| Author |
Message
|
| MQ_Lover |
 Posted: Tue Dec 10, 2013 9:43 am Post subject: MQ Security Error - 2063 |
 |
|
Acolyte
Joined: 15 Jul 2013
Posts: 67
|
Hi All,
We are seeing a strange error in MQ logs for which not much details are available the error in Queue Manager logs is as below
----- cmqxrsrv.c : 1972 -------------------------------------------------------
10/12/2013 16:39:35 - Process(132132.39) User(test) Program(amqzlaa0.exe)
Host(GBW07543) Installation(Installation1)
VRMF(7.5.0.1) QMgr(Qmgr)
AMQ7227: WebSphere MQ encountered the following network error: The RPC server
is unavailable.
EXPLANATION:
MQ failed to successfully complete a network operation due to the specified
error. If the error is encountered on systems that are part of a Windows 2000
domain it can indicate incorrect DNS or WINS configuration.
ACTION:
Ensure that your network is functioning correctly. On the Windows platform
check DNS and/or WINS settings to ensure that domain controllers, used for
authentication or authorisation functions, are accessible.
----- amqzfubn.c : 4018 -------------------------------------------------------
10/12/2013 16:39:35 - Process(133076.37958) User(test) Program(runmqlsr.exe)
Host(GBW07543) Installation(Installation1)
VRMF(7.5.0.1) QMgr(Qmgr)
AMQ9557: Queue Manager User ID initialization failed.
EXPLANATION:
The call to initialize the User ID failed with CompCode 2 and Reason 2063.
ACTION:
Correct the error and try again.
----- cmqxrsrv.c : 1972 -------------------------------------------------------
I have changed the user domain id above from original to User(test) but that is domain account under which MQ Queue Manager is running. Everything else works except these couple of queues which are not working and throwing the error above for rest all connectivity there isn't any issues.
What is being tested here is a user in a local group on the server which has all necessary permissions to connect to MQ Queue Manager tries to put a message on the queue using serverconn channel the channel is clean no security exit, no mca user but as they test they get this error apprantely in the old server they are running MQ 7.0 and no issues seen there and I have checked all MQ permissions at Queue Manager and Queues level and all are same but only difference is MQ version and server, any advise appreciated. Old server has MQ 7.0.1.7 and this new one is MQ 7.5.0.1
Thanks |
|
| Back to top |
|
 |
| fjb_saper |
| Posted: Tue Dec 10, 2013 8:52 pm Post subject: |
|
|
Grand High Poobah
Joined: 18 Nov 2003
Posts: 20703
Location: LI,NY
|
|
| Back to top |
|
|
| MQ_Lover |
| Posted: Fri Dec 13, 2013 2:36 am Post subject: |
|
|
Acolyte
Joined: 15 Jul 2013
Posts: 67
|
Hi sjp_saper,
Thanks for the reply, but I have already disabled the channelauth as part of the build of the new servers, now we have kind of come closer to the issue cause but unable to resolve yet.
It looks like this 2063 error is only thrown for users in Asia Pacific domain and works fine for any users in Europe domain. The strange bit is I can grant permission to the same user on old server but not on the new servers
On New server I get the error as below
Unknown User 'abc@hbap'. (AMQ4808)
Unknown User 'abc@hbap'. (AMQ4808)
Severity: 10 (Warning)
Explanation: The named entity for the given type is not defined on the system.
Response: Make sure the entity is defined and it matches the type of entity.
It's a asis pacific domain account not sure what needs to be done here any idea on this? |
|
| Back to top |
|
|
| MQ_Lover |
| Posted: Fri Dec 13, 2013 4:14 am Post subject: |
|
|
Acolyte
Joined: 15 Jul 2013
Posts: 67
|
In the Queue Manager error logs see this error.
AMQ7227: WebSphere MQ encountered the following network error: The RPC server
is unavailable.
EXPLANATION:
MQ failed to successfully complete a network operation due to the specified
error. If the error is encountered on systems that are part of a Windows 2000
domain it can indicate incorrect DNS or WINS configuration.
ACTION:
Ensure that your network is functioning correctly. On the Windows platform
check DNS and/or WINS settings to ensure that domain controllers, used for
authentication or authorisation functions, are accessible.
----- amqzfubn.c : 4018 ------------------------------------------------------- |
|
| Back to top |
|
|
| exerk |
| Posted: Fri Dec 13, 2013 7:13 am Post subject: |
|
|
Jedi Council
Joined: 02 Nov 2006
Posts: 6339
|
What cross-domain trusts are set up?
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
|
| Back to top |
|
|
| MQ_Lover |
| Posted: Fri Dec 13, 2013 8:07 am Post subject: |
|
|
Acolyte
Joined: 15 Jul 2013
Posts: 67
|
Hi exerk,
| Quote: |
| What cross-domain trusts are set up? |
how do I check that please? |
|
| Back to top |
|
|
| exerk |
| Posted: Fri Dec 13, 2013 8:15 am Post subject: |
|
|
Jedi Council
Joined: 02 Nov 2006
Posts: 6339
|
| MQ_Lover wrote: |
Hi exerk,
| Quote: |
| What cross-domain trusts are set up? |
how do I check that please? |
Speak with your Domain Security Administrators, they will be able to tell you which trusts exist.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
|
| Back to top |
|
|
| fjb_saper |
| Posted: Sun Dec 15, 2013 12:02 pm Post subject: |
|
|
Grand High Poobah
Joined: 18 Nov 2003
Posts: 20703
Location: LI,NY
|
Also note that the MQ service account needs to be able to read the group membership of an account. This is a setting on the domain server.... 
_________________
MQ & Broker admin |
|
| Back to top |
|
|
|
|
