Re: Security problem on new qmgr
Title: Message Hi Nadi I expect, security switch(es...) have been defined but no access profiles... Try this one first: Define in theclass MQADMIN the profile .NO.SUBSYS.SECURITYwhere is the subsystem name. After refreshing the profile, recycle the queue manager. This should turn off any security check. I expect, everything will then work, as this way, no security check should happen. Afterwards, switch on security to fit your needs. Eg, if you dont needconnection to be checked, define in MADMIN.NO.CONNECT.CHECKS. For all type of resources without a '.NO.' profile, security will be checked and you have to define corrsponding rules, eg. 'RDEFINE MQCMDS .CLEAR.QLOCAL UACC(NONE)' and 'PERMIT .CLEAR.QLOCAL CLASS(MQCMDS) ACCESS(ALTER) ID(group_which_is_allowed_to_do_so)'. Dont forget to delete the .NO.SUBSYS.SECURITY... ;-) Check your system setup guid, chapter 'using RACF classes and profile', hope, it's also useful with top secret... Regards Guido -Original Message-From: MQSeries List [mailto:[EMAIL PROTECTED] On Behalf Of Khan, Nadi NSent: Montag, 26. April 2004 08:34To: [EMAIL PROTECTED]Subject: Security problem on new qmgr Hi All, I have created a new qmanager on Z/os. My starter task for the qmamager starts up ok. When I try and execute any command I get a security problem. Our security people have checked and said that there is nothing that they can do and that I should talk to IBM. The security people have put everything in warn mode and say that I should be running.The security guys say as they dont see anything in their logs the problem is in mq.We use top secret a CA product for security. When I do a command from the command line using the mq cpf I get the following response from MQ RESPONSE=RC35 CSQ9016E +MQ35 DIS COMMAND REJECTED, UNAUTHORIZED REQUEST when I try and access the mq panels I get CSQO013I Not authorized to use queue manager. also get this response from one of the other panels MQM Queue Browse - Entry Pan 0002 2035 MQCONN when the channel initaiator tries to start up it abends and gives me the following messages +CSQX007E +MQ35 CSQXADPI Unable to connect to queue manager MQ35, MQCC=2 MQRC=2035 I would appreciate any help as I am now holding up everything and we would have to backout because of mq. thanks __ For information about the Standard Bank group visit our web site www.standardbank.co.za__Disclaimer and confidentiality note Everything in this e-mail and any attachments relating to the official business of Standard Bank Group Limited is proprietary to the group. It is confidential, legally privileged and protected by law. Standard Bank does not own and endorse any other content. Views and opinions are those of the sender unless clearly stated as being that of the group. The person addressed in the e-mail is the sole authorised recipient. Please notify the sender immediately if it has unintentionally reached you and do not read, disclose or use the content in any way.Standard Bank can not assure that the integrity of this communication has been maintained nor that it is free of errors, virus, interception or interference.___ The content of this e-mail is intended only for the confidential use of the person addressed. If you have received this message in error, please notify us immediately by electronic mail, by telephone or by fax at the above num- bers. E-mail communications are not secure and therefore we do not accept any res- ponsibility for the confidentiality or altered contents of this message. Please be aware that SIS Group and its subsidiary companies cannot accept any orders or other legally binding correspondence with a participant as part of an E-mail. The views expressed above are not necessarily those held by SIS Group and its subsidiary companies and not binding for them. ***hexfe
Re: SSL and certificate expiry
Hi, I can't (won't!) answer the first question, beyond that root certificates should last an order of magnitude longer than end-users. If you have a number of queue managers, managing them with self-signed certificates can become a nightmare. To add/renew one certificate would then require you to change every connected queue manager's key repository. The best way forward is to introduce a Certificate Authority. It is well worth putting in the effort to become familiar with PKI. OpenSSL (www.openssl.org) is a good open resource for playing with PKI/SSL. You can then introduce a CA and its root PKI certificate. Each key repository then needs its queue managers key pair and certificate plus a copy of the root certificate. With a CA, adding a queue manager, or replacing an end-user certificate, involves changes to only its key repository. Other queue managers will accept the new certificate, because it has been signed by the CA. When the CA time is up (or at least 6 months before), you will need to create a new CA, and distribute its root certificate across all the participating queue managers. Once they all know about the new CA, you can then begin replacing queue manager keys certificates, one at a time. Alan -Original Message- From: MQSeries List [mailto:[EMAIL PROTECTED] On Behalf Of Lawrence Coombs Sent: 23 April 2004 17:54 To: [EMAIL PROTECTED] Subject: Re: SSL and certificate expiry Anyone care to share the lifetime they assign to a certificate used by a queue manager that has SSL channels? Also, how do you handle certificates expiring when a OS/390 queue manager communicates with many distributed queue managers? Instructions for managing your mailing list subscription are provided in the Listserv General Users Guide available at http://www.lsoft.com Archive: http://vm.akh-wien.ac.at/MQSeries.archive Instructions for managing your mailing list subscription are provided in the Listserv General Users Guide available at http://www.lsoft.com Archive: http://vm.akh-wien.ac.at/MQSeries.archive
Re: fixed - Security problem on new qmgr
Title: Message thanks Guido for the input. We managed to start the channel initiator fromthe master console which started giving out security errors, combined with you input all is now running thanks -Original Message-From: Rechsteiner, Guido [mailto:[EMAIL PROTECTED]Sent: 26 April, 2004 09:05To: [EMAIL PROTECTED]Subject: Re: Security problem on new qmgr Hi Nadi I expect, security switch(es...) have been defined but no access profiles... Try this one first: Define in theclass MQADMIN the profile .NO.SUBSYS.SECURITYwhere is the subsystem name. After refreshing the profile, recycle the queue manager. This should turn off any security check. I expect, everything will then work, as this way, no security check should happen. Afterwards, switch on security to fit your needs. Eg, if you dont needconnection to be checked, define in MADMIN.NO.CONNECT.CHECKS. For all type of resources without a '.NO.' profile, security will be checked and you have to define corrsponding rules, eg. 'RDEFINE MQCMDS .CLEAR.QLOCAL UACC(NONE)' and 'PERMIT .CLEAR.QLOCAL CLASS(MQCMDS) ACCESS(ALTER) ID(group_which_is_allowed_to_do_so)'. Dont forget to delete the .NO.SUBSYS.SECURITY... ;-) Check your system setup guid, chapter 'using RACF classes and profile', hope, it's also useful with top secret... Regards Guido -Original Message-From: MQSeries List [mailto:[EMAIL PROTECTED] On Behalf Of Khan, Nadi NSent: Montag, 26. April 2004 08:34To: [EMAIL PROTECTED]Subject: Security problem on new qmgr Hi All, I have created a new qmanager on Z/os. My starter task for the qmamager starts up ok. When I try and execute any command I get a security problem. Our security people have checked and said that there is nothing that they can do and that I should talk to IBM. The security people have put everything in warn mode and say that I should be running.The security guys say as they dont see anything in their logs the problem is in mq.We use top secret a CA product for security. When I do a command from the command line using the mq cpf I get the following response from MQ RESPONSE=RC35 CSQ9016E +MQ35 DIS COMMAND REJECTED, UNAUTHORIZED REQUEST when I try and access the mq panels I get CSQO013I Not authorized to use queue manager. also get this response from one of the other panels MQM Queue Browse - Entry Pan 0002 2035 MQCONN when the channel initaiator tries to start up it abends and gives me the following messages +CSQX007E +MQ35 CSQXADPI Unable to connect to queue manager MQ35, MQCC=2 MQRC=2035 I would appreciate any help as I am now holding up everything and we would have to backout because of mq. thanks __ For information about the Standard Bank group visit our web site www.standardbank.co.za__Disclaimer and confidentiality note Everything in this e-mail and any attachments relating to the official business of Standard Bank Group Limited is proprietary to the group. It is confidential, legally privileged and protected by law. Standard Bank does not own and endorse any other content. Views and opinions are those of the sender unless clearly stated as being that of the group. The person addressed in the e-mail is the sole authorised recipient. Please notify the sender immediately if it has unintentionally reached you and do not read, disclose or use the content in any way.Standard Bank can not assure that the integrity of this communication has been maintained nor that it is free of errors, virus, interception or interference.___ The content of this e-mail is intended only for the confidential use of theperson addressed. If you have received this message in error, please notifyus immediately by electronic mail, by telephone or by fax at the above num-bers.E-mail communications are not secure and therefore we do not accept any res-ponsibility for the confidentiality or altered contents of this message.Please be aware that SIS Group and its subsidiary companies cannot acceptany orders or other legally binding correspondence with a participant aspart of an E-mail. The views expressed above are not necessarily those heldby SIS Group and its subsidiary companies and not binding for
