| Author |
Message
|
| smeunier |
 Posted: Fri Jan 15, 2016 9:24 am Post subject: Permanent Dydnamic Queue issues |
 |
|
Partisan
Joined: 19 Aug 2002
Posts: 305
Location: Green Mountains of Vermont
|
I have run into some problems with using PCF and performing a inquiry on the Permanent Dynamic Queue. The result is a MQRC 2035 error. Ordinarily this should be an easy issue to solve, but it has been elusive.
The MODELQ that the dynamic queue is created from has DISPLAY/INQUIRY authorizations set, this should have been the authorizations that the dynamic queue is given. Which when doing a DISPLAY AUTHREC PROFILE(qname) it shows that the dynamic queue has proper authorization for the group the application runs under. QMGR EVENT records are generated indicating the 2035 error against the application. There are no corresponding log records, which I find odd, as normally(if not PCF commands) there would be.
Also when trying to dig into this, I found that MQExplorer does not display the PERM DYNAMIC queues. I'm using V7.5.0.5 of MQExplorer. My understanding, is that after V7.1 PERM DYNAMIC queues would be displayed in a folder. I see no such folder(perhaps MQExplorer using PCF is getting 2035 as well on these queues and cannot display them?)
How can I get to a lower level to determine what the exact issue is? Do I have to go back to the old days and run a MQTrace to find this issue, or are there any thoughts on alternatives? |
|
| Back to top |
|
 |
| bruce2359 |
| Posted: Fri Jan 15, 2016 11:35 am Post subject: |
|
|
Poobah
Joined: 05 Jan 2008
Posts: 9486
Location: US: west coast, almost. Otherwise, enroute.
|
For clarity, a permanent dynamic queue is the result of a successful MQOPEN or MQPUT1 of a QModel definition.
So, is the 2035 ReasonCode from the QModel? Or, is it from the resulting dynamic queue name?
Are you saying that the MQExplorer does NOT display the QModel definition? Or, the resulting permanent dynamic queue?
Can you successfully use the runmqsc DISPLAY command to display the QModel? The resulting permanent dynamic queue?
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live. |
|
| Back to top |
|
|
| mqjeff |
| Posted: Fri Jan 15, 2016 12:43 pm Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008
Posts: 17447
|
There is a button/switch thing in MQE to show dynamic queues.
_________________
chmod -R ugo-wx / |
|
| Back to top |
|
|
| smeunier |
| Posted: Mon Jan 18, 2016 1:38 pm Post subject: |
|
|
Partisan
Joined: 19 Aug 2002
Posts: 305
Location: Green Mountains of Vermont
|
| Quote: |
| So, is the 2035 ReasonCode from the QModel? Or, is it from the resulting dynamic queue name? |
From what I can determine, it is against the dynamic queue name.
| Quote: |
| Can you successfully use the runmqsc DISPLAY command to display the QModel? The resulting permanent dynamic queue |
Yes I can display the Permanent Dynamic Queues using RUNMQSC, but using dspmqaut for those queues, say they are not found, but I can dspmqaut on the MODEL queue itself, which has inq,dsp set. MQE show's Temporary dynamic queues, but not the Permanent ones. I would like to see those through MQE and see what the object authorities say about them.
I'm just having a problem getting to the true reason for the 2035. Maybe Permanent Dynamic queues cannot be inquired? |
|
| Back to top |
|
|
| fjb_saper |
| Posted: Tue Jan 19, 2016 5:29 am Post subject: |
|
|
Grand High Poobah
Joined: 18 Nov 2003
Posts: 20768
Location: LI,NY
|
May be they are just being created with different permissions than what you expect.
If the name scheme of the perm dynamic queue does not match one of your permission profiles, the user/primary group of the user having created them has full authority.... Anybody else not member of the same group, nor member of a privileged group will have no authorization, hence the 2035... 
_________________
MQ & Broker admin |
|
| Back to top |
|
|
| umatharani |
| Posted: Sat Jan 23, 2016 10:23 pm Post subject: |
|
|
Apprentice
Joined: 23 Oct 2008
Posts: 39
|
There should be an error message for 2035 in the queue manager errors logs in MQ version >= 7.1. Your initial update indicates no error message was found in the queue manager error logs. It looks like we are only left with the trace option. It is worth checking whether any error message is generated on MQ 8.0. If not, open a ticket/PMR with IBM MQ support to report the problem for queue manager not generating error message. Please find the details on tracing 2035 errors on queue manager trace.
