Hi Ian, your explanation makes sense. It looks like the only way to get around this would be to write a security exit and explicitly override the userid field with a local user id based on a proper security policy. I'll keep you posted on my solution.
many thanks.
Ben
x.2474

"Chan, Ian M" <[EMAIL PROTECTED]>
Sent by: MQSeries List <[EMAIL PROTECTED]>
04/04/2004 09:02 PM
Please respond to MQSeries List

To: [EMAIL PROTECTED]
cc:
Subject: Re: Puzzled - remote MQSC commands land in DeadQ

Hi Ben,

I think the commands were processed using the context in the user id field of MQMD and thus caused the security error. I remember (not sure though) escape PCF uses UserIdentifier field for authority checking and your id is not in the remote system.

To answer your first question, the reply should go to the xmit queue directly at the remote qmgr and land at the SYSTEM.MQSC.REPLY.QUEUE in the local qmgr.

Cheers,
Ian

-----Original Message-----
From: MQSeries List [mailto:[EMAIL PROTECTED]] On Behalf Of Benjamin F. Zhou
Sent: Saturday, 3 April 2004 2:26 AM
To: [EMAIL PROTECTED]
Subject: Re: Puzzled - remote MQSC commands land in DeadQ

Hi Ian,

many thanks for the insight. I tested by disabling GET on SYSTEM.ADMIN.COMMAND.QUEUE, then the command msg stays on this queue, which confirmed the receiving MCA does successfully put the request into the command queue. As soon as I enable the GET on this queue, the same number of msg appear on the deadQ. However, they are all of msg type "request", not reply, as they should be. But why should the command server not populate the userid field with its own id when putting a reply?

A few related questions:

* Where does the command server put the reply msg to? (SYSTEM.MQSC.REPLY.QUEUE?)
* Why are commands sent to command server from MQExplorer on NT processed and replied to correctly?
* Where do these command reply msg go to before being picked up by the remote MQExplorer?

Rao, I do use DEF on the channel's PUTAUT field. I must admit I'm more confused now. Any more ideas?
thanks,
Ben

"Chan, Ian M" <[EMAIL PROTECTED]>
Sent by: MQSeries List <[EMAIL PROTECTED]>
04/01/2004 08:38 PM
Please respond to MQSeries List

To: [EMAIL PROTECTED]
cc:
Subject: Re: Puzzled - remote MQSC commands land in DeadQ

Ben,

I set up this remote MQSC 2 years ago and I remember I had the same problem. If I remember correctly, it was caused by the reply message using the ID in the MQMD, which is your XP logon id. If that's not defined to AIX, you get the NOT_AUTHORIZED error. The MCAUSER specified in your RCVR only affects the authority for MQ to put to the request command queue. I ended up setting a single id across the platforms and granting appropriate rights to achieve this. I am not good at context security and maybe someone has a better idea.

Cheers,
Ian

-----Original Message-----
From: MQSeries List [mailto:[EMAIL PROTECTED]] On Behalf Of Benjamin F. Zhou
Sent: Friday, 2 April 2004 5:37 AM
To: [EMAIL PROTECTED]
Subject: Puzzled - remote MQSC commands land in DeadQ

Hi,

I set up a qmgr NTQM on XP serving as remote admin server, another qmgr AIXQM on AIX to which I submit MQSC commands. Both MQ5.3, CSD04. All the channels are defined, and specifically, I set the receiving MCAUSER field on AIX qmgr to 'mqm', which is the same as I did with SYSTEM.ADMIN.SVRCONN channel on AIX for me to access the qmgr objects from MQExplorer on NT, which is working fine.

But the mqsc commands I sent to AIXQM all end up in the SYSTEM.DEAD.LETTER.QUEUE in AIXQM, with reason code NOT_AUTHORIZED. What puzzles me most is that under context, the userid is still the NT machine's userid. I tried the same in MO71, the userid in context became musr_mqadmin, command msg land in DeadQ as well.

I don't see any reason the receiving channel should fail in replacing the userid field in the msg header with 'mqm'. Has anyone experienced this? What could I be missing?
thanks,
Ben

Instructions for managing your mailing list subscription are provided in the Listserv General Users Guide available at http://www.lsoft.com
Archive: http://vm.akh-wien.ac.at/MQSeries.archive
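
The two separate authority checks described in this thread, as a simplified Python model added here (it is not code from the thread or from MQ itself): the receiving channel with PUTAUT DEF puts under its MCAUSER, while the command server checks the UserIdentifier carried in the MQMD. The function names, the AUTHORIZED_LOCAL_IDS set and the ids "ben_xp" and "mqops" are constructed assumptions; id_map stands in for the exit-based override Ben proposes.

```python
from dataclasses import dataclass, replace

# Constructed stand-in for ids that exist on AIXQM and hold command rights.
# "mqops" is a hypothetical least-privilege admin id, not one from the thread.
AUTHORIZED_LOCAL_IDS = {"mqm", "mqops"}

COMMAND_QUEUE = "SYSTEM.ADMIN.COMMAND.QUEUE"
DEAD_LETTER_QUEUE = "SYSTEM.DEAD.LETTER.QUEUE"
NOT_AUTHORIZED = "DEAD_LETTERED: NOT_AUTHORIZED"


@dataclass(frozen=True)
class Message:
    user_identifier: str  # MQMD UserIdentifier, set where the command was submitted
    body: str


def receiver_put(msg, mcauser, id_map=None):
    """Model of the receiving MCA with PUTAUT(DEF).

    The put to the command queue is authorized against MCAUSER, but the
    MQMD context is passed through unchanged unless something rewrites it.
    id_map (remote id -> local id) models the override policy in an exit.
    """
    if mcauser not in AUTHORIZED_LOCAL_IDS:
        return DEAD_LETTER_QUEUE, msg
    if id_map is not None:
        # Unmapped ids are left untouched, so they still fail the later check.
        local_id = id_map.get(msg.user_identifier, msg.user_identifier)
        msg = replace(msg, user_identifier=local_id)
    return COMMAND_QUEUE, msg


def command_server(msg):
    """Model of the command server: authority is checked against the
    UserIdentifier in the MQMD, not against the channel's MCAUSER."""
    if msg.user_identifier in AUTHORIZED_LOCAL_IDS:
        return "PROCESSED"
    return NOT_AUTHORIZED


def submit(user, mcauser, id_map=None):
    """Send one command through the channel and then the command server."""
    queue, msg = receiver_put(Message(user, "DISPLAY QMGR"), mcauser, id_map)
    if queue != COMMAND_QUEUE:
        return NOT_AUTHORIZED
    return command_server(msg)
```

Mapping each remote id to a specific local id with only the rights it needs keeps the override from turning every remote sender into 'mqm'.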