| Author |
Message
|
| smdavies99 |
 Posted: Tue Oct 28, 2014 5:22 am Post subject: BIP8053E - What does it really mean |
 |
|
Jedi Council
Joined: 10 Feb 2003
Posts: 6076
Location: Somewhere over the Rainbow this side of Never-never land.
|
Windows Server 2008R2 (same for the DC)
IIB V9.0.0.2
WMQ 7.5.0.4
with mqsicreatebroker in a Windows MSCS environment you have to use the -B option.
for example.
| Code: |
mqsicreatebroker NEWBK -i XXX-RMS-DEMO\mbservice -a Mumpty1admin -q NEWQM -B "XXX-RMS-DEMO\Domain Mb" -w S:\WBIDATA -e S:\WBIDATA
|
However you can get this response to the above command
| Code: |
mqsicreatebroker NEWBK -i XXX-RMS-DEMO\mbservice -a Mumpty1admin -q NEWQM -B "XXX-RMS-DEMO\Domain Mb" -w S:\WBIDATA -e S:\WBIDATA
BIP8053E: Unable to set the security attributes for WebSphere MQ Queue Manager 'NEWQM', Group 'XXX-RMS-DEMO\Domain Mb'.
This command attempts to set the Group security attributes for a WebSphere MQ Queue Manager.
Ensure that the required Group is available and that the user issuing this command is a member of the mqm group.
|
If you take out the -B option it works so the problem must be with the "Domain Mb" group.
The Group exists and the mbservice account is a member of it.
The command is being run from a command windows started with Admin rights and logged in as the Domain administrator account. This account is also a member of the mqm and mqbrkrs groups.(if this is needed)
Does anyone know what Group security attributes for a WebSphere MQ Queue Manager actually means? Is there any way to verify that its requirements are met before running the command?
No event log information is recorded at all nor are there any MQ errors recorded.
_________________
WMQ User since 1999
MQSI/WBI/WMB/'Thingy' User since 2002
Linux user since 1995
Every time you reinvent the wheel the more square it gets (anon). If in doubt think and investigate before you ask silly questions. |
|
| Back to top |
|
 |
| fjb_saper |
| Posted: Tue Oct 28, 2014 7:49 am Post subject: |
|
|
Grand High Poobah
Joined: 18 Nov 2003
Posts: 20696
Location: LI,NY
|
Review the mqsicreatebroker command.
You missed an attribute. The command for windows has a group attribute for MQ like the -B that gives the group attribute for the broker.
Have fun 
_________________
MQ & Broker admin |
|
| Back to top |
|
|
| smdavies99 |
| Posted: Tue Oct 28, 2014 9:02 am Post subject: Q |
|
|
Jedi Council
Joined: 10 Feb 2003
Posts: 6076
Location: Somewhere over the Rainbow this side of Never-never land.
|
Ah, I see it now. the -Q option.
Strange that the command shown before was used successfully with many WMQ 7.5.0.3 Queue Managers.
I guess that something in 7.5.0.4 has been 'fixed'/tightened up.
I'll give it a try in the morning.
_________________
WMQ User since 1999
MQSI/WBI/WMB/'Thingy' User since 2002
Linux user since 1995
Every time you reinvent the wheel the more square it gets (anon). If in doubt think and investigate before you ask silly questions. |
|
| Back to top |
|
|
| smdavies99 |
| Posted: Tue Oct 28, 2014 11:23 pm Post subject: |
|
|
Jedi Council
Joined: 10 Feb 2003
Posts: 6076
Location: Somewhere over the Rainbow this side of Never-never land.
|
The -Q option did not change things at all.
To quote the output of mqsicreatebroker /?
| Quote: |
'-Q queueManagerDomainGroup' the Windows Domain Group that is used to secure the WebSphere MQ Queue Manager files in the sharedWorkPath of a multi instance broker. Only used in co
njunction with -e and if the queue manager does not exist and is to be created.
|
The Qmgr already exists.
