Re: Puzzled: MQJE001, MQRC 2102 for non-mqm users

[Jxrgen Pedersen]

Hi Folks,

I've just improved (I hope ;o)) BlockIP so it can block those bad useres as
quoted below.
Thanks to Roger for the nice words, this it what makes it all worth to keep
WebSphere MQ secure or at least trying to...
Currently BlockIP2 can help you block: mqm, MUSR_MQADMIN and blank uids,
this means that a valid userid will pass the exit, I can't block a valid
user, that's up to WebSphere MQ and the operating system.
I have seen some exits arround calling Windows security, so uid/password
will get verified...
And it's improved to handle multi, patterns input, so you can specify more
networks/addresses, it's still limited to the lenght of SCYDATA (32) pos.
I'm planning a version where the specification is moved to a file..
You can find BlockIP2 here:
http://home19.inet.tele.dk/m-invent/tips_and_tricks.htm#BlockIP2
I hope you'll enjoy it.
I think the only solution to really stop this if the MCAUSER is to be blank
is to have an exit on that channel to stop this ID.


If I had a magic wand, I would make it so that SVRCONN channels with blank
MCAUSERs would default the userID to "knucklehead" if the client did not
present one (instead of defaulting to mqm). Also, a new channel attribute
called BlockMQM which could be turned on to reject (with no further exits
or
efforts) any connections coming in as mqm or MUSR_MQADMIN.
Just my $0.02 ;o)

_
Best regards
Jxrgen Pedersen
IBM Certified WebSphere MQ *
IBM Certified Solution Designer - WebSphere MQ V5.3
IBM Certified Solution Developer - WebSphere MQ V5.3
IBM Certified WebSphere MQ Integrator *
_
Fe alle de nye og sjove ikoner med MSN Messenger http://messenger.msn.dk
Instructions for managing your mailing list subscription are provided in
the Listserv General Users Guide available at http://www.lsoft.com
Archive: http://vm.akh-wien.ac.at/MQSeries.archive

Re: Puzzled: MQJE001, MQRC 2102 for non-mqm users

[Roger Lacroix]

Hi,

Good stuff.

Client channel or MQCHLIB (or MQSERVER) environment variable is ONLY used by
C/C++/COBOL/VB type programs.

IBM decided, for good or bad, that when coding for MQ base Java or Java MQ JMS
programs, the MQ connection framework would not use either Client channel or
MQCHLIB.

Regards,
Roger Lacroix
Capitalware Inc.
http://www.capitalware.biz


Quoting Benjamin Zhou <[EMAIL PROTECTED]>:

>
> Hi Roger,
>
> great insight !
>
> Following your suggestion, I let my jms program on NT send 1000 msg, now I
> can see the SYSTEM.DEF.SVRCONN in running state for a few seconds.
>
> Just one more question, why does client connection channel definition or
> MQCHLIB variable has no effect on JMS program?
>
> best regards,
> Ben
> x.2474
>
>
>
>
>
>
>
>
>   Roger Lacroix
>
>   <[EMAIL PROTECTED] To:  MQSeries List
> <[EMAIL PROTECTED]>
>   alware.biz>  cc:  "Benjamin F.
> Zhou" <[EMAIL PROTECTED]>
>Subject: Re: Puzzled:
> MQJE001, MQRC 2102 for non-mqm users
>   01/08/2004 03:22 PM
>
>
>
>
>
>
>
>
>
> Hi,
>
> Those client channels or MQCHLLIB environment variable will have NO effect
> on
> your JMS program.
>
> (1) Normal.
> (2) Channel deletion has no effect.  Same as (1).
> (3) Normal.
> (4) It will use the default SVRCONN channel of 'SYSTEM.DEF.SVRCONN'. Again
> normal.
> (5) Normal. You may not be fast enough to see it be running.
> (6) Normal.
>
> The one thing that I have noticed with version 5.3 of WMQ is that if an
> application behaves well (i.e. properly closes queues and disconnects) then
>
> within a second or two, the SVRCONN channel goes to inactive (assuming all
> 1
> connection).
>
> Therefore, to properly see a running SVRCONN channels, you will need to
> send a
> few hundred messages or put a 100ms sleep between puts.
>
> Hope that helps.
>
> Regards,
> Roger Lacroix
> Capitalware Inc.
> http://www.captialware.biz
>
>
> Quoting "Benjamin F. Zhou" <[EMAIL PROTECTED]>:
>
> > Thanks everyone for trying to clariy this for me.
> >
> > Actually, it was also my conviction that an MQI channel would be used for
> > ANY client application to talk to a remote qmgr. I came to the last
> > conclusion through a series of tests.
> >
> > my JMS program is on a local NT PC. it sends msg to MYQM on an AIX
> server,
> > websvr1.
> >
> > As I did usual with MQclient applications , I defined a svrconn channel
> > SVRC.MYQM on MYQM on websvr and defined a client connection channel on
> the
> > NT PC, beside several other client channels to qmgrs on other servers.
> The
> > environment variable MQCHLLIB has been defined to point to the file
> > mqchltab's location. I defined all these clients channels under a single
> > queue manager, which has nothing to do with any other queue manager,
> except
> > to define all the client channels.
> >
> > 1. I defined a qcf this way:
> > del qcf(qCF)
> > def qcf(qCF) qmgr(MYQM) host(websvr1) channel(SVRC.MYQM)
> > transport(client) port(1414)
> > del q(reqQ)
> > def q(reqQ) qmgr(MYQM) qu(TESTQ)
> > end
> >   I run my jms program to put msg to the queue TESTQ on the remote
> > MYQM, successful.
> >
> > 2. I removed the client channel definition on NT; run the jms program,
> msg
> > successfully gets on the TESTQ on MYQM. I noticed the channel SVRC.MYQM
> is
> > always inactive.
> >
> > 3. on websvr1's MYQM, I remove the svrconn channel SVRC.MYQM; run the
> > program, it failed with msg: "... failed to create MQQueueManager ..."
> >
> > 4. on MYQM, I recreated the svrconn channel SVRC.MYQM.  However, I
> removed
> > the property channel(SVRC.MYQM); run the program, successful. Here is the
> > jndi setup script:
> > del qcf(qCF)
> > def qcf(qCF) qmgr(MYQM) host(websvr1) transport(client)
> > port(1414)
> > del q(reqQ)
> > def q(reqQ) qmgr(MYQM) qu(TESTQ)
> > end
> >
> > 5. on MYQM, I again removed svrconn channel SVRC.MYQM, run the program,
> > successful. again. I checked, no svrconn channel is running, not even
> > SYSTEM.DEF.SVRCONN .
> >
> > 6. on NT, I added back the property channel(SVRC.MYQM) in my jndi script,
> > but removed host(websvr1), run the program, a

Re: Puzzled: MQJE001, MQRC 2102 for non-mqm users

[Roger Lacroix]

Hi,

Those client channels or MQCHLLIB environment variable will have NO effect on
your JMS program.

(1) Normal.
(2) Channel deletion has no effect.  Same as (1).
(3) Normal.
(4) It will use the default SVRCONN channel of 'SYSTEM.DEF.SVRCONN'. Again
normal.
(5) Normal. You may not be fast enough to see it be running.
(6) Normal.

The one thing that I have noticed with version 5.3 of WMQ is that if an
application behaves well (i.e. properly closes queues and disconnects) then
within a second or two, the SVRCONN channel goes to inactive (assuming all 1
connection).

Therefore, to properly see a running SVRCONN channels, you will need to send a
few hundred messages or put a 100ms sleep between puts.

Hope that helps.

Regards,
Roger Lacroix
Capitalware Inc.
http://www.captialware.biz


Quoting "Benjamin F. Zhou" <[EMAIL PROTECTED]>:

> Thanks everyone for trying to clariy this for me.
>
> Actually, it was also my conviction that an MQI channel would be used for
> ANY client application to talk to a remote qmgr. I came to the last
> conclusion through a series of tests.
>
> my JMS program is on a local NT PC. it sends msg to MYQM on an AIX server,
> websvr1.
>
> As I did usual with MQclient applications , I defined a svrconn channel
> SVRC.MYQM on MYQM on websvr and defined a client connection channel on the
> NT PC, beside several other client channels to qmgrs on other servers. The
> environment variable MQCHLLIB has been defined to point to the file
> mqchltab's location. I defined all these clients channels under a single
> queue manager, which has nothing to do with any other queue manager, except
> to define all the client channels.
>
> 1. I defined a qcf this way:
> del qcf(qCF)
> def qcf(qCF) qmgr(MYQM) host(websvr1) channel(SVRC.MYQM)
> transport(client) port(1414)
> del q(reqQ)
> def q(reqQ) qmgr(MYQM) qu(TESTQ)
> end
>   I run my jms program to put msg to the queue TESTQ on the remote
> MYQM, successful.
>
> 2. I removed the client channel definition on NT; run the jms program, msg
> successfully gets on the TESTQ on MYQM. I noticed the channel SVRC.MYQM is
> always inactive.
>
> 3. on websvr1's MYQM, I remove the svrconn channel SVRC.MYQM; run the
> program, it failed with msg: "... failed to create MQQueueManager ..."
>
> 4. on MYQM, I recreated the svrconn channel SVRC.MYQM.  However, I removed
> the property channel(SVRC.MYQM); run the program, successful. Here is the
> jndi setup script:
> del qcf(qCF)
> def qcf(qCF) qmgr(MYQM) host(websvr1) transport(client)
> port(1414)
> del q(reqQ)
> def q(reqQ) qmgr(MYQM) qu(TESTQ)
> end
>
> 5. on MYQM, I again removed svrconn channel SVRC.MYQM, run the program,
> successful. again. I checked, no svrconn channel is running, not even
> SYSTEM.DEF.SVRCONN .
>
> 6. on NT, I added back the property channel(SVRC.MYQM) in my jndi script,
> but removed host(websvr1), run the program, as Peter anticipated, I got the
> error message: "... failed to create MQQueueManager for 'localhost:MYQM'
> ..."
>
> Under no circumstance did I see a svrconn channel became running except
> SYSTEM.ADMIN.SVRCONN, which is always running since I use remote admin.
>
> It is after all these tests did I arrive at the conclusion that JMS client
> doesn't use MQI channel unless we explicitly require that it use one. Even
> then, it is just referenced, not really used.
>
> Any IBMer out there can confirm or dis-confirm my argument? or further
> clarify it?
>
> best regards.
> Ben
> x.2474
>
>
>
>
>
>   Roger Lacroix
>   <[EMAIL PROTECTED] To:
> [EMAIL PROTECTED]
>   ALWARE.BIZ>  cc:
>   Sent by: MQSeriesSubject: Re: Puzzled:
> MQJE001, MQRC 2102 for non-mqm users
>   List
>   <[EMAIL PROTECTED]
>   C.AT>
>
>
>   01/08/2004 12:26 PM
>   Please respond to
>   MQSeries List
>
>
>
>
>
>
> Hi Ben,
>
> I believe you have some misconceptions about your JMS / JNDI values.
>
> First off, if you are using 'transport(client)' then you WILL be using a
> SVRCONN channel - hence a MQI channel.  Just because you did not specify
> it,
> does NOT mean you are not using one.  I believe the default SVRCONN channel
> used (when none is specified) is 'SYSTEM.DEF.SVRCONN'.
>
> Under normal circumstances, the 'MCA USER ID' field of the
> 

Re: Puzzled: MQJE001, MQRC 2102 for non-mqm users

[Robert Broderick]

a VERY BIG magnifying glass!


From: "Potkay, Peter M (PLC, IT)" <[EMAIL PROTECTED]>
Reply-To: MQSeries List <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Re: Puzzled: MQJE001, MQRC 2102 for non-mqm users
Date: Thu, 8 Jan 2004 14:04:41 -0500
" Nobody, except for MQAdmins, is allowed to use
the 'mqm' UserId (it is monitored)."
Roger, how do you monitor that?



-Original Message-
From: Roger Lacroix [mailto:[EMAIL PROTECTED]
Sent: Thursday, January 08, 2004 12:27 PM
To: [EMAIL PROTECTED]
Subject: Re: Puzzled: MQJE001, MQRC 2102 for non-mqm users
Hi Ben,

I believe you have some misconceptions about your JMS / JNDI values.

First off, if you are using 'transport(client)' then you WILL be using a
SVRCONN channel - hence a MQI channel.  Just because you did not specify
it,
does NOT mean you are not using one.  I believe the default SVRCONN channel
used (when none is specified) is 'SYSTEM.DEF.SVRCONN'.
Under normal circumstances, the 'MCA USER ID' field of the
'SYSTEM.DEF.SVRCONN'
is blank.  This generally means that you will be connecting / opening /
getting / putting messages under the UserId of 'mqm'.
Secondly, you can implement a reasonable amount of MQ security in this
scenario
(of course, client & server security exits would be better).
At my current client, developers do not have access to the JMS / JNDI tree
in
UAT / PTE / PROD (only the SysAdmins and MQAdmins have access).  Therefore,
we
code the following for the QCF or XAQCF in JMS / JNDI for WebLogic apps:
def qcf(qCF) qmgr(MYQM) host(192.168.1.12) channel(MYSVRCONN) port(1415)
transport(client) ClientId(FRED)
An alternate approach that is sometimes done (not strongly recommended) is
to
allow the developer to code the UserId in their application.
i.e.
((Message)outMessage).setStringProperty("JMSXUserID", "FRED");
In either case, we apply the necessary security to the UserId 'FRED' for
the
queue manager of 'MYQM'.  Nobody, except for MQAdmins, is allowed to use
the 'mqm' UserId (it is monitored).
We have standards that state that developers, QA people, etc  are not
allowed
access to the PROD queue managers unless approved but never with the 'mqm'
UserId.  We assign the appropriate authority to THEIR UserId.
Since my client is a bank / brokage-house, it is a fire-able offense to
access
PROD data if you have not been approved.  Hence, generally speaking, people
do
not risk it.
Hope that helps.

Regards,
Roger Lacroix
Capitalware Inc.
http://www.capitalware.biz
Quoting "Benjamin F. Zhou" <[EMAIL PROTECTED]>:

> Rob,
>
> thanks for the insight.
> However, a JMS application accesses a qmgr via a connection factory
object
> defined in the JNDI namespace, NOT through a svrconn channel on the
server,
> i,e. it's actually not using the MQI channel. It can be seen from the
> following entry in my definition script, that it actually creates a
direct
> socket connection to the host and port:
>
>   def qcf(qCF) qmgr(MYQM) host(192.168.1.12) transport(client)
> port(1415)
>
> So such a definition makes it even more dangerous since there is no more
MQ
> level security can be activated.
>
> While writing this, it became clear to me that the above is provided as
an
> alternative to using MQI channel to access a remote qmgr in order to
avoid
> having to define a client channel on the client side. Certainly, the
above
> definition can be altered to use MQI channel instead of the host
propery:
>
>   def qcf(qCF) qmgr(MYQM) channel(MYSVRCONN) transport(client)
>
> However, the first is a dangerous alternative. Any comment?
>
> regards,
> Ben
>
>
>
>
>
>
>
>
>
>   "Wyatt, T. Rob"
>   <[EMAIL PROTECTED] To:
> [EMAIL PROTECTED]
>   MERICA.COM>  cc:
>   Sent by: MQSeriesSubject: Re: Puzzled:
> MQJE001, MQRC 2102 for non-mqm users
>   List
>   <[EMAIL PROTECTED]
>   C.AT>
>
>
>   01/05/2004 10:50 AM
>   Please respond to
>   MQSeries List
>
>
>
>
>
>
> Benjamin,
>
> That is because the channel used by the client is using the authority of
> the
> QMgr.  Unless you put an MCAUSER or a security exit that substitutes a
> different UserID on the channel, you will get administrative rights.
This
> is true of all client-connections and, yes, it is dangerous.
>
> -- T.Rob
>
> -Original Message-
> From: Benjamin F. Zhou [mailto:[EMAIL PROTECTED]
> Sent: Monday, January 05, 2004 9:55 AM
> To: [EMAIL PROTECTED]
> Subje

Re: Puzzled: MQJE001, MQRC 2102 for non-mqm users

[Roger Lacroix]

Hi Peter,

How could I charge an outrageously large hourly rate if I give out my secrets.
I wish 

Hint: If any message has a UserId of 'mqm' (for Unix) or MUSR_MQADMIN (for
Windows) or CHIN (for OS/390 - where  is the QMgr name) then you know
you have a bad boy.  I have created some "Q sampler programs" to look to at the
UserId field of all messages in all queues.  I run it in binding mode and it
browses all messages (remember to get message of length 0 - zero) and checks
the UserId field. (It is very fast!)  It is setup to run 'X' times per hour (we
use a random number).

The other thing you should do is to add a simple server-side security channel
exit to log or better verify the incoming IP address.  For a PROD box, these IP
addresses should be well-known and well-defined.  Here is an excellent source
for a sample (see LogIP or BlockIP):
http://d1o111.dk.telia.net/~u149101068/index.htm?tips_and_tricks.htm

Hope that helps.

