridharan |
Posted: Tue Feb 12, 2008 5:08 am Post subject: |
|
|
Newbie
Joined: 12 Feb 2008 Posts: 5
|
runmqsc is not restricted for use only by mqm id. It can be used by any id, provided the id has authorisation to connect to that MQM. |
|
Vitor |
Posted: Tue Feb 12, 2008 5:10 am Post subject: |
|
|
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
|
Perhaps a better way of phrasing my question is what are you trying to achieve using a command line administrative tool with a non-administrative id?
Another question (which I'll attempt to phrase more carefully) is what does the queue manager log report at the time in question, if anything? _________________ Honesty is the best policy.
Insanity is the best defence. |
|
ArunSridharan |
Posted: Tue Feb 12, 2008 5:29 am Post subject: |
|
|
Newbie
Joined: 12 Feb 2008 Posts: 5
|
The environment is more controlled and we could just connect to the mqm using a non-mqm id and view the curdepth, channel status, etc.
There are a lot of developers who would need to verify the depth and status of q's/channels, but should not alter any objects.
I did not see any error/warning in the mq log. |
|
jefflowrey |
Posted: Tue Feb 12, 2008 5:34 am Post subject: |
|
|
Grand Poobah
Joined: 16 Oct 2002 Posts: 19981
|
runmqsc is not a great tool for developers, in general.
If you have an enterprise monitoring solution for your queue managers, it should also provide a (web based, likely) tool for developers to browse queues and etc.
It will then also provide a lot more auditability of the access as well as granular security. In a centrally controlled location, no less.
That said, either you're having an MQ security problem, or you're having some other weird problem.
Enable Authority Events and see if you generate any when you get this 'connection broken' problem. _________________ I am *not* the model of the modern major general. |
|
Vitor |
Posted: Tue Feb 12, 2008 5:42 am Post subject: |
|
|
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
|
ArunSridharan wrote: |
The environment is more controlled and we could just connect to the mqm using a non-mqm id and view the curdepth, channel status, etc.
There are a lot of developers who would need to verify the depth and status of q's/channels, but should not alter any objects.
|
Under v5.3 (when this worked for you) was the access of the developers actually limited, i.e. if a non-mqm group member issued an ALTER or DEFINE command was it declined by the queue manager?
I'd say your non-mqm id can no longer open the command queue if I had to say, but I didn't think this worked under v5.3.
Shows what I know, and why I have the sig I do. _________________ Honesty is the best policy.
Insanity is the best defence. |
|
Nigelg |
Posted: Tue Feb 12, 2008 6:04 am Post subject: |
|
|
Grand Master
Joined: 02 Aug 2004 Posts: 1046
|
Quote: |
runmqsc is not restricted for use only by mqm id. It can be used by any id, provided the id has authorisation to connect to that MQM.
|
This is not true. See IY95566. _________________ MQSeries.net helps those who help themselves.. |
|
ArunSridharan |
Posted: Tue Feb 12, 2008 6:34 am Post subject: |
|
|
Newbie
Joined: 12 Feb 2008 Posts: 5
|
We have been using MQV6.0.2.1 so far in other environments.
Does this (IY95566) mean from MQV6.0.2.2 non-mqm users cannot use the runmqsc command? |
|
Vitor |
Posted: Tue Feb 12, 2008 6:52 am Post subject: |
|
|
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
|
ArunSridharan wrote: |
We have been using MQV6.0.2.1 so far in other environments. |
I repeat my earlier question: do these users have true limited access in that attempts they make to define queues, etc. are declined?
It's sounding more and more like you have a security problem. _________________ Honesty is the best policy.
Insanity is the best defence. |
|
markt |
Posted: Tue Feb 12, 2008 6:57 am Post subject: |
|
|
 Knight
Joined: 14 May 2002 Posts: 508
|
Quote: |
runmqsc is not restricted for use only by mqm id. It can be used by any id, provided the id has authorisation to connect to that MQM. |
Since that is not true of the product, as shipped, you must have done something to change the file permissions. And if you don't do it right, it won't work. (And whether it's supported or recommended are other matters.) |
|
ArunSridharan |
Posted: Tue Feb 12, 2008 6:59 am Post subject: |
|
|
Newbie
Joined: 12 Feb 2008 Posts: 5
|
Yes, it's a true limited access achieved using setmqaut.
The non mqm users are given display access only to the queues that they need to support. If they try to alter the q or view the depth of other q's in the same mqm it would result in 2035 err. |
|
Vitor |
Posted: Tue Feb 12, 2008 7:01 am Post subject: |
|
|
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
|
ArunSridharan wrote: |
it would result in 2033 err. |
It should result in a 2035 if you're using setmqaut!  _________________ Honesty is the best policy.
Insanity is the best defence. |
|
Vitor |
Posted: Tue Feb 12, 2008 7:04 am Post subject: |
|
|
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
|
markt wrote: |
(And whether it's supported or recommended are other matters.) |
And only IBM can answer that. I wouldn't be surprised to discover there was a "feature" in a previous version that allowed this to work.
FWIW I've never seen runmqsc used outside the admin team. Not sure I'd be comfortable with it in the wild, but maybe I'm just paranoid as well as jaded. _________________ Honesty is the best policy.
Insanity is the best defence. |
|
jefflowrey |
Posted: Tue Feb 12, 2008 7:11 am Post subject: |
|
|
Grand Poobah
Joined: 16 Oct 2002 Posts: 19981
|
|