| Author |
Message
|
| pfarrel |
 Posted: Fri Dec 03, 2010 9:08 am Post subject: Event Message for MQCMD_INQUIRE_Q |
 |
|
Centurion
Joined: 16 Mar 2004
Posts: 120
Location: Kansas City
|
I keep getting an event message written to SYSTEM.ADMIN.QMGR.EVENT, and I can't figure it out.
The reason is MQRQ_CMD_NOT_AUTHORIZED, the command is MQCMD_INQUIRE_Q. Also in the message is the queue manager name and the userid. There is no queue name in the event message. The userid is OP, and its primary group is SUPER. I have tried several setmqaut commands for group SUPER, but it won't stop.
Here are some I have tried:
setmqaut -m HPQMP1 -t qmgr -g SUPER +all +alladm +allmqi
setmqaut -m HPQMP1 -t q -n \*\* -g SUPER +all +alladm +allmqi
Any ideas ? |
|
| Back to top |
|
 |
| exerk |
| Posted: Fri Dec 03, 2010 9:46 am Post subject: |
|
|
Jedi Council
Joined: 02 Nov 2006
Posts: 6339
|
As it's group SUPER, am I correct to assume this is HP-NSS?
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
|
| Back to top |
|
|
| pfarrel |
| Posted: Fri Dec 03, 2010 11:17 am Post subject: |
|
|
Centurion
Joined: 16 Mar 2004
Posts: 120
Location: Kansas City
|
Yes, it is WMQ version 5.3.1.5 on NSK.
It looks somewhat similar to MQ on other UNIX platforms. |
|
| Back to top |
|
|
| exerk |
| Posted: Fri Dec 03, 2010 11:50 am Post subject: |
|
|
Jedi Council
Joined: 02 Nov 2006
Posts: 6339
|
| pfarrel wrote: |
Yes, it is WMQ version 5.3.1.5 on NSK.
It looks somewhat similar to MQ on other UNIX platforms. |
What does a dump of the auths for the queue manager and queues show for SUPER.SUPER and SUPER.OP?
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
|
| Back to top |
|
|
| pfarrel |
| Posted: Fri Dec 03, 2010 12:31 pm Post subject: |
|
|
Centurion
Joined: 16 Mar 2004
Posts: 120
Location: Kansas City
|
Here it is:
/G/SYS1/MQSERIES: amqoamd -m HPQMP1 -s|grep SUPER
setmqaut -m HPQMP1 -n PMQR -t queue -g SUPER +browse +get +inq +passall +passid +put +set +setall +setid
setmqaut -m HPQMP1 -n PMQS -t queue -g SUPER +browse +get +inq +passall +passid +put +set +setall +setid
setmqaut -m HPQMP1 -n PMQX -t queue -g SUPER +browse +get +inq +passall +passid +put +set +setall +setid
setmqaut -m HPQMP1 -n BES.WIRE.FROMBESS -t queue -g SUPER +browse +get +inq +passall +passid +put +set +setall +setid
setmqaut -m HPQMP1 -n BES.SERVICE.REPLY -t queue -g SUPER +browse +get +inq +passall +passid +put +set +setall +setid
setmqaut -m HPQMP1 -n BES.MAGNET.BAT.REPLY -t queue -g SUPER +browse +get +inq +passall +passid +put +set +setall +setid
setmqaut -m HPQMP1 -n BES.WIRE.TOBESS -t queue -g SUPER +browse +get +inq +passall +passid +put +set +setall +setid
setmqaut -m HPQMP1 -n BES.SERVICE.REQUEST -t queue -g SUPER +browse +get +inq +passall +passid +put +set +setall +setid
setmqaut -m HPQMP1 -n BES.MAGNET.BAT.REQUEST -t queue -g SUPER +browse +get +inq +passall +passid +put +set +setall +setid
setmqaut -m HPQMP1 -n BES.SAMEDAY.REPORTING -t queue -g SUPER +browse +get +inq +passall +passid +put +set +setall +setid
setmqaut -m HPQMP1 -n BES.CIF.REPLY -t queue -g SUPER +browse +get +inq +passall +passid +put +set +setall +setid +chg +clr +dlt +dsp
setmqaut -m HPQMP1 -n BES.BAL.REPLY -t queue -g SUPER +browse +get +inq +passall +passid +put +set +setall +setid +chg +clr +dlt +dsp
setmqaut -m HPQMP1 -n SYSTEM.ADMIN.COMMAND.QUEUE -t queue -g SUPER +browse +get +inq +passall +passid +put +set +setall +setid +chg +clr +dlt +dsp
setmqaut -m HPQMP1 -n SYSTEM.DEFAULT.MODEL.QUEUE -t queue -g SUPER +browse +get +inq +passall +passid +put +set +setall +setid +chg +clr +dlt +dsp
setmqaut -m HPQMP1 -t qmgr -g SUPER +altusr +connect +inq +set +setall +setid +chg +dlt +dsp
setmqaut -m HPQMP1 -n ** -t queue -g SUPER +browse +get +inq +passall +passid +put +set +setall +setid +chg +clr +dlt +dsp
setmqaut -m HPQMP1 -t qmgr -g SUPER +None
setmqaut -m HPQMP1 -n SYSTEM.DEFAULT.LOCAL.QUEUE -t queue -g SUPER +None
/G/SYS1/MQSERIES: |
|
| Back to top |
|
|
| exerk |
| Posted: Fri Dec 03, 2010 1:50 pm Post subject: |
|
|
Jedi Council
Joined: 02 Nov 2006
Posts: 6339
|
I'd say that there is a better than even chance the queue being inquired upon is not in that list. Unfortunately, this being that 'funny' platform, you can't use the MQS_REPORT_NOAUTH variable to find out exactly which resource has the attempted access.