Regards,
Roger Lacroix
Capitalware Inc.
http://www.capitalware.biz


Quoting "Potkay, Peter M (PLC, IT)" <[EMAIL PROTECTED]>:

> " Nobody, except for MQAdmins, is allowed to use
> the 'mqm' UserId (it is monitored)."
>
> Roger, how do you monitor that?
>
>
>
> -Original Message-
> From: Roger Lacroix [mailto:[EMAIL PROTECTED]
> Sent: Thursday, January 08, 2004 12:27 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Puzzled: MQJE001, MQRC 2102 for non-mqm users
>
>
> Hi Ben,
>
> I believe you have some misconceptions about your JMS / JNDI values.
>
> First off, if you are using 'transport(client)' then you WILL be using a
> SVRCONN channel - hence a MQI channel.  Just because you did not specify it,
> does NOT mean you are not using one.  I believe the default SVRCONN channel
> used (when none is specified) is 'SYSTEM.DEF.SVRCONN'.
>
> Under normal circumstances, the 'MCA USER ID' field of the
> 'SYSTEM.DEF.SVRCONN'
> is blank.  This generally means that you will be connecting / opening /
> getting / putting messages under the UserId of 'mqm'.
>
> Secondly, you can implement a reasonable amount of MQ security in this
> scenario
> (of course, client & server security exits would be better).
>
> At my current client, developers do not have access to the JMS / JNDI tree
> in
> UAT / PTE / PROD (only the SysAdmins and MQAdmins have access).  Therefore,
> we
> code the following for the QCF or XAQCF in JMS / JNDI for WebLogic apps:
>
> def qcf(qCF) qmgr(MYQM) host(192.168.1.12) channel(MYSVRCONN) port(1415)
> transport(client) ClientId(FRED)
>
> An alternate approach that is sometimes done (not strongly recommended) is
> to
> allow the developer to code the UserId in their application.
> i.e.
> ((Message)outMessage).setStringProperty("JMSXUserID", "FRED");
>
> In either case, we apply the necessary security to the UserId 'FRED' for the
> queue manager of 'MYQM'.  Nobody, except for MQAdmins, is allowed to use
> the 'mqm' UserId (it is monitored).
>
> We have standards that state that developers, QA people, etc  are not
> allowed
> access to the PROD queue managers unless approved but never with the 'mqm'
> UserId.  We assign the appropriate authority to THEIR UserId.
>
> Since my client is a bank / brokage-house, it is a fire-able offense to
> access
> PROD data if you have not been approved.  Hence, generally speaking, people
> do
> not risk it.
>
> Hope that helps.
>
> Regards,
> Roger Lacroix
> Capitalware Inc.
> http://www.capitalware.biz
>
>
> Quoting "Benjamin F. Zhou" <[EMAIL PROTECTED]>:
>
> > Rob,
> >
> > thanks for the insight.
> > However, a JMS application accesses a qmgr via a connection factory object
> > defined in the JNDI namespace, NOT through a svrconn channel on the
> server,
> > i,e. it's actually not using the MQI channel. It can be seen from the
> > following entry in my definition script, that it actually creates a direct
> > socket connection to the host and port:
> >
> >   def qcf(qCF) qmgr(MYQM) host(192.168.1.12) transport(client)
> > port(1415)
> >
> > So such a definition makes it even more dangerous since there is no more
> MQ
> > level security can be activated.
> >
> > While writing this, it became clear to me that the above is provided as an
> > alternative to using MQI channel to access a remote qmgr in order to avoid
> > having to define a client channel on the client side. Certainly, the above
> > definition can be altered to use MQI channel instead of the host propery:
> >
> >   def qcf(qCF) 

Re: Puzzled: MQJE001, MQRC 2102 for non-mqm users

[Benjamin F. Zhou]

Thanks everyone for trying to clariy this for me.

Actually, it was also my conviction that an MQI channel would be used for
ANY client application to talk to a remote qmgr. I came to the last
conclusion through a series of tests.

my JMS program is on a local NT PC. it sends msg to MYQM on an AIX server,
websvr1.

As I did usual with MQclient applications , I defined a svrconn channel
SVRC.MYQM on MYQM on websvr and defined a client connection channel on the
NT PC, beside several other client channels to qmgrs on other servers. The
environment variable MQCHLLIB has been defined to point to the file
mqchltab's location. I defined all these clients channels under a single
queue manager, which has nothing to do with any other queue manager, except
to define all the client channels.

1. I defined a qcf this way:
del qcf(qCF)
def qcf(qCF) qmgr(MYQM) host(websvr1) channel(SVRC.MYQM)
transport(client) port(1414)
del q(reqQ)
def q(reqQ) qmgr(MYQM) qu(TESTQ)
end
  I run my jms program to put msg to the queue TESTQ on the remote
MYQM, successful.

2. I removed the client channel definition on NT; run the jms program, msg
successfully gets on the TESTQ on MYQM. I noticed the channel SVRC.MYQM is
always inactive.

3. on websvr1's MYQM, I remove the svrconn channel SVRC.MYQM; run the
program, it failed with msg: "... failed to create MQQueueManager ..."

4. on MYQM, I recreated the svrconn channel SVRC.MYQM.  However, I removed
the property channel(SVRC.MYQM); run the program, successful. Here is the
jndi setup script:
del qcf(qCF)
def qcf(qCF) qmgr(MYQM) host(websvr1) transport(client)
port(1414)
del q(reqQ)
def q(reqQ) qmgr(MYQM) qu(TESTQ)
end

5. on MYQM, I again removed svrconn channel SVRC.MYQM, run the program,
successful. again. I checked, no svrconn channel is running, not even
SYSTEM.DEF.SVRCONN .

6. on NT, I added back the property channel(SVRC.MYQM) in my jndi script,
but removed host(websvr1), run the program, as Peter anticipated, I got the
error message: "... failed to create MQQueueManager for 'localhost:MYQM'
..."

Under no circumstance did I see a svrconn channel became running except
SYSTEM.ADMIN.SVRCONN, which is always running since I use remote admin.

It is after all these tests did I arrive at the conclusion that JMS client
doesn't use MQI channel unless we explicitly require that it use one. Even
then, it is just referenced, not really used.

Any IBMer out there can confirm or dis-confirm my argument? or further
clarify it?

best regards.
Ben
x.2474





  Roger Lacroix
  <[EMAIL PROTECTED] To:  [EMAIL PROTECTED]
  ALWARE.BIZ>  cc:
      Sent by: MQSeries            Subject: Re: Puzzled: MQJE001, MQRC 
2102 for non-mqm users
  List
  <[EMAIL PROTECTED]
  C.AT>


  01/08/2004 12:26 PM
  Please respond to
  MQSeries List






Hi Ben,

I believe you have some misconceptions about your JMS / JNDI values.

First off, if you are using 'transport(client)' then you WILL be using a
SVRCONN channel - hence a MQI channel.  Just because you did not specify
it,
does NOT mean you are not using one.  I believe the default SVRCONN channel
used (when none is specified) is 'SYSTEM.DEF.SVRCONN'.

Under normal circumstances, the 'MCA USER ID' field of the
'SYSTEM.DEF.SVRCONN'
is blank.  This generally means that you will be connecting / opening /
getting / putting messages under the UserId of 'mqm'.

Secondly, you can implement a reasonable amount of MQ security in this
scenario
(of course, client & server security exits would be better).

At my current client, developers do not have access to the JMS / JNDI tree
in
UAT / PTE / PROD (only the SysAdmins and MQAdmins have access).  Therefore,
we
code the following for the QCF or XAQCF in JMS / JNDI for WebLogic apps:

def qcf(qCF) qmgr(MYQM) host(192.168.1.12) channel(MYSVRCONN) port(1415)
transport(client) ClientId(FRED)

An alternate approach that is sometimes done (not strongly recommended) is
to
allow the developer to code the UserId in their application.
i.e.
((Message)outMessage).setStringProperty("JMSXUserID", "FRED");

In either case, we apply the necessary security to the UserId 'FRED' for
the
queue manager of 'MYQM'.  Nobody, except for MQAdmins, is allowed to use
the 'mqm' UserId (it is monitored).

We have standards that state that developers, QA people, etc  are not
allowed
access to the PROD queue managers unless approved but never with the 'mqm'
UserId.  We assign the appropriate authority to THEIR UserId.

Since my client is a bank 

Re: Puzzled: MQJE001, MQRC 2102 for non-mqm users

[Michael Dag]

piece of paper in a safe! one person ('safe'person) gets it out passes the
password,
notes who has it and for what, when finished makes up a new password and
puts it in the safe.
the 'safe' person is non-techie...

Michael

-Oorspronkelijk bericht-
Van: MQSeries List [mailto:[EMAIL PROTECTED] Potkay, Peter
M (PLC, IT)
Verzonden: donderdag 8 januari 2004 20:05
Aan: [EMAIL PROTECTED]
Onderwerp: Re: Puzzled: MQJE001, MQRC 2102 for non-mqm users


" Nobody, except for MQAdmins, is allowed to use
the 'mqm' UserId (it is monitored)."

Roger, how do you monitor that?



-Original Message-
From: Roger Lacroix [mailto:[EMAIL PROTECTED]
Sent: Thursday, January 08, 2004 12:27 PM
To: [EMAIL PROTECTED]
Subject: Re: Puzzled: MQJE001, MQRC 2102 for non-mqm users


Hi Ben,

I believe you have some misconceptions about your JMS / JNDI values.

First off, if you are using 'transport(client)' then you WILL be using a
SVRCONN channel - hence a MQI channel.  Just because you did not specify it,
does NOT mean you are not using one.  I believe the default SVRCONN channel
used (when none is specified) is 'SYSTEM.DEF.SVRCONN'.

Under normal circumstances, the 'MCA USER ID' field of the
'SYSTEM.DEF.SVRCONN'
is blank.  This generally means that you will be connecting / opening /
getting / putting messages under the UserId of 'mqm'.

Secondly, you can implement a reasonable amount of MQ security in this
scenario
(of course, client & server security exits would be better).

At my current client, developers do not have access to the JMS / JNDI tree
in
UAT / PTE / PROD (only the SysAdmins and MQAdmins have access).  Therefore,
we
code the following for the QCF or XAQCF in JMS / JNDI for WebLogic apps:

def qcf(qCF) qmgr(MYQM) host(192.168.1.12) channel(MYSVRCONN) port(1415)
transport(client) ClientId(FRED)

An alternate approach that is sometimes done (not strongly recommended) is
to
allow the developer to code the UserId in their application.
i.e.
((Message)outMessage).setStringProperty("JMSXUserID", "FRED");

In either case, we apply the necessary security to the UserId 'FRED' for the
queue manager of 'MYQM'.  Nobody, except for MQAdmins, is allowed to use
the 'mqm' UserId (it is monitored).

We have standards that state that developers, QA people, etc  are not
allowed
access to the PROD queue managers unless approved but never with the 'mqm'
UserId.  We assign the appropriate authority to THEIR UserId.

Since my client is a bank / brokage-house, it is a fire-able offense to
access
PROD data if you have not been approved.  Hence, generally speaking, people
do
not risk it.

Hope that helps.

Regards,
Roger Lacroix
Capitalware Inc.
http://www.capitalware.biz


Quoting "Benjamin F. Zhou" <[EMAIL PROTECTED]>:

> Rob,
>
> thanks for the insight.
> However, a JMS application accesses a qmgr via a connection factory object
> defined in the JNDI namespace, NOT through a svrconn channel on the
server,
> i,e. it's actually not using the MQI channel. It can be seen from the
> following entry in my definition script, that it actually creates a direct
> socket connection to the host and port:
>
>   def qcf(qCF) qmgr(MYQM) host(192.168.1.12) transport(client)
> port(1415)
>
> So such a definition makes it even more dangerous since there is no more
MQ
> level security can be activated.
>
> While writing this, it became clear to me that the above is provided as an
> alternative to using MQI channel to access a remote qmgr in order to avoid
> having to define a client channel on the client side. Certainly, the above
> definition can be altered to use MQI channel instead of the host propery:
>
>   def qcf(qCF) qmgr(MYQM) channel(MYSVRCONN) transport(client)
>
> However, the first is a dangerous alternative. Any comment?
>
> regards,
> Ben
>
>
>
>
>
>
>
>
>
>   "Wyatt, T. Rob"
>   <[EMAIL PROTECTED] To:
> [EMAIL PROTECTED]
>   MERICA.COM>  cc:
>   Sent by: MQSeriesSubject: Re: Puzzled:
> MQJE001, MQRC 2102 for non-mqm users
>   List
>   <[EMAIL PROTECTED]
>   C.AT>
>
>
>   01/05/2004 10:50 AM
>   Please respond to
>   MQSeries List
>
>
>
>
>
>
> Benjamin,
>
> That is because the channel used by the client is using the authority of
> the
> QMgr.  Unless you put an MCAUSER or a security exit that substitutes a
> different UserID on the channel, you will get administrative rights.  This
> is true of all client-connections

Re: Puzzled: MQJE001, MQRC 2102 for non-mqm users

[Potkay, Peter M (PLC, IT)]

" Nobody, except for MQAdmins, is allowed to use
the 'mqm' UserId (it is monitored)."

Roger, how do you monitor that?



-Original Message-
From: Roger Lacroix [mailto:[EMAIL PROTECTED]
Sent: Thursday, January 08, 2004 12:27 PM
To: [EMAIL PROTECTED]
Subject: Re: Puzzled: MQJE001, MQRC 2102 for non-mqm users


Hi Ben,

I believe you have some misconceptions about your JMS / JNDI values.

First off, if you are using 'transport(client)' then you WILL be using a
SVRCONN channel - hence a MQI channel.  Just because you did not specify it,
does NOT mean you are not using one.  I believe the default SVRCONN channel
used (when none is specified) is 'SYSTEM.DEF.SVRCONN'.

Under normal circumstances, the 'MCA USER ID' field of the
'SYSTEM.DEF.SVRCONN'
is blank.  This generally means that you will be connecting / opening /
getting / putting messages under the UserId of 'mqm'.

Secondly, you can implement a reasonable amount of MQ security in this
scenario
(of course, client & server security exits would be better).

At my current client, developers do not have access to the JMS / JNDI tree
in
UAT / PTE / PROD (only the SysAdmins and MQAdmins have access).  Therefore,
we
code the following for the QCF or XAQCF in JMS / JNDI for WebLogic apps:

def qcf(qCF) qmgr(MYQM) host(192.168.1.12) channel(MYSVRCONN) port(1415)
transport(client) ClientId(FRED)

An alternate approach that is sometimes done (not strongly recommended) is
to
allow the developer to code the UserId in their application.
i.e.
((Message)outMessage).setStringProperty("JMSXUserID", "FRED");

In either case, we apply the necessary security to the UserId 'FRED' for the
queue manager of 'MYQM'.  Nobody, except for MQAdmins, is allowed to use
the 'mqm' UserId (it is monitored).

We have standards that state that developers, QA people, etc  are not
allowed
access to the PROD queue managers unless approved but never with the 'mqm'
UserId.  We assign the appropriate authority to THEIR UserId.

Since my client is a bank / brokage-house, it is a fire-able offense to
access
PROD data if you have not been approved.  Hence, generally speaking, people
do
not risk it.

Hope that helps.

Regards,
Roger Lacroix
Capitalware Inc.
http://www.capitalware.biz


Quoting "Benjamin F. Zhou" <[EMAIL PROTECTED]>:

> Rob,
>
> thanks for the insight.
> However, a JMS application accesses a qmgr via a connection factory object
> defined in the JNDI namespace, NOT through a svrconn channel on the
server,
> i,e. it's actually not using the MQI channel. It can be seen from the
> following entry in my definition script, that it actually creates a direct
> socket connection to the host and port:
>
>   def qcf(qCF) qmgr(MYQM) host(192.168.1.12) transport(client)
> port(1415)
>
> So such a definition makes it even more dangerous since there is no more
MQ
> level security can be activated.
>
> While writing this, it became clear to me that the above is provided as an
> alternative to using MQI channel to access a remote qmgr in order to avoid
> having to define a client channel on the client side. Certainly, the above
> definition can be altered to use MQI channel instead of the host propery:
>
>   def qcf(qCF) qmgr(MYQM) channel(MYSVRCONN) transport(client)
>
> However, the first is a dangerous alternative. Any comment?
>
> regards,
> Ben
>
>
>
>
>
>
>
>
>
>                   "Wyatt, T. Rob"
>   <[EMAIL PROTECTED] To:
> [EMAIL PROTECTED]
>   MERICA.COM>  cc:
>   Sent by: MQSeriesSubject: Re: Puzzled:
> MQJE001, MQRC 2102 for non-mqm users
>   List
>   <[EMAIL PROTECTED]
>   C.AT>
>
>
>   01/05/2004 10:50 AM
>   Please respond to
>   MQSeries List
>
>
>
>
>
>
> Benjamin,
>
> That is because the channel used by the client is using the authority of
> the
> QMgr.  Unless you put an MCAUSER or a security exit that substitutes a
> different UserID on the channel, you will get administrative rights.  This
> is true of all client-connections and, yes, it is dangerous.
>
> -- T.Rob
>
> -Original Message-
> From: Benjamin F. Zhou [mailto:[EMAIL PROTECTED]
> Sent: Monday, January 05, 2004 9:55 AM
> To: [EMAIL PROTECTED]
> Subject: Re: Puzzled: MQJE001, MQRC 2102 for non-mqm users
>
>
> Bob, that's a good point. I've opened a ticket with IBM on this misleading
> reason code.
>
> However, if I use client mode, the jms application ne

Re: Puzzled: MQJE001, MQRC 2102 for non-mqm users

[Wyatt, T. Rob]

Benjamin,

I don't believe that your example proves a socket connection.  Rather I
believe that it demonstrates that SYSTEM.DEF.SVRCONN is set as the default.
When your application is running, do you not see an active SVRCONN instance
for it?  If you disable the SYSTEM.DEF.SVRCONN, does the program still work?

