You are not authorized to perform this operation.
sraghukumar
Posted: Thu Jun 09, 2011 9:32 am    Post subject: You are not authorized to perform this operation.

Apprentice

Joined: 15 Feb 2011
Posts: 49

Hi There,

I have created a server connection channel and I have set all permissions on that channel for my ID using the setmqaut command. I am still not able to connect to the remote queue manager using the server connection channel I have created.

I get the error below all the time.

AMQ4036
Severity
10 : Warning
Message
Access not permitted. You are not authorized to perform this operation.
Explanation
The queue manager's security mechanism has indicated that the userid associated with this request is not authorized to access the object.
---------------------------------------------------------------------------------
But if I try connecting using mqm then I will be able to connect to that queue manager.
---------------------------------------------------------------------------------
Vitor
Posted: Thu Jun 09, 2011 9:41 am    Post subject: Re: You are not authorized to perform this operation.

Grand High Poobah

Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA

sraghukumar wrote:
I have set all permissions on that channel for my ID using the setmqaut command


I would put it to you that you have attempted to do this, but have been unsuccessful. As you've provided no details about the setmqaut you issued, the user id you're using and its group membership (or indeed what OS this is), it's hard to give you any advice.

Except the usual steps in diagnosing a security problem.

sraghukumar wrote:
But if I try connecting using mqm then I will be able to connect to that queue manager.


And you felt that telling us you can successfully connect using the admin id which bypasses the security checks would surprise us? Or was in some way relevant to the problem with your other id?
_________________
Honesty is the best policy.
Insanity is the best defence.
sraghukumar
Posted: Thu Jun 09, 2011 10:14 am    Post subject: hi

Apprentice

Joined: 15 Feb 2011
Posts: 49

@ Vitor,
Thank you for your response.

'my' user id is not a part of the 'mqm' group,
'my' user id is part of the 'dev' group.
Group 'dev' is not a part of the 'mqm' group.

I am not able to connect using 'my' id.
My primary question is: should I always be a part of the mqm group, or should the group I belong to be part of the mqm group?


I am using MQ 7 on Solaris.

Thank you,
Raghu
sraghukumar
Posted: Thu Jun 09, 2011 10:19 am

Apprentice

Joined: 15 Feb 2011
Posts: 49

Sorry, I forgot to give the setmqaut commands.

Channel:

setmqaut -m MQ1 -n "my" -t chl -g dev -remove
setmqaut -m MQ1 -n "my" -t chl -g dev +chg +dlt +dsp +ctrl +ctrlx

Queue Manager:

setmqaut -m MQ1 -t qmgr -g dev -all
setmqaut -m MQ1 -t qmgr -g dev +chg +dlt +dsp +setall +setid +altusr +connect +inq +set +system

My ID is part of the 'dev' group and not part of the 'mqm' group.
The 'dev' group is not part of the 'mqm' group.

Thank you
mqjeff
Posted: Thu Jun 09, 2011 10:21 am

Grand Master

Joined: 25 Jun 2008
Posts: 17447

And do you get the MQRC 2035 on the MQCONN or on an MQOPEN?
Vitor
Posted: Thu Jun 09, 2011 10:28 am

Grand High Poobah

Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA

mqjeff wrote:
And do you get the MQRC 2035 on the MQCONN or on an MQOPEN?




You've not posted the command you used to authorize use of queue objects.
_________________
Honesty is the best policy.
Insanity is the best defence.
sraghukumar
Posted: Thu Jun 09, 2011 10:30 am

Apprentice

Joined: 15 Feb 2011
Posts: 49

@ Jeff

No, I don't get any of that. I get "Access not permitted. You are not authorized to perform this operation."
I am trying to connect to that queue manager using the toolkit. I have set MCA user id = dev (the group name which I am part of).

I believe group 'dev' should be part of mqm? Am I correct?
sraghukumar
Posted: Thu Jun 09, 2011 10:34 am

Apprentice

Joined: 15 Feb 2011
Posts: 49

@Vitor
I am not using any command to authorize queue objects.
"I am not sure why I should need queue authorization to connect to the queue manager." Do I really need it?
mqjeff
Posted: Thu Jun 09, 2011 10:38 am

Grand Master

Joined: 25 Jun 2008
Posts: 17447

sraghukumar wrote:
@ Jeff

No, I don't get any of that. I get "Access not permitted. You are not authorized to perform this operation."
I am trying to connect to that queue manager using the toolkit. I have set MCA user id = dev (the group name which I am part of).

I believe group 'dev' should be part of mqm? Am I correct?


What toolkit?

WebSphere Message Broker Toolkit?

No, 'dev' should not be part of mqm.

You should enable authority events on the queue manager.

Then you should connect again.

Then you should review the event messages and validate the missing accesses, which I'm sure include at least one object with a name like "SYSTEM.BROKER".

If this is indeed Message Broker Toolkit.
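The procedure mqjeff outlines above (enable authority events, reconnect, review what was raised), as an added shell example that is not part of any poster's message. It assumes runmqsc and dspmqaut are on the PATH of an MQ administrator; MQ1, dev and the channel name my are the thread's values, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes runmqsc and dspmqaut are on PATH.
QMGR="${QMGR:-MQ1}"              # queue manager name used in the thread
GROUP="${GROUP:-dev}"            # group the setmqaut commands were issued for
CHANNEL="${CHANNEL:-my}"         # channel name from the setmqaut commands
EVENTQ=SYSTEM.ADMIN.QMGR.EVENT   # queue that receives authority events

# Turn authority events on and show the resulting setting.
enable_authority_events() {
    printf '%s\n' 'ALTER QMGR AUTHOREV(ENABLED)' 'DISPLAY QMGR AUTHOREV' |
        runmqsc "$QMGR"
}

# Current depth of the event queue, parsed from the runmqsc output.
event_depth() {
    echo "DISPLAY QLOCAL($EVENTQ) CURDEPTH" | runmqsc "$QMGR" |
        sed -n 's/.*CURDEPTH(\([0-9][0-9]*\)).*/\1/p'
}

# new_events BEFORE AFTER: number of events raised between two readings.
new_events() { echo $(( $2 - $1 )); }

# The identity the channel runs under, and what the group is granted
# on the queue manager and on the channel object.
show_identity_and_grants() {
    echo "DISPLAY CHANNEL('$CHANNEL') MCAUSER" | runmqsc "$QMGR"
    dspmqaut -m "$QMGR" -t qmgr -g "$GROUP"
    dspmqaut -m "$QMGR" -n "$CHANNEL" -t channel -g "$GROUP"
}

if [ "${1:-}" = "run" ]; then
    enable_authority_events
    before=$(event_depth)
    printf 'Retry the Toolkit connection, then press Enter: '
    read -r _
    after=$(event_depth)
    # Each new event names the object and carries a reason qualifier:
    # MQRQ_CONN_NOT_AUTHORIZED for a refused MQCONN,
    # MQRQ_OPEN_NOT_AUTHORIZED for a refused MQOPEN.
    echo "authority events raised: $(new_events "$before" "$after")"
    show_identity_and_grants
fi
```

Called with the argument run, it reports how many authority events the retry produced; the event messages themselves still have to be browsed on SYSTEM.ADMIN.QMGR.EVENT to read the object names.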
Vitor
Posted: Thu Jun 09, 2011 10:52 am

Grand High Poobah

Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA

sraghukumar wrote:
@Vitor
I am not using any command to authorize queue objects.
"I am not sure why I should need queue authorization to connect to the queue manager." Do I really need it?


If you have no authority against any of the queue objects, what exactly are you going to do once you've connected to the queue manager? What exactly is the point of connecting to the queue manager in that circumstance? What do you plan to do without queue access?
_________________
Honesty is the best policy.
Insanity is the best defence.
sraghukumar
Posted: Thu Jun 09, 2011 11:01 am

Apprentice

Joined: 15 Feb 2011
Posts: 49

@Jeff

Yes, I am talking about WMB Toolkit.

You should enable authority events on the queue manager. Can you just tell me what all should be enabled? Are you talking about "queue manager and channel"? That's all, I believe, right?
Vitor
Posted: Thu Jun 09, 2011 11:07 am

Grand High Poobah

Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA

sraghukumar wrote:
mqjeff wrote:
You should enable authority events on the queue manager.
Can you just tell me what all should be enabled?


Authority events should be enabled. That's all. Look them up in the InfoCenter.

sraghukumar wrote:
Are you talking about "queue manager and channel"? That's all, I believe, right?


Wrong. I repeat my previous point - if all you have is authority to connect to the queue manager, and no authority to use any objects the queue manager owns, what exactly are you planning to do? What can you do in a queue manager without access to any queues?

And certainly WMB Toolkit won't work without the queue access indicated in the documentation. Nor will it work if you've not set WMB security up by whatever means are relevant for your version of WMB (it differs radically between WMBv6 & WMBv7)
_________________
Honesty is the best policy.
Insanity is the best defence.
sraghukumar
Posted: Thu Jun 09, 2011 11:30 am

Apprentice

Joined: 15 Feb 2011
Posts: 49

@Vitor
That queue manager is a part of the message broker which I am trying to connect to the toolkit. To connect to Message Broker Toolkit, we need a server connection channel. I have created a server connection channel. I am trying to connect to that with my id, and it is failing. If I try using mqm I am able to connect to it. (I am stopped at this point)

But yes, I need to have access to any objects of the queue manager to which I connect.

Raghu
Vitor
Posted: Thu Jun 09, 2011 12:06 pm

Grand High Poobah

Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA

sraghukumar wrote:
I am trying to connect to that with my id, it is failing.


So what you're saying is that when you try and establish a connection to the config manager or broker (depending on broker version which you've still not seen fit to share), you get a message box up saying you're not authorised to perform the operation.

And you're utterly convinced that this is failing on the connection to the queue manager not when it tries to open the queues that Toolkit will try to open once the connection is established.

Despite the fact you don't seem to have taken the suggestion to enable authority events and see exactly what's failing. Like the open calls against the queues.

I don't think there's much else to say.
_________________
Honesty is the best policy.
Insanity is the best defence.
sraghukumar
Posted: Thu Jun 09, 2011 12:59 pm

Apprentice

Joined: 15 Feb 2011
Posts: 49

@ Vitor,

Thank you for your response.
I am using Message Broker 7, MQ 7.

I enabled authority events; I am checking that.

Should my id always be a part of the mqm group to connect to the queue manager?