| Author |
Message
|
| smdavies99 |
 Posted: Mon Aug 11, 2014 4:34 am Post subject: IIB 9.0.0.2 Create broker problem |
 |
|
Jedi Council
Joined: 10 Feb 2003
Posts: 6076
Location: Somewhere over the Rainbow this side of Never-never land.
|
I'm doing a POc test with the following
-Windows Server 2012 R2
- MQ V8.0.0.0
- IIB 9.0.0.2
In a clustered setup (MSCS).
I can create and run a broker normally (no -w or -e) no problems.
now I'm trying to create a broker with the -w & -e options pointing to the shared storage drive.
I get the following when trying to create the broker.
| Code: |
S:\temp>mqsicreatebroker MQTEST -i mbservice -a Pluggh001 -q MQTEST -B "XXX-AMS-DEMO\Domain mb" -w S:\IIBDATA\MQTEST -e S:\IIBSHARE\MQTEST
BIP8053E: Unable to set the security attributes for WebSphere MQ Queue Manager 'MQTEST', Group 'XXX-AMS-DEMO\Domain mb'.
This command attempts to set the Group security attributes for a WebSphere MQ Queue Manager.
Ensure that the required Group is available and that the user issuing this command is a member of the mqm group.
|
The Group is available and was created on the domain controller using the same set of steps used for IIB 9.0.0.1 ans MQ 7.5.0.3
The use issuing the command is a member of the domain Admins and explicity mqm and mqbrkrs as well as domain mb.
Is the error message trying to say that the create broker command is trying to set some security attributes for the 'Domain mb' group? That group is also a member of the 'mqm' group so I'm rather puzzled as to what is going on here.
anyone have any thoughts? This is a new error for me.
_________________
WMQ User since 1999
MQSI/WBI/WMB/'Thingy' User since 2002
Linux user since 1995
Every time you reinvent the wheel the more square it gets (anon). If in doubt think and investigate before you ask silly questions. |
|
| Back to top |
|
 |
| mqjeff |
| Posted: Mon Aug 11, 2014 4:47 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008
Posts: 17447
|
Stupid Windows Question: Did you reboot after installing MQ?
Stupid thing to try: REFRESH SECURITY on the queue manager. |
|
| Back to top |
|
|
| smdavies99 |
| Posted: Mon Aug 11, 2014 4:50 am Post subject: |
|
|
Jedi Council
Joined: 10 Feb 2003
Posts: 6076
Location: Somewhere over the Rainbow this side of Never-never land.
|
Not a stupid set of questions. good points.
Yes and Yes.
_________________
WMQ User since 1999
MQSI/WBI/WMB/'Thingy' User since 2002
Linux user since 1995
Every time you reinvent the wheel the more square it gets (anon). If in doubt think and investigate before you ask silly questions. |
|
| Back to top |
|
|
| mqjeff |
| Posted: Mon Aug 11, 2014 5:02 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008
Posts: 17447
|
"Stupid" becuase you'd probably already tried them... And because it'd be stupid if they fixed the problem... 
Some more nuts+bolts things to check...
Are you otherwise able to run setmqauth commands for the user running mqsicreatebroker? (I know you've said they're in mqm, but... )
Try creating a test queue and giving the user some permissions on it.
Can you confirm that the user running mqsicreatebroker has permissions to what I'm guessing would be "S:\MQDATA\MQTEST" ?
Is the S drive mounted manually? or in some way that it would/should be visible in the background? |
|
| Back to top |
|
|
| smdavies99 |
| Posted: Mon Aug 11, 2014 5:14 am Post subject: |
|
|
Jedi Council
Joined: 10 Feb 2003
Posts: 6076
Location: Somewhere over the Rainbow this side of Never-never land.
|
| mqjeff wrote: |
"Stupid" becuase you'd probably already tried them... And because it'd be stupid if they fixed the problem...
|
Fair enough but you never know if they would fix the problem unless you tried them.
| mqjeff wrote: |
Are you otherwise able to run setmqauth commands for the user running mqsicreatebroker? (I know you've said they're in mqm, but... )
Try creating a test queue and giving the user some permissions on it.
|
| Code: |
S:\temp>setmqaut -m MQTEST -n A.IN -t queue -g mqbrkrs +browse +get +inq +passall +passid +put +set +setall +setid +chg +clr +dlt +dsp
The setmqaut command completed successfully.