According to the docs, only the JMS Pub/Sub interface supports socket
connections and then it's only to the event broker, not to the QMgr.
Anything connecting to the QMgr uses bindings or a standard MQ client
interface.

Ref:
http://publibfp.boulder.ibm.com/epubs/html/csqzaw11/csqzaw110i.htm#HDRCSQ77G
1

-- T.Rob



-Original Message-
From: Benjamin F. Zhou [mailto:[EMAIL PROTECTED]
Sent: Thursday, January 08, 2004 11:07 AM
To: [EMAIL PROTECTED]
Subject: Re: Puzzled: MQJE001, MQRC 2102 for non-mqm users


Rob,

thanks for the insight.
However, a JMS application accesses a qmgr via a connection factory object
defined in the JNDI namespace, NOT through a svrconn channel on the server,
i,e. it's actually not using the MQI channel. It can be seen from the
following entry in my definition script, that it actually creates a direct
socket connection to the host and port:

  def qcf(qCF) qmgr(MYQM) host(192.168.1.12) transport(client)
port(1415)

So such a definition makes it even more dangerous since there is no more MQ
level security can be activated.

While writing this, it became clear to me that the above is provided as an
alternative to using MQI channel to access a remote qmgr in order to avoid
having to define a client channel on the client side. Certainly, the above
definition can be altered to use MQI channel instead of the host propery:

  def qcf(qCF) qmgr(MYQM) channel(MYSVRCONN) transport(client)

However, the first is a dangerous alternative. Any comment?

regards,
Ben









  "Wyatt, T. Rob"
  <[EMAIL PROTECTED] To:
[EMAIL PROTECTED]
  MERICA.COM>  cc:
  Sent by: MQSeries        Subject: Re: Puzzled:
MQJE001, MQRC 2102 for non-mqm users
  List
  <[EMAIL PROTECTED]
  C.AT>


  01/05/2004 10:50 AM
  Please respond to
  MQSeries List






Benjamin,

That is because the channel used by the client is using the authority of
the
QMgr.  Unless you put an MCAUSER or a security exit that substitutes a
different UserID on the channel, you will get administrative rights.  This
is true of all client-connections and, yes, it is dangerous.

-- T.Rob

-Original Message-
From: Benjamin F. Zhou [mailto:[EMAIL PROTECTED]
Sent: Monday, January 05, 2004 9:55 AM
To: [EMAIL PROTECTED]
Subject: Re: Puzzled: MQJE001, MQRC 2102 for non-mqm users


Bob, that's a good point. I've opened a ticket with IBM on this misleading
reason code.

However, if I use client mode, the jms application needs neither +inq nor
+connect to the qmgr, to put a message to a queue. It dosn't even need a
+put/+get/+brose. It seems to me that in the case of MQClient, it is the
local qmgr that actually does the puts/gets. So no authorization is needed
at all.  But this sounds too dangerous, doesn't it?

regards,

Benjamin F. Zhou
Mercedes-Benz USA
x.2474





  Robert Broderick
  <[EMAIL PROTECTED] To:
[EMAIL PROTECTED]
  OTMAIL.COM>cc:
          Sent by: MQSeries  Subject: Re: Puzzled:
MQJE001, MQRC 2102 for non-mqm users
  List
  <[EMAIL PROTECTED]
  .AC.AT>


  01/02/2004 03:39
  PM
  Please respond to
  MQSeries List






Stillthe unanswered question

Why the 2102 Is something looping. I cannot see why insufficient access
authority would generate this type of error. It seems there is an
unresolved
bug.

About 2 months ago there was a discussin on the +inq for the JMS stuff and
if I  remember correctly the person at that time was not getting a 2102.


bobbee


>From: "Wyatt, T. Rob" <[EMAIL PROTECTED]>
>Reply-To: MQSeries List <[EMAIL PROTECTED]>
>To: [EMAIL PROTECTED]
>Subject: Re: Puzzled: MQJE001, MQRC 2102 for non-mqm users
>Date: Fri, 2 Jan 2004 13:40:13 -0600
>
>When this happened to us, my developers were not printing the linked JMS
>exception so I did not have a reason code to look at.  If I had been given
>a
>2102, it sure would have thrown me off!  I like to keep the events turned
>on
>so when I was presented with the problem I very quickly found an event
>message showing the UserID, the QMgr INQ call and a 2035.  Discussion with
>the user revealed that any QMgr inquiry calls were happening inside 

Re: Puzzled: MQJE001, MQRC 2102 for non-mqm users

[Roger Lacroix]

Hi Ben,

I believe you have some misconceptions about your JMS / JNDI values.

First off, if you are using 'transport(client)' then you WILL be using a
SVRCONN channel - hence a MQI channel.  Just because you did not specify it,
does NOT mean you are not using one.  I believe the default SVRCONN channel
used (when none is specified) is 'SYSTEM.DEF.SVRCONN'.

Under normal circumstances, the 'MCA USER ID' field of the 'SYSTEM.DEF.SVRCONN'
is blank.  This generally means that you will be connecting / opening /
getting / putting messages under the UserId of 'mqm'.

Secondly, you can implement a reasonable amount of MQ security in this scenario
(of course, client & server security exits would be better).

At my current client, developers do not have access to the JMS / JNDI tree in
UAT / PTE / PROD (only the SysAdmins and MQAdmins have access).  Therefore, we
code the following for the QCF or XAQCF in JMS / JNDI for WebLogic apps:

def qcf(qCF) qmgr(MYQM) host(192.168.1.12) channel(MYSVRCONN) port(1415)
transport(client) ClientId(FRED)

An alternate approach that is sometimes done (not strongly recommended) is to
allow the developer to code the UserId in their application.
i.e.
((Message)outMessage).setStringProperty("JMSXUserID", "FRED");

In either case, we apply the necessary security to the UserId 'FRED' for the
queue manager of 'MYQM'.  Nobody, except for MQAdmins, is allowed to use
the 'mqm' UserId (it is monitored).

We have standards that state that developers, QA people, etc  are not allowed
access to the PROD queue managers unless approved but never with the 'mqm'
UserId.  We assign the appropriate authority to THEIR UserId.

Since my client is a bank / brokage-house, it is a fire-able offense to access
PROD data if you have not been approved.  Hence, generally speaking, people do
not risk it.

Hope that helps.

Regards,
Roger Lacroix
Capitalware Inc.
http://www.capitalware.biz


Quoting "Benjamin F. Zhou" <[EMAIL PROTECTED]>:

> Rob,
>
> thanks for the insight.
> However, a JMS application accesses a qmgr via a connection factory object
> defined in the JNDI namespace, NOT through a svrconn channel on the server,
> i,e. it's actually not using the MQI channel. It can be seen from the
> following entry in my definition script, that it actually creates a direct
> socket connection to the host and port:
>
>   def qcf(qCF) qmgr(MYQM) host(192.168.1.12) transport(client)
> port(1415)
>
> So such a definition makes it even more dangerous since there is no more MQ
> level security can be activated.
>
> While writing this, it became clear to me that the above is provided as an
> alternative to using MQI channel to access a remote qmgr in order to avoid
> having to define a client channel on the client side. Certainly, the above
> definition can be altered to use MQI channel instead of the host propery:
>
>   def qcf(qCF) qmgr(MYQM) channel(MYSVRCONN) transport(client)
>
> However, the first is a dangerous alternative. Any comment?
>
> regards,
> Ben
>
>
>
>
>
>
>
>
>
>       "Wyatt, T. Rob"
>   <[EMAIL PROTECTED] To:
> [EMAIL PROTECTED]
>   MERICA.COM>  cc:
>   Sent by: MQSeriesSubject: Re: Puzzled:
> MQJE001, MQRC 2102 for non-mqm users
>   List
>   <[EMAIL PROTECTED]
>   C.AT>
>
>
>   01/05/2004 10:50 AM
>   Please respond to
>   MQSeries List
>
>
>
>
>
>
> Benjamin,
>
> That is because the channel used by the client is using the authority of
> the
> QMgr.  Unless you put an MCAUSER or a security exit that substitutes a
> different UserID on the channel, you will get administrative rights.  This
> is true of all client-connections and, yes, it is dangerous.
>
> -- T.Rob
>
> -Original Message-
> From: Benjamin F. Zhou [mailto:[EMAIL PROTECTED]
> Sent: Monday, January 05, 2004 9:55 AM
> To: [EMAIL PROTECTED]
> Subject: Re: Puzzled: MQJE001, MQRC 2102 for non-mqm users
>
>
> Bob, that's a good point. I've opened a ticket with IBM on this misleading
> reason code.
>
> However, if I use client mode, the jms application needs neither +inq nor
> +connect to the qmgr, to put a message to a queue. It dosn't even need a
> +put/+get/+brose. It seems to me that in the case of MQClient, it is the
> local qmgr that actually does the puts/gets. So no authorization is needed
> at all.  But this sounds too dangerous, doesn't it?
>
> regards,
>
> Benjamin F. 

Re: Puzzled: MQJE001, MQRC 2102 for non-mqm users

[Nick Dilauro]

Sorry I forgot to attach the file.

Nick


-Original Message-
From: Nick Dilauro
Sent: Thursday, January 08, 2004 9:16 AM
To: 'MQSeries List'
Subject: RE: Puzzled: MQJE001, MQRC 2102 for non-mqm users

Benjamin,

Attached is a JNDI bindings file which was created without the channel
option.  You can look at it with a text editor and see that it put in a
default entry for SYSTEM.DEF.SVRCONN.  If you use the channel option this
entry is replaced by your channel.  You can also run your appl and see that
you are really running on the default channel.  I don't think the qmgr
really has any special processing for either JMS and Java when the client is
running the Java.  It's all just basic MQ from the server's point of view so
there has to be a svrconn channel.

Nick


-Original Message-
From: MQSeries List [mailto:[EMAIL PROTECTED] On Behalf Of Benjamin
F. Zhou
Sent: Thursday, January 08, 2004 8:07 AM
To: [EMAIL PROTECTED]
Subject: Re: Puzzled: MQJE001, MQRC 2102 for non-mqm users

Rob,

thanks for the insight.
However, a JMS application accesses a qmgr via a connection factory object
defined in the JNDI namespace, NOT through a svrconn channel on the server,
i,e. it's actually not using the MQI channel. It can be seen from the
following entry in my definition script, that it actually creates a direct
socket connection to the host and port:

  def qcf(qCF) qmgr(MYQM) host(192.168.1.12) transport(client)
port(1415)

So such a definition makes it even more dangerous since there is no more MQ
level security can be activated.

While writing this, it became clear to me that the above is provided as an
alternative to using MQI channel to access a remote qmgr in order to avoid
having to define a client channel on the client side. Certainly, the above
definition can be altered to use MQI channel instead of the host propery:

  def qcf(qCF) qmgr(MYQM) channel(MYSVRCONN) transport(client)

However, the first is a dangerous alternative. Any comment?

regards,
Ben









  "Wyatt, T. Rob"
  <[EMAIL PROTECTED] To:
[EMAIL PROTECTED]
  MERICA.COM>  cc:
  Sent by: MQSeries        Subject: Re: Puzzled:
MQJE001, MQRC 2102 for non-mqm users
  List
  <[EMAIL PROTECTED]
  C.AT>


  01/05/2004 10:50 AM
  Please respond to
  MQSeries List






Benjamin,

That is because the channel used by the client is using the authority of
the
QMgr.  Unless you put an MCAUSER or a security exit that substitutes a
different UserID on the channel, you will get administrative rights.  This
is true of all client-connections and, yes, it is dangerous.

-- T.Rob

-Original Message-
From: Benjamin F. Zhou [mailto:[EMAIL PROTECTED]
Sent: Monday, January 05, 2004 9:55 AM
To: [EMAIL PROTECTED]
Subject: Re: Puzzled: MQJE001, MQRC 2102 for non-mqm users


Bob, that's a good point. I've opened a ticket with IBM on this misleading
reason code.

However, if I use client mode, the jms application needs neither +inq nor
+connect to the qmgr, to put a message to a queue. It dosn't even need a
+put/+get/+brose. It seems to me that in the case of MQClient, it is the
local qmgr that actually does the puts/gets. So no authorization is needed
at all.  But this sounds too dangerous, doesn't it?

regards,

Benjamin F. Zhou
Mercedes-Benz USA
x.2474





  Robert Broderick
  <[EMAIL PROTECTED] To:
[EMAIL PROTECTED]
  OTMAIL.COM>        cc:
              Sent by: MQSeries  Subject: Re: Puzzled:
MQJE001, MQRC 2102 for non-mqm users
  List
  <[EMAIL PROTECTED]
  .AC.AT>


  01/02/2004 03:39
  PM
  Please respond to
  MQSeries List






Stillthe unanswered question

Why the 2102 Is something looping. I cannot see why insufficient access
authority would generate this type of error. It seems there is an
unresolved
bug.

About 2 months ago there was a discussin on the +inq for the JMS stuff and
if I  remember correctly the person at that time was not getting a 2102.


bobbee


>From: "Wyatt, T. Rob" <[EMAIL PROTECTED]>
>Reply-To: MQSeries List <[EMAIL PROTECTED]>
>To: [EMAIL PROTECTED]
>Subject: Re: Puzzled: MQJE001, MQRC 2102 for non-mqm users
>Date: Fri, 2 Jan 2004 13:40:13 -0600
>
>When this happened to us, my developers were not printing the linked JMS
>exception so I did not have a reason code to look at.  If I had been given
>a
>2102, it sure would have thrown me off!  I like to keep the events turned
>on
>so when I was presented with the

Re: Puzzled: MQJE001, MQRC 2102 for non-mqm users

[Nick Dilauro]

Benjamin,

Attached is a JNDI bindings file which was created without the channel
option.  You can look at it with a text editor and see that it put in a
default entry for SYSTEM.DEF.SVRCONN.  If you use the channel option this
entry is replaced by your channel.  You can also run your appl and see that
you are really running on the default channel.  I don't think the qmgr
really has any special processing for either JMS and Java when the client is
running the Java.  It's all just basic MQ from the server's point of view so
there has to be a svrconn channel.

Nick


-Original Message-
From: MQSeries List [mailto:[EMAIL PROTECTED] On Behalf Of Benjamin
F. Zhou
Sent: Thursday, January 08, 2004 8:07 AM
To: [EMAIL PROTECTED]
Subject: Re: Puzzled: MQJE001, MQRC 2102 for non-mqm users

Rob,

thanks for the insight.
However, a JMS application accesses a qmgr via a connection factory object
defined in the JNDI namespace, NOT through a svrconn channel on the server,
i,e. it's actually not using the MQI channel. It can be seen from the
following entry in my definition script, that it actually creates a direct
socket connection to the host and port:

  def qcf(qCF) qmgr(MYQM) host(192.168.1.12) transport(client)
port(1415)

So such a definition makes it even more dangerous since there is no more MQ
level security can be activated.

While writing this, it became clear to me that the above is provided as an
alternative to using MQI channel to access a remote qmgr in order to avoid
having to define a client channel on the client side. Certainly, the above
definition can be altered to use MQI channel instead of the host propery:

  def qcf(qCF) qmgr(MYQM) channel(MYSVRCONN) transport(client)

However, the first is a dangerous alternative. Any comment?

regards,
Ben









  "Wyatt, T. Rob"
  <[EMAIL PROTECTED] To:
[EMAIL PROTECTED]
  MERICA.COM>  cc:
  Sent by: MQSeries    Subject: Re: Puzzled:
MQJE001, MQRC 2102 for non-mqm users
  List
  <[EMAIL PROTECTED]
  C.AT>


  01/05/2004 10:50 AM
  Please respond to
  MQSeries List






Benjamin,

That is because the channel used by the client is using the authority of
the
QMgr.  Unless you put an MCAUSER or a security exit that substitutes a
different UserID on the channel, you will get administrative rights.  This
is true of all client-connections and, yes, it is dangerous.

-- T.Rob

-Original Message-
From: Benjamin F. Zhou [mailto:[EMAIL PROTECTED]
Sent: Monday, January 05, 2004 9:55 AM
To: [EMAIL PROTECTED]
Subject: Re: Puzzled: MQJE001, MQRC 2102 for non-mqm users


Bob, that's a good point. I've opened a ticket with IBM on this misleading
reason code.