What did you use to read the event message, amqsbcg? Can you paste the output of what you got please?
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
|
| Back to top |
|
|
| pfarrel |
| Posted: Fri Dec 03, 2010 2:19 pm Post subject: |
|
|
Centurion
Joined: 16 Mar 2004
Posts: 120
Location: Kansas City
|
I was using the utility MO71 to display and format the messages. Here is one of them:
[ 364 bytes] Message Descriptor (MQMD)
StrucId :'MD '
Version :2
Report :00000000
Message Type :8 (Datagram)
Expiry :-1
Feedback :0 (None)
MQEncoding :0x'111'
CCSID :819
Format :'MQEVENT '
Priority :0
Persistence :0 (Not Persistent)
Message Id :A M Q H P Q M P 1 . . . . . . . .
414D51204850514D50312020202020200F0DBEDEDDB7E0BA
'AMQ HPQMP1 ........'
Correl. Id :. . . . . . . . . . . . . . . . . . . . . . . .
000000000000000000000000000000000000000000000000
'........................'
Backout Cnt. :0
ReplyToQ :' '
ReplyToQMgr :'HPQMP1 '
UserId :' '
AccountingTkn:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
0000000000000000000000000000000000000000000000000000000000000000
ApplIndentity:' '
PutApplType :7 (Queue Manager)
PutApplName :'HPQMP1 '
Put Date :'20101203'
Put Time :'16554797'
ApplOriginDat:' '
Group Id :. . . . . . . . . . . . . . . . . . . . . . . .
000000000000000000000000000000000000000000000000
Msg Seq No. :1
Offset :0
MsgFlags :00000000
Original Len.:-1
[ 168 bytes] Event Header (MQCFH)
Type :7 (Event)
Struc Length :36
Version :1
Command :44 (QMgr Event)
Sequence No. :1
Control :1 (Last)
CompCode :1 (Warning)
Reason :2035 (Not authorized.)
Parm Count :4
[ 132 bytes] String (MQCFST)
Type :4 (String)
Struc Length :68
Parameter Id :2015 (QMgr Name)
CCSID :0
String Length:48
Value :'HPQMP1 '
[ 64 bytes] Integer (MQCFIN)
Type :3 (Integer)
Struc Length :16
Parameter Id :1020 (Reason Qualifier)
Value :4 [0x'4'] MQRQ_CMD_NOT_AUTHORIZED
[ 48 bytes] Integer (MQCFIN)
Type :3 (Integer)
Struc Length :16
Parameter Id :1021 (Command)
Value :13 [0x'D'] MQCMD_INQUIRE_Q
[ 32 bytes] String (MQCFST)
Type :4 (String)
Struc Length :32
Parameter Id :3025 (User Identifier)
CCSID :0
String Length:12
Value :'OP ' |
|
| Back to top |
|
|
| pfarrel |
| Posted: Fri Dec 03, 2010 2:53 pm Post subject: |
|
|
Centurion
Joined: 16 Mar 2004
Posts: 120
Location: Kansas City
|
| I should probably add that the program this is attempting this access is HP/Openview, it is supposed to be reporting on queue depths for some queues. So it is probably trying to inspect the current depth of all queues. |
|
| Back to top |
|
|
| exerk |
| Posted: Fri Dec 03, 2010 3:13 pm Post subject: |
|
|
Jedi Council
Joined: 02 Nov 2006
Posts: 6339
|
What does the Openview documentation state in relation to setting it up for WMQ, and was there anything in the 'payload' of the event message? Does amqsbcg throw up any further information?
