Topic
  • 4 replies
  • Latest Post - ‏2013-02-14T12:40:44Z by SystemAdmin
mortenb
mortenb
19 Posts

Pinned topic WMQ 7.1 linux - Not authorized for access

‏2012-12-14T15:52:11Z |
Hi all

installed new mqserver to replace old one, using port listener to srvchannel from a mqclient.
Worked fine on WMQv6.1 but not working on WMQv7.10, I'm unable to spot any changes in config.
No firewall, all users are member of mqm group on both client and server.


/opt/s3/bin/WebsphereMQ/MQinfo.pl -s=192.168.1.38 -qm=mqmbj -q=secana.queue -channel=secana.open -p=6666 MQCONN failed (Reason = 2035) (Not authorized 

for access.) at /opt/s3/bin/WebsphereMQ/MQinfo.pl line 189. Unable to connect to queuemanager: mqmbj


I see the /opt/mqm/mqs.ini has got a Installation name, If I remove it it just says the
queuemanager mqmbj belongs to another installation installation0 and refuses to do anything.

QueueManager: Name=mqmbj Prefix=/var/mqm Directory=mqmbj InstallationName=Installation1

The definition for the channel:

[mbj@mqmbj WebsphereMQ]$ echo 
"dis channel('secana.open') all" | runmqsc mqmbj 5724-H72 (C) Copyright IBM Corp. 1994, 2011.  ALL RIGHTS RESERVED. Starting MQSC 

for queue manager mqmbj.     1 : dis channel(
'secana.open') all AMQ8414: Display Channel details. CHANNEL(secana.open)                    CHLTYPE(SVRCONN) ALTDATE(2012-12-14)                     ALTTIME(05.00.55) COMPHDR(NONE)                           COMPMSG(NONE) DESCR( )                                DISCINT(0) HBINT(300)                              KAINT(AUTO) MAXINST(999999999)                      MAXINSTC(999999999) MAXMSGL(4194304)                        MCAUSER( ) MONCHL(QMGR)                            RCVDATA( ) RCVEXIT( )                              SCYDATA( ) SCYEXIT( )                              SENDDATA( ) SENDEXIT( )                             SHARECNV(10) SSLCAUTH(OPTIONAL)                      SSLCIPH( ) SSLPEER( )                              TRPTYPE(TCP) One MQSC command read. No commands have a syntax error. All valid MQSC commands were processed.


the listener is running, is this ipv6 and no ipv4?

[root@mqmbj ~]# netstat -nap | grep :6666 tcp        0      0 :::6666                     :::*                        LISTEN      4061/runmqlsr


On the old server working it looks like this:

mbj@mbjlinux:/opt/s3/bin/WebsphereMQ> sudo netstat -nap | grep :6666 root
's password: tcp        0      0 0.0.0.0:6666            0.0.0.0:*               LISTEN      28425/runmqlsr



1 : dis listener(
'listener') all AMQ8630: Display listener information details. LISTENER(listener)                      CONTROL(QMGR) TRPTYPE(TCP)                            PORT(6666) IPADDR( )                               BACKLOG(0) DESCR(TCP/IP Listener 

for 

this queue-manager) ALTDATE(2012-12-14)                     ALTTIME(07.41.43) One MQSC command read. No commands have a syntax error. All valid MQSC commands were processed.


I'm unable to see any differences comparin new and old server regarding queues,listener,channels

There is nothing in /var/mqm/error on both client or server related to this.

Any Ideas? and how can I increase logging?
Often the debug- and error-message is way too brief.

Thanks
--
Morten Bjoernsvik, Developer Evry CardServices AS, Oslo Norway
Updated on 2014-03-06T12:19:25Z at 2014-03-06T12:19:25Z by Morag Hughson
  • fjb_saper
    fjb_saper
    175 Posts

    Re: WMQ 7.1 linux - Not authorized for access

    ‏2012-12-15T15:53:33Z  
    Working as designed. Read up on the new channel authorization concepts in V 7.1.x
  • mortenb
    mortenb
    19 Posts

    Re: WMQ 7.1 linux - Not authorized for access

    ‏2012-12-16T22:37:21Z  
    • fjb_saper
    • ‏2012-12-15T15:53:33Z
    Working as designed. Read up on the new channel authorization concepts in V 7.1.x
    Thanks

    I found this article that was rather enlightning:
    http://www.ibm.com/developerworks/websphere/techjournal/1003_mismes/1003_mismes.html

    The relnotes and documentation was rather thin on the subject though.
  • SystemAdmin
    SystemAdmin
    8523 Posts

    Re: WMQ 7.1 linux - Not authorized for access

    ‏2012-12-19T23:51:33Z  
    • mortenb
    • ‏2012-12-16T22:37:21Z
    Thanks

    I found this article that was rather enlightning:
    http://www.ibm.com/developerworks/websphere/techjournal/1003_mismes/1003_mismes.html

    The relnotes and documentation was rather thin on the subject though.
    > http://www.ibm.com/developerworks/websphere/techjournal/1003_mismes/1003_mismes.html
    A good article, but it pre-dates MQ 7.1, so it doesn't mention CHLAUTH.

    http://pic.dhe.ibm.com/infocenter/wmqv7/v7r5/topic/com.ibm.mq.doc/mi67590_.htm
    describes the default CHLAUTH records, one of which blocks administrative access on all SVRCONN channels. This applies to you because the channel has a blank MCAUSER. There is detailed discussion on CHLAUTH in the new IBM Redbooks for WMQ security and WMQ V7.1/7.5 new features.

    Look for CHLAUTH and OAM failures in the queue manager error logs.

    HTH, G.
  • SystemAdmin
    SystemAdmin
    8523 Posts

    Re: WMQ 7.1 linux - Not authorized for access

    ‏2013-02-14T12:40:44Z  
    > http://www.ibm.com/developerworks/websphere/techjournal/1003_mismes/1003_mismes.html
    A good article, but it pre-dates MQ 7.1, so it doesn't mention CHLAUTH.

    http://pic.dhe.ibm.com/infocenter/wmqv7/v7r5/topic/com.ibm.mq.doc/mi67590_.htm
    describes the default CHLAUTH records, one of which blocks administrative access on all SVRCONN channels. This applies to you because the channel has a blank MCAUSER. There is detailed discussion on CHLAUTH in the new IBM Redbooks for WMQ security and WMQ V7.1/7.5 new features.

    Look for CHLAUTH and OAM failures in the queue manager error logs.

    HTH, G.
    For future readers of this thread - please see I am being blocked by CHLAUTH - how can I work out why?

    Cheers
    Morag