However, if I use client mode, the jms application needs neither +inq nor
+connect to the qmgr, to put a message to a queue. It dosn't even need a
+put/+get/+brose. It seems to me that in the case of MQClient, it is the
local qmgr that actually does the puts/gets. So no authorization is needed
at all.  But this sounds too dangerous, doesn't it?

regards,

Benjamin F. Zhou
Mercedes-Benz USA
x.2474





  Robert Broderick
  <[EMAIL PROTECTED] To:
[EMAIL PROTECTED]
  OTMAIL.COM>    cc:
          Sent by: MQSeries  Subject: Re: Puzzled:
MQJE001, MQRC 2102 for non-mqm users
  List
  <[EMAIL PROTECTED]
  .AC.AT>


  01/02/2004 03:39
  PM
  Please respond to
  MQSeries List






Stillthe unanswered question

Why the 2102 Is something looping. I cannot see why insufficient access
authority would generate this type of error. It seems there is an
unresolved
bug.

About 2 months ago there was a discussin on the +inq for the JMS stuff and
if I  remember correctly the person at that time was not getting a 2102.


bobbee


>From: "Wyatt, T. Rob" <[EMAIL PROTECTED]>
>Reply-To: MQSeries List <[EMAIL PROTECTED]>
>To: [EMAIL PROTECTED]
>Subject: Re: Puzzled: MQJE001, MQRC 2102 for non-mqm users
>Date: Fri, 2 Jan 2004 13:40:13 -0600
>
>When this happened to us, my developers were not printing the linked JMS
>exception so I did not have a reason code to look at.  If I had been given
>a
>2102, it sure would have thrown me off!  I like to keep the events turned
>on
>so when I was presented with the problem I very quickly found an event
>message showing the UserID, the QMgr INQ call and a 2035.  Discussion with
>the user revealed that any QMgr inquiry calls were happening inside the
>Java
>classes and n

Re: Puzzled: MQJE001, MQRC 2102 for non-mqm users

[Potkay, Peter M (PLC, IT)]

I may be wrong, but the following def:

"def qcf(qCF) qmgr(MYQM) host(192.168.1.12) transport(client) port(1415)"

will cause your QCF to default to the SYSTEM.DEF.SVRCONN channel.I have
never heard of an MQClient connecting to a QM and not using a SVRCONN
channel, regardless of what interface was on top of that MQClient (like
JMS).


"def qcf(qCF) qmgr(MYQM) channel(MYSVRCONN) transport(client)"

Would default the QCF to the localhost, since you did not specify the
hostname.


An MQClient will always use a hostname and will come in through a SVRCONN
channel. The building of the QCF just happens to let you leave these 2
fields blank and then gives you the default values.

-Original Message-
From: Benjamin F. Zhou [mailto:[EMAIL PROTECTED]
Sent: Thursday, January 08, 2004 11:07 AM
To: [EMAIL PROTECTED]
Subject: Re: Puzzled: MQJE001, MQRC 2102 for non-mqm users


Rob,

thanks for the insight.
However, a JMS application accesses a qmgr via a connection factory object
defined in the JNDI namespace, NOT through a svrconn channel on the server,
i,e. it's actually not using the MQI channel. It can be seen from the
following entry in my definition script, that it actually creates a direct
socket connection to the host and port:

  def qcf(qCF) qmgr(MYQM) host(192.168.1.12) transport(client)
port(1415)

So such a definition makes it even more dangerous since there is no more MQ
level security can be activated.

While writing this, it became clear to me that the above is provided as an
alternative to using MQI channel to access a remote qmgr in order to avoid
having to define a client channel on the client side. Certainly, the above
definition can be altered to use MQI channel instead of the host propery:

  def qcf(qCF) qmgr(MYQM) channel(MYSVRCONN) transport(client)

However, the first is a dangerous alternative. Any comment?

regards,
Ben









  "Wyatt, T. Rob"
  <[EMAIL PROTECTED] To:
[EMAIL PROTECTED]
  MERICA.COM>  cc:
  Sent by: MQSeries    Subject: Re: Puzzled:
MQJE001, MQRC 2102 for non-mqm users
  List
  <[EMAIL PROTECTED]
  C.AT>


  01/05/2004 10:50 AM
  Please respond to
  MQSeries List






Benjamin,

That is because the channel used by the client is using the authority of
the
QMgr.  Unless you put an MCAUSER or a security exit that substitutes a
different UserID on the channel, you will get administrative rights.  This
is true of all client-connections and, yes, it is dangerous.

-- T.Rob

-Original Message-
From: Benjamin F. Zhou [mailto:[EMAIL PROTECTED]
Sent: Monday, January 05, 2004 9:55 AM
To: [EMAIL PROTECTED]
Subject: Re: Puzzled: MQJE001, MQRC 2102 for non-mqm users


Bob, that's a good point. I've opened a ticket with IBM on this misleading
reason code.

However, if I use client mode, the jms application needs neither +inq nor
+connect to the qmgr, to put a message to a queue. It dosn't even need a
+put/+get/+brose. It seems to me that in the case of MQClient, it is the
local qmgr that actually does the puts/gets. So no authorization is needed
at all.  But this sounds too dangerous, doesn't it?

regards,

Benjamin F. Zhou
Mercedes-Benz USA
x.2474





  Robert Broderick
  <[EMAIL PROTECTED] To:
[EMAIL PROTECTED]
  OTMAIL.COM>    cc:
          Sent by: MQSeries  Subject: Re: Puzzled:
MQJE001, MQRC 2102 for non-mqm users
  List
  <[EMAIL PROTECTED]
  .AC.AT>


  01/02/2004 03:39
  PM
  Please respond to
  MQSeries List






Stillthe unanswered question

Why the 2102 Is something looping. I cannot see why insufficient access
authority would generate this type of error. It seems there is an
unresolved
bug.

About 2 months ago there was a discussin on the +inq for the JMS stuff and
if I  remember correctly the person at that time was not getting a 2102.


bobbee


>From: "Wyatt, T. Rob" <[EMAIL PROTECTED]>
>Reply-To: MQSeries List <[EMAIL PROTECTED]>
>To: [EMAIL PROTECTED]
>Subject: Re: Puzzled: MQJE001, MQRC 2102 for non-mqm users
>Date: Fri, 2 Jan 2004 13:40:13 -0600
>
>When this happened to us, my developers were not printing the linked JMS
>exception so I did not have a reason code to look at.  If I had been given
>a
>2102, it sure would have thrown me off!  I like to keep the events turned
>on
>so when I was presented with the problem I very quickly found an event
>message showing the UserID, the QMgr INQ call and a 2035.  Discussion with
>the user r

Re: Puzzled: MQJE001, MQRC 2102 for non-mqm users

[Nick Dilauro]

Benjamin,

I think you're missing something.  When you leave off the channel, I believe
it defaults to SYSTEM.DEF.SVRCONN channel.  Check your bindings file (if
your using the file version) and you can see the entry.

Nick


-Original Message-
From: MQSeries List [mailto:[EMAIL PROTECTED] On Behalf Of Benjamin
F. Zhou
Sent: Thursday, January 08, 2004 8:07 AM
To: [EMAIL PROTECTED]
Subject: Re: Puzzled: MQJE001, MQRC 2102 for non-mqm users

Rob,

thanks for the insight.
However, a JMS application accesses a qmgr via a connection factory object
defined in the JNDI namespace, NOT through a svrconn channel on the server,
i,e. it's actually not using the MQI channel. It can be seen from the
following entry in my definition script, that it actually creates a direct
socket connection to the host and port:

  def qcf(qCF) qmgr(MYQM) host(192.168.1.12) transport(client)
port(1415)

So such a definition makes it even more dangerous since there is no more MQ
level security can be activated.

While writing this, it became clear to me that the above is provided as an
alternative to using MQI channel to access a remote qmgr in order to avoid
having to define a client channel on the client side. Certainly, the above
definition can be altered to use MQI channel instead of the host propery:

  def qcf(qCF) qmgr(MYQM) channel(MYSVRCONN) transport(client)

However, the first is a dangerous alternative. Any comment?

regards,
Ben









  "Wyatt, T. Rob"
  <[EMAIL PROTECTED] To:
[EMAIL PROTECTED]
  MERICA.COM>  cc:
  Sent by: MQSeries    Subject: Re: Puzzled:
MQJE001, MQRC 2102 for non-mqm users
  List
  <[EMAIL PROTECTED]
  C.AT>


  01/05/2004 10:50 AM
  Please respond to
  MQSeries List






Benjamin,

That is because the channel used by the client is using the authority of
the
QMgr.  Unless you put an MCAUSER or a security exit that substitutes a
different UserID on the channel, you will get administrative rights.  This
is true of all client-connections and, yes, it is dangerous.

-- T.Rob

-Original Message-
From: Benjamin F. Zhou [mailto:[EMAIL PROTECTED]
Sent: Monday, January 05, 2004 9:55 AM
To: [EMAIL PROTECTED]
Subject: Re: Puzzled: MQJE001, MQRC 2102 for non-mqm users


Bob, that's a good point. I've opened a ticket with IBM on this misleading
reason code.

However, if I use client mode, the jms application needs neither +inq nor
+connect to the qmgr, to put a message to a queue. It dosn't even need a
+put/+get/+brose. It seems to me that in the case of MQClient, it is the
local qmgr that actually does the puts/gets. So no authorization is needed
at all.  But this sounds too dangerous, doesn't it?

regards,

Benjamin F. Zhou
Mercedes-Benz USA
x.2474





  Robert Broderick
  <[EMAIL PROTECTED] To:
[EMAIL PROTECTED]
  OTMAIL.COM>cc:
          Sent by: MQSeries      Subject: Re: Puzzled:
MQJE001, MQRC 2102 for non-mqm users
  List
  <[EMAIL PROTECTED]
  .AC.AT>


  01/02/2004 03:39
  PM
  Please respond to
  MQSeries List






Stillthe unanswered question

Why the 2102 Is something looping. I cannot see why insufficient access
authority would generate this type of error. It seems there is an
unresolved
bug.

About 2 months ago there was a discussin on the +inq for the JMS stuff and
if I  remember correctly the person at that time was not getting a 2102.


bobbee


>From: "Wyatt, T. Rob" <[EMAIL PROTECTED]>
>Reply-To: MQSeries List <[EMAIL PROTECTED]>
>To: [EMAIL PROTECTED]
>Subject: Re: Puzzled: MQJE001, MQRC 2102 for non-mqm users
>Date: Fri, 2 Jan 2004 13:40:13 -0600
>
>When this happened to us, my developers were not printing the linked JMS
>exception so I did not have a reason code to look at.  If I had been given
>a
>2102, it sure would have thrown me off!  I like to keep the events turned
>on
>so when I was presented with the problem I very quickly found an event
>message showing the UserID, the QMgr INQ call and a 2035.  Discussion with
>the user revealed that any QMgr inquiry calls were happening inside the
>Java
>classes and not in his code.  We have since learned that Java will inquire
>on queue objects as well, to obtain values for BOQUEUE and BOTHRESH if it
>has to back out a GET.
>
>-- T.Rob
>
>-----Original Message-----
>From: Benjamin F. Zhou [mailto:[EMAIL PROTECTED]
>Sent: Friday, January 02, 2004 2:24 PM
>To: [EMAIL PROTECTED]
>Subject: R

Re: Puzzled: MQJE001, MQRC 2102 for non-mqm users

[Benjamin F. Zhou]

Rob,

thanks for the insight.
However, a JMS application accesses a qmgr via a connection factory object
defined in the JNDI namespace, NOT through a svrconn channel on the server,
i,e. it's actually not using the MQI channel. It can be seen from the
following entry in my definition script, that it actually creates a direct
socket connection to the host and port:

  def qcf(qCF) qmgr(MYQM) host(192.168.1.12) transport(client)
port(1415)

So such a definition makes it even more dangerous since there is no more MQ
level security can be activated.

While writing this, it became clear to me that the above is provided as an
alternative to using MQI channel to access a remote qmgr in order to avoid
having to define a client channel on the client side. Certainly, the above
definition can be altered to use MQI channel instead of the host propery:

  def qcf(qCF) qmgr(MYQM) channel(MYSVRCONN) transport(client)

However, the first is a dangerous alternative. Any comment?

regards,
Ben









  "Wyatt, T. Rob"
  <[EMAIL PROTECTED] To:  [EMAIL PROTECTED]
  MERICA.COM>  cc:
  Sent by: MQSeries    Subject: Re: Puzzled: MQJE001, MQRC 
2102 for non-mqm users
  List
  <[EMAIL PROTECTED]
  C.AT>


  01/05/2004 10:50 AM
  Please respond to
  MQSeries List






Benjamin,

That is because the channel used by the client is using the authority of
the
QMgr.  Unless you put an MCAUSER or a security exit that substitutes a
different UserID on the channel, you will get administrative rights.  This
is true of all client-connections and, yes, it is dangerous.

-- T.Rob

-Original Message-
From: Benjamin F. Zhou [mailto:[EMAIL PROTECTED]
Sent: Monday, January 05, 2004 9:55 AM
To: [EMAIL PROTECTED]
Subject: Re: Puzzled: MQJE001, MQRC 2102 for non-mqm users


Bob, that's a good point. I've opened a ticket with IBM on this misleading
reason code.

However, if I use client mode, the jms application needs neither +inq nor
+connect to the qmgr, to put a message to a queue. It dosn't even need a
+put/+get/+brose. It seems to me that in the case of MQClient, it is the
local qmgr that actually does the puts/gets. So no authorization is needed
at all.  But this sounds too dangerous, doesn't it?

regards,

Benjamin F. Zhou
Mercedes-Benz USA
x.2474





  Robert Broderick
  <[EMAIL PROTECTED] To:
[EMAIL PROTECTED]
  OTMAIL.COM>cc:
      Sent by: MQSeries          Subject: Re: Puzzled:
MQJE001, MQRC 2102 for non-mqm users
  List
  <[EMAIL PROTECTED]
  .AC.AT>


  01/02/2004 03:39
  PM
  Please respond to
  MQSeries List






Stillthe unanswered question

Why the 2102 Is something looping. I cannot see why insufficient access
authority would generate this type of error. It seems there is an
unresolved
bug.

About 2 months ago there was a discussin on the +inq for the JMS stuff and
if I  remember correctly the person at that time was not getting a 2102.


bobbee


>From: "Wyatt, T. Rob" <[EMAIL PROTECTED]>
>Reply-To: MQSeries List <[EMAIL PROTECTED]>
>To: [EMAIL PROTECTED]
>Subject: Re: Puzzled: MQJE001, MQRC 2102 for non-mqm users
>Date: Fri, 2 Jan 2004 13:40:13 -0600
>
>When this happened to us, my developers were not printing the linked JMS
>exception so I did not have a reason code to look at.  If I had been given
>a
>2102, it sure would have thrown me off!  I like to keep the events turned
>on
>so when I was presented with the problem I very quickly found an event
>message showing the UserID, the QMgr INQ call and a 2035.  Discussion with
>the user revealed that any QMgr inquiry calls were happening inside the
>Java
>classes and not in his code.  We have since learned that Java will inquire
>on queue objects as well, to obtain values for BOQUEUE and BOTHRESH if it
>has to back out a GET.
>
>-- T.Rob
>
>-Original Message-----
>From: Benjamin F. Zhou [mailto:[EMAIL PROTECTED]
>Sent: Friday, January 02, 2004 2:24 PM
>To: [EMAIL PROTECTED]
>Subject: Re: Puzzled: MQJE001, MQRC 2102 for non-mqm users
>
>
>Hi Rob,
>
>Great !  Your tip on adding inq right to non-mqm users did the trick. Here
>is the setmqaut command:
>
>   setmqaut -m QMGR -t qmgr -p wasadmin +connect +inq
>
>But how did you know that a JMS appl needs inq right to the qmgr to
>establish connection? I didn't find such information on the JMS manual.
>
>thanks a lot for t

Re: Puzzled: MQJE001, MQRC 2102 for non-mqm users

[Carroll, Y. (Yvette)]

Title: RE: Puzzled: MQJE001, MQRC 2102 for non-mqm users





I found the following in the text for CSD 5 for V5.3 on AIX.  It MIGHT help explain
why you got a 2102 and not an access error:


IY43097 - Occasionally a failure with return code 2102
 (MQRC_RESOURCE_PROBLEM) occurred when trying to connect
 aplications to WebSphere MQ V5.3.  When a large number
 of applications attempted to perform a get operation
 with large buffer sizes,  the shared memory set was
 extended, but with incorrect permissions.  This meant
 that applications run under a user id which did not
 have mqm as its primary group could not connect to this
 extent, getting EACCESS from shmat. This was returned
 as a resource problem.


-Original Message-
From: Dawson, John [mailto:[EMAIL PROTECTED]]
Sent: 07 January 2004 10:52
To: [EMAIL PROTECTED]
Subject: Re: Puzzled: MQJE001, MQRC 2102 for non-mqm users



Peter,


  When referring to the WMQ manuals, be sure that you visit
http://www-306.ibm.com/software/integration/mqfamily/support/readme/cli530_r
ead_2.html for the manual updates as there is a lot of corrected information
regarding SSL.