Besides, using it seems to make no difference at all.
| Code: |
mqsicreatebroker NEWBK -i "XXX-RMS-DEMO\mbservice" -a Mumpty1admin -q NEWQM -B "XXX-RMS-DEMO\Domain Mb" -w S:\IIBDATA\NEWBK -e S:\IIBSHARE\NEWBK
BIP8053E: Unable to set the security attributes for WebSphere MQ Queue Manager 'NEWQM', Group 'XXX-RMS-DEMO\Domain Mb'.
This command attempts to set the Group security attributes for a WebSphere MQ Queue Manager.
Ensure that the required Group is available and that the user issuing this command is a member of the mqm group.
Press any key to continue . . .
mqsicreatebroker NEWBK -i "XXX-RMS-DEMO\mbservice" -a Mumpty1admin -q NEWQM -Q "XXX-RMS-DEMO\Domain Mb" -B "XXX-AMS-DEMO\Domain Mb" -w S:\IIBDATA\NEWBK -e S:\IIBSHARE\NEWBK
BIP8053E: Unable to set the security attributes for WebSphere MQ Queue Manager 'NEWQM', Group 'XXX-RMS-DEMO\Domain Mb'.
This command attempts to set the Group security attributes for a WebSphere MQ Queue Manager.
Ensure that the required Group is available and that the user issuing this command is a member of the mqm group.
mqsicreatebroker NEWBK -i "XXX-RMS-DEMO\mbservice" -a Mumpty1admin -q NEWQM -Q "XXX-RMS-DEMO\Domain mqm" -B "XXX-RMS-DEMO\Domain Mb" -w S:\IIBDATA\NEWBK -e S:\IIBSHARE\NEWBK
BIP8053E: Unable to set the security attributes for WebSphere MQ Queue Manager 'NEWQM', Group 'XXX-RMS-DEMO\Domain Mb'.
This command attempts to set the Group security attributes for a WebSphere MQ Queue Manager.
Ensure that the required Group is available and that the user issuing this command is a member of the mqm group.
Press any key to continue . . .
S:\scripts\wbiscripts\NEWBK>
|
It does seem to be related to the -e option. Remove it and the broker is created. This is the critical bit of data that we need to be shared. Yet there are directories created in the S:\IIBSHARE\NEWBK\mqsi\...
this seems to indicate to me that there is write access to the directory.
This goes back to my initial question.
Just what is the mqsicreatebroker command trying to set in the way of secutiry attributes and where?
_________________
WMQ User since 1999
MQSI/WBI/WMB/'Thingy' User since 2002
Linux user since 1995
Every time you reinvent the wheel the more square it gets (anon). If in doubt think and investigate before you ask silly questions. |
|
| Back to top |
|
|
| fjb_saper |
| Posted: Wed Oct 29, 2014 6:46 am Post subject: |
|
|
Grand High Poobah
Joined: 18 Nov 2003
Posts: 20696
Location: LI,NY
|
Well -B and -Q are mainly used when you create a multi-instance broker on top of a multi-instance qmgr.
This means that for the multi-instance qmgr the -Q domaingroup has all necessary rights to the qmgrs data and logs and the -B domaingroup has all rights to the workpath and shared data for the broker.
Your case being that of a broker on top of the MSCS qmgr, you might have some additional constraints...
It doesn't look like your qmgr was built using the -a domaingrp flag and that might well be the problem here.
_________________
MQ & Broker admin |
|
| Back to top |
|
|
| smdavies99 |
| Posted: Wed Oct 29, 2014 11:09 pm Post subject: |
|
|
Jedi Council
Joined: 10 Feb 2003
Posts: 6076
Location: Somewhere over the Rainbow this side of Never-never land.
|
Well, the qmgr was created with the -a option.
The script I am using is an edited copy of what has been working in our MQ7.5.0.3/IIB 9.0.0.2 production environment since June 2014.
Sadly I think this problem can go down to the old Microsoft 'Did you reboot?' event. Sure the nodes in the cluster had been rebooted many times but the DC hadn't. I know this sounds illogical but... hey, this is Windows. 
Sometimes I'd like to [redacted] the whole company for producing such [redacted] software.
I updated MS Office 2011 on my MacBook last night. Why on earth does the updater have to kill 'firefox'? There are NO dependencies betweent Office and Firefox so why? Answers on a pin-head please.