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
|
| Back to top |
|
|
| pfarrel |
| Posted: Mon Dec 06, 2010 4:40 am Post subject: |
|
|
Centurion
Joined: 16 Mar 2004
Posts: 120
Location: Kansas City
|
Here is a printout of one of the messages using the MA96 utility:
MD:(364=x16C bytes)
00000000:4D442020 02000000 00000000 08000000 [MD ............]
00000010:FFFFFFFF 00000000 11010000 33030000 [............3...]
00000020:4D514556 454E5420 00000000 00000000 [MQEVENT ........]
00000030:414D5120 4850514D 50312020 20202020 [AMQ HPQMP1 ]
00000040:0F0DBF17 902E4D72 00000000 00000000 [..¿..Mr........]
00000050:00000000 00000000 00000000 00000000 [................]
00000060:00000000 20202020 20202020 20202020 [.... ]
00000070:20202020 20202020 20202020 20202020 [ ]
00000080-0000008F same as above
00000090:20202020 4850514D 50312020 20202020 [ HPQMP1 ]
000000A0:20202020 20202020 20202020 20202020 [ ]
000000B0-000000CF same as above
000000D0:00000000 00000000 00000000 00000000 [................]
000000E0-000000EF same as above
000000F0:20202020 20202020 20202020 20202020 [ ]
00000100-0000010F same as above
00000110:07000000 4850514D 50312020 20202020 [....HPQMP1 ]
00000120:20202020 20202020 20202020 20202020 [ ]
00000130:32303130 31323036 31323334 32303234 [2010120612342024]
00000140:20202020 00000000 00000000 00000000 [ ............]
00000150:00000000 00000000 00000000 01000000 [................]
00000160:00000000 00000000 FFFFFFFF [............]
|> Version : 2
|> Report : (none)
|> MsgType : DATAGRAM
|> Expiry : -1
|> Feedback : 0
|> Encoding : 273 INTEGER_NORMAL / DECIMAL_NORMAL / FLOAT_IEEE_NORMAL
|> CodedCharSetId : 819 (ISO 8859-1 ASCII)
|> Format : MQEVENT (Event)
|> Priority : 0
|> Persistence : NOT_PERSISTENT
|> MsgId : 414D5120 4850514D 50312020 20202020 0F0DBF17 902E4D72 [AMQ HPQMP1 ..¿..Mr]
|> CorrelId : (null)
|> BackoutCount : 0
|> ReplyToQ :
|> ReplyToQMgr : HPQMP1
|> UserIdentifier :
|> AccountingToken : (null)
|> ApplIdentityData :
|> PutApplType : queue manager
|> PutApplName : HPQMP1
|> PutDate : 20101206
|> PutTime : 12342024
|> ApplOriginData :
|> --- MD version 2----------
|> GroupId : (null)
|> MsgSeqNumber : 1
|> Offset : 0
|> MsgFlags : (none)
|> OriginalLength : -1
DataLength:168
Buffer:(168=xA8 bytes)
00000000:00000007 00000024 00000001 0000002C [.......$.......,]
00000010:00000001 00000001 00000001 000007F3 [...............ó]
00000020:00000004 00000004 00000044 000007DF [...........D...ß]
00000030:00000000 00000030 4850514D 50312020 [.......0HPQMP1 ]
00000040:20202020 20202020 20202020 20202020 [ ]
00000050-0000005F same as above
00000060:20202020 20202020 00000003 00000010 [ ........]
00000070:000003FC 00000004 00000003 00000010 [...ü............]