Regards,


John Dawson
Phone: 972.281.4016
Fax    : 972.281.4904
mailto:[EMAIL PROTECTED]


 -Original Message-
From:   Heggie, Peter [mailto:[EMAIL PROTECTED]]
Sent:   Wednesday, January 07, 2004 2:32 PM
To: [EMAIL PROTECTED]
Subject:    Re: Puzzled: MQJE001, MQRC 2102 for non-mqm users


Thanks.. I see there is a redbook on Implementing MQ security from May
2003.. Is that the latest publication on MQ and SSL?


Peter Heggie



-Original Message-
From: MQSeries List [mailto:[EMAIL PROTECTED]] On Behalf Of
Potkay, Peter M (PLC, IT)
Sent: Wednesday, January 07, 2004 2:55 PM
To: [EMAIL PROTECTED]
Subject: Re: Puzzled: MQJE001, MQRC 2102 for non-mqm users



"I've been off the MQ board for six months.. Has implementing SSL gotten
any easier with MQ 5.3.5 ?"


From an MQ perspective, it is the same as when it first came out with
5.3.


-Original Message-
From: Heggie, Peter [mailto:[EMAIL PROTECTED]]
Sent: Monday, January 05, 2004 12:30 PM
To: [EMAIL PROTECTED]
Subject: Re: Puzzled: MQJE001, MQRC 2102 for non-mqm users



That's right.. I have heard this before. I could use the incoming userid
and incoming machine name and perform a lookup in a table and get an
assigned userid that has the correct priviledges. And that's about
halfway to the better solution of SSL and certificates. Our organization
has not implemented application level SSL and certificates so a
homegrown solution may be our only current option.


I've been off the MQ board for six months.. Has implementing SSL gotten
any easier with MQ 5.3.5 ?


Peter Heggie



-Original Message-
From: MQSeries List [mailto:[EMAIL PROTECTED]] On Behalf Of
Potkay, Peter M (PLC, IT)
Sent: Monday, January 05, 2004 12:12 PM
To: [EMAIL PROTECTED]
Subject: Re: Puzzled: MQJE001, MQRC 2102 for non-mqm users



But the real user could be some loser that defines the ID "mqm" on their
machine, logs on with that ID, and then your QM has no choice but to let
him do whatever they want!




-Original Message-
From: Heggie, Peter [mailto:[EMAIL PROTECTED]]
Sent: Monday, January 05, 2004 12:10 PM
To: [EMAIL PROTECTED]
Subject: Re: Puzzled: MQJE001, MQRC 2102 for non-mqm users



I'm sorry - I took the documentation to mean that for non-Java clients,
on Windows and UNIX, the userid in the MQCD is the currently logged on
user and that the environment variables are not referencved. So if I
could verify that it was not a Java client, then I could rely on the
userid to be the real user.


Peter Heggie



This e-mail and any files transmitted with it, are confidential to
National Grid and are intended solely for the use of the individual or
entity to whom they are addressed.  If you have received this e-mail in
error, please reply to this message and let the sender know.


Instructions for managing your mailing list subscription are provided in
the Listserv General Users Guide available at http://www.lsoft.com
Archive: http://vm.akh-wien.ac.at/MQSeries.archive



This communication, including attachments, is for the exclusive use of
addressee and may contain proprietary, confidential or privileged
information. If you are not the intended recipient, any use, copying,
disclosure, dissemination or distribution is strictly prohibited. If you
are not the intended recipient, please notify the sender immediately by
return email and delete this communication and destroy all copies.


Instructions for managing your mailing list subscription are provided in
the Listserv General Users Guide available at http://www.lsoft.com
Archive: http://vm.akh-wien.ac.at/MQSeries.archive


Instructions for managing your mailing list subscription are provided in
the Listserv General Users Gu

Re: Puzzled: MQJE001, MQRC 2102 for non-mqm users

[Heggie, Peter]

That's a very valuable reference! thanks

Peter Heggie


-Original Message-
From: MQSeries List [mailto:[EMAIL PROTECTED] On Behalf Of
Dawson, John
Sent: Wednesday, January 07, 2004 3:52 PM
To: [EMAIL PROTECTED]
Subject: Re: Puzzled: MQJE001, MQRC 2102 for non-mqm users


Peter,

  When referring to the WMQ manuals, be sure that you visit
http://www-306.ibm.com/software/integration/mqfamily/support/readme/cli5
30_r
ead_2.html for the manual updates as there is a lot of corrected
information regarding SSL.


Regards,

John Dawson
Phone: 972.281.4016
Fax: 972.281.4904
mailto:[EMAIL PROTECTED]

 -Original Message-
From:   Heggie, Peter [mailto:[EMAIL PROTECTED]
Sent:   Wednesday, January 07, 2004 2:32 PM
To: [EMAIL PROTECTED]
Subject:    Re: Puzzled: MQJE001, MQRC 2102 for non-mqm users

Thanks.. I see there is a redbook on Implementing MQ security from May
2003.. Is that the latest publication on MQ and SSL?

Peter Heggie


-Original Message-
From: MQSeries List [mailto:[EMAIL PROTECTED] On Behalf Of
Potkay, Peter M (PLC, IT)
Sent: Wednesday, January 07, 2004 2:55 PM
To: [EMAIL PROTECTED]
Subject: Re: Puzzled: MQJE001, MQRC 2102 for non-mqm users


"I've been off the MQ board for six months.. Has implementing SSL gotten
any easier with MQ 5.3.5 ?"

>From an MQ perspective, it is the same as when it first came out with
5.3.

-Original Message-
From: Heggie, Peter [mailto:[EMAIL PROTECTED]
Sent: Monday, January 05, 2004 12:30 PM
To: [EMAIL PROTECTED]
Subject: Re: Puzzled: MQJE001, MQRC 2102 for non-mqm users


That's right.. I have heard this before. I could use the incoming userid
and incoming machine name and perform a lookup in a table and get an
assigned userid that has the correct priviledges. And that's about
halfway to the better solution of SSL and certificates. Our organization
has not implemented application level SSL and certificates so a
homegrown solution may be our only current option.

I've been off the MQ board for six months.. Has implementing SSL gotten
any easier with MQ 5.3.5 ?

Peter Heggie


-Original Message-
From: MQSeries List [mailto:[EMAIL PROTECTED] On Behalf Of
Potkay, Peter M (PLC, IT)
Sent: Monday, January 05, 2004 12:12 PM
To: [EMAIL PROTECTED]
Subject: Re: Puzzled: MQJE001, MQRC 2102 for non-mqm users


But the real user could be some loser that defines the ID "mqm" on their
machine, logs on with that ID, and then your QM has no choice but to let
him do whatever they want!



-Original Message-
From: Heggie, Peter [mailto:[EMAIL PROTECTED]
Sent: Monday, January 05, 2004 12:10 PM
To: [EMAIL PROTECTED]
Subject: Re: Puzzled: MQJE001, MQRC 2102 for non-mqm users


I'm sorry - I took the documentation to mean that for non-Java clients,
on Windows and UNIX, the userid in the MQCD is the currently logged on
user and that the environment variables are not referencved. So if I
could verify that it was not a Java client, then I could rely on the
userid to be the real user.

Peter Heggie


This e-mail and any files transmitted with it, are confidential to
National Grid and are intended solely for the use of the individual or
entity to whom they are addressed.  If you have received this e-mail in
error, please reply to this message and let the sender know.

Instructions for managing your mailing list subscription are provided in
the Listserv General Users Guide available at http://www.lsoft.com
Archive: http://vm.akh-wien.ac.at/MQSeries.archive


This communication, including attachments, is for the exclusive use of
addressee and may contain proprietary, confidential or privileged
information. If you are not the intended recipient, any use, copying,
disclosure, dissemination or distribution is strictly prohibited. If you
are not the intended recipient, please notify the sender immediately by
return email and delete this communication and destroy all copies.

Instructions for managing your mailing list subscription are provided in
the Listserv General Users Guide available at http://www.lsoft.com
Archive: http://vm.akh-wien.ac.at/MQSeries.archive

Instructions for managing your mailing list subscription are provided in
the Listserv General Users Guide available at http://www.lsoft.com
Archive: http://vm.akh-wien.ac.at/MQSeries.archive

Instructions for managing your mailing list subscription are provided in
the Listserv General Users Guide available at http://www.lsoft.com
Archive: http://vm.akh-wien.ac.at/MQSeries.archive

Instructions for managing your mailing list subscription are provided in
the Listserv General Users Guide available at http://www.lsoft.com
Archive: http://vm.akh-wien.ac.at/MQSeries.archive

Re: Puzzled: MQJE001, MQRC 2102 for non-mqm users

[Heggie, Peter]

Thanks.. That's the one

Peter Heggie


-Original Message-
From: MQSeries List [mailto:[EMAIL PROTECTED] On Behalf Of
earMERC Roberts
Sent: Wednesday, January 07, 2004 3:40 PM
To: [EMAIL PROTECTED]
Subject: Re: Puzzled: MQJE001, MQRC 2102 for non-mqm users


the redbook is here:
http://publib-b.boulder.ibm.com/Redbooks.nsf/9445fa5b416f6e32852569ae006
bb65f/3effa2807d4b649e85256b750055b5f7?OpenDocument


Ernest Roberts
IT - Sr Sys Prog
MBUSA, LLC


- Forwarded by Ernest Roberts/171/DCAG/DCX on 01/07/2004 03:40 PM
-

  "Heggie, Peter"
  <[EMAIL PROTECTED] To:
[EMAIL PROTECTED]
  .NGRID.COM>  cc:
  Sent by:     Subject: Re: Puzzled:
MQJE001, MQRC 2102 for non-mqm users
  MQSeries List
  <[EMAIL PROTECTED]
  en.AC.AT>


  01/07/2004 03:31
  PM
  Please respond
  to MQSeries List






Thanks.. I see there is a redbook on Implementing MQ security from May
2003.. Is that the latest publication on MQ and SSL?

Peter Heggie


-Original Message-
From: MQSeries List [mailto:[EMAIL PROTECTED] On Behalf Of
Potkay, Peter M (PLC, IT)
Sent: Wednesday, January 07, 2004 2:55 PM
To: [EMAIL PROTECTED]
Subject: Re: Puzzled: MQJE001, MQRC 2102 for non-mqm users


"I've been off the MQ board for six months.. Has implementing SSL gotten
any easier with MQ 5.3.5 ?"

>From an MQ perspective, it is the same as when it first came out with
5.3.

-Original Message-
From: Heggie, Peter [mailto:[EMAIL PROTECTED]
Sent: Monday, January 05, 2004 12:30 PM
To: [EMAIL PROTECTED]
Subject: Re: Puzzled: MQJE001, MQRC 2102 for non-mqm users


That's right.. I have heard this before. I could use the incoming userid
and incoming machine name and perform a lookup in a table and get an
assigned userid that has the correct priviledges. And that's about
halfway to the better solution of SSL and certificates. Our organization
has not implemented application level SSL and certificates so a
homegrown solution may be our only current option.

I've been off the MQ board for six months.. Has implementing SSL gotten
any easier with MQ 5.3.5 ?

Peter Heggie


-Original Message-
From: MQSeries List [mailto:[EMAIL PROTECTED] On Behalf Of
Potkay, Peter M (PLC, IT)
Sent: Monday, January 05, 2004 12:12 PM
To: [EMAIL PROTECTED]
Subject: Re: Puzzled: MQJE001, MQRC 2102 for non-mqm users


But the real user could be some loser that defines the ID "mqm" on their
machine, logs on with that ID, and then your QM has no choice but to let
him do whatever they want!



-Original Message-
From: Heggie, Peter [mailto:[EMAIL PROTECTED]
Sent: Monday, January 05, 2004 12:10 PM
To: [EMAIL PROTECTED]
Subject: Re: Puzzled: MQJE001, MQRC 2102 for non-mqm users


I'm sorry - I took the documentation to mean that for non-Java clients,
on Windows and UNIX, the userid in the MQCD is the currently logged on
user and that the environment variables are not referencved. So if I
could verify that it was not a Java client, then I could rely on the
userid to be the real user.

Peter Heggie


This e-mail and any files transmitted with it, are confidential to
National Grid and are intended solely for the use of the individual or
entity to whom they are addressed.  If you have received this e-mail in
error, please reply to this message and let the sender know.

Instructions for managing your mailing list subscription are provided in
the Listserv General Users Guide available at http://www.lsoft.com
Archive: http://vm.akh-wien.ac.at/MQSeries.archive


This communication, including attachments, is for the exclusive use of
addressee and may contain proprietary, confidential or privileged
information. If you are not the intended recipient, any use, copying,
disclosure, dissemination or distribution is strictly prohibited. If you
are not the intended recipient, please notify the sender immediately by
return email and delete this communication and destroy all copies.

Instructions for managing your mailing list subscription are provided in
the Listserv General Users Guide available at http://www.lsoft.com
Archive: http://vm.akh-wien.ac.at/MQSeries.archive

Instructions for managing your mailing list subscription are provided in
the Listserv General Users Guide available at http://www.lsoft.com
Archive: http://vm.akh-wien.ac.at/MQSeries.archive

Instructions for managing your mailing list subscription are provided in
the Listserv General Users Guide available at http://www.lsoft.com
Archive: http://vm.akh-wien.ac.at/MQSeries.archive

Instructions for managing your mailing list subscription are provided in
the Listserv General Users Guide available at http://www.lsoft.com
Archive: http://vm.akh-wien.ac.at/MQSeries.archive

Re: Puzzled: MQJE001, MQRC 2102 for non-mqm users

[Dawson, John]

Peter,

  When referring to the WMQ manuals, be sure that you visit
http://www-306.ibm.com/software/integration/mqfamily/support/readme/cli530_r
ead_2.html for the manual updates as there is a lot of corrected information
regarding SSL.


Regards,

John Dawson
Phone: 972.281.4016
Fax: 972.281.4904
mailto:[EMAIL PROTECTED]

 -Original Message-
From:   Heggie, Peter [mailto:[EMAIL PROTECTED]
Sent:   Wednesday, January 07, 2004 2:32 PM
To: [EMAIL PROTECTED]
Subject:Re: Puzzled: MQJE001, MQRC 2102 for non-mqm users

Thanks.. I see there is a redbook on Implementing MQ security from May
2003.. Is that the latest publication on MQ and SSL?

Peter Heggie


-Original Message-
From: MQSeries List [mailto:[EMAIL PROTECTED] On Behalf Of
Potkay, Peter M (PLC, IT)
Sent: Wednesday, January 07, 2004 2:55 PM
To: [EMAIL PROTECTED]
Subject: Re: Puzzled: MQJE001, MQRC 2102 for non-mqm users


"I've been off the MQ board for six months.. Has implementing SSL gotten
any easier with MQ 5.3.5 ?"

>From an MQ perspective, it is the same as when it first came out with
5.3.

-Original Message-
From: Heggie, Peter [mailto:[EMAIL PROTECTED]
Sent: Monday, January 05, 2004 12:30 PM
To: [EMAIL PROTECTED]
Subject: Re: Puzzled: MQJE001, MQRC 2102 for non-mqm users


That's right.. I have heard this before. I could use the incoming userid
and incoming machine name and perform a lookup in a table and get an
assigned userid that has the correct priviledges. And that's about
halfway to the better solution of SSL and certificates. Our organization
has not implemented application level SSL and certificates so a
homegrown solution may be our only current option.

I've been off the MQ board for six months.. Has implementing SSL gotten
any easier with MQ 5.3.5 ?

Peter Heggie


-Original Message-
From: MQSeries List [mailto:[EMAIL PROTECTED] On Behalf Of
Potkay, Peter M (PLC, IT)
Sent: Monday, January 05, 2004 12:12 PM
To: [EMAIL PROTECTED]
Subject: Re: Puzzled: MQJE001, MQRC 2102 for non-mqm users


But the real user could be some loser that defines the ID "mqm" on their
machine, logs on with that ID, and then your QM has no choice but to let
him do whatever they want!



-Original Message-
From: Heggie, Peter [mailto:[EMAIL PROTECTED]
Sent: Monday, January 05, 2004 12:10 PM
To: [EMAIL PROTECTED]
Subject: Re: Puzzled: MQJE001, MQRC 2102 for non-mqm users


I'm sorry - I took the documentation to mean that for non-Java clients,
on Windows and UNIX, the userid in the MQCD is the currently logged on
user and that the environment variables are not referencved. So if I
could verify that it was not a Java client, then I could rely on the
userid to be the real user.

Peter Heggie


This e-mail and any files transmitted with it, are confidential to
National Grid and are intended solely for the use of the individual or
entity to whom they are addressed.  If you have received this e-mail in
error, please reply to this message and let the sender know.

Instructions for managing your mailing list subscription are provided in
the Listserv General Users Guide available at http://www.lsoft.com
Archive: http://vm.akh-wien.ac.at/MQSeries.archive


This communication, including attachments, is for the exclusive use of
addressee and may contain proprietary, confidential or privileged
information. If you are not the intended recipient, any use, copying,
disclosure, dissemination or distribution is strictly prohibited. If you
are not the intended recipient, please notify the sender immediately by
return email and delete this communication and destroy all copies.