uncomitted messages
Hi I have a queue that contains a number of uncomitted messages. Messages are written there by a channel exit which is used by a number of channels, plus by a few other internal applications. Is there any way for me to identify the source of the uncommitted messages? (Or any way to clear / delete / redefine the queue if I can't manage to get the messages committed?) Thanks Darren. _ Express yourself with cool new emoticons http://www.msn.co.uk/specials/myemo Instructions for managing your mailing list subscription are provided in the Listserv General Users Guide available at http://www.lsoft.com Archive: http://vm.akh-wien.ac.at/MQSeries.archive
Re: Request / Reply
I am working with a group who is using the Java client. They are not using the local bindings. To connect to the queue manager they decided to use SYSTEM.DEF.SVRCONN. The applications failed to connect and the error logs have the following errors. These errors continue though all their error logs. === 04/23/04 14:46:43 AMQ9508: Program cannot connect to the queue manager. EXPLANATION: The connection attempt to queue manager 'APPSERV5_F1_QM' failed with reason code 2059. ACTION: Ensure that the queue manager is available and operational. - amqrmsaa.c : 420 04/23/04 14:46:43 AMQ: Channel program ended abnormally. EXPLANATION: Channel program 'SYSTEM.DEF.SVRCONN' ended abnormally. ACTION: Look at previous error messages for channel program 'SYSTEM.DEF.SVRCONN' in the error files to determine the cause of the failure. - amqrmrsa.c : 467 04/23/04 14:46:43 AMQ9508: Program cannot connect to the queue manager. EXPLANATION: The connection attempt to queue manager 'APPSERV5_F1_QM' failed with reason code 2059. ACTION: Ensure that the queue manager is available and operational. - amqrmsaa.c : 420 04/23/04 14:46:44 AMQ: Channel program ended abnormally. EXPLANATION: Channel program 'SYSTEM.DEF.SVRCONN' ended abnormally. ACTION: Look at previous error messages for channel program 'SYSTEM.DEF.SVRCONN' in the error files to determine the cause of the failure. - amqrmrsa.c : 467 === I asked that they create a new SVRCONN channel and this works fine. The SYSTEM.DEF.SVRCONN continues to fail. I have little experience with Java connecting to queue managers. Any idea what we are having problems with? Jeff Tressler Instructions for managing your mailing list subscription are provided in the Listserv General Users Guide available at http://www.lsoft.com Archive: http://vm.akh-wien.ac.at/MQSeries.archive
MsgId and CorrelId Conversion
Greetings All, We are in the process of rehosting OS/390 to AIX and I am looking for some thoughts on a problem we have run into. To provide test data on AIX I have a channel message exit on our gateway/hub.OS/390 channel that copies all mainframe-bound messages to the AIX qmgr, however initial testing has highlighted a problem with the format of the MsgId and CorrelId fields. Some of the applications, reading messages off some of the queues, all from the same source qmgr need to use the MsgId/CorrelId values but they are currently being sent in EBCDIC format and are not 'readable' on AIX. At the moment I am looking at either selectively translating the fields in the message exit or setting up a translation routine on AIX, if possible, that can be called by those applications that need it. Do any of you have any experience/thoughts/gotchas/samples/alternatives that you could share to help me in my decision? TIA, Kerry Swemmer T-Systems South Africa (Pty) Ltd Database Administrator Computing and Desktop Services Address: DaimlerChrysler, 7 Settlers Way, East London, South Africa Postal Address: PO Box 671, East London, 5200 Phone: +27 (43) 706 2549 Fax:+27 (43) 706 2085 Mobile: +27 (83) 657 4151 E-mail: [EMAIL PROTECTED] Internet: www.t-systems.co.za Any views expressed in this message are those of the individual sender, and T-Systems South Africa (Pty) Ltd accepts no liability therefore, except where the sender specifically states them to be those of T-Systems South Africa (Pty) Ltd. Although this message has been scanned for the possible presence of computer viruses prior to despatch, T-Systems South Africa (Pty) Ltd cannot be held responsible for any viruses or other material transmitted with, or as part of, this message. Instructions for managing your mailing list subscription are provided in the Listserv General Users Guide available at http://www.lsoft.com Archive: http://vm.akh-wien.ac.at/MQSeries.archive
Re: Request / Reply
Hi Jeff, I have found that the 2 major reason you get rc of 2059 is because: (1) The listener for that particular queue manager is not running. (2) Incorrect port number. Hope that helps. Regards, Roger Lacroix Capitalware Inc. http://www.capitalware.biz Quoting Jeff A Tressler [EMAIL PROTECTED]: I am working with a group who is using the Java client. They are not using the local bindings. To connect to the queue manager they decided to use SYSTEM.DEF.SVRCONN. The applications failed to connect and the error logs have the following errors. These errors continue though all their error logs. === 04/23/04 14:46:43 AMQ9508: Program cannot connect to the queue manager. EXPLANATION: The connection attempt to queue manager 'APPSERV5_F1_QM' failed with reason code 2059. ACTION: Ensure that the queue manager is available and operational. - amqrmsaa.c : 420 04/23/04 14:46:43 AMQ: Channel program ended abnormally. EXPLANATION: Channel program 'SYSTEM.DEF.SVRCONN' ended abnormally. ACTION: Look at previous error messages for channel program 'SYSTEM.DEF.SVRCONN' in the error files to determine the cause of the failure. - amqrmrsa.c : 467 04/23/04 14:46:43 AMQ9508: Program cannot connect to the queue manager. EXPLANATION: The connection attempt to queue manager 'APPSERV5_F1_QM' failed with reason code 2059. ACTION: Ensure that the queue manager is available and operational. - amqrmsaa.c : 420 04/23/04 14:46:44 AMQ: Channel program ended abnormally. EXPLANATION: Channel program 'SYSTEM.DEF.SVRCONN' ended abnormally. ACTION: Look at previous error messages for channel program 'SYSTEM.DEF.SVRCONN' in the error files to determine the cause of the failure. - amqrmrsa.c : 467 === I asked that they create a new SVRCONN channel and this works fine. The SYSTEM.DEF.SVRCONN continues to fail. I have little experience with Java connecting to queue managers. Any idea what we are having problems with? Jeff Tressler Instructions for managing your mailing list subscription are provided in the Listserv General Users Guide available at http://www.lsoft.com Archive: http://vm.akh-wien.ac.at/MQSeries.archive Instructions for managing your mailing list subscription are provided in the Listserv General Users Guide available at http://www.lsoft.com Archive: http://vm.akh-wien.ac.at/MQSeries.archive
Re: MsgId and CorrelId Conversion
Message Id and Correlation Id are defined to be BINARY data, not character data. MQ will never convert these, and IMHO, neither should you. If the application developer is assuming that they will be converted they are mistaken. Dave Instructions for managing your mailing list subscription are provided in the Listserv General Users Guide available at http://www.lsoft.com Archive: http://vm.akh-wien.ac.at/MQSeries.archive
Re: MsgId and CorrelId Conversion
Hi, MQ treats MsgID, CorrelID and GroupID fields as binary data and these fields are NOT converted when messages hope between queue managers. Over the years, I have learnt to never store application related data in any of these fields because you never know when you will get burnt by the EBCDIC-ASCII thing. You should always store application data in the message data area rather than in MQMD fields. The MsgID and CorrelID should be primary used in the request / reply scenario. i.e. Send a request message and save the MsgID field then do a 'Get by CorrelID' by copying the saved MsgID value into the CorrelID field. The application should not care what the value of the MsgID was and if you care then print it out as a hex representation of the binary field. i.e. 414D512043... Hope that helps. Regards, Roger Lacroix Capitalware Inc. http://www.capitalware.biz Quoting Kerry Swemmer [EMAIL PROTECTED]: Greetings All, We are in the process of rehosting OS/390 to AIX and I am looking for some thoughts on a problem we have run into. To provide test data on AIX I have a channel message exit on our gateway/hub.OS/390 channel that copies all mainframe-bound messages to the AIX qmgr, however initial testing has highlighted a problem with the format of the MsgId and CorrelId fields. Some of the applications, reading messages off some of the queues, all from the same source qmgr need to use the MsgId/CorrelId values but they are currently being sent in EBCDIC format and are not 'readable' on AIX. At the moment I am looking at either selectively translating the fields in the message exit or setting up a translation routine on AIX, if possible, that can be called by those applications that need it. Do any of you have any experience/thoughts/gotchas/samples/alternatives that you could share to help me in my decision? TIA, Kerry Swemmer T-Systems South Africa (Pty) Ltd Database Administrator Computing and Desktop Services Address: DaimlerChrysler, 7 Settlers Way, East London, South Africa Postal Address: PO Box 671, East London, 5200 Phone: +27 (43) 706 2549 Fax:+27 (43) 706 2085 Mobile: +27 (83) 657 4151 E-mail: [EMAIL PROTECTED] Internet: www.t-systems.co.za Any views expressed in this message are those of the individual sender, and T-Systems South Africa (Pty) Ltd accepts no liability therefore, except where the sender specifically states them to be those of T-Systems South Africa (Pty) Ltd. Although this message has been scanned for the possible presence of computer viruses prior to despatch, T-Systems South Africa (Pty) Ltd cannot be held responsible for any viruses or other material transmitted with, or as part of, this message. Instructions for managing your mailing list subscription are provided in the Listserv General Users Guide available at http://www.lsoft.com Archive: http://vm.akh-wien.ac.at/MQSeries.archive Instructions for managing your mailing list subscription are provided in the Listserv General Users Guide available at http://www.lsoft.com Archive: http://vm.akh-wien.ac.at/MQSeries.archive
