All geek questions in one place

Can create Websphere queue manager but not connect

I need to write a .Net connector for WebSphere MQ queues, so I installed a trial version of IBM WebSphere MQ on my computer running Windows 7. First, I installed several dummy queues in MQ Explorer to play with the installation process, and I was able to connect to these queue managers and create queues. I deleted these dummy queues and followed the first set of instructions to start Lesson 1.2 due to security issues, and now I cannot connect to any queue managers in MQ Explorer. when i try to connect i get an error

An unexpected error (2063) has occurred. (AMQ4999)
  • I am a local administrator on my machine.
  • I added myself to the mqm group that was created
  • I launched MQ Explorer with or without the “Run as administrator” option
  • I uninstalled MQ and installed it again
  • I rebooted several times.

I also noticed that when I create the queue manager in MQ Explorer, the last part fails with AMQ8135: not authorized. (see conclusion below)

Is there something obvious that I'm missing?

Is there a way so that I can solve the problem myself - the log files don't seem to give me an idea of ​​where to look

 **************************************** * Command: "C:\Program Files (x86)\IBM\WebSphere MQ\bin\crtmqm" -sa QM1 **************************************** There are 90 days left in the trial period for this copy of WebSphere MQ. WebSphere MQ queue manager created. Directory 'C:\Program Files (x86)\IBM\WebSphere MQ\qmgrs\QM1' created. The queue manager is associated with installation 'Installation2'. Creating or replacing default objects for queue manager 'QM1'. Default objects statistics : 74 created. 0 replaced. 0 failed. Completing setup. Setup completed. exitvalue = 0 **************************************** * Command: "C:\Program Files (x86)\IBM\WebSphere MQ\bin\strmqm" QM1 **************************************** There are 90 days left in the trial period for this copy of WebSphere MQ. WebSphere MQ queue manager 'QM1' starting. The queue manager is associated with installation 'Installation2'. 5 log records accessed on queue manager 'QM1' during the log replay phase. Log replay for queue manager 'QM1' complete. Transaction manager state recovered for queue manager 'QM1'. WebSphere MQ queue manager 'QM1' started using V7.1.0.0. exitvalue = 0 **************************************** * Command: "C:\Program Files (x86)\IBM\WebSphere MQ\bin\runmqsc" QM1 * Input: DEFINE LISTENER('LISTENER.TCP') TRPTYPE(TCP) PORT(1414) CONTROL(QMGR) **************************************** 5724-H72 (C) Copyright IBM Corp. 1994, 2011. ALL RIGHTS RESERVED. Starting MQSC for queue manager QM1. AMQ8135: Not authorized. No MQSC commands read. No commands have a syntax error. All valid MQSC commands were processed. exitvalue = 20
+6
source share
4 answers

If you have the latest trial version of WMQ, you are working with v7.1 QMgr. Starting with version v7.1, WMQ will only allow non-privileged remote connections. To connect to the administrator account, you must disable restrictions or, even better, define a new channel for administrative connection and authenticate it.

On Windows, the biggest problem is that WMQ authenticates domain identifiers and must look for its groups. One of the most common problems when working with WMQ in a corporate environment is that it tries to find an identifier or group and does not have domain rights for this. Domain accounts, even those with local administrator rights, often fail because they do not have access to the query in the SAM domain for group searches. It contains an entire section of Infocenter that describes the requirements for Windows accounts.

The workaround for this for a developer - only environment is to create a local administrator account, then log in and create QMgr. Or make sure that the default MUSR_MQADMIN has local administrator rights and login rights. Again, you have to log in with an account to do this job, because you never need to look for an account in Active Directory, because it goes to the local SAM database. Again, this is only for development! In the Production section, you want to use a real domain account and give it the correct access rights to search for SAM, but DO NOT make it a local administrator, as described in the Infocenter section above.

Assuming you were able to create QMgr, then create a new channel and allow it to accept your local connections using an administrator account:

 runmqsc * Define the channel, anyone connecting runs as MUSR_MQADMIN DEFINE CHL('DOTNET.SVRCONN') CHLTYPE(SVRCONN) MCAUSER(' MUSR_MQADMIN@hostname ') * Override default block-list - channel now allows ANYBODY SET CHLAUTH('DOTNET.SVRCONN') TYPE(BLOCKUSER) USERLIST('nobody') * Block access from ALL IP addresses SET CHLAUTH('DOTNET.SVRCONN') TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(NOACCESS) WARN(NO) ACTION(ADD) * Allow access from local host only SET CHLAUTH('DOTNET.SVRCONN') TYPE(ADDRESSMAP) ADDRESS('127.0.0.1') USERSRC(CHANNEL) ACTION(ADD) END

Now you have a channel that will accept local connections ONLY, map them to the administrator account and then redefine the security that prevents administrative accounts from connecting remotely. Using an administrator account means that no queuing or QMgr authorization is required, and an account that is a local administrator means that there is no problem finding a domain. MCAUSER('MUSR_MQADMIN) converts each remote identifier into a local administrator identifier so that WMQ does not need to find remote identifiers. The mapping rule restricts connections to the local host only. Anyone who can connect to the channel will have a local administrator on the box with the ability to remotely execute OS code, so if you want to accept connections from other users, we recommend their authentication with certificates.

+14
source

You can read this post from T.Rob here . Also, other security related messages from him are very useful.

+4
source

I had a similar problem. My dektop office works with Windows xp 32 bit, and my project required installing Websphere MQ 7 (WMQ) on a local one. With the local administrator rights on my PC, I was able to install WMQ without configuring the domain controller and add quemanager, but could not add any local queues. After checking the error logs, I found that my user ID does not have sufficient permission.

So this is a fix - make sure your login ID is part of the Administrators group in your domain. Go to management -> user accounts to verify your user ID. If you have local administrator rights on your computer, you can add your user ID as part of the Administrator group. Now delete the previously created queue manager. Reboot WMQ and create queuemanager again. Now you should see all the options for adding local queues, topics, etc. Under the created queue manager.

0
source

An unexpected error occurred (2063). (AMQ4999)

The above error may also occur due to a permission problem, check with the permission groups and add users

-1
source

Source: https://habr.com/ru/post/907474/

More articles:


All Articles