Instructions for managing your mailing list subscription are provided in
the Listserv General Users Guide available at http://www.lsoft.com
Archive: http://vm.akh-wien.ac.at/MQSeries.archive

Instructions for managing your mailing list subscription are provided in
the Listserv General Users Guide available at http://www.lsoft.com
Archive: http://vm.akh-wien.ac.at/MQSeries.archive

Instructions for managing your mailing list subscription are provided in
the Listserv General Users Guide available at http://www.lsoft.com
Archive: http://vm.akh-wien.ac.at/MQSeries.archive

Re: Puzzled: MQJE001, MQRC 2102 for non-mqm users

[earMERC Roberts]

the redbook is here:
http://publib-b.boulder.ibm.com/Redbooks.nsf/9445fa5b416f6e32852569ae006bb65f/3effa2807d4b649e85256b750055b5f7?OpenDocument


Ernest Roberts
IT - Sr Sys Prog
MBUSA, LLC


- Forwarded by Ernest Roberts/171/DCAG/DCX on 01/07/2004 03:40 PM -

  "Heggie, Peter"
  <[EMAIL PROTECTED] To:  [EMAIL PROTECTED]
  .NGRID.COM>  cc:
  Sent by:     Subject: Re: Puzzled: MQJE001, MQRC 
2102 for non-mqm users
  MQSeries List
  <[EMAIL PROTECTED]
  en.AC.AT>


  01/07/2004 03:31
  PM
  Please respond
  to MQSeries List






Thanks.. I see there is a redbook on Implementing MQ security from May
2003.. Is that the latest publication on MQ and SSL?

Peter Heggie


-Original Message-
From: MQSeries List [mailto:[EMAIL PROTECTED] On Behalf Of
Potkay, Peter M (PLC, IT)
Sent: Wednesday, January 07, 2004 2:55 PM
To: [EMAIL PROTECTED]
Subject: Re: Puzzled: MQJE001, MQRC 2102 for non-mqm users


"I've been off the MQ board for six months.. Has implementing SSL gotten
any easier with MQ 5.3.5 ?"

>From an MQ perspective, it is the same as when it first came out with
5.3.

-Original Message-
From: Heggie, Peter [mailto:[EMAIL PROTECTED]
Sent: Monday, January 05, 2004 12:30 PM
To: [EMAIL PROTECTED]
Subject: Re: Puzzled: MQJE001, MQRC 2102 for non-mqm users


That's right.. I have heard this before. I could use the incoming userid
and incoming machine name and perform a lookup in a table and get an
assigned userid that has the correct priviledges. And that's about
halfway to the better solution of SSL and certificates. Our organization
has not implemented application level SSL and certificates so a
homegrown solution may be our only current option.

I've been off the MQ board for six months.. Has implementing SSL gotten
any easier with MQ 5.3.5 ?

Peter Heggie


-Original Message-
From: MQSeries List [mailto:[EMAIL PROTECTED] On Behalf Of
Potkay, Peter M (PLC, IT)
Sent: Monday, January 05, 2004 12:12 PM
To: [EMAIL PROTECTED]
Subject: Re: Puzzled: MQJE001, MQRC 2102 for non-mqm users


But the real user could be some loser that defines the ID "mqm" on their
machine, logs on with that ID, and then your QM has no choice but to let
him do whatever they want!



-Original Message-
From: Heggie, Peter [mailto:[EMAIL PROTECTED]
Sent: Monday, January 05, 2004 12:10 PM
To: [EMAIL PROTECTED]
Subject: Re: Puzzled: MQJE001, MQRC 2102 for non-mqm users


I'm sorry - I took the documentation to mean that for non-Java clients,
on Windows and UNIX, the userid in the MQCD is the currently logged on
user and that the environment variables are not referencved. So if I
could verify that it was not a Java client, then I could rely on the
userid to be the real user.

Peter Heggie


This e-mail and any files transmitted with it, are confidential to
National Grid and are intended solely for the use of the individual or
entity to whom they are addressed.  If you have received this e-mail in
error, please reply to this message and let the sender know.

Instructions for managing your mailing list subscription are provided in
the Listserv General Users Guide available at http://www.lsoft.com
Archive: http://vm.akh-wien.ac.at/MQSeries.archive


This communication, including attachments, is for the exclusive use of
addressee and may contain proprietary, confidential or privileged
information. If you are not the intended recipient, any use, copying,
disclosure, dissemination or distribution is strictly prohibited. If you
are not the intended recipient, please notify the sender immediately by
return email and delete this communication and destroy all copies.

Instructions for managing your mailing list subscription are provided in
the Listserv General Users Guide available at http://www.lsoft.com
Archive: http://vm.akh-wien.ac.at/MQSeries.archive

Instructions for managing your mailing list subscription are provided in
the Listserv General Users Guide available at http://www.lsoft.com
Archive: http://vm.akh-wien.ac.at/MQSeries.archive

Instructions for managing your mailing list subscription are provided in
the Listserv General Users Guide available at http://www.lsoft.com
Archive: http://vm.akh-wien.ac.at/MQSeries.archive

Re: Puzzled: MQJE001, MQRC 2102 for non-mqm users

[Heggie, Peter]

Thanks.. I see there is a redbook on Implementing MQ security from May
2003.. Is that the latest publication on MQ and SSL?

Peter Heggie


-Original Message-
From: MQSeries List [mailto:[EMAIL PROTECTED] On Behalf Of
Potkay, Peter M (PLC, IT)
Sent: Wednesday, January 07, 2004 2:55 PM
To: [EMAIL PROTECTED]
Subject: Re: Puzzled: MQJE001, MQRC 2102 for non-mqm users


"I've been off the MQ board for six months.. Has implementing SSL gotten
any easier with MQ 5.3.5 ?"

>From an MQ perspective, it is the same as when it first came out with
5.3.

-Original Message-
From: Heggie, Peter [mailto:[EMAIL PROTECTED]
Sent: Monday, January 05, 2004 12:30 PM
To: [EMAIL PROTECTED]
Subject: Re: Puzzled: MQJE001, MQRC 2102 for non-mqm users


That's right.. I have heard this before. I could use the incoming userid
and incoming machine name and perform a lookup in a table and get an
assigned userid that has the correct priviledges. And that's about
halfway to the better solution of SSL and certificates. Our organization
has not implemented application level SSL and certificates so a
homegrown solution may be our only current option.

I've been off the MQ board for six months.. Has implementing SSL gotten
any easier with MQ 5.3.5 ?

Peter Heggie


-Original Message-
From: MQSeries List [mailto:[EMAIL PROTECTED] On Behalf Of
Potkay, Peter M (PLC, IT)
Sent: Monday, January 05, 2004 12:12 PM
To: [EMAIL PROTECTED]
Subject: Re: Puzzled: MQJE001, MQRC 2102 for non-mqm users


But the real user could be some loser that defines the ID "mqm" on their
machine, logs on with that ID, and then your QM has no choice but to let
him do whatever they want!



-Original Message-
From: Heggie, Peter [mailto:[EMAIL PROTECTED]
Sent: Monday, January 05, 2004 12:10 PM
To: [EMAIL PROTECTED]
Subject: Re: Puzzled: MQJE001, MQRC 2102 for non-mqm users


I'm sorry - I took the documentation to mean that for non-Java clients,
on Windows and UNIX, the userid in the MQCD is the currently logged on
user and that the environment variables are not referencved. So if I
could verify that it was not a Java client, then I could rely on the
userid to be the real user.

Peter Heggie


This e-mail and any files transmitted with it, are confidential to
National Grid and are intended solely for the use of the individual or
entity to whom they are addressed.  If you have received this e-mail in
error, please reply to this message and let the sender know.

Instructions for managing your mailing list subscription are provided in
the Listserv General Users Guide available at http://www.lsoft.com
Archive: http://vm.akh-wien.ac.at/MQSeries.archive


This communication, including attachments, is for the exclusive use of
addressee and may contain proprietary, confidential or privileged
information. If you are not the intended recipient, any use, copying,
disclosure, dissemination or distribution is strictly prohibited. If you
are not the intended recipient, please notify the sender immediately by
return email and delete this communication and destroy all copies.

Instructions for managing your mailing list subscription are provided in
the Listserv General Users Guide available at http://www.lsoft.com
Archive: http://vm.akh-wien.ac.at/MQSeries.archive

Instructions for managing your mailing list subscription are provided in
the Listserv General Users Guide available at http://www.lsoft.com
Archive: http://vm.akh-wien.ac.at/MQSeries.archive

Re: Puzzled: MQJE001, MQRC 2102 for non-mqm users

[Potkay, Peter M (PLC, IT)]

"I've been off the MQ board for six months.. Has implementing SSL gotten
any easier with MQ 5.3.5 ?"

>From an MQ perspective, it is the same as when it first came out with 5.3.

-Original Message-
From: Heggie, Peter [mailto:[EMAIL PROTECTED]
Sent: Monday, January 05, 2004 12:30 PM
To: [EMAIL PROTECTED]
Subject: Re: Puzzled: MQJE001, MQRC 2102 for non-mqm users


That's right.. I have heard this before. I could use the incoming userid
and incoming machine name and perform a lookup in a table and get an
assigned userid that has the correct priviledges. And that's about
halfway to the better solution of SSL and certificates. Our organization
has not implemented application level SSL and certificates so a
homegrown solution may be our only current option.

I've been off the MQ board for six months.. Has implementing SSL gotten
any easier with MQ 5.3.5 ?

Peter Heggie


-Original Message-
From: MQSeries List [mailto:[EMAIL PROTECTED] On Behalf Of
Potkay, Peter M (PLC, IT)
Sent: Monday, January 05, 2004 12:12 PM
To: [EMAIL PROTECTED]
Subject: Re: Puzzled: MQJE001, MQRC 2102 for non-mqm users


But the real user could be some loser that defines the ID "mqm" on their
machine, logs on with that ID, and then your QM has no choice but to let
him do whatever they want!



-Original Message-
From: Heggie, Peter [mailto:[EMAIL PROTECTED]
Sent: Monday, January 05, 2004 12:10 PM
To: [EMAIL PROTECTED]
Subject: Re: Puzzled: MQJE001, MQRC 2102 for non-mqm users


I'm sorry - I took the documentation to mean that for non-Java clients,
on Windows and UNIX, the userid in the MQCD is the currently logged on
user and that the environment variables are not referencved. So if I
could verify that it was not a Java client, then I could rely on the
userid to be the real user.

Peter Heggie


This e-mail and any files transmitted with it, are confidential to National
Grid and are intended solely for the use of the individual or entity to whom
they are addressed.  If you have received this e-mail in error, please reply
to this message and let the sender know.

Instructions for managing your mailing list subscription are provided in
the Listserv General Users Guide available at http://www.lsoft.com
Archive: http://vm.akh-wien.ac.at/MQSeries.archive


This communication, including attachments, is for the exclusive use of
addressee and may contain proprietary, confidential or privileged
information. If you are not the intended recipient, any use, copying,
disclosure, dissemination or distribution is strictly prohibited. If
you are not the intended recipient, please notify the sender
immediately by return email and delete this communication and destroy all copies.

Instructions for managing your mailing list subscription are provided in
the Listserv General Users Guide available at http://www.lsoft.com
Archive: http://vm.akh-wien.ac.at/MQSeries.archive

Re: Puzzled: MQJE001, MQRC 2102 for non-mqm users

[Heggie, Peter]

That's right.. I have heard this before. I could use the incoming userid
and incoming machine name and perform a lookup in a table and get an
assigned userid that has the correct priviledges. And that's about
halfway to the better solution of SSL and certificates. Our organization
has not implemented application level SSL and certificates so a
homegrown solution may be our only current option.

I've been off the MQ board for six months.. Has implementing SSL gotten
any easier with MQ 5.3.5 ?

Peter Heggie


-Original Message-
From: MQSeries List [mailto:[EMAIL PROTECTED] On Behalf Of
Potkay, Peter M (PLC, IT)
Sent: Monday, January 05, 2004 12:12 PM
To: [EMAIL PROTECTED]
Subject: Re: Puzzled: MQJE001, MQRC 2102 for non-mqm users


But the real user could be some loser that defines the ID "mqm" on their
machine, logs on with that ID, and then your QM has no choice but to let
him do whatever they want!



-Original Message-
From: Heggie, Peter [mailto:[EMAIL PROTECTED]
Sent: Monday, January 05, 2004 12:10 PM
To: [EMAIL PROTECTED]
Subject: Re: Puzzled: MQJE001, MQRC 2102 for non-mqm users


I'm sorry - I took the documentation to mean that for non-Java clients,
on Windows and UNIX, the userid in the MQCD is the currently logged on
user and that the environment variables are not referencved. So if I
could verify that it was not a Java client, then I could rely on the
userid to be the real user.

Peter Heggie


This e-mail and any files transmitted with it, are confidential to National Grid and 
are intended solely for the use of the individual or entity to whom they are 
addressed.  If you have received this e-mail in error, please reply to this message 
and let the sender know.

Instructions for managing your mailing list subscription are provided in
the Listserv General Users Guide available at http://www.lsoft.com
Archive: http://vm.akh-wien.ac.at/MQSeries.archive

Re: Puzzled: MQJE001, MQRC 2102 for non-mqm users

[Potkay, Peter M (PLC, IT)]

But the real user could be some loser that defines the ID "mqm" on their
machine, logs on with that ID, and then your QM has no choice but to let him
do whatever they want!



-Original Message-
From: Heggie, Peter [mailto:[EMAIL PROTECTED]
Sent: Monday, January 05, 2004 12:10 PM
To: [EMAIL PROTECTED]
Subject: Re: Puzzled: MQJE001, MQRC 2102 for non-mqm users


I'm sorry - I took the documentation to mean that for non-Java clients,
on Windows and UNIX, the userid in the MQCD is the currently logged on
user and that the environment variables are not referencved. So if I
could verify that it was not a Java client, then I could rely on the
userid to be the real user.

Peter Heggie


-Original Message-
From: MQSeries List [mailto:[EMAIL PROTECTED] On Behalf Of Wyatt,
T. Rob
Sent: Monday, January 05, 2004 11:56 AM
To: [EMAIL PROTECTED]
Subject: Re: Puzzled: MQJE001, MQRC 2102 for non-mqm users


Peter,

If you could do that, what would it gain you?  In general you want ALL
client connections to use low-privileged IDs or else they have full
administrative rights to the QMgr.  It is trivial on Java and not too
much harder in other languages to specify any ID - mqm for instance - to
the client MCA.  Since the client can assert any ID, why would you trust
some types of client and not others?

-- T.Rob

-Original Message-
From: Heggie, Peter [mailto:[EMAIL PROTECTED]
Sent: Monday, January 05, 2004 11:11 AM
To: [EMAIL PROTECTED]
Subject: Re: Puzzled: MQJE001, MQRC 2102 for non-mqm users


Here is an excerpt from the doc (Clients/Chapter 7)

>>>
Access control in WebSphere MQ is based upon the user identifier
associated with the process making MQI calls. For WebSphere MQ clients,
the process that issues the MQI calls is the server-connection MCA. The
user identifiers used by the server-connection MCA are that contained in
the MCAUserIdentifier and LongMCAUserIdentifier fields of the MQCD. The
contents of these fields are determined by:

- Any values set by security exits

- The user ID (for clients on UNIX systems, Windows 2000, Windows NT,
and Windows XP ) or MQ_USER_ID environment variable (for other clients)
from the client.

- MCAUSER (in the server-connection channel definition).

Depending upon the combination of settings of the above, the
user-identifier fields are set to appropriate values. If a
server-connection security exit is provided, the user-identifier fields
can be set by the exit. Otherwise they are determined as follows:

If the server-connection channel MCAUSER attribute is nonblank, this
value is used.

If the server-connection channel MCAUSER attribute is blank, the user ID
received from the client is used. However, for the clients that use the
MQ_USER_ID environment variable to supply the user ID, it is possible
that no environment variable is set. In this case, the user ID that
started the server-connection channel is used.

For Java client connections, if the client application does not provide
a user ID then no client user identification is provided to the server.
<<<

Looking at a server connection channel, I see the MCA userid field is
blank, but the connection is coming from a Windows XP machine. I would
have thought, based on the documentation above that, except for Java
client apps, for the UNIX and Windows (W2k, NT, XP) clients that the
logged on userid is automatically placed in the MCA UserID field. But I
guess not. It is only placed in the MQCD exit block, available for an
exit to place the contents in the MCA User field.

Has anyone figured out how to determine if an incoming connection is
coming from a Java client?

Peter Heggie


-Original Message-
From: MQSeries List [mailto:[EMAIL PROTECTED] On Behalf Of Wyatt,
T. Rob
Sent: Monday, January 05, 2004 10:50 AM
To: [EMAIL PROTECTED]
Subject: Re: Puzzled: MQJE001, MQRC 2102 for non-mqm users


Benjamin,

That is because the channel used by the client is using the authority of
the QMgr.  Unless you put an MCAUSER or a security exit that substitutes
a different UserID on the channel, you will get administrative rights.
This is true of all client-connections and, yes, it is dangerous.