_________________
WMQ User since 1999
MQSI/WBI/WMB/'Thingy' User since 2002
Linux user since 1995
Every time you reinvent the wheel the more square it gets (anon). If in doubt think and investigate before you ask silly questions. |
|
| Back to top |
|
|
| smdavies99 |
| Posted: Thu Oct 30, 2014 12:50 am Post subject: |
|
|
Jedi Council
Joined: 10 Feb 2003
Posts: 6076
Location: Somewhere over the Rainbow this side of Never-never land.
|
This exercise has raied one question
Suppose you have an environment (QMGR + BKR) that is happily chugging away using WMQ 7.0.1.6/Broker 7.0.0.4 and you want to upgrade.
Sure, you have to delete and re-create the broker BUT you can't ever get the new broker (say 9.0.0.2) to work with the existing QMGR because the V7 qmgr was not built using the -a option.
You have no option but to delete everything and build it again.
So my POC has proved one important thing.
You can't migrate a two node MSCS active/passive environment from MQ 7/Bkr 7 to MQ 7.5 or 8/Broker 8 or 9 with one node active. You have to have a total service outage.
That is going to cause one site of mine a big problem.
If anyone knows a way forward with this I am sure that I would not be alone in welcoming its discovery.
Here is an example or what I mean
MIGQM - Qmgr create with WMQ 7.0.1.6 and migrated to V7.5.0.4
NEWQM - Qmgr created with V7.5.0.4 and with the -a option
| Code: |
S:\scripts\wbiscripts\NEWBK>cre_broker.bat
mqsicreatebroker NEWBK -i "XXX-RMS-DEMO\mbservice" -a Pluggh1 -q NEWQM -B "XXX-RMS-DEMO\Domain mb" -w S:\IIBDATA\NEWBK -e S:\IIBSHARE\NEWBK
BIP8071I: Successful command completion.
Press any key to continue . . .
S:\scripts\wbiscripts\NEWBK>mqsistart NEWBK
BIP8096I: Successful command initiation, check the system log to ensure that the component started without problem and that it continues to run without problem.
S:\scripts\wbiscripts\NEWBK>mqsilist
BIP1295I: Broker 'NEWBK' is an active multi-instance or High Availability broker that is running on queue manager 'NEWQM'.
BIP8071I: Successful command completion.
S:\scripts\wbiscripts\NEWBK>mqsicreateexecutiongroup NEWBK -e EG_0
BIP1124I: Creating execution group 'EG_0' on broker 'NEWBK'...
BIP1117I: The execution group was created successfully.
The broker has initialized the execution group.
BIP8071I: Successful command completion.
S:\scripts\wbiscripts\NEWBK>cd ..\MIGBK
S:\scripts\wbiscripts\MIGBK>cre_broker.bat
mqsicreatebroker MIGBK -i "XXX-RMS-DEMO\mbservice" -a Pluggh1 -q MIGQM -B "XXX-RMS-DEMO\Domain mb" -w S:\IIBDATA\MIGBK -e S:\IIBSHARE\MIGBK
BIP8053E: Unable to set the security attributes for WebSphere MQ Queue Manager 'MIGQM', Group 'XXX-RMS-DEMO\Domain mb'.
This command attempts to set the Group security attributes for a WebSphere MQ Queue Manager.
Ensure that the required Group is available and that the user issuing this command is a member of the mqm group.
S:\scripts\wbiscripts\MIGBK>
|
One broker (NEWBK) created and working while the Create for the migrated QMGR fails.
As a further step, I added the following to the QM.INI of the MIGQM
| Code: |
AccessMode:
SecurityGroup=XXX-RMS-DEMO\Domain mqm
RemoveMQMAccess=FALSE
|
and restarted the QMGR.
The create broker still fails.
_________________
WMQ User since 1999
MQSI/WBI/WMB/'Thingy' User since 2002
Linux user since 1995
Every time you reinvent the wheel the more square it gets (anon). If in doubt think and investigate before you ask silly questions. |
|
| Back to top |
|
|
|
|