Using MQ trace(All MQ versions):
Search for NOT_AHTORIZED in the trace files and check for the following
in the MQ agent( amqzlaa0/amqzlsa0) trace files.
11:43:23.290472 12792.10 CONN:00000c ---------} xcsDisplayMessageForSubpool rc=OK
11:43:23.290490 12792.10 CONN:00000c Entity testusr has insufficient authority to access object MQ71QMGR
11:43:23.290500 12792.10 CONN:00000c The following requested permissions are unauthorized: connect
11:43:23.290510 12792.10 CONN:00000c ---------{ xcsIsEnvironment
11:43:23.290522 12792.10 CONN:00000c xcsIsEnvironment[MQSAUTHERRORS] = FALSE
11:43:23.290530 12792.10 CONN:00000c ---------} xcsIsEnvironment rc=OK
11:43:23.290538 12792.10 CONN:00000c --------}! zfu_as_checkobjectauthority rc=MQRC_NOT_AUTHORIZED |
|
| Back to top |
|
|
| bruce2359 |
| Posted: Sun Jan 24, 2016 7:07 am Post subject: Re: Permanent Dydnamic Queue issues |
|
|
Poobah
Joined: 05 Jan 2008
Posts: 9486
Location: US: west coast, almost. Otherwise, enroute.
|
| smeunier wrote: |
| I have run into some problems with using PCF and performing a inquiry on the Permanent Dynamic Queue. The result is a MQRC 2035 error. Ordinarily this should be an easy issue to solve, but it has been elusive. |
Are you running this with mqm authority? Or non-mqm authority?
Try two more things:
What happens when you use runmqsc script commands to DEFINE a QL using the same name that you specified in the QModel name? With the same name that you specified in the dynamic queue name field?
Also, ensure that authority events are enabled at the qmgr so that an auth event message will be created.
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live. |
|
| Back to top |
|
|
| smeunier |
| Posted: Mon Jan 25, 2016 7:46 am Post subject: |
|
|
Partisan
Joined: 19 Aug 2002
Posts: 305
Location: Green Mountains of Vermont
|
| Quote: |
| Are you running this with mqm authority? Or non-mqm authority? |
The id failing authentication is running with non-mqm authority. It is in a group, which has browse authority( +inq +dsp).
| Quote: |
Also, ensure that authority events are enabled at the qmgr so that an auth event message will be created.
|
Authority Events are enabled and it does catch them.
Event Type : Queue Manager
Queue Manager Name : TCI005
Reason Qualifier : Command Not Authorized [4]
Command : Inquire Queue
User Identifier : mqviewer
This user id can inquire all other queues without issue.
| Quote: |
| What happens when you use runmqsc script commands to DEFINE a QL using the same name that you specified in the QModel name? |
I was able to define a LocalQ with the same name as the ModelQ, with no issue.
| Quote: |
| With the same name that you specified in the dynamic queue name field? |
I could not do this without getting:
WebSphere MQ cannot process your request because the object name specified is not valid. (AMQ4176)
WebSphere MQ cannot process your request because the object name specified is not valid. (AMQ4176)
Severity: 20 (Error)
Explanation: Only certain combinations and values are valid for the object your are trying to alter or create. You might also see this message if you have specified a QSG disposition that is not valid or if you have specified an invalid topic object for a subscription.
Response: Check all values are valid for this type of object and try again. If you have altered the disposition of this object, check that the value is correct. If you are creating a new subscription, check that the topic object exists. |
|
| Back to top |
|
|
| fjb_saper |
| Posted: Mon Jan 25, 2016 8:11 am Post subject: |
|
|
Grand High Poobah
Joined: 18 Nov 2003
Posts: 20768
Location: LI,NY
|
What is the dynamic queue name?
Does it follow a pattern that has been authorized for inquiry, display?
Authorizing the model queue is meaningless for authorizing the dynamic queue.
The dynamic queue will give full authorization to the primary group of the creator... Unless its naming follows a pattern that has been authorized, the system is working as designed...