Re: can not connect to queue manager
Roger Lacroix wrote: Did you issue the 'refresh security' from runmqsc (or whatever it is called for OpenVMS). Note: For earlier releases of MQ for Unix, you had to bounce to queue manager to pick up new security setting. (Strange but true.) Roger, there were no security setting changes made to this user. The user was created with the MQM rights, but as a habit I restarted the qm anyway, to no avail. Ken Woloschuk wrote: You could try and disable the OAM and see if there are other authorization issues like file/directory permissions. There's only one problem - on VMS you define a logical PRIOR to creating the queue manager which disables the OAM for the life of the queue manager. This may be beneficial if you can create a test queue manager which has the 2035 return for the given userID. The following link discusses the OAM and VMS: http://www-306.ibm.com/software/integration/mqfamily/library/manualsb/amqqag 00/amqqag001m.htm#HDRUTOAM Ken, that sounds like sound advise - I'll disable the OAM and see what happens. Gunther Jeschawitz wrote: On UNIX systems, you have to be a member of the group mqm to start runmqsc. You don't need any other authority. Maybe it's the same on OpenVMS. The userid has the MQM rights (this is what is required under OpenVMS). I was trying to find out where to get more details on the security violation itself. This is the first MQ install I've done on this release of OVMS, so I need to get more info to find out what's missing. Thank you all for your input; more details to follow. Dave A. = David A. Awerbuch, IBM Certified MQSeries Specialist APC Consulting Services, Inc. Providing Automated Solutions to Business Challenges West Hempstead, NY(516) 481-6440 [EMAIL PROTECTED] __ Do you Yahoo!? Yahoo! Photos: High-quality 4x6 digital prints for 25 http://photos.yahoo.com/ph/print_splash Instructions for managing your mailing list subscription are provided in the Listserv General Users Guide available at http://www.lsoft.com Archive: http://vm.akh-wien.ac.at/MQSeries.archive
Re: Request / Reply
We routinely change the MCAUSER of any SYSTEM channels to nobody so that they cannot be used as points of entry. We then create a separate channel for specific applications etc. (remembering to remove/change the MCAUSER for each individual channel). In any event, Java client connections have been presented on this list server as significant security risks in the past. Regards John Scott IBM Certified Specialist - MQSeries Argos Ltd -Original Message- From: Jeff A Tressler [mailto:[EMAIL PROTECTED] Sent: 26 April 2004 14:18 To: [EMAIL PROTECTED] Subject: Re: Request / Reply I am working with a group who is using the Java client. They are not using the local bindings. To connect to the queue manager they decided to use SYSTEM.DEF.SVRCONN. The applications failed to connect and the error logs have the following errors. These errors continue though all their error logs. === 04/23/04 14:46:43 AMQ9508: Program cannot connect to the queue manager. EXPLANATION: The connection attempt to queue manager 'APPSERV5_F1_QM' failed with reason code 2059. ACTION: Ensure that the queue manager is available and operational. - amqrmsaa.c : 420 04/23/04 14:46:43 AMQ: Channel program ended abnormally. EXPLANATION: Channel program 'SYSTEM.DEF.SVRCONN' ended abnormally. ACTION: Look at previous error messages for channel program 'SYSTEM.DEF.SVRCONN' in the error files to determine the cause of the failure. - amqrmrsa.c : 467 04/23/04 14:46:43 AMQ9508: Program cannot connect to the queue manager. EXPLANATION: The connection attempt to queue manager 'APPSERV5_F1_QM' failed with reason code 2059. ACTION: Ensure that the queue manager is available and operational. - amqrmsaa.c : 420 04/23/04 14:46:44 AMQ: Channel program ended abnormally. EXPLANATION: Channel program 'SYSTEM.DEF.SVRCONN' ended abnormally. ACTION: Look at previous error messages for channel program 'SYSTEM.DEF.SVRCONN' in the error files to determine the cause of the failure. - amqrmrsa.c : 467 === I asked that they create a new SVRCONN channel and this works fine. The SYSTEM.DEF.SVRCONN continues to fail. I have little experience with Java connecting to queue managers. Any idea what we are having problems with? Jeff Tressler Instructions for managing your mailing list subscription are provided in the Listserv General Users Guide available at http://www.lsoft.com Archive: http://vm.akh-wien.ac.at/MQSeries.archive ** Click here to visit the Argos home page http://www.argos.co.uk The information contained in this message or any of its attachments may be privileged and/or confidential, and is intended exclusively for the addressee. Unauthorised disclosure, copying or distribution of the contents is strictly prohibited. The views expressed may not be official policy, but the personal views of the originator. If you have received this message in error, please advise the sender by using the reply facility in your e-mail software. All messages sent and received by Argos Ltd are monitored for viruses, high-risk file extensions, and inappropriate content. ** Click here to visit the Argos home page http://www.argos.co.uk The information contained in this message or any of its attachments may be privileged and/or confidential, and is intended exclusively for the addressee. Unauthorised disclosure, copying or distribution of the contents is strictly prohibited. The views expressed may not be official policy, but the personal views of the originator. If you have received this message in error, please advise the sender by using the reply facility in your e-mail software. All messages sent and received by Argos Ltd are monitored for viruses, high-risk file extensions, and inappropriate content. Instructions for managing your mailing list subscription are provided in the Listserv General Users Guide available at http://www.lsoft.com Archive: http://vm.akh-wien.ac.at/MQSeries.archive
Re: Qmanager Alias Definition?
Thanks, I did try to put messages on an XMITQ that has the same name as the remote QManager name. I used a java program MQSender.java to do it. so my java command looked like : java MQSender remoteQueueName XMITQName(this is my destination QMANGER Name too) . I got an error code 2085. what am I missing ( i.e. auth on the xmitQ, or is it the way that I create QManager object within the java program) Thanks, Hossam -Original Message- From: MQSeries List [mailto:[EMAIL PROTECTED] Behalf Of Miller, Dennis Sent: Thursday, April 22, 2004 2:58 PM To: [EMAIL PROTECTED] Subject: Re: Qmanager Alias Definition? First note, the qremote you describe is NOT a qmgr alias, nor do you need one. Client 2 can simply move ReplyToQManagerName to ObjectQmgrNamr before opening the ReplyToQueue. This causes client 2 to place the message on the XMIT-Q by the same name as the ReplyToQmanagerName. You only need a qmgr alias when the desired outbound xmitq has a different name. If you prefer to use the qremote on client 2 instead of the method described above, then RQUEUE must identify the replytoqueue. That implies you cannot generate replytoqueue names dynamically. Regards, Dennis -Original Message- From: Khedr, Hossam (GEI, MORT) [mailto:[EMAIL PROTECTED] Sent: Thursday, April 22, 2004 9:48 AM To: [EMAIL PROTECTED] Subject: Qmanager Alias Definition? Hi All, We are in the process of testing the concept of QManager alias. One scenario that comes to mind is : 1- QM-1 sends a request message to QM-2, The MQMD will include the ReplyToQManagerName ( QM-1 in this case), and ReplyToQName ( Dynamic Queue created by a client Application-1) 2- Client Application-2 listens on the Request Queue, process the request, and puts back a response on QM-2 . Application-2 in this case doesn't have any access to QM-1. Question: What is needed from the QM-2 Admin? In regards to Qmanager alias , XmitQ , or other setup. We successfully ran the same scenario using remoteQ, Xmitq , channels. however, when I tried to setup QManager alias, I got the famous code 2085. For more details on our current setup: RemoteQ definition to act as QManager Alias : RQUEUE(QM-1.ALIAS) XMITQ(QM-1) RQMNAME(QM-1) XMiteQ definition: QLOCAL(QM-1) USAGE(XMITQ) Channel : CHANNEL(QM-2.TO.QM-1) CHLTYPE(SDR) XMITQ(QM-1) CONNNAME(sys1(1416)) Now the application-2 fires a command to put a response message to the QM-1 with a Dynamic Queue Name ( in this case PUT message to DynamicQ on QM-1.ALIAS). What are we missing? Thanks in advance for your help, Hossam Khedr GE MI Canada Project Symphony Tel (905) 858-5248 8*250-5248 Instructions for managing your mailing list subscription are provided in the Listserv General Users Guide available at http://www.lsoft.com Archive: http://vm.akh-wien.ac.at/MQSeries.archive Instructions for managing your mailing list subscription are provided in the Listserv General Users Guide available at http://www.lsoft.com Archive: http://vm.akh-wien.ac.at/MQSeries.archive Instructions for managing your mailing list subscription are provided in the Listserv General Users Guide available at http://www.lsoft.com Archive: http://vm.akh-wien.ac.at/MQSeries.archive
Re: Qmanager Alias Definition?
