| Author |
Message
|
| dprogwmb |
 Posted: Thu Sep 15, 2011 1:11 pm Post subject: Problem Connecting MQClient -MQServer in Different machines |
 |
|
Voyager
Joined: 19 Jul 2011
Posts: 96
|
Hi all
I'm trying to connect an client, with MQ Client installed, to one MQ Server (in different Machines, and different IP adresses) ... Both Machines run under Win XP SP2.
When I try to issue this comand:
"amqsputc QUEUE1 MB7QMGR"
I get this error:
"Sample AMQSPUT0 start
MQCONN ended with reason code 2035"
Which means my user has no permissons to put in the queue "QUEUE1".
I try to issue the command setmqaut on the server... but it didn't recognize the user because it's not in the same machine (it's in the client machine).
What can I do in order to solve it?
Any ideas?
Regards |
|
| Back to top |
|
 |
| bruce2359 |
| Posted: Thu Sep 15, 2011 1:37 pm Post subject: Re: Problem Connecting MQClient -MQServer in Different machi |
|
|
Poobah
Joined: 05 Jan 2008
Posts: 9469
Location: US: west coast, almost. Otherwise, enroute.
|
Read carefully the things I've highlighted and made big. It's the MQCONN that failed, not the MQPUT.
| dprogwmb wrote: |
Hi all
I'm trying to connect an client, with MQ Client installed, to one MQ Server (in different Machines, and different IP adresses) ... Both Machines run under Win XP SP2.
When I try to issue this comand:
"amqsputc QUEUE1 MB7QMGR"
I get this error:
"Sample AMQSPUT0 start
MQCONN ended with reason code 2035"
Which means my user has no permissons to put in the queue "QUEUE1".
I try to issue the command setmqaut on the server... but it didn't recognize the user because it's not in the same machine (it's in the client machine).
What can I do in order to solve it?
Any ideas?
Regards |
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
Last edited by bruce2359 on Thu Sep 15, 2011 1:41 pm; edited 2 times in total |
|
| Back to top |
|
|
| Vitor |
| Posted: Thu Sep 15, 2011 1:39 pm Post subject: Re: Problem Connecting MQClient -MQServer in Different machi |
|
|
Grand High Poobah
Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA
|
| dprogwmb wrote: |
| What can I do in order to solve it? |
Find a way of putting messages using a user authorised to do so on the target machine. There are a number of such methods documented.
_________________
Honesty is the best policy.
Insanity is the best defence. |
|
| Back to top |
|
|
| dprogwmb |
| Posted: Fri Sep 16, 2011 4:56 am Post subject: Re: Problem Connecting MQClient -MQServer in Different machi |
|
|
Voyager
Joined: 19 Jul 2011
Posts: 96
|
| Vitor wrote: |
| dprogwmb wrote: |
| What can I do in order to solve it? |
Find a way of putting messages using a user authorised to do so on the target machine. There are a number of such methods documented. |
Can you help me telling me the simplest method for that in Windows?
I testes using: setmqaut , but It didn't work because it's not in the same machine the user (it "lives" in the client machine)... please any help? REGARDS |
|
| Back to top |
|
|
| Vitor |
| Posted: Fri Sep 16, 2011 5:04 am Post subject: Re: Problem Connecting MQClient -MQServer in Different machi |
|
|
Grand High Poobah
Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA
|
| dprogwmb wrote: |
| Can you help me telling me the simplest method for that in Windows? |
It's the same as the simplest method for Unix - the one that fits best with your application architecture and site standards. The obvious method (MCAUser) will cause problems if your site / application / security standards choose to use channels in a way that doesn't match with it.
| dprogwmb wrote: |
I testes using: setmqaut , but It didn't work because it's not in the same machine the user (it "lives" in the client machine) |
No it didn't & for the reasons you give, but you'll still need it unless there's a pre-existing account for your use (see my comments above on site standards).
Whoever runs your WMQ estate should be able to help.
_________________
Honesty is the best policy.
Insanity is the best defence. |
|
| Back to top |
|
|
| mqjeff |
| Posted: Fri Sep 16, 2011 5:05 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008
Posts: 17447
|
You *could* simply create a new user with the same name on the qmgr server, and then issue setmqaut against that user.
Or you *could* spend a bit more time looking around here for other posts about security and the recommended ways of handling security.
Or you *could* admit to your boss that you need help, and get her to hire a consultant. |
|
| Back to top |
|
|
| bruce2359 |
| Posted: Fri Sep 16, 2011 5:07 am Post subject: Re: Problem Connecting MQClient -MQServer in Different machi |
|
|
Poobah
Joined: 05 Jan 2008
Posts: 9469
Location: US: west coast, almost. Otherwise, enroute.
|
| dprogwmb wrote: |
I testes using: setmqaut, ... |
Post here the setmqaut command you used.
| dprogwmb wrote: |
but It didn't work because it's not in the same machine the user (it "lives" in the client machine)... please any help? REGARDS |
What is the 'it' that lives in the client machine? In future posts, please replace 'it' with the exact name of the thing you referring to.