_________________
MQ & Broker admin |
|
| Back to top |
|
|
| smeunier |
| Posted: Mon Jan 25, 2016 9:51 am Post subject: |
|
|
Partisan
Joined: 19 Aug 2002
Posts: 305
Location: Green Mountains of Vermont
|
Finally ran a MQ trace. The result is a little surprising, with the OBJECT_NOT_FOUND ERROR.
It fails on not having +dsp, but I have two generic profiles set showing I have this covered.
AMQ8864: Display authority record details.
PROFILE(QREP.SPILL.MODELQ.**) ENTITY(mqbrowse)
ENTTYPE(GROUP) OBJTYPE(QUEUE)
AUTHLIST(DSP,INQ)
AMQ8864: Display authority record details.
PROFILE(**) ENTITY(mqbrowse)
ENTTYPE(GROUP) OBJTYPE(QUEUE)
AUTHLIST(DSP,INQ)
11:22:03.542049 9044030.9 CONN:000002 ------------}! zfuLocateObject rc=zrcF_NOT_FOUN
D
11:22:03.542053 9044030.9 CONN:000002 Authorization(0)
11:22:03.542056 9044030.9 CONN:000002 -----------}! zfu_as_retrieveauth rc=arcE_OBJEC
T_NOT_FOUND
11:22:03.542059 9044030.9 CONN:000002 -----------{ zfuUnlockHashTable
11:22:03.542063 9044030.9 CONN:000002 ------------{ xcsReleaseMutexSem
11:22:03.542066 9044030.9 CONN:000002 -------------{ xlsReleaseMutex
11:22:03.542069 9044030.9 CONN:000002 MutexId: 19
11:22:03.542073 9044030.9 CONN:000002 -------------} xlsReleaseMutex rc=OK
11:22:03.542076 9044030.9 CONN:000002 ------------} xcsReleaseMutexSem rc=OK
11:22:03.542079 9044030.9 CONN:000002 -----------} zfuUnlockHashTable rc=OK
11:22:03.542083 9044030.9 CONN:000002 Principal(mqviewer ) EntityType(1)
11:22:03.542083 9044030.9 CONN:000002 ObjectName(QREP.SPILL.MODELQ.0.14.3
) ObjectType(1)
11:22:03.542083 9044030.9 CONN:000002 PrimaryOnly(0) AccessTemplate(40000) Autho
rization(0)
11:22:03.542087 9044030.9 CONN:000002 ----------}! zfu_as_calculateauthority rc=arcE_
OBJECT_NOT_FOUND
11:22:03.542090 9044030.9 CONN:000002 ---------}! zfu_as_checkobjectauthority rc=MQRC
_UNKNOWN_OBJECT_NAME
11:22:03.542094 9044030.9 CONN:000002 ---------{ zfp_ss_getnext_component
11:22:03.542097 9044030.9 CONN:000002 ---------}! zfp_ss_getnext_component rc=zrcF_NO
T_FOUND
11:22:03.542100 9044030.9 CONN:000002 ---------{ zfp_ss_unlock_service
11:22:03.542104 9044030.9 CONN:000002 ---------} zfp_ss_unlock_service rc=OK
11:22:03.542107 9044030.9 CONN:000002 --------}! gpiCheckObjectAuthority rc=arcE_OBJE
CT_NOT_FOUND
11:22:03.701421 9044030.9 CONN:000002 The following requested permissions are un
authorized: dsp |
|
| Back to top |
|
|
| bruce2359 |
| Posted: Mon Jan 25, 2016 10:27 am Post subject: |
|
|
Poobah
Joined: 05 Jan 2008
Posts: 9486
Location: US: west coast, almost. Otherwise, enroute.
|
Please answer questions you are asked.
| fjb_saper wrote: |
| What is the dynamic queue name? |
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live. |
|
| Back to top |
|
|
| smeunier |
| Posted: Mon Jan 25, 2016 10:48 am Post subject: |
|
|
Partisan
Joined: 19 Aug 2002
Posts: 305
Location: Green Mountains of Vermont
|
Dynamic Queue name is: QREP.SPILL.MODELQ.0.14.3
Model Queue Name is: QREP.SPILL.MODELQ |
|
| Back to top |
|
|
| bruce2359 |
| Posted: Mon Jan 25, 2016 12:20 pm Post subject: |
|
|
Poobah
Joined: 05 Jan 2008
Posts: 9486
Location: US: west coast, almost. Otherwise, enroute.
|
| smeunier wrote: |
AMQ8864: Display authority record details.