You shouldn't put the XMITQName in the remoteQueueName. You should populate your sender routine with a queue name and qmgr name the same way you would if the queue was a local queue. The local qmgr will then find the xmitq and route your message correctly. Nick -Original Message- From: MQSeries List [mailto:[EMAIL PROTECTED] On Behalf Of Khedr, Hossam (GEI, MORT) Sent: Monday, April 26, 2004 10:24 AM To: [EMAIL PROTECTED] Subject: Re: Qmanager Alias Definition? Thanks, I did try to put messages on an XMITQ that has the same name as the remote QManager name. I used a java program MQSender.java to do it. so my java command looked like : java MQSender remoteQueueName XMITQName(this is my destination QMANGER Name too) . I got an error code 2085. what am I missing ( i.e. auth on the xmitQ, or is it the way that I create QManager object within the java program) Thanks, Hossam -Original Message- From: MQSeries List [mailto:[EMAIL PROTECTED] Behalf Of Miller, Dennis Sent: Thursday, April 22, 2004 2:58 PM To: [EMAIL PROTECTED] Subject: Re: Qmanager Alias Definition? First note, the qremote you describe is NOT a qmgr alias, nor do you need one. Client 2 can simply move ReplyToQManagerName to ObjectQmgrNamr before opening the ReplyToQueue. This causes client 2 to place the message on the XMIT-Q by the same name as the ReplyToQmanagerName. You only need a qmgr alias when the desired outbound xmitq has a different name. If you prefer to use the qremote on client 2 instead of the method described above, then RQUEUE must identify the replytoqueue. That implies you cannot generate replytoqueue names dynamically. Regards, Dennis -Original Message- From: Khedr, Hossam (GEI, MORT) [mailto:[EMAIL PROTECTED] Sent: Thursday, April 22, 2004 9:48 AM To: [EMAIL PROTECTED] Subject: Qmanager Alias Definition? Hi All, We are in the process of testing the concept of QManager alias. One scenario that comes to mind is : 1- QM-1 sends a request message to QM-2, The MQMD will include the ReplyToQManagerName ( QM-1 in this case), and ReplyToQName ( Dynamic Queue created by a client Application-1) 2- Client Application-2 listens on the Request Queue, process the request, and puts back a response on QM-2 . Application-2 in this case doesn't have any access to QM-1. Question: What is needed from the QM-2 Admin? In regards to Qmanager alias , XmitQ , or other setup. We successfully ran the same scenario using remoteQ, Xmitq , channels. however, when I tried to setup QManager alias, I got the famous code 2085. For more details on our current setup: RemoteQ definition to act as QManager Alias : RQUEUE(QM-1.ALIAS) XMITQ(QM-1) RQMNAME(QM-1) XMiteQ definition: QLOCAL(QM-1) USAGE(XMITQ) Channel : CHANNEL(QM-2.TO.QM-1) CHLTYPE(SDR) XMITQ(QM-1) CONNNAME(sys1(1416)) Now the application-2 fires a command to put a response message to the QM-1 with a Dynamic Queue Name ( in this case PUT message to DynamicQ on QM-1.ALIAS). What are we missing? Thanks in advance for your help, Hossam Khedr GE MI Canada Project Symphony Tel (905) 858-5248 8*250-5248 Instructions for managing your mailing list subscription are provided in the Listserv General Users Guide available at http://www.lsoft.com Archive: http://vm.akh-wien.ac.at/MQSeries.archive Instructions for managing your mailing list subscription are provided in the Listserv General Users Guide available at http://www.lsoft.com Archive: http://vm.akh-wien.ac.at/MQSeries.archive Instructions for managing your mailing list subscription are provided in the Listserv General Users Guide available at http://www.lsoft.com Archive: http://vm.akh-wien.ac.at/MQSeries.archive Instructions for managing your mailing list subscription are provided in the Listserv General Users Guide available at http://www.lsoft.com Archive: http://vm.akh-wien.ac.at/MQSeries.archive
WBI MB v5 - Create Broker
We have wbimbv5.0.3 installed on a Solaris machine, with WMQ 5.3 (CSD06) When I try and issue the mqsicreatebroker command, I am getting the following error returned: ld.so.1: mqsicreatebroker: fatal: libjvm.so: open failed: No such file or directory Killed Has anybody encountered this? Any help would be appreciated. Thanks in advance. Regards, Bhapinder
Re: MsgId and CorrelId Conversion
Kerry, No, no, no...You cannot put EBCDIC in msgid/correlid. MQ never translates them and neither should you; they ARE readable on AIX and will contain exactly what was sent. All by design. Passing application data in those fields is a boo-boo. You may be able to overcome it with some creative coding, but it begins to look like a snarly mess, no? My first suggestion, of course, is to fix the underlying problem. Yeah, I know. My first recourse would be for the exit to insert the EBCDIC msgid/correlid into the application part of the message where it belongs. Then it will get translated along with everything else consistent with the principal of receiver makes right. Regards, Dennis -Original Message- From: Kerry Swemmer [mailto:[EMAIL PROTECTED] Sent: Monday, April 26, 2004 6:55 AM To: [EMAIL PROTECTED] Subject: MsgId and CorrelId Conversion Greetings All, We are in the process of rehosting OS/390 to AIX and I am looking for some thoughts on a problem we have run into. To provide test data on AIX I have a channel message exit on our gateway/hub.OS/390 channel that copies all mainframe-bound messages to the AIX qmgr, however initial testing has highlighted a problem with the format of the MsgId and CorrelId fields. Some of the applications, reading messages off some of the queues, all from the same source qmgr need to use the MsgId/CorrelId values but they are currently being sent in EBCDIC format and are not 'readable' on AIX. At the moment I am looking at either selectively translating the fields in the message exit or setting up a translation routine on AIX, if possible, that can be called by those applications that need it. Do any of you have any experience/thoughts/gotchas/samples/alternatives that you could share to help me in my decision? TIA, Kerry Swemmer T-Systems South Africa (Pty) Ltd Database Administrator Computing and Desktop Services Address: DaimlerChrysler, 7 Settlers Way, East London, South Africa Postal Address: PO Box 671, East London, 5200 Phone: +27 (43) 706 2549 Fax:+27 (43) 706 2085 Mobile: +27 (83) 657 4151 E-mail: [EMAIL PROTECTED] Internet: www.t-systems.co.za Any views expressed in this message are those of the individual sender, and T-Systems South Africa (Pty) Ltd accepts no liability therefore, except where the sender specifically states them to be those of T-Systems South Africa (Pty) Ltd. Although this message has been scanned for the possible presence of computer viruses prior to despatch, T-Systems South Africa (Pty) Ltd cannot be held responsible for any viruses or other material transmitted with, or as part of, this message. Instructions for managing your mailing list subscription are provided in the Listserv General Users Guide available at http://www.lsoft.com Archive: http://vm.akh-wien.ac.at/MQSeries.archive Instructions for managing your mailing list subscription are provided in the Listserv General Users Guide available at http://www.lsoft.com Archive: http://vm.akh-wien.ac.at/MQSeries.archive
Re: Qmanager Alias Definition?