Examine the error logs on BOTH the client platform and qmgr platform. Which (client or qmgr) issued the 2035? That is the platform where you need to grant (setmqaut) authority to connect to the qmgr.
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live. |
|
| Back to top |
|
|
| Vitor |
| Posted: Fri Sep 16, 2011 5:10 am Post subject: |
|
|
Grand High Poobah
Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA
|
| mqjeff wrote: |
| and get her to hire a consultant. |
Projecting? Inside knowledge? Wishful thinking? 
_________________
Honesty is the best policy.
Insanity is the best defence. |
|
| Back to top |
|
|
| mqjeff |
| Posted: Fri Sep 16, 2011 5:11 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008
Posts: 17447
|
| Vitor wrote: |
| mqjeff wrote: |
| and get her to hire a consultant. |
Projecting? Inside knowledge? Wishful thinking? |
Feminism. |
|
| Back to top |
|
|
| ankurlodhi |
| Posted: Fri Sep 16, 2011 5:47 am Post subject: |
|
|
Master
Joined: 19 Oct 2010
Posts: 266
|
alter the queue you are trying to put message on and set the mcauser valuve to mqm (remember its a string value so when you mention it do it with '' quotes )
then try and tell what u get. |
|
| Back to top |
|
|
| mqjeff |
| Posted: Fri Sep 16, 2011 5:56 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008
Posts: 17447
|
| ankurlodhi wrote: |
alter the queue you are trying to put message on and set the mcauser valuve to mqm (remember its a string value so when you mention it do it with '' quotes )
then try and tell what u get. |
Yes, it will be interesting to see the response to ALTER QLOCAL(...) MCAUSER(...) |
|
| Back to top |
|
|
| dprogwmb |
| Posted: Fri Sep 16, 2011 6:10 am Post subject: |
|
|
Voyager
Joined: 19 Jul 2011
Posts: 96
|
| ankurlodhi wrote: |
alter the queue you are trying to put message on and set the mcauser valuve to mqm (remember its a string value so when you mention it do it with '' quotes )
then try and tell what u get. |
Thanks for your answer ankurlodhi!!
I tried using MQ Explorer v7, setting MCAUser to user "admin" CHANNEL1 (SVRCONN), and I'm also getting the same error... "2035" in client side.
Some definitions:
User "admin" , is the user where the MQ client runs ... in machine A (Win XP)....
Machine B,is where runs the MQ server (also Win XP)...
Any other -"constructive"- suggestion? |
|
| Back to top |
|
|
| Vitor |
| Posted: Fri Sep 16, 2011 6:14 am Post subject: |
|
|
Grand High Poobah
Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA
|
| ankurlodhi wrote: |
| set the mcauser valuve to mqm |
Suggesting this as a solution to any security problem is irresponsible at best. It solves any security with the same reliability and effectiveness that removing a door solves the problem of finding which is the right key to open it. And the same undesireable side effects.
_________________
Honesty is the best policy.
Insanity is the best defence. |
|
| Back to top |
|
|
| Vitor |
| Posted: Fri Sep 16, 2011 6:18 am Post subject: |
|
|
Grand High Poobah
Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA
|
| dprogwmb wrote: |
Some definitions:
User "admin" , is the user where the MQ client runs ... in machine A (Win XP)....
Machine B,is where runs the MQ server (also Win XP)...
Any other -"constructive"- suggestion? |
Did you look up what MCAUser does? If so, why are you surprised that specifing a user valid on Machine A not B still gives a 2035? If you didn't look it up, why did you specify a user id your application is already using and not take the dangerous advice of ankurlodhi?
_________________
Honesty is the best policy.
Insanity is the best defence. |
|
| Back to top |
|
|
| mqjeff |
| Posted: Fri Sep 16, 2011 6:22 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008
Posts: 17447
|
| dprogwmb wrote: |
I tried using MQ Explorer v7, setting MCAUser to user "admin" CHANNEL1 (SVRCONN), and I'm also getting the same error... "2035" in client side.
Some definitions:
User "admin" , is the user where the MQ client runs ... in machine A (Win XP).... |
right, so at least you figured out that ankurlodhi's response was meant to apply to the SVRCONN and not to the QUEUE.
The MCAUSER value needs to be set to a value that represents a user on the QUEUE MANAGER machine, not on the client.
This is because the MCAUSER always replaces the client side userid. This means that everyone who can establish a network connection to this channel is always authorized as the mcauser.
So if, in particular, you had set MCAUSER to "mqm" (or at least to "MUSR_MQADMIN" on windows...), then you would have made your entire queue manager network open to full administrative control from every machine that can establish an IP connection to the MQ listener and port for the queue manager.
You need to go back and do a lot more research on this whole area - in particular look for other threads and discussions here talking about how to SECURE your qmgrs. |
|
| Back to top |
|
|
|
|