00000080:000003FD 0000000D 00000004 00000020 [...ý........... ]
00000090:00000BD1 00000000 0000000C 4F502020 [...Ñ........OP ]
000000A0:20202020 20202020 [ ]
|> ----- offset 0-167 (=x0-xA7) length 168 (=xA8) - MQCFH (PCF header and parameters)
|> Type : EVENT
|> StrucLength : 36
|> Version : 1
|> Command : 44 (Q_MGR_EVENT)
|> MsgSeqNumber : 1
|> Control : LAST
|> CompCode : 1
|> Reason : 2035 (MQRC_NOT_AUTHORIZED)
|> ParameterCount : 4
|> ------------------------ : --- 1 --- offset 36-103 (=x24-x67) length 68 (=x44)
|> (parm) - Type : STRING
|> (parm) - Length : 68
|> (parm) - Parameter : 2015 (Q_MGR_NAME)
|> (parm) - CodedCharSetId : 0 (default / queue_manager)
|> (parm) - Length : 48
|> (parm) - Value : HPQMP1
|> ------------------------ : --- 2 --- offset 104-119 (=x68-x77) length 16 (=x10)
|> (parm) - Type : INTEGER
|> (parm) - Length : 16
|> (parm) - Parameter : 1020 (IACF_REASON_QUALIFIER)
|> (parm) - Value : 4 (cmd not authorized)
|> ------------------------ : --- 3 --- offset 120-135 (=x78-x87) length 16 (=x10)
|> (parm) - Type : INTEGER
|> (parm) - Length : 16
|> (parm) - Parameter : 1021 (IACF_COMMAND)
|> (parm) - Value : 13 (INQUIRE_Q)
|> ------------------------ : --- 4 --- offset 136-167 (=x88-xA7) length 32 (=x20)
|> (parm) - Type : STRING
|> (parm) - Length : 32
|> (parm) - Parameter : 3025 (CACF_USER_IDENTIFIER)
|> (parm) - CodedCharSetId : 0 (default / queue_manager)
|> (parm) - Length : 12
|> (parm) - Value : OP |
|
| Back to top |
|
|
| exerk |
| Posted: Mon Dec 06, 2010 4:59 am Post subject: |
|
|
Jedi Council
Joined: 02 Nov 2006
Posts: 6339
|
OK. I'm all out of ideas as to how to identify the 'offending' resource, sorry 
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
|
| Back to top |
|
|
| gbaddeley |
| Posted: Mon Dec 06, 2010 2:32 pm Post subject: |
|
|
Jedi Knight
Joined: 25 Mar 2003
Posts: 2538
Location: Melbourne, Australia
|
| exerk wrote: |
| OK. I'm all out of ideas as to how to identify the 'offending' resource, sorry |
Could it be that user 'OP' does not have authority to open the Queue Manager object for inquiry?
Its very common for monitoring s/w to do this, to obtain the actual qmgr name, version, description, ccsid, etc.
_________________
Glenn |
|
| Back to top |
|
|
| exerk |
| Posted: Mon Dec 06, 2010 3:06 pm Post subject: |
|
|
Jedi Council
Joined: 02 Nov 2006
Posts: 6339
|
| gbaddeley wrote: |
| Could it be that user 'OP' does not have authority to open the Queue Manager object for inquiry? |
Also my last thought, but for...
| Quote: |
| The userid is OP, and its primary group is SUPER |
...and
| Quote: |
| setmqaut -m HPQMP1 -t qmgr -g SUPER +altusr +connect +inq +set +setall +setid +chg +dlt +dsp |
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
|
| Back to top |
|
|
| gbaddeley |
| Posted: Mon Dec 06, 2010 7:53 pm Post subject: |
|
|
Jedi Knight
Joined: 25 Mar 2003
Posts: 2538
Location: Melbourne, Australia
|
| exerk wrote: |
| I'd say that there is a better than even chance the queue being inquired upon is not in that list. Unfortunately, this being that 'funny' platform, you can't use the MQS_REPORT_NOAUTH variable to find out exactly which resource has the attempted access. |
Refer to http://www-01.ibm.com/support/docview.wss?uid=swg21299319
MQS_REPORT_NOAUTH environment variable can be used to better diagnose return code 2035 (MQRC_NOT_AUTHORIZED)
and http://www-01.ibm.com/support/docview.wss?uid=swg21377578
Using MQSAUTHERRORS to generate FDC files related to RC 2035 (MQRC_NOT_AUTHORIZED)
MQ trace can show where the authorization error occurs. Look for kqiAuthorityChecks in trace of amqzlaa0 process, and text like
| Code: |
Principal(fredb ) EntityType(1)
ObjectName(SYSTEM.DEAD.LETTER.QUEUE ) ObjectType(5)
PrimaryOnly(0) AccessTemplate(8) Authorization(100018) |
EntityType 1=Userl 2=Group
AccessTemplate is auths needed (sum of MQZAO_ values)
Authorization is auths they have
I haven't used this technique for a long time!
_________________
Glenn |
|
| Back to top |
|
|
|
|