Thanks Nick, Here is what I meant by my command: Java MQsender queueName QManagerName java MQSender remoteQueueName XMITQQName . ( note I my XMITQQName is the same as the destination Q Manager Name) To simplify, I need to put a message on an XMITQ, the message should routed to a remote QueueManager with the same name as my XMITQ , but I'm getting 2085 when trying using java. Thanks, Hossam -Original Message- From: MQSeries List [mailto:[EMAIL PROTECTED] Behalf Of Nick Dilauro Sent: Monday, April 26, 2004 1:45 PM To: [EMAIL PROTECTED] Subject: Re: Qmanager Alias Definition? You shouldn't put the XMITQName in the remoteQueueName. You should populate your sender routine with a queue name and qmgr name the same way you would if the queue was a local queue. The local qmgr will then find the xmitq and route your message correctly. Nick -Original Message- From: MQSeries List [mailto:[EMAIL PROTECTED] On Behalf Of Khedr, Hossam (GEI, MORT) Sent: Monday, April 26, 2004 10:24 AM To: [EMAIL PROTECTED] Subject: Re: Qmanager Alias Definition? Thanks, I did try to put messages on an XMITQ that has the same name as the remote QManager name. I used a java program MQSender.java to do it. so my java command looked like : java MQSender remoteQueueName XMITQName(this is my destination QMANGER Name too) . I got an error code 2085. what am I missing ( i.e. auth on the xmitQ, or is it the way that I create QManager object within the java program) Thanks, Hossam -Original Message- From: MQSeries List [mailto:[EMAIL PROTECTED] Behalf Of Miller, Dennis Sent: Thursday, April 22, 2004 2:58 PM To: [EMAIL PROTECTED] Subject: Re: Qmanager Alias Definition? First note, the qremote you describe is NOT a qmgr alias, nor do you need one. Client 2 can simply move ReplyToQManagerName to ObjectQmgrNamr before opening the ReplyToQueue. This causes client 2 to place the message on the XMIT-Q by the same name as the ReplyToQmanagerName. You only need a qmgr alias when the desired outbound xmitq has a different name. If you prefer to use the qremote on client 2 instead of the method described above, then RQUEUE must identify the replytoqueue. That implies you cannot generate replytoqueue names dynamically. Regards, Dennis -Original Message- From: Khedr, Hossam (GEI, MORT) [mailto:[EMAIL PROTECTED] Sent: Thursday, April 22, 2004 9:48 AM To: [EMAIL PROTECTED] Subject: Qmanager Alias Definition? Hi All, We are in the process of testing the concept of QManager alias. One scenario that comes to mind is : 1- QM-1 sends a request message to QM-2, The MQMD will include the ReplyToQManagerName ( QM-1 in this case), and ReplyToQName ( Dynamic Queue created by a client Application-1) 2- Client Application-2 listens on the Request Queue, process the request, and puts back a response on QM-2 . Application-2 in this case doesn't have any access to QM-1. Question: What is needed from the QM-2 Admin? In regards to Qmanager alias , XmitQ , or other setup. We successfully ran the same scenario using remoteQ, Xmitq , channels. however, when I tried to setup QManager alias, I got the famous code 2085. For more details on our current setup: RemoteQ definition to act as QManager Alias : RQUEUE(QM-1.ALIAS) XMITQ(QM-1) RQMNAME(QM-1) XMiteQ definition: QLOCAL(QM-1) USAGE(XMITQ) Channel : CHANNEL(QM-2.TO.QM-1) CHLTYPE(SDR) XMITQ(QM-1) CONNNAME(sys1(1416)) Now the application-2 fires a command to put a response message to the QM-1 with a Dynamic Queue Name ( in this case PUT message to DynamicQ on QM-1.ALIAS). What are we missing? Thanks in advance for your help, Hossam Khedr GE MI Canada Project Symphony Tel (905) 858-5248 8*250-5248 Instructions for managing your mailing list subscription are provided in the Listserv General Users Guide available at http://www.lsoft.com Archive: http://vm.akh-wien.ac.at/MQSeries.archive Instructions for managing your mailing list subscription are provided in the Listserv General Users Guide available at http://www.lsoft.com Archive: http://vm.akh-wien.ac.at/MQSeries.archive Instructions for managing your mailing list subscription are provided in the Listserv General Users Guide available at http://www.lsoft.com Archive: http://vm.akh-wien.ac.at/MQSeries.archive Instructions for managing your mailing list subscription are provided in the Listserv General Users Guide available at http://www.lsoft.com Archive: http://vm.akh-wien.ac.at/MQSeries.archive Instructions for managing your mailing list subscription are provided in the Listserv General Users Guide available at http://www.lsoft.com Archive: http://vm.akh-wien.ac.at/MQSeries.archive
Re: Qmanager Alias Definition?
Hossam, It's looks like you are using some sort of wrapper. You may have to make the change in the wrapper program since it may always assume you are connecting to the qmgr which hosts the queue. I'm not familiar with your wrapper program so I can't give you much help. In order for this to work, the wrapper would have to support what you're trying to do. For example, if you were using JMS you would designate the local qmgr to which you want to connect in the MQQueueConnectionFactory and then designate the qname (located on the remote qmgr) and it's qmgrname in the MQQueueFactory. Nick -Original Message- From: MQSeries List [mailto:[EMAIL PROTECTED] On Behalf Of Khedr, Hossam (GEI, MORT) Sent: Monday, April 26, 2004 11:07 AM To: [EMAIL PROTECTED] Subject: Re: Qmanager Alias Definition? Thanks Nick, Here is what I meant by my command: Java MQsender queueName QManagerName java MQSender remoteQueueName XMITQQName . ( note I my XMITQQName is the same as the destination Q Manager Name) To simplify, I need to put a message on an XMITQ, the message should routed to a remote QueueManager with the same name as my XMITQ , but I'm getting 2085 when trying using java. Thanks, Hossam -Original Message- From: MQSeries List [mailto:[EMAIL PROTECTED] Behalf Of Nick Dilauro Sent: Monday, April 26, 2004 1:45 PM To: [EMAIL PROTECTED] Subject: Re: Qmanager Alias Definition? You shouldn't put the XMITQName in the remoteQueueName. You should populate your sender routine with a queue name and qmgr name the same way you would if the queue was a local queue. The local qmgr will then find the xmitq and route your message correctly. Nick -Original Message- From: MQSeries List [mailto:[EMAIL PROTECTED] On Behalf Of Khedr, Hossam (GEI, MORT) Sent: Monday, April 26, 2004 10:24 AM To: [EMAIL PROTECTED] Subject: Re: Qmanager Alias Definition? Thanks, I did try to put messages on an XMITQ that has the same name as the remote QManager name. I used a java program MQSender.java to do it. so my java command looked like : java MQSender remoteQueueName XMITQName(this is my destination QMANGER Name too) . I got an error code 2085. what am I missing ( i.e. auth on the xmitQ, or is it the way that I create QManager object within the java program) Thanks, Hossam -Original Message- From: MQSeries List [mailto:[EMAIL PROTECTED] Behalf Of Miller, Dennis Sent: Thursday, April 22, 2004 2:58 PM To: [EMAIL PROTECTED] Subject: Re: Qmanager Alias Definition? First note, the qremote you describe is NOT a qmgr alias, nor do you need one. Client 2 can simply move ReplyToQManagerName to ObjectQmgrNamr before opening the ReplyToQueue. This causes client 2 to place the message on the XMIT-Q by the same name as the ReplyToQmanagerName. You only need a qmgr alias when the desired outbound xmitq has a different name. If you prefer to use the qremote on client 2 instead of the method described above, then RQUEUE must identify the replytoqueue. That implies you cannot generate replytoqueue names dynamically. Regards, Dennis -Original Message- From: Khedr, Hossam (GEI, MORT) [mailto:[EMAIL PROTECTED] Sent: Thursday, April 22, 2004 9:48 AM To: [EMAIL PROTECTED] Subject: Qmanager Alias Definition? Hi All, We are in the process of testing the concept of QManager alias. One scenario that comes to mind is : 1- QM-1 sends a request message to QM-2, The MQMD will include the ReplyToQManagerName ( QM-1 in this case), and ReplyToQName ( Dynamic Queue created by a client Application-1) 2- Client Application-2 listens on the Request Queue, process the request, and puts back a response on QM-2 . Application-2 in this case doesn't have any access to QM-1. Question: What is needed from the QM-2 Admin? In regards to Qmanager alias , XmitQ , or other setup. We successfully ran the same scenario using remoteQ, Xmitq , channels. however, when I tried to setup QManager alias, I got the famous code 2085. For more details on our current setup: RemoteQ definition to act as QManager Alias : RQUEUE(QM-1.ALIAS) XMITQ(QM-1) RQMNAME(QM-1) XMiteQ definition: QLOCAL(QM-1) USAGE(XMITQ) Channel : CHANNEL(QM-2.TO.QM-1) CHLTYPE(SDR) XMITQ(QM-1) CONNNAME(sys1(1416)) Now the application-2 fires a command to put a response message to the QM-1 with a Dynamic Queue Name ( in this case PUT message to DynamicQ on QM-1.ALIAS). What are we missing? Thanks in advance for your help, Hossam Khedr GE MI Canada Project Symphony Tel (905) 858-5248 8*250-5248 Instructions for managing your mailing list subscription are provided in the Listserv General Users Guide available at http://www.lsoft.com Archive: http://vm.akh-wien.ac.at/MQSeries.archive Instructions for managing your mailing list subscription are provided in the Listserv General Users Guide available at http://www.lsoft.com Archive: http://vm.akh-wien.ac.at/MQSeries.archive Instructions for managing your mailing list subscription are provided in the Listserv General Users