-- T.Rob

Instructions for managing your mailing list subscription are provided in
the Listserv General Users Guide available at http://www.lsoft.com
Archive: http://vm.akh-wien.ac.at/MQSeries.archive


This e-mail and any files transmitted with it, are confidential to National
Grid and are intended solely for the use of the individual or entity to whom
they are addressed.  If you have received this e-mail in error, please reply
to this message and let the sender know.

Instructions for managing your mailing list subscription are provided in
the Listserv General Users Guide available at http://www.lsoft.com
Archive: http://vm.akh-wien.ac.at/MQSeries.archive


This communication, including attachments, is for the exclusive use of
addressee and may contain proprietary, confidential or privi

Re: Puzzled: MQJE001, MQRC 2102 for non-mqm users

[Heggie, Peter]

I'm sorry - I took the documentation to mean that for non-Java clients,
on Windows and UNIX, the userid in the MQCD is the currently logged on
user and that the environment variables are not referencved. So if I
could verify that it was not a Java client, then I could rely on the
userid to be the real user.

Peter Heggie


-Original Message-
From: MQSeries List [mailto:[EMAIL PROTECTED] On Behalf Of Wyatt,
T. Rob
Sent: Monday, January 05, 2004 11:56 AM
To: [EMAIL PROTECTED]
Subject: Re: Puzzled: MQJE001, MQRC 2102 for non-mqm users


Peter,

If you could do that, what would it gain you?  In general you want ALL
client connections to use low-privileged IDs or else they have full
administrative rights to the QMgr.  It is trivial on Java and not too
much harder in other languages to specify any ID - mqm for instance - to
the client MCA.  Since the client can assert any ID, why would you trust
some types of client and not others?

-- T.Rob

-Original Message-
From: Heggie, Peter [mailto:[EMAIL PROTECTED]
Sent: Monday, January 05, 2004 11:11 AM
To: [EMAIL PROTECTED]
Subject: Re: Puzzled: MQJE001, MQRC 2102 for non-mqm users


Here is an excerpt from the doc (Clients/Chapter 7)

>>>
Access control in WebSphere MQ is based upon the user identifier
associated with the process making MQI calls. For WebSphere MQ clients,
the process that issues the MQI calls is the server-connection MCA. The
user identifiers used by the server-connection MCA are that contained in
the MCAUserIdentifier and LongMCAUserIdentifier fields of the MQCD. The
contents of these fields are determined by:

- Any values set by security exits

- The user ID (for clients on UNIX systems, Windows 2000, Windows NT,
and Windows XP ) or MQ_USER_ID environment variable (for other clients)
from the client.

- MCAUSER (in the server-connection channel definition).

Depending upon the combination of settings of the above, the
user-identifier fields are set to appropriate values. If a
server-connection security exit is provided, the user-identifier fields
can be set by the exit. Otherwise they are determined as follows:

If the server-connection channel MCAUSER attribute is nonblank, this
value is used.

If the server-connection channel MCAUSER attribute is blank, the user ID
received from the client is used. However, for the clients that use the
MQ_USER_ID environment variable to supply the user ID, it is possible
that no environment variable is set. In this case, the user ID that
started the server-connection channel is used.

For Java client connections, if the client application does not provide
a user ID then no client user identification is provided to the server.
<<<

Looking at a server connection channel, I see the MCA userid field is
blank, but the connection is coming from a Windows XP machine. I would
have thought, based on the documentation above that, except for Java
client apps, for the UNIX and Windows (W2k, NT, XP) clients that the
logged on userid is automatically placed in the MCA UserID field. But I
guess not. It is only placed in the MQCD exit block, available for an
exit to place the contents in the MCA User field.

Has anyone figured out how to determine if an incoming connection is
coming from a Java client?

Peter Heggie


-Original Message-
From: MQSeries List [mailto:[EMAIL PROTECTED] On Behalf Of Wyatt,
T. Rob
Sent: Monday, January 05, 2004 10:50 AM
To: [EMAIL PROTECTED]
Subject: Re: Puzzled: MQJE001, MQRC 2102 for non-mqm users


Benjamin,

That is because the channel used by the client is using the authority of
the QMgr.  Unless you put an MCAUSER or a security exit that substitutes
a different UserID on the channel, you will get administrative rights.
This is true of all client-connections and, yes, it is dangerous.

-- T.Rob

Instructions for managing your mailing list subscription are provided in
the Listserv General Users Guide available at http://www.lsoft.com
Archive: http://vm.akh-wien.ac.at/MQSeries.archive


This e-mail and any files transmitted with it, are confidential to National Grid and 
are intended solely for the use of the individual or entity to whom they are 
addressed.  If you have received this e-mail in error, please reply to this message 
and let the sender know.

Instructions for managing your mailing list subscription are provided in
the Listserv General Users Guide available at http://www.lsoft.com
Archive: http://vm.akh-wien.ac.at/MQSeries.archive

Re: Puzzled: MQJE001, MQRC 2102 for non-mqm users

[Wyatt, T. Rob]

Peter,

If you could do that, what would it gain you?  In general you want ALL
client connections to use low-privileged IDs or else they have full
administrative rights to the QMgr.  It is trivial on Java and not too much
harder in other languages to specify any ID - mqm for instance - to the
client MCA.  Since the client can assert any ID, why would you trust some
types of client and not others?

-- T.Rob

-Original Message-
From: Heggie, Peter [mailto:[EMAIL PROTECTED]
Sent: Monday, January 05, 2004 11:11 AM
To: [EMAIL PROTECTED]
Subject: Re: Puzzled: MQJE001, MQRC 2102 for non-mqm users


Here is an excerpt from the doc (Clients/Chapter 7)

>>>
Access control in WebSphere MQ is based upon the user identifier
associated
with the process making MQI calls. For WebSphere MQ clients, the process
that
issues the MQI calls is the server-connection MCA. The user identifiers
used
by the server-connection MCA are that contained in the MCAUserIdentifier
and
LongMCAUserIdentifier fields of the MQCD. The contents of these fields
are
determined by:

- Any values set by security exits

- The user ID (for clients on UNIX systems, Windows 2000, Windows NT,
and Windows XP )
or MQ_USER_ID environment variable (for other clients) from the client.

- MCAUSER (in the server-connection channel definition).

Depending upon the combination of settings of the above, the
user-identifier fields
are set to appropriate values. If a server-connection security exit is
provided,
the user-identifier fields can be set by the exit. Otherwise they are
determined as follows:

If the server-connection channel MCAUSER attribute is nonblank, this
value is used.

If the server-connection channel MCAUSER attribute is blank, the user ID
received
from the client is used. However, for the clients that use the
MQ_USER_ID environment
variable to supply the user ID, it is possible that no environment
variable is set.
In this case, the user ID that started the server-connection channel is
used.

For Java client connections, if the client application does not provide
a user ID
then no client user identification is provided to the server.
<<<

Looking at a server connection channel, I see the MCA userid field is
blank, but the connection is coming from a Windows XP machine. I would
have thought, based on the documentation above that, except for Java
client apps, for the UNIX and Windows (W2k, NT, XP) clients that the
logged on userid is automatically placed in the MCA UserID field. But I
guess not. It is only placed in the MQCD exit block, available for an
exit to place the contents in the MCA User field.

Has anyone figured out how to determine if an incoming connection is
coming from a Java client?

Peter Heggie


-Original Message-
From: MQSeries List [mailto:[EMAIL PROTECTED] On Behalf Of Wyatt,
T. Rob
Sent: Monday, January 05, 2004 10:50 AM
To: [EMAIL PROTECTED]
Subject: Re: Puzzled: MQJE001, MQRC 2102 for non-mqm users


Benjamin,

That is because the channel used by the client is using the authority of
the QMgr.  Unless you put an MCAUSER or a security exit that substitutes
a different UserID on the channel, you will get administrative rights.
This is true of all client-connections and, yes, it is dangerous.

-- T.Rob

Instructions for managing your mailing list subscription are provided in
the Listserv General Users Guide available at http://www.lsoft.com
Archive: http://vm.akh-wien.ac.at/MQSeries.archive

Re: Puzzled: MQJE001, MQRC 2102 for non-mqm users

[Heggie, Peter]

Here is an excerpt from the doc (Clients/Chapter 7)

>>>
Access control in WebSphere MQ is based upon the user identifier
associated 
with the process making MQI calls. For WebSphere MQ clients, the process
that 
issues the MQI calls is the server-connection MCA. The user identifiers
used 
by the server-connection MCA are that contained in the MCAUserIdentifier
and 
LongMCAUserIdentifier fields of the MQCD. The contents of these fields
are 
determined by: 

- Any values set by security exits

- The user ID (for clients on UNIX systems, Windows 2000, Windows NT,
and Windows XP ) 
or MQ_USER_ID environment variable (for other clients) from the client.

- MCAUSER (in the server-connection channel definition).

Depending upon the combination of settings of the above, the
user-identifier fields 
are set to appropriate values. If a server-connection security exit is
provided, 
the user-identifier fields can be set by the exit. Otherwise they are 
determined as follows: 

If the server-connection channel MCAUSER attribute is nonblank, this
value is used.
 
If the server-connection channel MCAUSER attribute is blank, the user ID
received 
from the client is used. However, for the clients that use the
MQ_USER_ID environment 
variable to supply the user ID, it is possible that no environment
variable is set. 
In this case, the user ID that started the server-connection channel is
used. 

For Java client connections, if the client application does not provide
a user ID 
then no client user identification is provided to the server. 
<<<

Looking at a server connection channel, I see the MCA userid field is
blank, but the connection is coming from a Windows XP machine. I would
have thought, based on the documentation above that, except for Java
client apps, for the UNIX and Windows (W2k, NT, XP) clients that the
logged on userid is automatically placed in the MCA UserID field. But I
guess not. It is only placed in the MQCD exit block, available for an
exit to place the contents in the MCA User field.

Has anyone figured out how to determine if an incoming connection is
coming from a Java client?

Peter Heggie


-Original Message-
From: MQSeries List [mailto:[EMAIL PROTECTED] On Behalf Of Wyatt,
T. Rob
Sent: Monday, January 05, 2004 10:50 AM
To: [EMAIL PROTECTED]
Subject: Re: Puzzled: MQJE001, MQRC 2102 for non-mqm users


Benjamin,

That is because the channel used by the client is using the authority of
the QMgr.  Unless you put an MCAUSER or a security exit that substitutes
a different UserID on the channel, you will get administrative rights.
This is true of all client-connections and, yes, it is dangerous.

-- T.Rob

-Original Message-
From: Benjamin F. Zhou [mailto:[EMAIL PROTECTED]
Sent: Monday, January 05, 2004 9:55 AM
To: [EMAIL PROTECTED]
Subject: Re: Puzzled: MQJE001, MQRC 2102 for non-mqm users


Bob, that's a good point. I've opened a ticket with IBM on this
misleading reason code.

However, if I use client mode, the jms application needs neither +inq
nor
+connect to the qmgr, to put a message to a queue. It dosn't even need a

+put/+get/+brose. It seems to me that in the case of MQClient, it is the
local qmgr that actually does the puts/gets. So no authorization is
needed at all.  But this sounds too dangerous, doesn't it?

regards,

Benjamin F. Zhou
Mercedes-Benz USA
x.2474





  Robert Broderick
  <[EMAIL PROTECTED] To:
[EMAIL PROTECTED]
  OTMAIL.COM>cc:
  Sent by: MQSeries      Subject: Re: Puzzled:
MQJE001, MQRC 2102 for non-mqm users
  List
  <[EMAIL PROTECTED]
  .AC.AT>


  01/02/2004 03:39
  PM
  Please respond to
  MQSeries List






Stillthe unanswered question

Why the 2102 Is something looping. I cannot see why insufficient
access authority would generate this type of error. It seems there is an
unresolved bug.

About 2 months ago there was a discussin on the +inq for the JMS stuff
and if I  remember correctly the person at that time was not getting a
2102.


bobbee


>From: "Wyatt, T. Rob" <[EMAIL PROTECTED]>
>Reply-To: MQSeries List <[EMAIL PROTECTED]>
>To: [EMAIL PROTECTED]
>Subject: Re: Puzzled: MQJE001, MQRC 2102 for non-mqm users
>Date: Fri, 2 Jan 2004 13:40:13 -0600
>
>When this happened to us, my developers were not printing the linked 
>JMS exception so I did not have a reason code to look at.  If I had 
>been given a 2102, it sure would have thrown me off!  I like to keep 
>the events turned on
>so when I was presented with the problem I very quickly found an event
>message showing the UserID, the QMgr INQ call and a 2035.  Discussion
with
>the user revealed that any QMgr inquiry calls were happening in

Re: Puzzled: MQJE001, MQRC 2102 for non-mqm users

[Wyatt, T. Rob]

Benjamin,

That is because the channel used by the client is using the authority of the
QMgr.  Unless you put an MCAUSER or a security exit that substitutes a
different UserID on the channel, you will get administrative rights.  This
is true of all client-connections and, yes, it is dangerous.

-- T.Rob

-Original Message-
From: Benjamin F. Zhou [mailto:[EMAIL PROTECTED]
Sent: Monday, January 05, 2004 9:55 AM
To: [EMAIL PROTECTED]
Subject: Re: Puzzled: MQJE001, MQRC 2102 for non-mqm users


Bob, that's a good point. I've opened a ticket with IBM on this misleading
reason code.

However, if I use client mode, the jms application needs neither +inq nor
+connect to the qmgr, to put a message to a queue. It dosn't even need a
+put/+get/+brose. It seems to me that in the case of MQClient, it is the
local qmgr that actually does the puts/gets. So no authorization is needed
at all.  But this sounds too dangerous, doesn't it?

regards,

Benjamin F. Zhou
Mercedes-Benz USA
x.2474





  Robert Broderick
  <[EMAIL PROTECTED] To:
[EMAIL PROTECTED]
  OTMAIL.COM>cc:
  Sent by: MQSeries  Subject: Re: Puzzled:
MQJE001, MQRC 2102 for non-mqm users
  List
  <[EMAIL PROTECTED]
  .AC.AT>


  01/02/2004 03:39
  PM
  Please respond to
  MQSeries List






Stillthe unanswered question

Why the 2102 Is something looping. I cannot see why insufficient access
authority would generate this type of error. It seems there is an
unresolved
bug.

About 2 months ago there was a discussin on the +inq for the JMS stuff and
if I  remember correctly the person at that time was not getting a 2102.


bobbee


>From: "Wyatt, T. Rob" <[EMAIL PROTECTED]>
>Reply-To: MQSeries List <[EMAIL PROTECTED]>
>To: [EMAIL PROTECTED]
>Subject: Re: Puzzled: MQJE001, MQRC 2102 for non-mqm users
>Date: Fri, 2 Jan 2004 13:40:13 -0600
>
>When this happened to us, my developers were not printing the linked JMS
>exception so I did not have a reason code to look at.  If I had been given
>a
>2102, it sure would have thrown me off!  I like to keep the events turned
>on
>so when I was presented with the problem I very quickly found an event
>message showing the UserID, the QMgr INQ call and a 2035.  Discussion with
>the user revealed that any QMgr inquiry calls were happening inside the
>Java
>classes and not in his code.  We have since learned that Java will inquire
>on queue objects as well, to obtain values for BOQUEUE and BOTHRESH if it
>has to back out a GET.
>
>-- T.Rob
>
>-Original Message-
>From: Benjamin F. Zhou [mailto:[EMAIL PROTECTED]
>Sent: Friday, January 02, 2004 2:24 PM
>To: [EMAIL PROTECTED]
>Subject: Re: Puzzled: MQJE001, MQRC 2102 for non-mqm users
>
>
>Hi Rob,
>
>Great !  Your tip on adding inq right to non-mqm users did the trick. Here
>is the setmqaut command:
>
>   setmqaut -m QMGR -t qmgr -p wasadmin +connect +inq
>
>But how did you know that a JMS appl needs inq right to the qmgr to
>establish connection? I didn't find such information on the JMS manual.
>
>thanks a lot for the insight !
>
>Ben
>
>
>
>
>
>
>
>   "Wyatt, T. Rob"
>               <[EMAIL PROTECTED] To:
>[EMAIL PROTECTED]
>   MERICA.COM>  cc:
>   Sent by: MQSeriesSubject: Re: Puzzled:
>MQJE001, MQRC 2102 for non-mqm users
>   List
>   <[EMAIL PROTECTED]
>   C.AT>
>
>
>   01/02/2004 12:44 PM
>   Please respond to
>   MQSeries List
>
>
>
>
>
>
>Benjamin,
>
>Are the classpaths the same between the two UserIDs?  If you are on Unix,
>try
>
>echo $CLASSPATH | tr ":" "\n"
>
>...from each user's command line and compare.  There are generally two
>types
>of problems that manifest themselves differently under different users -
>security, which you covered, and environment.
>
>Incidentally, you did not mention whether you gave the user Inquire on the
>QMgr and queues.  JMS will inquire the QMgr right after connecting.  This
>usually generates 2035's though.
>
>-- T.Rob
>
>-Original Message-
>From: Benjamin F. Zhou [mailto:[EMAIL PROTECTED]
>Sent: Friday, January 02, 2004 11:48 AM
>To: [EMAIL PROTECTED]
>Subject: Puzzled: MQJE001, MQRC 2102 for non-mqm users
>
>
>Hi,
>
>first, happy new year to every

Re: Puzzled: MQJE001, MQRC 2102 for non-mqm users

[David C. Partridge]

looks like the svrconn channel definition is running with the default value
of ' ' which means that all clients connect and run with "mqm" authority.
This is not very secure ...