S:\temp>
|
| mqjeff wrote: |
Can you confirm that the user running mqsicreatebroker has permissions to what I'm guessing would be "S:\MQDATA\MQTEST" ?
|
Domain Admin ok for you? The user that will run the broker has full controll to the directories on S:
| mqjeff wrote: |
Is the S drive mounted manually? or in some way that it would/should be visible in the background? |
S: is the shared drive in the cluster so the Failover cluster manager handled that. Explorer sees it perfectly. the command I run to create the broker is in a .bat file held on the shared drive.
I set the queue Manager property CONNAUTH to '' this disabling the username/password validation. My next pass on the POC was to enable it.
This was done before trying to create any broker.
_________________
WMQ User since 1999
MQSI/WBI/WMB/'Thingy' User since 2002
Linux user since 1995
Every time you reinvent the wheel the more square it gets (anon). If in doubt think and investigate before you ask silly questions. |
|
| Back to top |
|
|
| mqjeff |
| Posted: Mon Aug 11, 2014 5:24 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008
Posts: 17447
|
Ok.
Are there any other errors in any of the windows logs (event viewer, application or security particularly) at or near the same time you run mqsicreatebroker and get a failure?
Any fdcs, or etc in mq? anything in broker error directories?
Otherwise, out of ideas. Take a trace (of mqsicreatebroker) and see what it complains about. |
|
| Back to top |
|
|
| fjb_saper |
| Posted: Mon Aug 11, 2014 5:28 am Post subject: |
|
|
Grand High Poobah
Joined: 18 Nov 2003
Posts: 20756
Location: LI,NY
|
Was the broker properly created with a domain user being part of the broker domain referenced in the creation command?
Remember just like MQ when creating in an MSCS cluster all things sid & gid must match on both sides.
Has the domain broker group been duly authorized on MQ?
And finally did you run the mqsicreate command from an elevated mqsi command prompt (run as administrator), or simply as logged on as the broker domain user? 
_________________
MQ & Broker admin
Last edited by fjb_saper on Mon Aug 11, 2014 5:33 am; edited 1 time in total |
|
| Back to top |
|
|
| smdavies99 |
| Posted: Mon Aug 11, 2014 5:33 am Post subject: |
|
|
Jedi Council
Joined: 10 Feb 2003
Posts: 6076
Location: Somewhere over the Rainbow this side of Never-never land.
|
| mqjeff wrote: |
Ok.
Are there any other errors in any of the windows logs (event viewer, application or security particularly) at or near the same time you run mqsicreatebroker and get a failure?
Any fdcs, or etc in mq? anything in broker error directories?
Otherwise, out of ideas. Take a trace (of mqsicreatebroker) and see what it complains about. |
no errors or fdc's anywhere (windows, MQ or broker)
Yep it looks like I'll have to take a trace. 
Never had to do it for anything other than broker though
_________________
WMQ User since 1999
MQSI/WBI/WMB/'Thingy' User since 2002
Linux user since 1995
Every time you reinvent the wheel the more square it gets (anon). If in doubt think and investigate before you ask silly questions.
Last edited by smdavies99 on Mon Aug 11, 2014 5:36 am; edited 1 time in total |
|
| Back to top |
|
|
| fjb_saper |
| Posted: Mon Aug 11, 2014 5:35 am Post subject: |
|
|
Grand High Poobah
Joined: 18 Nov 2003
Posts: 20756
Location: LI,NY
|
| smdavies99 wrote: |
| mqjeff wrote: |
Ok.
Are there any other errors in any of the windows logs (event viewer, application or security particularly) at or near the same time you run mqsicreatebroker and get a failure?
Any fdcs, or etc in mq? anything in broker error directories?
Otherwise, out of ideas. Take a trace (of mqsicreatebroker) and see what it complains about. |
no errors or fdc's anywhere (windows, MQ or broker)
Yep it looks like I'll have to take a trace. That is something I haven't done before. |
This is windows. What type of command prompt (mqsi...) did you run that command from? Remember in windows to run as administrator!...