pmr# 72499,7td attn; Erica
fyi, I just encountered a strange problem where a channel failure did not result in a channel event being generated. I didn't realize we had a problem until an application generated an email informing me of a connection problem. IBM says this is a known problem. - Forwarded by Richard Tsujimoto/Consultant-NewYork/CanonUSA on 04/26/2004 03:07 PM - mqseries [EMAIL PROTECTED] To: [EMAIL PROTECTED] .comcc: Sent by: Erica D Subject: pmr# 72499,7td attn; Erica Hatchell [EMAIL PROTECTED] .com 04/26/2004 02:53 PM Please respond to mqseries Hi Richard, This looks to be a known issue. . 1474.PRB When are Channel Stopped Events (MQRC_CHANNEL_STOPPED (2283, X'8EB') generated? . The behaviour has changed since the introduction of IC29815 so that Channel Stopped events are only generated when the channel program itself generates a stopped event. Customers will therefore find that if a channel goes straight into a retry mode after it is started, they will not get a MQRC_CHANNEL_STOPPED event with MQRQ_CHANNEL_STOPPED_RETRY. The confusing issue is that an MQRC_CHANNEL_STARTED event is written to the SYSTEM.ADMIN.CHANNEL.EVENT queue when the channel is started via runmqsc or the MQSeries Explorer, even if the channel isn't actually able to initialize a conversation with the remote end. The difference between the event generated by runmqsc/explorer and the channel process is that you can see the name of the process in the PutApplName: PutApplName : 'ebSphere MQ\bin\runmqchl.EXE' OR PutApplName : 'ebSphere MQ\bin\AMQPCSEA.EXE' Additionally the MQCFH will contain a blank conname if the channel process hasn't generated the event e.g: : 0700 2400 0100 2E00 '$...' 0010: 0100 0100 EA08 'Û...' 0020: 0200 0400 1800 DF07 '?...' 0030: 0400 464F 4E5A 0400 'FONZ' 0040: 2400 AD0D 0D00 '$...¡...' 0050: 464F 4E5A 2E54 4F2E 5249 4348 3300 'FONZ.TO.RICH3...' As opposed the the following MQCFH when the channel process has been started: : 0700 2400 0100 2E00 '$...' 0010: 0100 0100 EB08 'Ù...' 0020: 0B00 0400 1800 DF07 '?...' 0030: 0400 464F 4E5A 0400 'FONZ' 0040: 2400 AD0D 0D00 '$...¡...' 0050: 464F 4E5A 2E54 4F2E 5249 4348 3300 'FONZ.TO.RICH3...' 0060: 0400 2000 B10D ' ...?...' 0070: 0B00 5249 4348 2E58 4D49 5451 3300 'RICH.XMITQ3.' 0080: 0400 2400 B20D '$...?...' 0090: 1000 392E 3230 2E39 332E 3636 2831 '9.20.93.66(1' 00A0: 3431 3529 0300 1000 FC03 '415)³...' 00B0: 0700 0300 1000 F503 '§...' 00C0: 4595 0300 1000 2E04 'Eò..' 00D0: 0300 1000 2F04 '/...' 00E0: 0400 2400 D20B '$...Ê...' 00F0: 0D00 464F 4E5A 2E54 4F2E 'FONZ.TO.' 0100: 5249 4348 3300 0400 1400 'RICH3...' 0110: D30B 0400 'Ë...' 0120: 1400 D40B 'È...' Future releases of MQSeries will provide a Channel stanza tuning parameter StopEvent = Always, which will revert to the old behaviour of always generating a STOP event. Regards Erica, MQSeries Level 2 Support - Distributed Platforms Email: [EMAIL PROTECTED] Need online help? Go to http://www.ibm.com/support/ Need publications? Go to http://www.ibm.com/shop/publications/order When sending mail to MQSERIES, please add the Level 2 rep's name and the Problem Number in the Subject line. ** In addition please call the
Re: Need help with BlokIP exit
Hi Ruzi,
did you figure out how to set it? I don't seem to be able to make the
BlockIP2.dll get loaded. specifically, I put all the files into
d:\utils\exit, and configured my SYSTEM.ADMIN.SVRCONN with
scyexit('d:\utils\exit\BlockIP2(BlockExit)'), and
scydata('d:\utils\exit\blck.cfg; -d')
But it doesn't seem to produce any log file, so I anticipate it didn't
load.
Would you mind shed some light on this setting? BTW, that does this
(BlockExit) mean? as parameter?
Benjamin F. Zhou
Messaging Integration Supp.
Mercedes-Benz USA
(201) 573-2474
Ruzi R
[EMAIL PROTECTED] To: [EMAIL PROTECTED]
OM cc:
Sent by: Subject: Re: Need help with BlokIP exit
MQSeries List
[EMAIL PROTECTED]
en.AC.AT
02/24/2004 05:45
PM
Please respond
to MQSeries List
Where is this c:\exit.log file defined?
Ruzi
--- Roger Lacroix [EMAIL PROTECTED]
wrote:
Hi,
What errors are you getting - what is in the
c:\exit.log file ??
The one thing that I have learned about playing with
Security Exits is that the
OS and/or the MCA can be a REAL pain. Once a DLL or
shared-object is loaded,
it can stay loaded.
Therefore, here is what I do whenever I rebuild an
exit OR change the SYCDATA
attribute of the channel.
(1) Stop the channel with mode(force) until there
are no more connections.
(2) Copy DLL or shared-object to exit directory
(3) Make any SYCDATA changes
(4) Start the channel
(5) Run program to make a connection.
This may sound tedious but I have banged my head
many times because a DLL or
shared-object was previously loaded and I didn't
realize it.
P.S. I tried your example and it worked.
i.e.
SCYDATA(FN=c:\temp\Blockspec.txt;)
Hope that helps.
Regards,
Roger Lacroix
Capitalware Inc.
http://www.capitalware.biz
Quoting Ruzi R [EMAIL PROTECTED]:
Roger,
Thanks. I just downloaded the BlockIP2 and tried
again
and it works with SCYDATA having more than one IP.
However I still could not get the file working.
Display of the SCYDATA is:
FN=c:\temp\Blockspec.txt;
And Blockspec.txt has the following entries:
Patterns=125.25.2.23,125.25.3.44;
Userids=userid1,userid2;
BlockMqmUsers=Y;
Any ideas what I am missing? Anyone?
Thanks.
Ruzi
--- Roger Lacroix [EMAIL PROTECTED]
wrote:
Hi,
You MUST put an ending semi-colon ;.
i.e.
SCYDATA(125.25.2.23;125.25.3.44;)
Hope that helps. Also, you should use BlockIP2
(more features!!)
Regards,
Roger Lacroix
Capitalware Inc.
http://www.capitalware.biz
Quoting Ruzi R [EMAIL PROTECTED]:
MQ 5.3 CSD06 on Windows2000. I am trying to
test
different configurations using BlockIP
security
exit.
It works when I use only one IP (full or
partial
with
an *) in SCYDATA.
However, I could not get it to work when I
specify
SCYDATA with more than one IP address like the
following:
1- SCYDATA(125.25.2.23;125.25.3.44) or
SCYDATA(125.25.2.*;125.25.3.*). Actually,
because
of
the requirements, I don t want to use a
pattern
but
specify the full IP addresses.
2- So that I can specify more IPs, I tried
using
FN
as follows without success:
SCYDATA('FN=c:\path..\Blockspec.txt;'). My
Blockspec.txt is defined like this (minding my
commas
and semicolons):
Patterns=125.25.2.23,125.25.3.44;
Userids=userid1,userid2;
BlockMqmUsers=Y;
Has anyone gotten it working using the 1st ot
2nd
method mentioned above?
Many thanks in advance.
Ruzi
Instructions for managing your mailing list
subscription are provided in
the Listserv General Users Guide available at
http://www.lsoft.com
Archive:
http://vm.akh-wien.ac.at/MQSeries.archive
Instructions for managing your mailing list
subscription are provided in
the Listserv General Users Guide available at
http://www.lsoft.com
Archive:
http://vm.akh-wien.ac.at/MQSeries.archive
Instructions for managing your mailing list
subscription are provided in
the Listserv General Users Guide available at
http://www.lsoft.com
Archive: http://vm.akh-wien.ac.at/MQSeries.archive
Instructions for managing your mailing list
subscription are provided in
the Listserv General Users Guide available at
http://www.lsoft.com
Archive: http://vm.akh-wien.ac.at/MQSeries.archive
Instructions for managing your mailing list subscription are provided in
the Listserv General Users Guide available at http://www.lsoft.com
Archive: http://vm.akh-wien.ac.at/MQSeries.archive
Instructions for managing your mailing list subscription are provided in
the Listserv General Users Guide available at
Re: Need help with BlokIP exit
Hi Benjamin,
You should get a file: c:\BlockIP2.log presenting you with a log/trace fil
telling you what BlockIP2 do.
If you're dealing with windows you must specify scyexit() and scydata() like
this:
alt chl(SYSTEM.ADMIN.SVRCONN) chltype(SVRCONN) +
SCYDATA('FN=d:\utils\exit\blck.cfg;-d') +
scyexit('d:\utils\exit\BlockIP2(BlockExit)') * NT
the -d; option tells BlockIP to send debug information to the logfile too.
