PeterPotkay |
Posted: Fri Nov 07, 2008 6:30 am Post subject: Trigger Monitor Service - ID that it runs as |
|
|
 Poobah
Joined: 15 May 2001 Posts: 7722
|
Windows 2003, MQ 6.0.2.4
We have the trigger monitor configured to start and stop with the Queue Manager as a Server Service object, as explained here:
http://publib.boulder.ibm.com/infocenter/wmqv6/v6r0/topic/com.ibm.mq.amqzag.doc/fa11460_.htm
It works fine, but the triggered application then runs under the ID that MQSeries is running under. How do we avoid this? The issue is the application is telling us they need to have the password for our MQSeries account so that the triggered process can access various things (something with print drivers - more info pending). Can the Trigger Monitor run as a different ID or can the Trigger Monitor spawn the triggered processes under a different ID?
What about IBM Support Pack MA7K?
http://www-01.ibm.com/support/docview.wss?rs=171&uid=swg24000149&loc=en_US&cs=utf-8&lang=en
It's typically used for the Client Trigger Monitor, but the read me has the following:
Ability to specify service Userid and password at install time.
.
.
.
This SupportPac provides a trigger monitor (TM) which runs as a Windows service, and is intended to be used with the WebSphere MQ client (mqic32.dll). (The service can be run as a "local" WebSphere MQ program with some restrictions.)
.
.
.
----------------------------------------------------
Running the trigger monitor as a local application:
----------------------------------------------------
MA7K may also run as a local program, instead of as an MQ client.
To run MA7K as a local program, edit the setup.ini file, changing the following keyword in the "Global" stanza:
MQSeriesDLL=mqm.dll
To run as a client, edit the key back to:
MQSeriesDLL=mqic32.dll
So this looks like a possibility too. We could just make the MA7K Service dependent on the MQSeries Service. But what are the restrictions mentioned when running it as a local Trigger Monitor? Has anyone used MA7K in bindings mode that cares to share their experience?
I would prefer to solve this inside base MQ if possible over using an "unsupported" Support Pack (no offense Jeff), but if MA7K is the easiest way, so be it.
_________________
Peter Potkay
Keep Calm and MQ On |
mqjeff |
Posted: Fri Nov 07, 2008 6:38 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008 Posts: 17447
|
You should be able to configure the Server Service to run a script that does a contact admin of runmqtrm, to cause it to execute as a different user.
Then the TM is running as the application service user, and the program is also. |
PeterPotkay |
Posted: Fri Nov 07, 2008 6:53 am Post subject: |
|
|
 Poobah
Joined: 15 May 2001 Posts: 7722
|
mqjeff wrote: |
You should be able to configure the Server Service to run a script that does a contact admin of runmqtrm, to cause it to execute as a different user.
|
I think the contact admin command will require that we hardcode the password in the script, a no-no.
_________________
Peter Potkay
Keep Calm and MQ On |
mqjeff |
Posted: Fri Nov 07, 2008 7:21 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008 Posts: 17447
|
I had a sense you'd raise that objection...
But I'm not sure it's true. I haven't played with this.
You can also look at changing the program that gets started, instead of changing the trigger monitor service itself. You still end up having to deal with how to spawn a process under a different user, though.
You could also write a Scheduled Task to start the trigger monitor, instead of using svrany or the MQ Service, or maybe use the MQ Service to start the scheduled task. |
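The Scheduled Task route suggested in the post above, as an added example that is not code from any poster in this thread: it runs `runmqtrm` under a dedicated account and lets Task Scheduler hold the credential, so no password appears in a script. The queue manager, queue, account and task names are constructed placeholders, and the authority set is an assumed minimum for a trigger monitor.

```bat
@echo off
rem Added example, not from the thread. Run as an MQ administrator.
rem All names below are constructed placeholders; change them for your site.
setlocal
set QMGR=QM1
set INITQ=SYSTEM.DEFAULT.INITIATION.QUEUE
set SVC_USER=MYDOMAIN\svc_apptrigger
set MQ_PRINCIPAL=svc_apptrigger@MYDOMAIN
set TASK=MQ Trigger Monitor %QMGR%

rem 1. Give the dedicated account only what the trigger monitor itself needs
rem    (assumed minimum: connect to the queue manager, get from the
rem    initiation queue). It is deliberately NOT added to the mqm group.
rem    The triggered application's own queues need separate grants.
setmqaut -m %QMGR% -t qmgr -p %MQ_PRINCIPAL% +connect +inq
if errorlevel 1 goto :fail
setmqaut -m %QMGR% -n %INITQ% -t queue -p %MQ_PRINCIPAL% +get +inq
if errorlevel 1 goto :fail

rem 2. Create the task. /rp is omitted on purpose: schtasks then prompts for
rem    the password with hidden input and Task Scheduler stores it, so the
rem    credential is never written into this file.
rem    Assumes runmqtrm is on the system PATH (the MQ bin directory).
schtasks /create /tn "%TASK%" /sc onstart /ru %SVC_USER% /tr "runmqtrm -m %QMGR% -q %INITQ%"
if errorlevel 1 goto :fail

rem 3. Show what the account ended up with, for the change record.
dspmqaut -m %QMGR% -t qmgr -p %MQ_PRINCIPAL%
dspmqaut -m %QMGR% -n %INITQ% -t queue -p %MQ_PRINCIPAL%

echo Task "%TASK%" created to run as %SVC_USER%.
endlocal
exit /b 0

:fail
echo Setup failed; see the error above. 1>&2
endlocal
exit /b 1
```

With `/sc onstart` the task can fire before the queue manager is running, which is the reason the post also floats having the MQ Service start the task. The account additionally needs the "Log on as a batch job" right to run a scheduled task.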
bruce2359 |
Posted: Fri Nov 07, 2008 7:33 am Post subject: |
|
|
 Poobah
Joined: 05 Jan 2008 Posts: 9469 Location: US: west coast, almost. Otherwise, enroute.
|
A wish-list item: trigger monitor attribute where we can specify the userid under which the triggered applications will execute.
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live. |
PeterPotkay |
Posted: Fri Nov 07, 2008 9:02 am Post subject: |
|
|
 Poobah
Joined: 15 May 2001 Posts: 7722
|
Turning our attention back to MA7K, what are the "some restrictions" mentioned in the read me if I decide to run MA7K in bindings mode?
_________________
Peter Potkay
Keep Calm and MQ On |
mqjeff |
Posted: Fri Nov 07, 2008 10:02 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008 Posts: 17447
|
It didn't come up in the turnover discussions I had with Wayne.
I do not see anything specifically in the code that would impose any restrictions.
Likely, then, it's alluding to the fact that you won't be able to connect to remote queue managers from the same service instance if you run it as a bindings application. So if you need to do a trigger monitor to a local queue manager and another to a remote queue manager, you'll have to define two different service instances of MA7K.
I'm still pursuing it though, and will update this thread if I find anything more. |
mqjeff |
Posted: Fri Nov 07, 2008 1:26 pm Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008 Posts: 17447
|
This may be obvious, but of course one can't use queue manager wildcards when connecting using bindings - because there's no CCDT to do the resolution against. |
PeterPotkay |
Posted: Fri Nov 07, 2008 2:18 pm Post subject: |
|
|
 Poobah
Joined: 15 May 2001 Posts: 7722
|
I wonder if there are any restrictions in MA7K bindings mode versus MA7K client mode, outside of any considerations that would apply to any and all applications considering client vs. bindings. I'm guessing / hoping not.
_________________
Peter Potkay
Keep Calm and MQ On |
mqjeff |
Posted: Fri Nov 07, 2008 4:47 pm Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008 Posts: 17447
|
I don't see anything in the MA7K code that would indicate any imposed limitations, outside of the normal client/bindings limitations.
I was able to speak to Wayne as well, and nothing came to mind. |