PROFILE(QREP.SPILL.MODELQ.**) ENTITY(mqbrowse)
ENTTYPE(GROUP) OBJTYPE(QUEUE)
AUTHLIST(DSP,INQ)
AMQ8864: Display authority record details.
PROFILE(**) ENTITY(mqbrowse)
ENTTYPE(GROUP) OBJTYPE(QUEUE)
AUTHLIST(DSP,INQ)
11:22:03.542049 9044030.9 CONN:000002 ------------}! zfuLocateObject rc=zrcF_NOT_FOUN
D
11:22:03.542053 9044030.9 CONN:000002 Authorization(0)
11:22:03.542056 9044030.9 CONN:000002 -----------}! zfu_as_retrieveauth rc=arcE_OBJEC
T_NOT_FOUND
11:22:03.542059 9044030.9 CONN:000002 -----------{ zfuUnlockHashTable
11:22:03.542063 9044030.9 CONN:000002 ------------{ xcsReleaseMutexSem
11:22:03.542066 9044030.9 CONN:000002 -------------{ xlsReleaseMutex
11:22:03.542069 9044030.9 CONN:000002 MutexId: 19
11:22:03.542073 9044030.9 CONN:000002 -------------} xlsReleaseMutex rc=OK
11:22:03.542076 9044030.9 CONN:000002 ------------} xcsReleaseMutexSem rc=OK
11:22:03.542079 9044030.9 CONN:000002 -----------} zfuUnlockHashTable rc=OK
11:22:03.542083 9044030.9 CONN:000002 Principal(mqviewer ) EntityType(1)
11:22:03.542083 9044030.9 CONN:000002 ObjectName(QREP.SPILL.MODELQ.0.14.3
) ObjectType(1)
11:22:03.542083 9044030.9 CONN:000002 PrimaryOnly(0) AccessTemplate(40000) Autho
rization(0)
11:22:03.542087 9044030.9 CONN:000002 ----------}! zfu_as_calculateauthority rc=arcE_
OBJECT_NOT_FOUND
11:22:03.542090 9044030.9 CONN:000002 ---------}! zfu_as_checkobjectauthority rc=MQRC
_UNKNOWN_OBJECT_NAME
11:22:03.542094 9044030.9 CONN:000002 ---------{ zfp_ss_getnext_component
11:22:03.542097 9044030.9 CONN:000002 ---------}! zfp_ss_getnext_component rc=zrcF_NO
T_FOUND
11:22:03.542100 9044030.9 CONN:000002 ---------{ zfp_ss_unlock_service
11:22:03.542104 9044030.9 CONN:000002 ---------} zfp_ss_unlock_service rc=OK
11:22:03.542107 9044030.9 CONN:000002 --------}! gpiCheckObjectAuthority rc=arcE_OBJE
CT_NOT_FOUND
11:22:03.701421 9044030.9 CONN:000002 The following requested permissions are un
authorized: dsp |
You've granted authority to a group, principal is being evaluated.
Windows? Or, UNIX?
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live. |
|
| Back to top |
|
|
| smeunier |
| Posted: Mon Jan 25, 2016 1:59 pm Post subject: |
|
|
Partisan
Joined: 19 Aug 2002
Posts: 305
Location: Green Mountains of Vermont
|
This is UNIX.
I believe, that is probably a nomenclature issue within the trace. principle/mcauser
the asserted id is really: cms, but a CHLAUTH intercepts and hanges the mcauser to: mqviewer
mqviewer is a UNIX id in the group: mqbrowse, which is the group the authorizations are set up for. |
|
| Back to top |
|
|
| fjb_saper |
| Posted: Tue Jan 26, 2016 5:32 am Post subject: |
|
|
Grand High Poobah
Joined: 18 Nov 2003
Posts: 20768
Location: LI,NY
|
And if you are at MQ8 check the qmgr's qm.ini file and make sure authorization still happens at group level and has not been switched to check the principal...
Also verify that the principal is indeed part of the expected group on the qmgr's server
_________________
MQ & Broker admin |
|
| Back to top |
|
|
|
|
