smeunier |
Posted: Wed Nov 06, 2013 8:22 am Post subject: RUNMQADM (MS0E Support pac) |
|
|
 Partisan
Joined: 19 Aug 2002 Posts: 305 Location: Green Mountains of Vermont
|
Greetings,
While I know that the MS0E support pac is no longer supported (I think after V6 of MQ), there are many installations which use it. I know that it works in MQ V7.0.x with no issues, but recently we updated to MQ V7.5 and it now fails with the following:
Code: |
MS0E: MQSeries Administration Wrapper
(C) Copyright IBM Corp. 2000. ALL RIGHTS RESERVED
Username : tcidb
Authorisation Level: 3
MQADM >runmqsc TCI002
RUNMQADM (E): Cannot execute command 'runmqsc'. Errno is 2 (A file or directory in the path name does not exist.) |
The only change is the upgrade to MQ version V7.5. We have tried to uninstall and then re-install the support pac as a last ditch effort with no difference. We are running with QMGR CHLAUTH(ENABLED), but have also run it with QMGR CHLAUTH(DISABLED) with the same results.
Has anyone run into this issue and know of a fix? We have many shell scripts that were written using RUNMQADM. Adding the users to the MQ sudo group to use runmqsc is NOT an option as there is no protection against commands issued. Writing Java/C programs using PCF is probably the right direction, but is not a quick resolution. Is there a replacement package I'm not aware of which would allow user-level authentication of MQ commands?
The purpose for the usage of RUNMQADM (our usage) was to execute query commands against the environment as part of a home grown infrastructure monitoring dashboard.
The environment is:
AIX OSLevel 6.1
MQ Version V7.5.1
Thanks in advance for any advice/direction |
mqjeff |
Posted: Wed Nov 06, 2013 8:56 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008 Posts: 17447
|
Sounds like the mq 7.5 install is not the primary installation.
Or that it's not running in a shell that has the setmqenv for the right installation. |
smeunier |
Posted: Tue Dec 10, 2013 11:03 am Post subject: |
|
|
 Partisan
Joined: 19 Aug 2002 Posts: 305 Location: Green Mountains of Vermont
|
Need to cast this out again for some more trolling...........
Code: |
Sounds like the mq 7.5 install is not the primary installation. |
Result of dspmqinst
InstName: Installation1
InstDesc:
Identifier: 1
InstPath: /usr/mqm
Version: 7.5.0.1
Primary: Yes
State: Available
Code: |
Or that it's not running in a shell that has the setmqenv for the right installation. |
I run . /var/mqm/bin/setmqenv -n Installation1 just before issuing the runmqadm command. The results are the same. The only way I can make some progress is to add a stanza item under OSCOMMANDS in the runmqadm.cfg file which has an entry of /usr/mqm/bin/runmqsc and enter that as the command. This starts the MQSC process, but the commands do not display anything; I'm not even sure it is accepting them, or output is going somewhere else (not in the runmqadm.log). I can only exit with a CTRL-C.
This works (runmqadm) on only one instance of a V7.5 installation, but dang if I can see why. What I have compared between the installations is identical, but obviously something is different somewhere. User environments are identical at invocation. One thing to note, is even under mqm id, runmqadm fails with the same error. |
tkane |
Posted: Thu Jan 02, 2014 2:17 pm Post subject: |
|
|
 Voyager
Joined: 23 Dec 2002 Posts: 82 Location: Kansas City
|
fjb_saper |
Posted: Fri Jan 03, 2014 10:09 pm Post subject: |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
If memory serves right, one of the other big differences that you will find is that the symlinks for the commands are no longer created...
Maybe if you did recreate the symlinks for the mq commands your wrapper might work as expected...???
_________________
MQ & Broker admin |
smeunier |
Posted: Fri Jan 10, 2014 8:05 am Post subject: |
|
|
 Partisan
Joined: 19 Aug 2002 Posts: 305 Location: Green Mountains of Vermont
|
I think this shows that the symlinks are in place:
lrwxrwxrwx 1 root system 21 Jul 15 14:20 /usr/bin/runmqadm -> /usr/mqm/bin/runmqadm
lrwxrwxrwx 1 root system 20 Jul 16 08:12 /usr/bin/runmqsc -> /usr/mqm/bin/runmqsc |
smeunier |
Posted: Fri Jan 10, 2014 8:14 am Post subject: |
|
|
 Partisan
Joined: 19 Aug 2002 Posts: 305 Location: Green Mountains of Vermont
|
@ Tom
I followed the instruction in the link.
Added a user to a group, which has permission to connect to QMGR and display MQ objects. When running I receive:
$ runmqsc TCI002
5724-H72 (C) Copyright IBM Corp. 1994, 2011. ALL RIGHTS RESERVED.
Starting MQSC for queue manager TCI002.
AMQ8135: Not authorized.
No MQSC commands read.
No commands have a syntax error.
All valid MQSC commands were processed.
This id is authorized, as I can use it to connect and browse MQ objects via MQExplorer. I suspect the AMQ8135 means I can't execute the runmqsc itself. I made another copy of runmqsc on /usr/mqm/bin and called it runmqsc2 with the following permissions in place.
$ ls -al /usr/mqm/bin/runmqsc*
-rwxrwxrwx 1 mqm mqm 16899 Aug 07 11:14 /usr/mqm/bin/runmqsc
-r-sr-sr-x 1 mqm mqm 16899 Aug 07 11:14 /usr/mqm/bin/runmqsc2
The permissions on runmqsc are not what you would expect and not what they are on other servers (r-sr-s---), but that's the way it was. The new one, runmqsc2, is set the way as described in the link.
Trying to work through it, as I think this solution would work, but not there yet. |
markt |
Posted: Fri Jan 10, 2014 1:23 pm Post subject: |
|
|
 Knight
Joined: 14 May 2002 Posts: 508
|
As a setuid sensitive program, runmqadm removes all kinds of things from the environment like LIBPATH for security reasons before executing any child programs like runmqsc.
It also hardcodes the path to runmqsc to be /usr/bin/runmqsc which is no longer true from V7.1 unless you have set a primary install to have all the /usr links.
So there's no way it will possibly work unless you've got the primary install set. And even then I wouldn't be surprised if it doesn't work.
signed: the author. |
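
A diagnostic sketch for the conditions discussed in this thread (a hardcoded /usr/bin/runmqsc path, an environment scrubbed before exec, and the world-writable mode shown in an earlier listing), added here as an example and not part of MS0E or IBM MQ. The function names and the fixture layout are hypothetical, and `env -i` clears the whole environment, which is an assumption stricter than removing selected variables such as LIBPATH.

```shell
#!/bin/sh
# Added diagnostic sketch; not part of MS0E or IBM MQ. Names are hypothetical.

# classify_target PATH
# Predicts how exec() of a hardcoded PATH fares, following symlinks as exec does.
# Returns 0 = executable, 2 = missing or dangling link (errno 2, ENOENT),
#         13 = present but not an executable file for this user (EACCES).
classify_target() {
    if [ -L "$1" ] && [ ! -e "$1" ]; then
        # ls -ld instead of readlink, which is not installed on every Unix.
        echo "ENOENT: $1 is a dangling link to $(ls -ld "$1" | sed 's/.* -> //')"
        return 2
    elif [ ! -e "$1" ]; then
        echo "ENOENT: $1 does not exist"
        return 2
    elif [ ! -f "$1" ] || [ ! -x "$1" ]; then
        echo "EACCES: $1 is not an executable file for $(id -un)"
        return 13
    fi
    echo "OK: $1 is executable"
}

# world_writable PATH: true if the link target's mode has the other-write bit,
# as in the -rwxrwxrwx listing earlier in the thread.
world_writable() {
    [ -e "$1" ] || return 1
    case $(ls -ldL "$1" 2>/dev/null) in
        ????????w*) return 0 ;;
        *) return 1 ;;
    esac
}

# run_scrubbed PATH [ARGS...]
# Runs PATH with an empty environment (no PATH, LIBPATH or setmqenv variables).
# Assumption: env -i clears everything, which is stricter than the wrapper.
run_scrubbed() {
    classify_target "$1" >&2 || return $?
    env -i "$@"
}

# make_fixture DIR: constructed sample layout, not a real MQ installation.
make_fixture() {
    mkdir -p "$1/usr/bin" "$1/usr/mqm/bin"
    printf '#!/bin/sh\necho "LIBPATH=[${LIBPATH-unset}]"\n' > "$1/usr/mqm/bin/runmqsc"
    chmod 755 "$1/usr/mqm/bin/runmqsc"
    ln -s "$1/usr/mqm/bin/runmqsc" "$1/usr/bin/runmqsc"     # resolves
    ln -s "$1/usr/mqm/bin/runmqadm" "$1/usr/bin/runmqadm"   # dangling
}
```

Source the file and call `classify_target /usr/bin/runmqsc` on the affected host; a return code of 2 corresponds to the "Errno is 2" message in the first post.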