| Author |
Message
|
| mqtablet |
 Posted: Thu Apr 19, 2012 11:14 pm Post subject: MQ 7.1 - Issue |
 |
|
Acolyte
Joined: 09 Jun 2009
Posts: 71
|
Hi all,
I'm facing a very strange issue in MQ 7.1 (Fedora Core 10 and Windows).
When I install MQ 7.1, the installation steps complete successfully, however after that when I try to set the MQ service account using 'Prepare WebSphere MQ Wizard' - it does not identify my domain user ID. It says 'A WebSphere MQ Error Occured' and the configuration wizard reaches the end.
These are the conditions I checked.
1. The Windows Active Directory Domain ID is a member of local computers 'mqm' group.
2. The Windows Active Directory Domain ID is a member of local computers 'administrators' group.
3. Restart the windows machine.
4. crtmqm <qmgrname> from the domain user id works.
5. strmqm <qmgrname> from the domain user id works.
6. runmqsc <qmgrname> from the domain user id DOES NOT work. It throws MQRC 2035.
However,
7. When I create a local user and add the newly created local ID to the local administrators group, the points - 4, 5, 6 above from the local user ID just work fine.
Since MQ 7.1 supports multiple instances of MQ installations , is there any thing which needs to be configured or set (which I may be missing) for the domain user ID to work?
8. Also, if I create a new server connection channel with the mcauser id as 'mqm' - even then I'm not able to connect to the queue manager using an MQ client application. This is occuring in Linux (Fedora Core 10) as well.
9. If I remove MQ 7.1 and install back 7.0.1.5, the same settings just work fine.
Any inputs / thoughts / comments / advise?
Thanks. |
|
| Back to top |
|
 |
| mvic |
| Posted: Fri Apr 20, 2012 6:28 am Post subject: Re: MQ 7.1 - Issue |
|
|
Jedi
Joined: 09 Mar 2004
Posts: 2080
|
| Which part of your system is Windows, and which part Linux? I can't see this from the description. |
|
| Back to top |
|
|
| mqtablet |
| Posted: Fri Apr 20, 2012 8:09 am Post subject: |
|
|
Acolyte
Joined: 09 Jun 2009
Posts: 71
|
I did not understand what you say - what 'part' of windows and what 'part' of linux.
Do you mean 'part' as which version of OS?
If yes,
Windows is XP and 2003.
Linux is Fedora Core 10 (which I have already mentioned in my initial post)
No matter what 'part' it is, I said - it works fine with MQ 7.0.1.X on the same 'part' but does not work with MQ 7.1 on the same 'part'.
Thanks. |
|
| Back to top |
|
|
| mvic |
| Posted: Fri Apr 20, 2012 8:31 am Post subject: |
|
|
Jedi
Joined: 09 Mar 2004
Posts: 2080
|
You said you had a system "in MQ 7.1 (Fedora Core 10 and Windows)". I deduce from this that your system has at least two real or virtual machines, one running Windows, one running Linux.
So, two parts.
I was not asking about the versions of the OS, but about how your system is designed in order to bring these two separate machines together.
To make any comment, I think I would need to understand what MQ connectivity there is between the two, and how the "domain" aspect of the user names you are using relates to the problem you see. |
|
| Back to top |
|
|
| mqtablet |
| Posted: Fri Apr 20, 2012 11:14 am Post subject: |
|
|
Acolyte
Joined: 09 Jun 2009
Posts: 71
|
mvic:
1. There are 3 different physical machines in this testing.
2. First has Fedora Core 10 Linux + MQ 7.1, the second has Windows XP SP3 (domain member computer) + MQ 7.1, the third has Windows 2003 Enterprise Edition (domain member computer) + MQ 7.1.
3. The Fedora machine is NOT a member of the Windows Active Directory Domain.
4. All these 3 computers have stand alone MQ Server 7.1 installations without any sender / receiver channels connecting in between, and in a non-clustered environment.
Its just I have 3 physical servers with MQ 7.1 installed.
With that said,
1. On Windows XP Machine
Scenario 1 :
1. I login to the windows xp box with a domain user id, who is a member of administrators group and mqm group in the windows xp box.
a. I run the command - crtmqm <qmgrname> - This works.
b. I run the command - strmqm <qmgrname> - This also works.
c. I run the command - runmqsc <qmgrname> - This Fails stating a WebSphere MQ Error Occured.
d. If I uninstall MQ 7.1, install MQ 7.0.1.x in this machine, and try to do the steps mentioned above in this scenario - 1, a, b, c - The point c just works fine.