_________________
MQ & Broker admin |
|
| Back to top |
|
|
| smdavies99 |
| Posted: Mon Aug 11, 2014 5:37 am Post subject: |
|
|
Jedi Council
Joined: 10 Feb 2003
Posts: 6076
Location: Somewhere over the Rainbow this side of Never-never land.
|
| fjb_saper wrote: |
This is windows. What type of command prompt (mqsi...) did you run that command from? Remember in windows to run as administrator!... |
Yep. This was done after starting an IIB command window and entering the
command
_________________
WMQ User since 1999
MQSI/WBI/WMB/'Thingy' User since 2002
Linux user since 1995
Every time you reinvent the wheel the more square it gets (anon). If in doubt think and investigate before you ask silly questions. |
|
| Back to top |
|
|
| fjb_saper |
| Posted: Mon Aug 11, 2014 5:51 am Post subject: |
|
|
Grand High Poobah
Joined: 18 Nov 2003
Posts: 20756
Location: LI,NY
|
| smdavies99 wrote: |
| fjb_saper wrote: |
This is windows. What type of command prompt (mqsi...) did you run that command from? Remember in windows to run as administrator!... |
Yep. This was done after starting an IIB command window and entering the
command |
I usually don't do that. Too much confusion as to which command prompt you are actually using...
What I do is right click the mqsiconsole icon and choose run as Administrator.
This way only one icon on the taskbar with mqsilogo. No confusion with other MSDOS sessions.
_________________
MQ & Broker admin |
|
| Back to top |
|
|
| smdavies99 |
| Posted: Mon Aug 11, 2014 6:05 am Post subject: |
|
|
Jedi Council
Joined: 10 Feb 2003
Posts: 6076
Location: Somewhere over the Rainbow this side of Never-never land.
|
| fjb_saper wrote: |
I usually don't do that. Too much confusion as to which command prompt you are actually using...
What I do is right click the mqsiconsole icon and choose run as Administrator.
This way only one icon on the taskbar with mqsilogo. No confusion with other MSDOS sessions. |
agreed. however it makes no difference which way I get to the command prompt, the answer is the same.
Removing the -B option allows the broker to be created. This is great except the this option is needed in order to get the broker to run on the other node.
I'll go through the setup of the group etc in fine detail tomorrow.
_________________
WMQ User since 1999
MQSI/WBI/WMB/'Thingy' User since 2002
Linux user since 1995
Every time you reinvent the wheel the more square it gets (anon). If in doubt think and investigate before you ask silly questions. |
|
| Back to top |
|
|
| fjb_saper |
| Posted: Mon Aug 11, 2014 6:21 am Post subject: |
|
|
Grand High Poobah
Joined: 18 Nov 2003
Posts: 20756
Location: LI,NY
|
I created MI broker at V9.0.0.1 with the -B option without problems on Windows 2012 server... for what it's worth...
_________________
MQ & Broker admin |
|
| Back to top |
|
|
| smdavies99 |
| Posted: Mon Aug 11, 2014 6:36 am Post subject: |
|
|
Jedi Council
Joined: 10 Feb 2003
Posts: 6076
Location: Somewhere over the Rainbow this side of Never-never land.
|
| fjb_saper wrote: |
| I created MI broker at V9.0.0.1 with the -B option without problems on Windows 2012 server... for what it's worth... |
That's what I was wondering. "Should I revert to 9.0.0.1?"
I've done that before without problem
What version of MQ were you using?
_________________
WMQ User since 1999
MQSI/WBI/WMB/'Thingy' User since 2002
Linux user since 1995
Every time you reinvent the wheel the more square it gets (anon). If in doubt think and investigate before you ask silly questions. |
|
| Back to top |
|
|
| fjb_saper |
| Posted: Mon Aug 11, 2014 6:39 am Post subject: |
|
|
Grand High Poobah
Joined: 18 Nov 2003
Posts: 20756
Location: LI,NY
|
| smdavies99 wrote: |
| fjb_saper wrote: |
| I created MI broker at V9.0.0.1 with the -B option without problems on Windows 2012 server... for what it's worth... |
That's what I was wondering. "Should I revert to 9.0.0.1?"
I've done that before without problem
What version of MQ were you using? |
WMQ 7.5.0.3 , the qmgr had already been created and the security flag for the broker was not set. (not that I think it would have mattered)
The broker was created as an MQ Service...
_________________
MQ & Broker admin |
|
| Back to top |
|
|
|
|
