MQ Permissions were missing when switching the nodes in MSCS
ashokt
Posted: Sat Sep 09, 2023 10:31 pm

Novice

Joined: 09 Oct 2022
Posts: 18

Dear team,

Recently I configured MQ in an MSCS cluster in a Windows environment, but I configured users and groups at the local level on both nodes and added permissions on a single node; all the applications and QMGRs were running on NODE1. We recently switched the QMGR from node1 to node2 from Failover Manager. The application running on node2 got permission-related issues, and I then found that the permissions had not been added on node2. I immediately added the respective permissions manually on node2. All of this happened in the production environment.

My problem is that whenever QMGR objects are newly created, I need to add QMGR/queue permissions on both nodes manually (which is very difficult for me every time). I googled this issue and found that the solution is to create the users and groups at the domain level.

Currently all applications are running in production. If I create the users and groups at the domain level and add the permissions to the domain users and groups at the qmgr level and queue level, will there be any impact on production services?

Please advise.

Regards,
Ashok.
bruce2359
Posted: Sun Sep 10, 2023 1:30 pm

Poobah

Joined: 05 Jan 2008
Posts: 9399
Location: US: west coast, almost. Otherwise, enroute.

Which permissions? Did you get any error messages? If so, please post them here.
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
gbaddeley
Posted: Sun Sep 10, 2023 3:30 pm

Jedi

Joined: 25 Mar 2003
Posts: 2495
Location: Melbourne, Australia

If you grant MQ authorities to local groups or users on an MSCS Windows node, they will not be valid for the same local groups or users on the other node in the cluster. This is because they have different SIDs, and MQ authorities use the SID, not the actual group or user name.

Either grant the permissions to the queue manager when it is running on each node, or use Active Directory groups or users.
_________________
Glenn
ashokt
Posted: Sun Sep 10, 2023 8:44 pm

Novice

Joined: 09 Oct 2022
Posts: 18

Dear @gbaddeley

Thank you very much for the response. If I grant the permissions at the domain level without revoking the existing local user and group QMGR- and queue-level permissions, will it work properly without any issue? I ask because everything is currently running in the production environment.
ashokt
Posted: Sun Sep 10, 2023 8:49 pm

Novice

Joined: 09 Oct 2022
Posts: 18

bruce2359 wrote:
Which permissions? Did you get any error messages? If so, please post them here.



Dear Bruce ,

Since all the permissions were under local users and groups, when we switched from one node to the other, the existing permissions were removed automatically, since those SIDs were different, as @gbaddeley said below.

As verified in the logs, it shows "2035 or not having required permissions"; this time we granted the permissions manually.

Thanks!
gbaddeley
Posted: Mon Sep 11, 2023 3:40 pm

Jedi

Joined: 25 Mar 2003
Posts: 2495
Location: Melbourne, Australia

ashokt wrote:
bruce2359 wrote:
Which permissions? Did you get any error messages? If so, please post them here.


Dear Bruce ,

Since all the permissions were under local users and groups, when we switched from one node to the other, the existing permissions were removed automatically, since those SIDs were different, as @gbaddeley said below.

As verified in the logs, it shows "2035 or not having required permissions"; this time we granted the permissions manually.

Thanks!


The MQ authority records and SIDs are not removed, they remain stored in MQ's authority queue. You should be able to see records for the local mqm group etc. for both nodes. One of these will be shown as a SID, because the node can't resolve SIDs that only exist on the other node.

eg.
Code:

Object Profile Name                       Object Type Entity Name                                        Entity Type Authorisation List                                                                                                 
========================================= =========== ================================================== =========== ===================================================================================================================
SYSTEM.DEFAULT.LOCAL.QUEUE                Queue       S-1-5-21-9122744-1558073900-1550850067-442016@               3 Browse; Change; Clear; Delete; Display; Input; Inquire; Output; Pass All; Pass Identity; Set; Set All; Set Identity
SYSTEM.DEFAULT.LOCAL.QUEUE                Queue       mqm@MYHOSTNAME                                     Group       Browse; Change; Clear; Delete; Display; Input; Inquire; Output; Pass All; Pass Identity; Set; Set All; Set Identity

_________________
Glenn
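
An added example, not part of the original posts: a sketch that parses a listing in the layout shown above, taken on the node that currently owns the queue manager, and marks each authority record as a domain principal, a node-local principal, or a raw SID the node cannot resolve. The row layout is assumed from the two rows in the post; the second SID, the `APP.*` queues, `mqapps` and `EXAMPLEDOM` are constructed, and treating an identical authority set under a local name as the matching grant is a heuristic.

```python
import re

# Constructed listing in the layout shown above. Row 1's SID and mqm@MYHOSTNAME come
# from the post; the second SID, APP.* queues, mqapps and EXAMPLEDOM are made up.
SAMPLE = """\
Object Profile Name        Object Type Entity Name                                     Entity Type Authorisation List
========================== =========== =============================================== =========== ==============================
SYSTEM.DEFAULT.LOCAL.QUEUE Queue       S-1-5-21-9122744-1558073900-1550850067-442016@            3 Browse; Display; Input; Output
SYSTEM.DEFAULT.LOCAL.QUEUE Queue       mqm@MYHOSTNAME                                  Group       Browse; Display; Input; Output
APP.REQUEST                Queue       S-1-5-21-1111111111-2222222222-3333333333-1005@           3 Input; Output
APP.REPLY                  Queue       mqapps@EXAMPLEDOM                               Group       Input; Output
"""

# Assumption: every entity is printed as name@scope (or SID@), as in both rows of the post.
ROW = re.compile(r"^(\S+)\s+(.+?)\s+(\S*@\S*)\s+(\S+)\s+(.*)$")
RAW_SID = re.compile(r"^S-1-\d+(?:-\d+)+@$")  # SID this node could not turn into a name

def parse(text):
    """Return one dict per authority record; header, ==== rule and blank lines are skipped."""
    recs = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        profile, _objtype, entity, _enttype, auths = m.groups()
        recs.append({"profile": profile, "entity": entity, "scope": entity.split("@", 1)[1].upper(),
                     "auths": frozenset(a.strip() for a in auths.split(";") if a.strip())})
    return recs

def audit(text, node_hosts):
    """Classify records; node_hosts are the cluster nodes' hostnames (supplied by the caller)."""
    hosts = {h.upper() for h in node_hosts}
    recs = parse(text)
    local = [r for r in recs if r["scope"] in hosts]
    report = []
    for r in recs:
        if RAW_SID.match(r["entity"]):
            # Heuristic: same object + same authorities under a local name = grant repeated here.
            twin = any(l["profile"] == r["profile"] and l["auths"] == r["auths"] for l in local)
            status = "unresolved SID: mirrored locally" if twin else "unresolved SID: no local grant"
        elif r["scope"] in hosts:
            status = "node-local principal"
        else:
            status = "domain principal"
        report.append((r["profile"], r["entity"], status))
    return report

if __name__ == "__main__":
    print(*audit(SAMPLE, {"MYHOSTNAME"}), sep="\n")
```

Records reported as "no local grant" are the ones an application would hit as a 2035 on this node; "node-local principal" records are the candidates for replacement with Active Directory groups.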
bruce2359
Posted: Mon Sep 11, 2023 3:59 pm

Poobah

Joined: 05 Jan 2008
Posts: 9399
Location: US: west coast, almost. Otherwise, enroute.

ashokt wrote:
bruce2359 wrote:
Which permissions? Did you get any error messages? If so, please post them here.



Dear Bruce ,

Since all the permissions were under local users and groups, when we switched from one node to the other, the existing permissions were removed automatically, since those SIDs were different, as @gbaddeley said below.

As verified in the logs, it shows "2035 or not having required permissions"; this time we granted the permissions manually.

Thanks!

When posting, when asking for help, please be precise and complete.

Permissions for what, exactly? Include messages from system and queue-manager logs, and from applications.
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.