Scenario 2 :
1. I login to the windows xp box with a local user id, who is a member of administrators group and mqm group in the windows xp box.
a. I run the command - crtmqm <qmgrname> - This works.
b. I run the command - strmqm <qmgrname> - This also works.
c. I run the command - runmqsc <qmgrname> - This Works Fine. I successfully get into the runmqsc prompt and can run mqsc commands.
2. On Windows 2003 Enterprise Server machine
Scenario 1 :
1. Same as Windows XP machine.
Scenario 2 :
1. Same as Windows XP machine.
3. On Fedora Core 10 (Linux) machine
Scenario 1 :
1. I login directly as 'root'.
2. Add the 'root' user to the 'mqm' group.
a. I run the command - crtmqm <qmgrname> - This works.
b. I run the command - strmqm <qmgrname> - This also works.
c. I run the command - runmqsc <qmgrname> - This Fails stating a WebSphere MQ Error Occured.
d. If I uninstall MQ 7.1, install MQ 7.0.1.x in this machine, and try to do the steps mentioned above in this scenario - 1, 2, a, b, c - The point c just works fine.
Scenario 2 :
1. I login as 'mqm'.
a. I run the command - crtmqm <qmgrname> - This works.
b. I run the command - strmqm <qmgrname> - This also works.
c. I run the command - runmqsc <qmgrname> - This Works Fine. I successfully get into the runmqsc prompt and can execut runmqsc commands.
Scenario 3 :
1. I'm trying to connect to the queue manager present and running in the Fedora Core 10 (Linux) machine from an MQ client application in the Windows XP machine.
2. I'm using the client bindings mode in this case (MQSERVER=channelname/tcp/hostname(portnumber) is set on the windows machine). The host name is the name of the Fedora Core 10 (Linux) machine running the queue manager, and port number is the port on which the linux queue manager is running.
3. The channel - 'channelname' is a server connection channel defined at the linux queue manager, and has the 'mcauser' property set to 'mqm'.
4. When I try to make a connection using the client now, I get a 2035 exception.
5. If I remove MQ 7.1 and install MQ 7.0.1.x and with as said in the points 1, 2, 3, 4 in this scenario - if I try to connect to the linux queue manager using the same channelname, with the same 'mcauser' set to 'mqm' with the same MQ client application from the windows xp machine - It connects without any error.
Hope I've elaborated enough. I would like to stop here before the moderaters shoot me. 
If you have any further questions / doubts, please let me know.
Appreciate your time. |
|
| Back to top |
|
|
| Vitor |
| Posted: Fri Apr 20, 2012 11:23 am Post subject: |
|
|
Grand High Poobah
Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA
|
On the 2 Windows machines, is the WMQ service & the user running it correctly set up & authorized to the domain in accordance with the InfoCenter? With all the rights indicated? I've heard anecotally than while the instructions are the same, 7.0 is more tollerant of missing permissions than 7.1.
On Linux, why are you trying to execute runmqsc as root? Rather than as su - mqm from root?
As to the client connection, security is at the group level not as principle. What is the primary group of the mqm id?
_________________
Honesty is the best policy.
Insanity is the best defence. |
|
| Back to top |
|
|
| mqtablet |
| Posted: Fri Apr 20, 2012 11:32 am Post subject: |
|
|
Acolyte
Joined: 09 Jun 2009
Posts: 71
|
| Quote: |
On the 2 Windows machines, is the WMQ service & the user running it correctly set up & authorized to the domain in accordance with the InfoCenter? With all the rights indicated?
|
This is what I'm unable to do. When I run the 'Prepare WebSphere MQ Wizard' to set the domain user id for MQ to run, it fails and does not complete at all. I mentioned this in my first post of this thread.
| Quote: |
On Linux, why are you trying to execute runmqsc as root? Rather than as su - mqm from root?
|
Even though I sudo su - mqm, I get the same result. I tried this earlier.
| Quote: |
As to the client connection, security is at the group level not as principle. What is the primary group of the mqm id?
|
I reiterate. The same settings, configuration work in MQ 7.0.1.x. There is no change in the linux groups or ids, but the change is only the MQ version.
To answer your question, the primary group of the 'mqm' id is 'mqm' in linux.
Thanks. |
|
| Back to top |
|
|
| mqtablet |
| Posted: Fri Apr 20, 2012 11:42 am Post subject: |
|
|
Acolyte
Joined: 09 Jun 2009
Posts: 71
|
This is what i found in the MQ error logs (not the queue manager error logs). No FDCs were generated.
| Code: |
04/20/12 03:57:26 - Process(3044.1) Program(runmqsc.exe)
Host(DEV01) Installation(DEV)
VRMF(7.1.0.0)
AMQ6119: An internal WebSphere MQ error has occurred (WinNT error 1115 from
GetUserName.)
