vishBroker
Posted: Mon Feb 04, 2013 12:28 pm Post subject: 2035 error for PCF command execution on channel status
Centurion
Joined: 08 Dec 2010 Posts: 135

Hi There,
I have the following setup on MQ v7.0.1, all on the same AIX box:
QM1, QM2 and QM3.
QM2 and QM3 are clustered. QM1 is separate.
I have created a user 'rfuser' with the following permissions on all 3 QMs.
The code is for the 1st QM.
Code: |
DEF CHL(MQRF.SVRCONN) CHLTYPE(SVRCONN) DESCR('xxxx channel') MCAUSER('rfuser') scyexit('sexitip(sexitip)') scydata('/var/mqm/IpDef') maxinst(20) maxinstc(20)
setmqaut -m QM1 -t qmgr -g rfuser +connect +inq +dsp
setmqaut -m QM1 -n "**" -t queue -g rfuser +dsp
setmqaut -m QM1 -n SYSTEM.AUTH.DATA.QUEUE -t queue -g rfuser +dsp
setmqaut -m QM1 -n SYSTEM.ADMIN.COMMAND.QUEUE -t queue -g rfuser +browse +inq +put +dsp
setmqaut -m QM1 -n SYSTEM.DEFAULT.MODEL.QUEUE -t queue -g rfuser +get +inq +dsp
|
Now, we do some checks using PCF commands.
e.g. display pub/sub status, QM status etc. - these are done successfully.
But now, when we do a 'channel status' check, I get errors for QM2 and QM3 only. QM1 returns the result successfully.
I get 2035 error on QM2 and QM3.
+++
Exception Occured while querying Channel Status of Queue Manager : UNSQMP03. Exception Details are : CompCode: 2, Reason: 2035
++++
Long story short - QM1 returns channel status but QM2 and QM3 do not (these two are clustered).
I have checked the 'dspmqaut' - I get the same results for all 3.
++++
Entity rfuser has the following authorizations for object QM1:
inq
connect
dsp
++++
I refreshed security multiple times.
The security exit is IP filtering, and all 3 QMs point to the same file.
I do not see any error in the QM log (/var/mqm/qmgrs/%QM_NAME%/errors/*.LOG).
Kindly suggest, what I am missing.
Let me know, if more info is required.
Here is the part of code - calling PCF commands
Code: |
// Inquire the status of every channel ("*") on the queue manager.
request = new PCFMessage(CMQCFC.MQCMD_INQUIRE_CHANNEL_STATUS);
request.AddParameter(MQC.MQCACH_CHANNEL_NAME, "*");
// Limit the reply to channel name, type, start date and status.
request.AddParameter(CMQCFC.MQIACH_CHANNEL_INSTANCE_ATTRS, new int[] { MQC.MQCACH_CHANNEL_NAME, MQC.MQIACH_CHANNEL_TYPE, MQC.MQCACH_CHANNEL_START_DATE, MQC.MQIACH_CHANNEL_STATUS });
|
Thanks !!

mvic
Posted: Mon Feb 04, 2013 4:13 pm Post subject: Re: 2035 error for PCF command execution on channel status
Jedi
Joined: 09 Mar 2004 Posts: 2080

Try using this approach: http://www.ibm.com/support/docview.wss?uid=swg21299319
vishBroker wrote: |
MCAUSER('rfuser')
setmqaut -m QM1 -t qmgr -g rfuser +connect +inq +dsp
|
I guess your user "rfuser" is in a group "rfuser" ? A more scalable approach would be to have a group named after a role that the user "rfuser" performs... but it's not important for this particular problem.

vishBroker
Posted: Tue Feb 05, 2013 5:53 am
Centurion
Joined: 08 Dec 2010 Posts: 135

Thanks for the reply.
You are right. I DO have rfuser as a group.
What I do NOT understand is - the same settings are there on QM1.
That is returning a valid response (getting authenticated and executing PCF commands -> query channel status).
But, when I run on a clustered QM - query channel status - it is failing.
But when I check pub/sub status on the clustered QMs -> it is giving a valid response.
So I wonder, is it something to do with checking the status of all the channels of the cluster, which is going wrong?
FYI - when I query the status of the channels of QM1 (NON-clustered) - it is successful.
Again, thanks for the response. I will try to debug as suggested.

mqjeff
Posted: Tue Feb 05, 2013 5:54 am
Grand Master
Joined: 25 Jun 2008 Posts: 17447

So you don't seem to have granted +inq or +dsp for channels?

vishBroker
Posted: Tue Feb 05, 2013 6:27 am
Centurion
Joined: 08 Dec 2010 Posts: 135

Thanks for the response.
Well.. the settings are the same for QM1.
I mean.. the rfuser group has exactly the same settings on QM1, QM2 and QM3.
I did run dspmqaut on QM1, QM2 and QM3 -
Code: |
command - dspmqaut -m QM1 -t qmgr -g rfuser
result - Entity rfuser has the following authorizations for object QM1:
inq
connect
dsp
command - dspmqaut -m QM1 -n MQRF.SVRCONN -t chl -g rfuser
result - Entity mqrfb has the following authorizations for object MQRF.SVRCONN:
|
++There is NOTHING getting printed for the second command after the response heading+++
We have not set any authorization for channels on QM1, QM2 and QM3.
But, when I ran the channel status check on QM1 - I am getting responses.
And on the clustered QMs - I get 2035.

vishBroker
Posted: Tue Feb 05, 2013 6:30 am
Centurion
Joined: 08 Dec 2010 Posts: 135

I forgot to mention earlier - we are using the "MQRF.SVRCONN" channel to connect to the QM from the client (PCF commands use that channel name).

mqjeff
Posted: Tue Feb 05, 2013 6:33 am
Grand Master
Joined: 25 Jun 2008 Posts: 17447

So the difference between the two commands you show is that one uses a bindings connection and one uses a client connection.
You don't show what user is executing the dspmqaut. But if it's a user that is mqm, and the rfuser USER is not a member of mqm, that would explain the distinction.
Remember that an MCAUSER has to be a *user* and not a *group*. The *primary group* of that *user* is what is used for authorization.

vishBroker
Posted: Tue Feb 05, 2013 7:00 am
Centurion
Joined: 08 Dec 2010 Posts: 135

Thanks.
Well, I do not have complete access to QMs. Another admin group does that.
I use runmqadm and then runmqsc to check status etc.
This is for the given channel
++++
Code: |
RMQSC >dis chl(MQRF.SVRCONN)
3 : dis chl(MQRF.SVRCONN)
AMQ8414: Display Channel details.
CHANNEL(MQRF.SVRCONN) CHLTYPE(SVRCONN)
ALTDATE(2012-09-10) ALTTIME(21.27.14)
COMPHDR(NONE) COMPMSG(NONE)
DESCR(xxxxxnchannel) HBINT(300)
KAINT(AUTO) MAXINST(20)
MAXINSTC(20) MAXMSGL(4194304)
MCAUSER(rfuser) MONCHL(QMGR)
RCVDATA( ) RCVEXIT( )
SCYDATA(/var/mqm/IpDef) SCYEXIT(sexitip(sexitip))
SENDDATA( ) SENDEXIT( )
SHARECNV(10) SSLCAUTH(REQUIRED)
SSLCIPH( ) SSLPEER( )
TRPTYPE(TCP)
RMQSC >
|
+++++
Code: |
$ grep -i rfuser /etc/group
rfuser :!:240:rfuser
|
So, the user is rfuser in MCAUSER property.
Group is rfuser and it has user 'rfuser'.
Auth permissions are given to 'rfuser' group.
About the dspmqaut commands - I did not run them.
Another group did it. And they are members of the MQM group.

rekarm01
Posted: Tue Feb 05, 2013 9:45 am
Grand Master
Joined: 25 Jun 2008 Posts: 1415

vishBroker wrote: |
Code: |
$ grep -i rfuser /etc/group
rfuser :!:240:rfuser |
|
The /etc/passwd file specifies the primary group for each user. The passwd and group files should not have extra space characters or other white space.
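
The distinction raised in the replies above (MCAUSER is a user, /etc/passwd names its primary group, /etc/group lists only extra memberships), as an added example that is not code from the thread: a shell check that resolves both for a given user and flags name fields padded with blanks. The sample passwd/group contents, the `staff` and `rfaudit` groups and all function names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): resolve the primary and supplementary
# groups of a channel's MCAUSER from passwd/group files passed as arguments.

# primary_group USER PASSWD GROUP: print the name of USER's primary group.
primary_group() {
    gid=$(awk -F: -v u="$1" '$1 == u { print $4; exit }' "$2")
    [ -n "$gid" ] || return 1     # no exact match for USER in the passwd file
    awk -F: -v g="$gid" '$3 == g { print $1; exit }' "$3"
}

# supplementary_groups USER GROUP: groups that list USER in their member field.
supplementary_groups() {
    awk -F: -v u="$1" '{
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] == u) print $1
    }' "$2"
}

# padded_names FILE: entries whose name field has leading/trailing blanks;
# an exact-match lookup for the name will miss such an entry.
padded_names() {
    awk -F: '$1 ~ /^[ \t]|[ \t]$/ { print NR ": " $0 }' "$1"
}

# make_sample DIR: write constructed sample files (not the poster's real data).
make_sample() {
    cat > "$1/passwd" <<'EOF'
mqm:!:204:204::/var/mqm:/usr/bin/ksh
rfuser:!:205:1::/home/rfuser:/usr/bin/ksh
EOF
    cat > "$1/group" <<'EOF'
staff:!:1:
mqm:!:204:mqm
rfuser:!:240:rfuser
rfaudit :!:241:
EOF
}

demo() {
    d=$(mktemp -d) && make_sample "$d"
    echo "primary:       $(primary_group rfuser "$d/passwd" "$d/group")"
    echo "supplementary: $(supplementary_groups rfuser "$d/group" | tr '\n' ' ')"
    echo "padded names:  $(padded_names "$d/group")"
    rm -rf "$d"
}
demo
```

On the live host, point the functions at `/etc/passwd` and `/etc/group`, or compare the result with the output of `id rfuser`.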

vishBroker
Posted: Tue Feb 05, 2013 10:40 am
Centurion
Joined: 08 Dec 2010 Posts: 135

There is NO extra space.
It was copy-paste thing. (I was masking actual user group/name so space got introduced).
Code: |
rfuser:!:240:rfuser |
but thanks anyway.
As mvic said
I thought about that, but it involves bouncing QM, and we are currently not allowed to do that. So, is there any other way I can get the error logged?
FYI - when I get the 2035 error, I am not getting any error in the qmgrs/$QM/errors folder, nor under /var/mqm/errors.

mvic
Posted: Tue Feb 05, 2013 3:02 pm
Jedi
Joined: 09 Mar 2004 Posts: 2080

vishBroker wrote: |
So, the user is rfuser in MCAUSER property.
Group is rfuser and it has user 'rfuser'.
Auth permissions are given to 'rfuser' group. |
This is very hard to understand. Can I suggest using "rfuser" as the username, and "rfgroup" as the groupname?
As others already said, the thing you put in MCAUSER is a *user*. But the things you grant authority to on Unix are *groups*.
And it's different from that on Windows.

mvic
Posted: Tue Feb 05, 2013 3:08 pm
Jedi
Joined: 09 Mar 2004 Posts: 2080

vishBroker wrote: |
I thought about that, but it involves bouncing QM, and we are currently not allowed to do that. |
But that is the approach most likely to get you to a solution in a quick time. Is it possible to replicate the needed environment on a test machine? I think you are going to have to solve this on your site - it is going to take too long (and too much effort for you and us) to keep Q&A going on this forum, making educated guesses.

PeterPotkay
Posted: Tue Feb 05, 2013 3:55 pm
Poobah
Joined: 15 May 2001 Posts: 7722

Just turn on Authority Event at the QM level - no need to restart the QM to make that happen. Run your test again and the event message will tell what ID is failing for what reason.
_________________
Peter Potkay
Keep Calm and MQ On

vishBroker
Posted: Wed Feb 06, 2013 7:15 am
Centurion
Joined: 08 Dec 2010 Posts: 135

Thanks for the help and advice.
mvic wrote: |
This is very hard to understand. Can I suggest using "rfuser" as the username, and "rfgroup" as the groupname?
As others already said, the thing you put in MCAUSER is a *user*. But the things you grant authority to on Unix are *groups*.
And it's different from that on Windows. |
Point taken, and as better practice and for ease of understanding, we will try to follow the convention. But that has been the setup and is technically correct. Moreover, we know that works. Again, point taken for convention.
FYI - And, I am talking about AIX OS. No Windows.
mvic wrote: |
But that is the approach most likely to get you to a solution in a quick time
|
Yes sir. But as that is Production env and we have these "PROCESSES" to follow - so ..I guess you know, what it means.
So, I will try to replicate problem in lower environment and do as suggested.
Thanks Peter, will try to do as suggested (enabling Authority event) on lower env.