You can read a bit about BlockIP2 here:
http://www.mrmq.dk/BlockIP.htm
By the way (BlockExit) tells windows which entry in the dll to invoke. There
can be many entries/routines in a dll. This is the reason for (BlockExit). I
hope it turn on some light...
Just my $0.02 ;o)
Kind regards
Jxrgen
Author of BlockIP
Hi Ruzi,
did you figure out how to set it? I don't seem to be able to make the
BlockIP2.dll get loaded. specifically, I put all the files into
d:\utils\exit, and configured my SYSTEM.ADMIN.SVRCONN with
scyexit('d:\utils\exit\BlockIP2(BlockExit)'), and
scydata('d:\utils\exit\blck.cfg;-d')
But it doesn't seem to produce any log file, so I anticipate it didn't
load.
Would you mind shed some light on this setting? BTW, that does this
(BlockExit) mean? as parameter?
Benjamin F. Zhou
Messaging Integration Supp.
Mercedes-Benz USA
(201) 573-2474
_
Fe alle de nye og sjove ikoner med MSN Messenger http://www.msn.dk/messenger
Instructions for managing your mailing list subscription are provided in
the Listserv General Users Guide available at http://www.lsoft.com
Archive: http://vm.akh-wien.ac.at/MQSeries.archive
Fwd: Re: can not connect to queue manager
An update. I disabled the OAM as Ken suggested, and that has solved the problem, so I now know it is security related. So this still begs the question: how on VMS do I find out what the security violation is? Thanks, Dave A. --- David Awerbuch [EMAIL PROTECTED] wrote: Date: Mon, 26 Apr 2004 07:56:43 -0700 (PDT) From: David Awerbuch [EMAIL PROTECTED] Subject: Re: can not connect to queue manager To: Mqseries Messages [EMAIL PROTECTED] Roger Lacroix wrote: Did you issue the 'refresh security' from runmqsc (or whatever it is called for OpenVMS). Note: For earlier releases of MQ for Unix, you had to bounce to queue manager to pick up new security setting. (Strange but true.) Roger, there were no security setting changes made to this user. The user was created with the MQM rights, but as a habit I restarted the qm anyway, to no avail. Ken Woloschuk wrote: You could try and disable the OAM and see if there are other authorization issues like file/directory permissions. There's only one problem - on VMS you define a logical PRIOR to creating the queue manager which disables the OAM for the life of the queue manager. This may be beneficial if you can create a test queue manager which has the 2035 return for the given userID. The following link discusses the OAM and VMS: http://www-306.ibm.com/software/integration/mqfamily/library/manualsb/amqqag 00/amqqag001m.htm#HDRUTOAM Ken, that sounds like sound advise - I'll disable the OAM and see what happens. Gunther Jeschawitz wrote: On UNIX systems, you have to be a member of the group mqm to start runmqsc. You don't need any other authority. Maybe it's the same on OpenVMS. The userid has the MQM rights (this is what is required under OpenVMS). I was trying to find out where to get more details on the security violation itself. This is the first MQ install I've done on this release of OVMS, so I need to get more info to find out what's missing. Thank you all for your input; more details to follow. Dave A. = David A. Awerbuch, IBM Certified MQSeries Specialist APC Consulting Services, Inc. Providing Automated Solutions to Business Challenges West Hempstead, NY(516) 481-6440 [EMAIL PROTECTED] __ Do you Yahoo!? Yahoo! Photos: High-quality 4x6 digital prints for 25 http://photos.yahoo.com/ph/print_splash = David A. Awerbuch, IBM Certified MQSeries Specialist APC Consulting Services, Inc. Providing Automated Solutions to Business Challenges West Hempstead, NY(516) 481-6440 [EMAIL PROTECTED] __ Do you Yahoo!? Yahoo! Photos: High-quality 4x6 digital prints for 25 http://photos.yahoo.com/ph/print_splash Instructions for managing your mailing list subscription are provided in the Listserv General Users Guide available at http://www.lsoft.com Archive: http://vm.akh-wien.ac.at/MQSeries.archive
Re: can not connect to queue manager
The permissions on authorization files, created by the OAM, are: S:RWD, O:RWD, G:RWD, W:R (ID=MQM, ACCESS=R+W+E+D+C) see the following for more info: http://www-306.ibm.com/software/integration/mqfamily/library/manualsb/amqqag 00/amqqag001q.htm#HDRUAF -Original Message- From: MQSeries List [mailto:[EMAIL PROTECTED] Behalf Of David Awerbuch Sent: Monday, April 26, 2004 15:45 To: [EMAIL PROTECTED] Subject: Fwd: Re: can not connect to queue manager An update. I disabled the OAM as Ken suggested, and that has solved the problem, so I now know it is security related. So this still begs the question: how on VMS do I find out what the security violation is? Thanks, Dave A. --- David Awerbuch [EMAIL PROTECTED] wrote: Date: Mon, 26 Apr 2004 07:56:43 -0700 (PDT) From: David Awerbuch [EMAIL PROTECTED] Subject: Re: can not connect to queue manager To: Mqseries Messages [EMAIL PROTECTED] Roger Lacroix wrote: Did you issue the 'refresh security' from runmqsc (or whatever it is called for OpenVMS). Note: For earlier releases of MQ for Unix, you had to bounce to queue manager to pick up new security setting. (Strange but true.) Roger, there were no security setting changes made to this user. The user was created with the MQM rights, but as a habit I restarted the qm anyway, to no avail. Ken Woloschuk wrote: You could try and disable the OAM and see if there are other authorization issues like file/directory permissions. There's only one problem - on VMS you define a logical PRIOR to creating the queue manager which disables the OAM for the life of the queue manager. This may be beneficial if you can create a test queue manager which has the 2035 return for the given userID. The following link discusses the OAM and VMS: http://www-306.ibm.com/software/integration/mqfamily/library/manualsb/amqqag 00/amqqag001m.htm#HDRUTOAM Ken, that sounds like sound advise - I'll disable the OAM and see what happens. Gunther Jeschawitz wrote: On UNIX systems, you have to be a member of the group mqm to start runmqsc. You don't need any other authority. Maybe it's the same on OpenVMS. The userid has the MQM rights (this is what is required under OpenVMS). I was trying to find out where to get more details on the security violation itself. This is the first MQ install I've done on this release of OVMS, so I need to get more info to find out what's missing. Thank you all for your input; more details to follow. Dave A. = David A. Awerbuch, IBM Certified MQSeries Specialist APC Consulting Services, Inc. Providing Automated Solutions to Business Challenges West Hempstead, NY(516) 481-6440 [EMAIL PROTECTED] __ Do you Yahoo!? Yahoo! Photos: High-quality 4x6 digital prints for 25 http://photos.yahoo.com/ph/print_splash = David A. Awerbuch, IBM Certified MQSeries Specialist APC Consulting Services, Inc. Providing Automated Solutions to Business Challenges West Hempstead, NY(516) 481-6440 [EMAIL PROTECTED] __ Do you Yahoo!? Yahoo! Photos: High-quality 4x6 digital prints for 25 http://photos.yahoo.com/ph/print_splash Instructions for managing your mailing list subscription are provided in the Listserv General Users Guide available at http://www.lsoft.com Archive: http://vm.akh-wien.ac.at/MQSeries.archive Instructions for managing your mailing list subscription are provided in the Listserv General Users Guide available at http://www.lsoft.com Archive: http://vm.akh-wien.ac.at/MQSeries.archive
Re: Need help with BlokIP exit
The (BlockExit) part is the function to call inside the DLL.
The exit is loaded when someone uses the channel. Try the following simple
test procedure:
Creating a test server connection channel called test
define the exit against that
Open a DOS window set MQSERVER=test/TCP/localhost
Use a tool to get or put a message to a test queue
Check that the log file is created in the directory you specified in the
parameter file
Here is a sample parameter file:
LogPath=\mqm\logs
LogDrive=c:
LogFormat=NDC
LogFileName=MQCHANNEL
LogExt=txt
#
#
#
#BlockMqmUsers=Y
#
# Disable using older style
#
#Userids=god,user1,user2
#Patterns=203.0.*.*,172.30.*.*
#
CON=203.0.228.*;*;MCA=mqa
CON=172.30.*.*;*;MCA=dbadm
This creates a log file MQCHANNEL_test_20040427.txt
Hope this helps!
Sid
-Original Message-
From: Benjamin F. Zhou [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 27 April 2004 5:42 AM
To: [EMAIL PROTECTED]
Subject: Re: Need help with BlokIP exit
Hi Ruzi,
did you figure out how to set it? I don't seem to be able to make the
BlockIP2.dll get loaded. specifically, I put all the files into
d:\utils\exit, and configured my SYSTEM.ADMIN.SVRCONN with
scyexit('d:\utils\exit\BlockIP2(BlockExit)'), and
scydata('d:\utils\exit\blck.cfg; -d')
But it doesn't seem to produce any log file, so I anticipate it didn't load.
