AMQ4036 Issue
vishBroker
Posted: Thu Oct 16, 2014 2:36 pm    Post subject: AMQ4036 Issue

Centurion

Joined: 08 Dec 2010
Posts: 135

MQ Server - MQv8.0.0.1 on Linux
MQ Client(Explorer) - MQv7.5.0.1 on Windows.

Not able to connect to remote queue manager.

Configuration on explorer:
QMname, HOST:PORT, Channel (SYSTEM.BKR.CONFIG)

Here is o/p from server -
Quote:

DISPLAY CHANNEL(SYSTEM.BKR.CONFIG) ALL
1 : DISPLAY CHANNEL(SYSTEM.BKR.CONFIG) ALL
AMQ8414: Display Channel details.
CHANNEL(SYSTEM.BKR.CONFIG) CHLTYPE(SVRCONN)
ALTDATE(2014-10-16) ALTTIME(17.44.56)
CERTLABL( ) COMPHDR(NONE)
COMPMSG(NONE) DESCR( )
DISCINT(0) HBINT(300)
KAINT(AUTO) MAXINST(999999999)
MAXINSTC(999999999) MAXMSGL(104857600)
MCAUSER(mqsiadm) MONCHL(QMGR)
RCVDATA( ) RCVEXIT( )
SCYDATA( ) SCYEXIT( )
SENDDATA( ) SENDEXIT( )
SHARECNV(10) SSLCAUTH(OPTIONAL)
SSLCIPH( ) SSLPEER( )
TRPTYPE(TCP)




So, when I connect via SYSTEM.BKR.CONFIG channel - the authorization will happen as per the mqsiadm user's group.

For the mqsiadm user
Quote:

[mqsiadm@HOST:errors]$ grep mqsiadm /etc/group
mqsiadm:x:1018:
mqm:x:1020:mqsiadm
mqbrkrs:x:1021:mqsiadm

[mqsiadm@tesoawsmb03q:errors]$ id
uid=1017(mqsiadm) gid=1018(mqsiadm) groups=1018(mqsiadm),1020(mqm),1021(mqbrkrs)
[mqsiadm@HOST:errors]$

This means - the user mqsiadm is member of mqsiadm, mqm and mqbrkrs groups (all 3)

So, I did setmqaut for all the 3 groups on the queue manager as well as 'SYSTEM.BKR.CONFIG' SVRCONN channel.


Quote:

[mqsiadm@HOST:errors]$ dspmqaut -m QMQ3POS -t qmgr -g mqsiadm
Entity mqsiadm has the following authorizations for object QMQ3POS:
inq
set
connect
altusr
crt
dlt
chg
dsp
setid
setall
ctrl
system
[mqsiadm@HOST:errors]$ dspmqaut -m QMQ3POS -t qmgr -g mqm
Entity mqm has the following authorizations for object QMQ3POS:
inq
set
connect
altusr
crt
dlt
chg
dsp
setid
setall
ctrl
system
[mqsiadm@HOST:errors]$ dspmqaut -m QMQ3POS -t qmgr -g mqbrkrs
Entity mqbrkrs has the following authorizations for object QMQ3POS:
inq
set
connect
altusr
crt
dlt
chg
dsp
setid
setall
system
[mqsiadm@HOST:errors]$


All the 3 groups have same authority over queue manager

Same goes for SYSTEM.BKR.CONFIG channel
Quote:

[mqsiadm@HOST:errors]$ dspmqaut -m QMQ3POS -n SYSTEM.BKR.CONFIG -t channel -g mqsiadm
Entity mqsiadm has the following authorizations for object SYSTEM.BKR.CONFIG:
crt
dlt
chg
dsp
ctrl
ctrlx
[mqsiadm@HOST:errors]$ dspmqaut -m QMQ3POS -n SYSTEM.BKR.CONFIG -t channel -g mqbrkrs
Entity mqbrkrs has the following authorizations for object SYSTEM.BKR.CONFIG:
crt
dlt
chg
dsp
ctrl
ctrlx
[mqsiadm@HOST:errors]$ dspmqaut -m QMQ3POS -n SYSTEM.BKR.CONFIG -t channel -g mqm
Entity mqm has the following authorizations for object SYSTEM.BKR.CONFIG:
crt
dlt
chg
dsp
ctrl
ctrlx
[mqsiadm@HOST:errors]$


I tried with SSLCAUTH as OPTIONAL and REQUIRED - same error.

Kindly suggest, what I am missing here.
fjb_saper
Posted: Thu Oct 16, 2014 7:21 pm

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20703
Location: LI,NY

Look at Morag's post about channel authority records:
https://www.ibm.com/developerworks/community/blogs/aimsupport/entry/blocked_by_chlauth_why?lang=en
Then tell us what is wrong and how you plan to fix it.
Hint: you need to create a chlauth record of type blockuser...
_________________
MQ & Broker admin
vishBroker
Posted: Thu Oct 16, 2014 7:56 pm

Centurion

Joined: 08 Dec 2010
Posts: 135

+I know, posting twice is not allowed - hence I had put the note.+

I have tried disabling CHLAUTH.
And also tried applying two rules as mentioned here
http://www-01.ibm.com/support/docview.wss?uid=swg21577137

I am still getting same error.

I ran following commands-
+++
SET CHLAUTH(*) TYPE(BLOCKUSER) USERLIST('nobody','*MQADMIN')
4 : SET CHLAUTH(*) TYPE(BLOCKUSER) USERLIST('nobody','*MQADMIN')
AMQ8877: WebSphere MQ channel authentication record set.
SET CHLAUTH(SYSTEM.ADMIN.*) TYPE(BLOCKUSER) USERLIST('nobody')
5 : SET CHLAUTH(SYSTEM.ADMIN.*) TYPE(BLOCKUSER) USERLIST('nobody')
AMQ8877: WebSphere MQ channel authentication record set.
REFRESH SECURITY
+++

o/p
++
5 : DISPLAY CHLAUTH (*)
AMQ8878: Display channel authentication record details.
CHLAUTH(SYSTEM.ADMIN.SVRCONN) TYPE(ADDRESSMAP)
ADDRESS(*) USERSRC(CHANNEL)
AMQ8878: Display channel authentication record details.
CHLAUTH(SYSTEM.ADMIN.*) TYPE(BLOCKUSER)
USERLIST(nobody)
AMQ8878: Display channel authentication record details.
CHLAUTH(SYSTEM.*) TYPE(ADDRESSMAP)
ADDRESS(*) USERSRC(NOACCESS)
AMQ8878: Display channel authentication record details.
CHLAUTH(*) TYPE(BLOCKUSER)
USERLIST(nobody
,*MQADMIN)
++
vishBroker
Posted: Thu Oct 16, 2014 8:28 pm

Centurion

Joined: 08 Dec 2010
Posts: 135

Solved.

The issue was with CHCKCLNT
+++
4 : DISPLAY AUTHINFO (SYSTEM.DEFAULT.AUTHINFO.IDPWOS) ALL
AMQ8566: Display authentication information details.
AUTHINFO(SYSTEM.DEFAULT.AUTHINFO.IDPWOS)
AUTHTYPE(IDPWOS) ADOPTCTX(NO)
DESCR( ) CHCKCLNT(REQDADM)
CHCKLOCL(NONE) FAILDLAY(1)
ALTDATE(2014-10-14) ALTTIME(15.26.23)
++++

Once I changed CHCKCLNT to NONE, I was able to connect.

A deeper look into the logfile helped.

Thanks for the inputs.
fjb_saper
Posted: Thu Oct 16, 2014 8:28 pm

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20703
Location: LI,NY

Surely you do realize that you did not read Morag's post with any comprehension! Otherwise you would have known that allowing privileged users on SYSTEM.ADMIN.* will not solve your problem on SYSTEM.BKR.CONFIG. Nor will the backstop for all SYSTEM.* channels allow you access to SYSTEM.BKR.CONFIG unless you define a more specific rule for that.

My suggestion: Define a channel outside of the SYSTEM.* space, set it up for privileged access and try with that...

Have fun
_________________
MQ & Broker admin
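
Added example (not part of the thread, and not IBM code): a simplified Python model of how the CHLAUTH records displayed in the thread and the CHCKCLNT setting apply to a privileged user such as mqsiadm on different channels. The specificity scoring, the order of checks and the channel name APP.ADMIN.SVRCONN are assumptions made for illustration; client addresses are ignored because every record shown uses ADDRESS(*).

```python
from fnmatch import fnmatchcase

# CHLAUTH records copied from the DISPLAY CHLAUTH(*) output in the thread.
RECORDS = [
    {"profile": "SYSTEM.ADMIN.SVRCONN", "type": "ADDRESSMAP", "usersrc": "CHANNEL"},
    {"profile": "SYSTEM.ADMIN.*", "type": "BLOCKUSER", "userlist": ["nobody"]},
    {"profile": "SYSTEM.*", "type": "ADDRESSMAP", "usersrc": "NOACCESS"},
    {"profile": "*", "type": "BLOCKUSER", "userlist": ["nobody", "*MQADMIN"]},
]

def most_specific(records, rec_type, channel):
    """Matching record of one type with the most literal characters in its profile.
    Assumption: a stand-in for the queue manager's most-specific-profile rule."""
    hits = [r for r in records
            if r["type"] == rec_type and fnmatchcase(channel, r["profile"])]
    return max(hits, key=lambda r: len(r["profile"].replace("*", "")), default=None)

def evaluate(records, channel, mcauser, privileged,
             chckclnt="REQDADM", password_sent=False):
    """Return (allowed, reason) for one inbound SVRCONN connection."""
    amap = most_specific(records, "ADDRESSMAP", channel)
    if amap and amap["usersrc"] == "NOACCESS":
        return False, f"ADDRESSMAP {amap['profile']} USERSRC(NOACCESS)"
    block = most_specific(records, "BLOCKUSER", channel)
    for entry in (block["userlist"] if block else []):
        if entry == mcauser or (entry == "*MQADMIN" and privileged):
            return False, f"BLOCKUSER {block['profile']} lists {entry}"
    # Connection authentication: the AUTHINFO CHCKCLNT value shown in the thread.
    needs_pw = chckclnt == "REQUIRED" or (chckclnt == "REQDADM" and privileged)
    if needs_pw and not password_sent:
        return False, f"CHCKCLNT({chckclnt}) requires a password"
    return True, "allowed"

if __name__ == "__main__":
    # mqsiadm is a member of mqm, so it counts as a privileged user.
    for chl in ("SYSTEM.BKR.CONFIG", "SYSTEM.ADMIN.SVRCONN", "APP.ADMIN.SVRCONN"):
        print(chl, evaluate(RECORDS, chl, "mqsiadm", privileged=True))
```

In this model a channel outside SYSTEM.* still hits the `*` BLOCKUSER record until a more specific BLOCKUSER record is defined for it, and a privileged user still needs to send a password while CHCKCLNT is REQDADM.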