Collecting information for security problems on Multiplatforms

If an IBM® MQ is incorrectly allowing or denying access to a user or application on Multiplatforms, you might need to collect troubleshooting information to include with your support case to help find a solution to the problem.

Before you begin

Before you start this task, answer the following questions about the problem:

What security problem did you observe on the system?
What time did the security problem start and when did it stop?
Which specific users or applications and queue manager objects are involved?
Was this system previously working?
What changed since it was working?
How long is your username and password that you are attempting to use?

About this task

If the security problem is happening right now or you are able to reproduce it, you can generate data to provide more information about the problem.

After collecting the troubleshooting information, you can send it to IBM.

Procedure

Generate a trace of the queue manager when the security problem occurs.
If possible, issue the runmqsc command REFRESH SECURITY just before tracing so that the trace will show the queue manager querying the operating system for details about the user.
Display information about the user, particularly the groups to which the user belongs.
For example:
- To display user watson on UNIX and Linux:
```
    sh> id watson > /tmp/watson.id.txt
    sh> groups watson > /tmp/watson.groups.txt
```
- To display user "Thomas Watson" on Windows:
```
C:\> NET USER "Thomas Watson" > %TEMP%\watson.user.txt
```
- To display user WATSON at the IBM i command line:
```
===> DSPUSRPRF USER(WATSON) OUTPUT(*PRINT)
```
  Then use WRKSPLF option 5 to display the joblog from QPUSRPRF
Collect the IBM MQ data.
You can collect do this either automatically or manually:
- Collect the data automatically by using the runmqras command as described in Collecting troubleshooting information automatically with runmqras. Be sure to collect the runmqras defs and trace (if the issue was traced) sections, and to specify your case number as shown in the following example:
```
runmqras -section defs,cluster,trace -qmlist QMA -caseno TS001234567
```
- Alternatively, collect the data manually as described in Collecting troubleshooting information manually.
Note: If one of the sides of this connection is not a queue manager, collect that client's applicable logs.
Send the information that you have collected to IBM.

A good description of the problem and the data is the most important information you can provide to IBM. Do not send data without providing a description!

For FTP and email instructions, see Exchanging information with IBM Software Support.

To open or update a case, go to the IBM My Support site.
Note: Always update your case to indicate that data was sent.

If you need to speak with IBM Software Support, contact your country representative. If you need to speak with IBM Support in the US, you can call 1-800-IBM-SERV.