MQ Client not able to connect to QM with 2035 error
Mangesh1187
Posted: Fri Jun 13, 2014 5:26 am    Post subject: MQ Client not able to connect to QM with 2035 error

Centurion

Joined: 23 Mar 2013
Posts: 116

I have an ETL (Extract, Transform, Load) application using MQ Client running on Linux with user id root.
When trying to connect to a remote queue manager on a Windows server (MQ 7.5), it's failing with

AMQ8075: Authorization failed because the SID for entity 'root' cannot be
obtained.

My SVRCONN channel definition:
dis channel(CHANNEL2)
6 : dis channel(CHANNEL2)
AMQ8414: Display Channel details.
CHANNEL(CHANNEL2) CHLTYPE(SVRCONN)
ALTDATE(2014-06-13) ALTTIME(18.05.14)
COMPHDR(NONE) COMPMSG(NONE)
DESCR( ) DISCINT(0)
HBINT(300) KAINT(AUTO)
MAXINST(999999999) MAXINSTC(999999999)
MAXMSGL(4194304) MCAUSER( )
MONCHL(QMGR) RCVDATA( )
RCVEXIT( ) SCYDATA( )
SCYEXIT( ) SENDDATA( )
SENDEXIT( ) SHARECNV(10)
SSLCAUTH(OPTIONAL) SSLCIPH( )
SSLPEER( ) TRPTYPE(TCP)

It's because userid 'root' is not present on the Windows MQ server.

On the MQ Client side, how can we set any user id, e.g. abc (which is not present on the MQ Client server and is other than the one the service is running with), while making the MQCONN, and create the same userid on the MQ Server with enough privileges, so that the connection will be successful?

I remember that in my previous project the application team did this kind of setting somewhere in their configurations. But I am not sure.

Need your valuable inputs...
bruce2359
Posted: Fri Jun 13, 2014 5:55 am

Poobah

Joined: 05 Jan 2008
Posts: 9399
Location: US: west coast, almost. Otherwise, enroute.

When you looked at the WMQ error logs on the 7.5 server, what did you discover?
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
zpat
Posted: Fri Jun 13, 2014 5:55 am

Jedi Council

Joined: 19 May 2001
Posts: 5849
Location: UK

Running any application (ETL etc) under root is not a good idea.

Run under some other suitable application id, preferably one that is common between unix (lower case id) and windows (upper case id).
_________________
Well, I don't think there is any question about it. It can only be attributable to human error. This sort of thing has cropped up before, and it has always been due to human error.
Mangesh1187
Posted: Fri Jun 13, 2014 6:27 am

Centurion

Joined: 23 Mar 2013
Posts: 116

Below is the log in MQ server.



AMQ9245: Unable to obtain account details for channel MCA user ID.

EXPLANATION:
WebSphere MQ was unable to obtain the account details for MCA user ID 'dsadm'.
This user ID was the MCA user ID for channel 'CHANNEL2' on queue manager 'QM1'
and may have been defined in the channel definition, or supplied either by a
channel exit or by a client.
ACTION:
Ensure that the user ID is correct and that it is defined on the Windows local
system, the local domain or on a trusted domain. For a domain user ID, ensure
that all necessary domain controllers are available.
Vitor
Posted: Mon Jun 16, 2014 10:18 am

Grand High Poobah

Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA

Well that seems self explanatory
_________________
Honesty is the best policy.
Insanity is the best defence.
hughson
Posted: Tue Jun 17, 2014 2:54 am    Post subject: Re: MQ Client not able to connect to QM with 2035 error

Padawan

Joined: 09 May 2013
Posts: 1914
Location: Bay of Plenty, New Zealand

Mangesh1187 wrote:
On the MQ Client side, how can we set any user id, e.g. abc (which is not present on the MQ Client server and is other than the one the service is running with), while making the MQCONN, and create the same userid on the MQ Server with enough privileges, so that the connection will be successful?

Well done for finding the cause of your error by reading the error logs. This is always the best starting point for MQ problem diagnosis.

Now to answer the question that you have which was prompted by your discovery.

Rather than setting the user ID on the MQ Client side (since it may not be present on the MQ Client machine as you rightly point out), instead I suggest you set it on the queue manager side.

The best way to do this would be to make a CHLAUTH rule that will identify the client connection and assign the MCAUSER for it to use when it is seen connecting to that queue manager.

The assigned MCAUSER can then be granted the appropriate authorities it requires. You may like to read the following step-by-step guide to help you through your first use of CHLAUTH.

http://www.ibm.com/support/knowledgecenter/SSFKSJ_7.1.0/com.ibm.mq.doc/fg17050_.htm

Cheers
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
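
The server-side mapping suggested in the post above, as an added MQSC example that is not part of the original thread or the linked IBM guide. CHANNEL2 comes from the question; the account 'etlapp', the client address 192.0.2.10 and the queue ETL.INPUT.QUEUE are hypothetical placeholders, and the account is assumed to already exist on the Windows server or its domain.

```mqsc
* Added example. Hypothetical values: account 'etlapp', client address
* 192.0.2.10, queue ETL.INPUT.QUEUE. CHANNEL2 is the channel from the post.

* Make sure channel authentication records are enforced.
ALTER QMGR CHLAUTH(ENABLED)

* Default for this channel: refuse every address ...
SET CHLAUTH('CHANNEL2') TYPE(ADDRESSMAP) ADDRESS('*') +
    USERSRC(NOACCESS) ACTION(ADD) +
    DESCR('Block CHANNEL2 unless a more specific rule matches')

* ... except the ETL host. The user ID asserted by the client ('root')
* is ignored and replaced with the low-privilege MCAUSER.
SET CHLAUTH('CHANNEL2') TYPE(ADDRESSMAP) ADDRESS('192.0.2.10') +
    USERSRC(MAP) MCAUSER('etlapp') ACTION(ADD) +
    DESCR('ETL client runs as etlapp')

* Grant only what the application needs, not administrative access.
SET AUTHREC OBJTYPE(QMGR) PRINCIPAL('etlapp') AUTHADD(CONNECT, INQ)
SET AUTHREC PROFILE('ETL.INPUT.QUEUE') OBJTYPE(QUEUE) +
    PRINCIPAL('etlapp') AUTHADD(GET, PUT, INQ)

* Check which rule would apply before testing from the client.
DISPLAY CHLAUTH('CHANNEL2') MATCH(RUNCHECK) +
    ADDRESS('192.0.2.10') CLNTUSER('root')
```

A client address is a weak identifier; the channel definition in the question has a blank SSLCIPH, and once TLS is configured a TYPE(SSLPEERMAP) rule can tie the mapping to the client certificate instead.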
mqjeff
Posted: Tue Jun 17, 2014 6:05 am

Grand Master

Joined: 25 Jun 2008
Posts: 17447

Um..

The error message in the logs indicates that there is an MCAUSER on the server side.
fjb_saper
Posted: Wed Jun 18, 2014 5:09 am

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20696
Location: LI,NY

The whole point might be here between local and AD account
dsadm = local account needs to exist on the MQ SERVER.
dsadm@domain = domain account. Needs to be authorized and MQ needs to run with a domain service account with the adequate domain permissions...
_________________
MQ & Broker admin