EXPLANATION:
MQ detected an unexpected error when calling the operating system. The MQ error
recording routine has been called.
ACTION:
Use the standard facilities supplied with your system to record the problem
identifier and to save any generated output files. Use either the MQ Support
site: http://www.ibm.com/software/integration/wmq/support/, or IBM Support
Assistant (ISA): http://www.ibm.com/software/support/isa/, to see whether a
solution is already available. If you are unable to find a match, contact your
IBM support center. Do not discard these files until the problem has been
resolved.
|
Will raise a PMR on Monday..  |
|
| Back to top |
|
|
| mqseries0209 |
| Posted: Tue Apr 24, 2012 9:41 am Post subject: |
|
|
Voyager
Joined: 30 Mar 2006
Posts: 90
|
Can you check the permissions for runmqsc file in bin directory for version 7.1 ?
Make sure the group and owner has execute permissions.
When you run "Prepare Configuration Wizard", a file is generated under <installation Dir> called amqmjpse, this will have more detailed information.
_________________
IBM Certified Solution Developer - WebSphere Message Broker V6.1
IBM Certified Solution Developer - WebSphere Integration Developer V6.0 |
|
| Back to top |
|
|
| fjb_saper |
| Posted: Tue Apr 24, 2012 11:40 am Post subject: |
|
|
Grand High Poobah
Joined: 18 Nov 2003
Posts: 20696
Location: LI,NY
|
| mqtablet wrote: |
Scenario 3 :
1. I'm trying to connect to the queue manager present and running in the Fedora Core 10 (Linux) machine from an MQ client application in the Windows XP machine.
2. I'm using the client bindings mode in this case (MQSERVER=channelname/tcp/hostname(portnumber) is set on the windows machine). The host name is the name of the Fedora Core 10 (Linux) machine running the queue manager, and port number is the port on which the linux queue manager is running.
3. The channel - 'channelname' is a server connection channel defined at the linux queue manager, and has the 'mcauser' property set to 'mqm'.
4. When I try to make a connection using the client now, I get a 2035 exception.
|
Working as designed. By default in V7.1 user/group mqm is locked out.
 in the infocenter about the new channel security in V7.1  and learn
Have fun 
_________________
MQ & Broker admin |
|
| Back to top |
|
|
| Vitor |
| Posted: Tue Apr 24, 2012 11:54 am Post subject: |
|
|
Grand High Poobah
Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA
|
| fjb_saper wrote: |
Working as designed. By default in V7.1 user/group mqm is locked out.
in the infocenter about the new channel security in V7.1 and learn |
Things you learn ... 
Now that's a security hole which has been years in the closing.
_________________
Honesty is the best policy.
Insanity is the best defence. |
|
| Back to top |
|
|
| mqjeff |
| Posted: Tue Apr 24, 2012 12:06 pm Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008
Posts: 17447
|
to be clear, it's only blocked on client connections.
and it's easy to create another rule that specifically allows it on a specific channel or ip or etc. |
|
| Back to top |
|
|
| Vitor |
| Posted: Tue Apr 24, 2012 12:16 pm Post subject: |
|
|
Grand High Poobah
Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA
|
| mqjeff wrote: |
to be clear, it's only blocked on client connections.
and it's easy to create another rule that specifically allows it on a specific channel or ip or etc. |
Quite, quite, but at least it's blocked by default on the client.
I accept unreservedly that most sites on discovering this will create a rule to re-enable it on all connections & thus restore all their applications to full function.
Or is that accepting cynically? 
_________________
Honesty is the best policy.
Insanity is the best defence. |
|
| Back to top |
|
|
| JasonE |
| Posted: Wed Apr 25, 2012 1:29 am Post subject: |
|
|
Grand Master
Joined: 03 Nov 2003
Posts: 1220
Location: Hursley
|
| Quote: |
| however after that when I try to set the MQ service account using 'Prepare WebSphere MQ Wizard' - it does not identify my domain user ID. It says 'A WebSphere MQ Error Occured' and the configuration wizard reaches the end |
On windows: Try logging in as a local (not domain) id and running the prepare wizard, OR manually setting the MQ service (the one with the installation name in its title) to be configured to run under the domain id you want to set it to run under (uid + pwd in the services control panel is simplest), THEN run the prepare wizard.... There is a known issue that might account for the failure you are seeing running the prepare wizard without it. |
|
| Back to top |
|
|
|
|