Would you mind shed some light on this setting? BTW, that does this
(BlockExit) mean? as parameter?
Benjamin F. Zhou
Messaging Integration Supp.
Mercedes-Benz USA
(201) 573-2474
Ruzi R
[EMAIL PROTECTED] To:
[EMAIL PROTECTED]
OM cc:
Sent by: Subject: Re: Need help with
BlokIP exit
MQSeries List
[EMAIL PROTECTED]
en.AC.AT
02/24/2004 05:45
PM
Please respond
to MQSeries List
Where is this c:\exit.log file defined?
Ruzi
--- Roger Lacroix [EMAIL PROTECTED]
wrote:
Hi,
What errors are you getting - what is in the
c:\exit.log file ??
The one thing that I have learned about playing with
Security Exits is that the
OS and/or the MCA can be a REAL pain. Once a DLL or shared-object is
loaded, it can stay loaded.
Therefore, here is what I do whenever I rebuild an
exit OR change the SYCDATA
attribute of the channel.
(1) Stop the channel with mode(force) until there
are no more connections.
(2) Copy DLL or shared-object to exit directory
(3) Make any SYCDATA changes
(4) Start the channel
(5) Run program to make a connection.
This may sound tedious but I have banged my head
many times because a DLL or
shared-object was previously loaded and I didn't
realize it.
P.S. I tried your example and it worked.
i.e.
SCYDATA(FN=c:\temp\Blockspec.txt;)
Hope that helps.
Regards,
Roger Lacroix
Capitalware Inc.
http://www.capitalware.biz
Quoting Ruzi R [EMAIL PROTECTED]:
Roger,
Thanks. I just downloaded the BlockIP2 and tried
again
and it works with SCYDATA having more than one IP.
However I still could not get the file working.
Display of the SCYDATA is:
FN=c:\temp\Blockspec.txt;
And Blockspec.txt has the following entries:
Patterns=125.25.2.23,125.25.3.44;
Userids=userid1,userid2;
BlockMqmUsers=Y;
Any ideas what I am missing? Anyone?
Thanks.
Ruzi
--- Roger Lacroix [EMAIL PROTECTED]
wrote:
Hi,
You MUST put an ending semi-colon ;.
i.e.
SCYDATA(125.25.2.23;125.25.3.44;)
Hope that helps. Also, you should use BlockIP2
(more features!!)
Regards,
Roger Lacroix
Capitalware Inc.
http://www.capitalware.biz
Quoting Ruzi R [EMAIL PROTECTED]:
MQ 5.3 CSD06 on Windows2000. I am trying to
test
different configurations using BlockIP
security
exit.
It works when I use only one IP (full or
partial
with
an *) in SCYDATA.
However, I could not get it to work when I
specify
SCYDATA with more than one IP address like the
following:
1- SCYDATA(125.25.2.23;125.25.3.44) or
SCYDATA(125.25.2.*;125.25.3.*). Actually,
because
of
the requirements, I don t want to use a
pattern
but
specify the full IP addresses.
2- So that I can specify more IPs, I tried
using
FN
as follows without success:
SCYDATA('FN=c:\path..\Blockspec.txt;'). My Blockspec.txt is
defined like this (minding my
commas
and semicolons):
Patterns=125.25.2.23,125.25.3.44; Userids=userid1,userid2;
BlockMqmUsers=Y;
Has anyone gotten it working using the 1st ot
2nd
method mentioned above?
Many thanks in advance.
Ruzi
Instructions for managing your mailing list
subscription are provided in
the Listserv General Users Guide available at
http://www.lsoft.com
Archive:
Re: Qmanager Alias Definition?
While it's possible to open the XMITQ directly, it's not advised because you have to build a distribution header and play other low-level games. You want to open the replytoqueue at replytoqmgr and allow the local qmgr to resolve that combination to the xmitq. I'm not totally sure what your MQSender can do, but if it works as properly then it would look something like: MQSender replytoqueue.name replytoqmanager.name The qmgr will recognize that replytoqmanager.name is is the name of an xmitq and open it in behalf of the MQSender. You reference the xmitq as a queue manager name, not as a queue name. -Original Message- From: Khedr, Hossam (GEI, MORT) [mailto:[EMAIL PROTECTED] Sent: Monday, April 26, 2004 11:07 AM To: [EMAIL PROTECTED] Subject: Re: Qmanager Alias Definition? Thanks Nick, Here is what I meant by my command: Java MQsender queueName QManagerName java MQSender remoteQueueName XMITQQName . ( note I my XMITQQName is the same as the destination Q Manager Name) To simplify, I need to put a message on an XMITQ, the message should routed to a remote QueueManager with the same name as my XMITQ , but I'm getting 2085 when trying using java. Thanks, Hossam -Original Message- From: MQSeries List [mailto:[EMAIL PROTECTED] Behalf Of Nick Dilauro Sent: Monday, April 26, 2004 1:45 PM To: [EMAIL PROTECTED] Subject: Re: Qmanager Alias Definition? You shouldn't put the XMITQName in the remoteQueueName. You should populate your sender routine with a queue name and qmgr name the same way you would if the queue was a local queue. The local qmgr will then find the xmitq and route your message correctly. Nick -Original Message- From: MQSeries List [mailto:[EMAIL PROTECTED] On Behalf Of Khedr, Hossam (GEI, MORT) Sent: Monday, April 26, 2004 10:24 AM To: [EMAIL PROTECTED] Subject: Re: Qmanager Alias Definition? Thanks, I did try to put messages on an XMITQ that has the same name as the remote QManager name. I used a java program MQSender.java to do it. so my java command looked like : java MQSender remoteQueueName XMITQName(this is my destination QMANGER Name too) . I got an error code 2085. what am I missing ( i.e. auth on the xmitQ, or is it the way that I create QManager object within the java program) Thanks, Hossam -Original Message- From: MQSeries List [mailto:[EMAIL PROTECTED] Behalf Of Miller, Dennis Sent: Thursday, April 22, 2004 2:58 PM To: [EMAIL PROTECTED] Subject: Re: Qmanager Alias Definition? First note, the qremote you describe is NOT a qmgr alias, nor do you need one. Client 2 can simply move ReplyToQManagerName to ObjectQmgrNamr before opening the ReplyToQueue. This causes client 2 to place the message on the XMIT-Q by the same name as the ReplyToQmanagerName. You only need a qmgr alias when the desired outbound xmitq has a different name. If you prefer to use the qremote on client 2 instead of the method described above, then RQUEUE must identify the replytoqueue. That implies you cannot generate replytoqueue names dynamically. Regards, Dennis -Original Message- From: Khedr, Hossam (GEI, MORT) [mailto:[EMAIL PROTECTED] Sent: Thursday, April 22, 2004 9:48 AM To: [EMAIL PROTECTED] Subject: Qmanager Alias Definition? Hi All, We are in the process of testing the concept of QManager alias. One scenario that comes to mind is : 1- QM-1 sends a request message to QM-2, The MQMD will include the ReplyToQManagerName ( QM-1 in this case), and ReplyToQName ( Dynamic Queue created by a client Application-1) 2- Client Application-2 listens on the Request Queue, process the request, and puts back a response on QM-2 . Application-2 in this case doesn't have any access to QM-1. Question: What is needed from the QM-2 Admin? In regards to Qmanager alias , XmitQ , or other setup. We successfully ran the same scenario using remoteQ, Xmitq , channels. however, when I tried to setup QManager alias, I got the famous code 2085. For more details on our current setup: RemoteQ definition to act as QManager Alias : RQUEUE(QM-1.ALIAS) XMITQ(QM-1) RQMNAME(QM-1) XMiteQ definition: QLOCAL(QM-1) USAGE(XMITQ) Channel : CHANNEL(QM-2.TO.QM-1) CHLTYPE(SDR) XMITQ(QM-1) CONNNAME(sys1(1416)) Now the application-2 fires a command to put a response message to the QM-1 with a Dynamic Queue Name ( in this case PUT message to DynamicQ on QM-1.ALIAS). What are we missing? Thanks in advance for your help, Hossam Khedr GE MI Canada Project Symphony Tel (905) 858-5248 8*250-5248 Instructions for managing your mailing list subscription are provided in the Listserv General Users Guide available at http://www.lsoft.com Archive: http://vm.akh-wien.ac.at/MQSeries.archive Instructions for managing your mailing list subscription are provided in the Listserv General Users Guide available at http://www.lsoft.com Archive: http://vm.akh-wien.ac.at/MQSeries.archive Instructions for managing your mailing list subscription are provided in the Listserv General