Consider using a security exit solution to protect your client channels and
set a userid based on cryptographic credentials.

Dave

-Original Message-
From: MQSeries List [mailto:[EMAIL PROTECTED] Behalf Of
Benjamin F. Zhou
Sent: 05 January 2004 14:55
To: [EMAIL PROTECTED]
Subject: Re: Puzzled: MQJE001, MQRC 2102 for non-mqm users


Bob, that's a good point. I've opened a ticket with IBM on this misleading
reason code.

However, if I use client mode, the jms application needs neither +inq nor
+connect to the qmgr, to put a message to a queue. It dosn't even need a
+put/+get/+brose. It seems to me that in the case of MQClient, it is the
local qmgr that actually does the puts/gets. So no authorization is needed
at all.  But this sounds too dangerous, doesn't it?

regards,

Benjamin F. Zhou
Mercedes-Benz USA
x.2474





  Robert Broderick
  <[EMAIL PROTECTED] To:
[EMAIL PROTECTED]
  OTMAIL.COM>cc:
  Sent by: MQSeries      Subject: Re: Puzzled:
MQJE001, MQRC 2102 for non-mqm users
  List
  <[EMAIL PROTECTED]
  .AC.AT>


  01/02/2004 03:39
  PM
  Please respond to
  MQSeries List






Stillthe unanswered question

Why the 2102 Is something looping. I cannot see why insufficient access
authority would generate this type of error. It seems there is an
unresolved
bug.

About 2 months ago there was a discussin on the +inq for the JMS stuff and
if I  remember correctly the person at that time was not getting a 2102.


bobbee


>From: "Wyatt, T. Rob" <[EMAIL PROTECTED]>
>Reply-To: MQSeries List <[EMAIL PROTECTED]>
>To: [EMAIL PROTECTED]
>Subject: Re: Puzzled: MQJE001, MQRC 2102 for non-mqm users
>Date: Fri, 2 Jan 2004 13:40:13 -0600
>
>When this happened to us, my developers were not printing the linked JMS
>exception so I did not have a reason code to look at.  If I had been given
>a
>2102, it sure would have thrown me off!  I like to keep the events turned
>on
>so when I was presented with the problem I very quickly found an event
>message showing the UserID, the QMgr INQ call and a 2035.  Discussion with
>the user revealed that any QMgr inquiry calls were happening inside the
>Java
>classes and not in his code.  We have since learned that Java will inquire
>on queue objects as well, to obtain values for BOQUEUE and BOTHRESH if it
>has to back out a GET.
>
>-- T.Rob
>
>-Original Message-----
>From: Benjamin F. Zhou [mailto:[EMAIL PROTECTED]
>Sent: Friday, January 02, 2004 2:24 PM
>To: [EMAIL PROTECTED]
>Subject: Re: Puzzled: MQJE001, MQRC 2102 for non-mqm users
>
>
>Hi Rob,
>
>Great !  Your tip on adding inq right to non-mqm users did the trick. Here
>is the setmqaut command:
>
>   setmqaut -m QMGR -t qmgr -p wasadmin +connect +inq
>
>But how did you know that a JMS appl needs inq right to the qmgr to
>establish connection? I didn't find such information on the JMS manual.
>
>thanks a lot for the insight !
>
>Ben
>
>
>
>
>
>
>
>           "Wyatt, T. Rob"
>   <[EMAIL PROTECTED] To:
>[EMAIL PROTECTED]
>   MERICA.COM>  cc:
>   Sent by: MQSeriesSubject: Re: Puzzled:
>MQJE001, MQRC 2102 for non-mqm users
>   List
>   <[EMAIL PROTECTED]
>   C.AT>
>
>
>   01/02/2004 12:44 PM
>   Please respond to
>   MQSeries List
>
>
>
>
>
>
>Benjamin,
>
>Are the classpaths the same between the two UserIDs?  If you are on Unix,
>try
>
>echo $CLASSPATH | tr ":" "\n"
>
>...from each user's command line and compare.  There are generally two
>types
>of problems that manifest themselves differently under different users -
>security, which you covered, and environment.
>
>Incidentally, you did not mention whether you gave the user Inquire on the
>QMgr and queues.  JMS will inquire the QMgr right after connecting.  This
>usually generates 2035's though.
>
>-- T.Rob
>
>-Original Message-
>From: Benjamin F. Zhou [mailto:[EMAIL PROTECTED]
>Sent: Friday, January 02, 2004 11:48 AM
>To: [EMAIL PROTECTED]
>Subject: Puzzled: MQJE001, MQRC 2102 for non-mqm users
>
>
>Hi,
&

Re: Puzzled: MQJE001, MQRC 2102 for non-mqm users

[Benjamin F. Zhou]

Bob, that's a good point. I've opened a ticket with IBM on this misleading
reason code.

However, if I use client mode, the jms application needs neither +inq nor
+connect to the qmgr, to put a message to a queue. It dosn't even need a
+put/+get/+brose. It seems to me that in the case of MQClient, it is the
local qmgr that actually does the puts/gets. So no authorization is needed
at all.  But this sounds too dangerous, doesn't it?

regards,

Benjamin F. Zhou
Mercedes-Benz USA
x.2474





  Robert Broderick
  <[EMAIL PROTECTED] To:  [EMAIL PROTECTED]
  OTMAIL.COM>cc:
  Sent by: MQSeries  Subject: Re: Puzzled: MQJE001, MQRC 
2102 for non-mqm users
  List
  <[EMAIL PROTECTED]
  .AC.AT>


  01/02/2004 03:39
  PM
  Please respond to
  MQSeries List






Stillthe unanswered question

Why the 2102 Is something looping. I cannot see why insufficient access
authority would generate this type of error. It seems there is an
unresolved
bug.

About 2 months ago there was a discussin on the +inq for the JMS stuff and
if I  remember correctly the person at that time was not getting a 2102.


bobbee


>From: "Wyatt, T. Rob" <[EMAIL PROTECTED]>
>Reply-To: MQSeries List <[EMAIL PROTECTED]>
>To: [EMAIL PROTECTED]
>Subject: Re: Puzzled: MQJE001, MQRC 2102 for non-mqm users
>Date: Fri, 2 Jan 2004 13:40:13 -0600
>
>When this happened to us, my developers were not printing the linked JMS
>exception so I did not have a reason code to look at.  If I had been given
>a
>2102, it sure would have thrown me off!  I like to keep the events turned
>on
>so when I was presented with the problem I very quickly found an event
>message showing the UserID, the QMgr INQ call and a 2035.  Discussion with
>the user revealed that any QMgr inquiry calls were happening inside the
>Java
>classes and not in his code.  We have since learned that Java will inquire
>on queue objects as well, to obtain values for BOQUEUE and BOTHRESH if it
>has to back out a GET.
>
>-- T.Rob
>
>-Original Message-
>From: Benjamin F. Zhou [mailto:[EMAIL PROTECTED]
>Sent: Friday, January 02, 2004 2:24 PM
>To: [EMAIL PROTECTED]
>Subject: Re: Puzzled: MQJE001, MQRC 2102 for non-mqm users
>
>
>Hi Rob,
>
>Great !  Your tip on adding inq right to non-mqm users did the trick. Here
>is the setmqaut command:
>
>   setmqaut -m QMGR -t qmgr -p wasadmin +connect +inq
>
>But how did you know that a JMS appl needs inq right to the qmgr to
>establish connection? I didn't find such information on the JMS manual.
>
>thanks a lot for the insight !
>
>Ben
>
>
>
>
>
>
>
>   "Wyatt, T. Rob"
>               <[EMAIL PROTECTED] To:
>[EMAIL PROTECTED]
>   MERICA.COM>  cc:
>   Sent by: MQSeriesSubject: Re: Puzzled:
>MQJE001, MQRC 2102 for non-mqm users
>   List
>   <[EMAIL PROTECTED]
>   C.AT>
>
>
>   01/02/2004 12:44 PM
>   Please respond to
>   MQSeries List
>
>
>
>
>
>
>Benjamin,
>
>Are the classpaths the same between the two UserIDs?  If you are on Unix,
>try
>
>echo $CLASSPATH | tr ":" "\n"
>
>...from each user's command line and compare.  There are generally two
>types
>of problems that manifest themselves differently under different users -
>security, which you covered, and environment.
>
>Incidentally, you did not mention whether you gave the user Inquire on the
>QMgr and queues.  JMS will inquire the QMgr right after connecting.  This
>usually generates 2035's though.
>
>-- T.Rob
>
>-Original Message-
>From: Benjamin F. Zhou [mailto:[EMAIL PROTECTED]
>Sent: Friday, January 02, 2004 11:48 AM
>To: [EMAIL PROTECTED]
>Subject: Puzzled: MQJE001, MQRC 2102 for non-mqm users
>
>
>Hi,
>
>first, happy new year to everyone.
>
>while trouble-shooting a WAS application's MQRC2102 problem, I wrote a
>simple jms program to put msg to a queue.
>
>The program runs without problem if I start it as "mqm", but if I logon as
>a different user than mqm, got the same MQJE001, MQRC 2102 exception.
>I explicitely allowed that user the right to connect to the same qmgr and
>put/get to the queues, and run the sample executible amqsput, amqsget
>without any problem.
>
>

Re: Puzzled: MQJE001, MQRC 2102 for non-mqm users

[Robert Broderick]

Stillthe unanswered question

Why the 2102 Is something looping. I cannot see why insufficient access
authority would generate this type of error. It seems there is an unresolved
bug.
About 2 months ago there was a discussin on the +inq for the JMS stuff and
if I  remember correctly the person at that time was not getting a 2102.
bobbee


From: "Wyatt, T. Rob" <[EMAIL PROTECTED]>
Reply-To: MQSeries List <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Re: Puzzled: MQJE001, MQRC 2102 for non-mqm users
Date: Fri, 2 Jan 2004 13:40:13 -0600
When this happened to us, my developers were not printing the linked JMS
exception so I did not have a reason code to look at.  If I had been given
a
2102, it sure would have thrown me off!  I like to keep the events turned
on
so when I was presented with the problem I very quickly found an event
message showing the UserID, the QMgr INQ call and a 2035.  Discussion with
the user revealed that any QMgr inquiry calls were happening inside the
Java
classes and not in his code.  We have since learned that Java will inquire
on queue objects as well, to obtain values for BOQUEUE and BOTHRESH if it
has to back out a GET.
-- T.Rob

-Original Message-
From: Benjamin F. Zhou [mailto:[EMAIL PROTECTED]
Sent: Friday, January 02, 2004 2:24 PM
To: [EMAIL PROTECTED]
Subject: Re: Puzzled: MQJE001, MQRC 2102 for non-mqm users
Hi Rob,

Great !  Your tip on adding inq right to non-mqm users did the trick. Here
is the setmqaut command:
  setmqaut -m QMGR -t qmgr -p wasadmin +connect +inq

But how did you know that a JMS appl needs inq right to the qmgr to
establish connection? I didn't find such information on the JMS manual.
thanks a lot for the insight !

Ben







  "Wyatt, T. Rob"
  <[EMAIL PROTECTED] To:
[EMAIL PROTECTED]
  MERICA.COM>  cc:
  Sent by: MQSeries    Subject: Re: Puzzled:
MQJE001, MQRC 2102 for non-mqm users
  List
  <[EMAIL PROTECTED]
  C.AT>
  01/02/2004 12:44 PM
  Please respond to
  MQSeries List




Benjamin,

Are the classpaths the same between the two UserIDs?  If you are on Unix,
try
echo $CLASSPATH | tr ":" "\n"

...from each user's command line and compare.  There are generally two
types
of problems that manifest themselves differently under different users -
security, which you covered, and environment.
Incidentally, you did not mention whether you gave the user Inquire on the
QMgr and queues.  JMS will inquire the QMgr right after connecting.  This
usually generates 2035's though.
-- T.Rob

-Original Message-
From: Benjamin F. Zhou [mailto:[EMAIL PROTECTED]
Sent: Friday, January 02, 2004 11:48 AM
To: [EMAIL PROTECTED]
Subject: Puzzled: MQJE001, MQRC 2102 for non-mqm users
Hi,

first, happy new year to everyone.

while trouble-shooting a WAS application's MQRC2102 problem, I wrote a
simple jms program to put msg to a queue.
The program runs without problem if I start it as "mqm", but if I logon as
a different user than mqm, got the same MQJE001, MQRC 2102 exception.
I explicitely allowed that user the right to connect to the same qmgr and
put/get to the queues, and run the sample executible amqsput, amqsget
without any problem.
MQRC 2102 is resource problem, but I don't understand why it happen to WAS
users, but not to mqm, and only happens to jms applications.
Any idea would be greatly appreciated.

Benjamin F. Zhou
Messaging & Integration
Research & Technology, ITM
Mercedes-Benz USA
x.2474
Instructions for managing your mailing list subscription are provided in
the Listserv General Users Guide available at http://www.lsoft.com
Archive: http://vm.akh-wien.ac.at/MQSeries.archive
Instructions for managing your mailing list subscription are provided in
the Listserv General Users Guide available at http://www.lsoft.com
Archive: http://vm.akh-wien.ac.at/MQSeries.archive
Instructions for managing your mailing list subscription are provided in
the Listserv General Users Guide available at http://www.lsoft.com
Archive: http://vm.akh-wien.ac.at/MQSeries.archive
Instructions for managing your mailing list subscription are provided in
the Listserv General Users Guide available at http://www.lsoft.com
Archive: http://vm.akh-wien.ac.at/MQSeries.archive
_
Get reliable dial-up Internet access now with our limited-time introductory
offer.  http://join.msn.com/?page=dept/dialup
Instructions for managing your mailing list subscription are provided in
the Listserv General Users Guide available at http://www.lsoft.com
Archive: http://vm.akh-wien.ac.at/MQSeries.archive

Re: Puzzled: MQJE001, MQRC 2102 for non-mqm users

[Wyatt, T. Rob]

When this happened to us, my developers were not printing the linked JMS
exception so I did not have a reason code to look at.  If I had been given a
2102, it sure would have thrown me off!  I like to keep the events turned on
so when I was presented with the problem I very quickly found an event
message showing the UserID, the QMgr INQ call and a 2035.  Discussion with
the user revealed that any QMgr inquiry calls were happening inside the Java
classes and not in his code.  We have since learned that Java will inquire
on queue objects as well, to obtain values for BOQUEUE and BOTHRESH if it
has to back out a GET.

-- T.Rob

-Original Message-
From: Benjamin F. Zhou [mailto:[EMAIL PROTECTED]
Sent: Friday, January 02, 2004 2:24 PM
To: [EMAIL PROTECTED]
Subject: Re: Puzzled: MQJE001, MQRC 2102 for non-mqm users


Hi Rob,

Great !  Your tip on adding inq right to non-mqm users did the trick. Here
is the setmqaut command:

  setmqaut -m QMGR -t qmgr -p wasadmin +connect +inq

But how did you know that a JMS appl needs inq right to the qmgr to
establish connection? I didn't find such information on the JMS manual.

thanks a lot for the insight !

Ben







  "Wyatt, T. Rob"
  <[EMAIL PROTECTED] To:
[EMAIL PROTECTED]
  MERICA.COM>  cc:
  Sent by: MQSeries    Subject: Re: Puzzled:
MQJE001, MQRC 2102 for non-mqm users
  List
  <[EMAIL PROTECTED]
  C.AT>


  01/02/2004 12:44 PM
  Please respond to
  MQSeries List






Benjamin,

Are the classpaths the same between the two UserIDs?  If you are on Unix,
try

echo $CLASSPATH | tr ":" "\n"

...from each user's command line and compare.  There are generally two
types
of problems that manifest themselves differently under different users -
security, which you covered, and environment.

Incidentally, you did not mention whether you gave the user Inquire on the
QMgr and queues.  JMS will inquire the QMgr right after connecting.  This
usually generates 2035's though.

-- T.Rob

-Original Message-
From: Benjamin F. Zhou [mailto:[EMAIL PROTECTED]
Sent: Friday, January 02, 2004 11:48 AM
To: [EMAIL PROTECTED]
Subject: Puzzled: MQJE001, MQRC 2102 for non-mqm users


Hi,

first, happy new year to everyone.

while trouble-shooting a WAS application's MQRC2102 problem, I wrote a
simple jms program to put msg to a queue.

The program runs without problem if I start it as "mqm", but if I logon as
a different user than mqm, got the same MQJE001, MQRC 2102 exception.
I explicitely allowed that user the right to connect to the same qmgr and
put/get to the queues, and run the sample executible amqsput, amqsget
without any problem.

MQRC 2102 is resource problem, but I don't understand why it happen to WAS
users, but not to mqm, and only happens to jms applications.

Any idea would be greatly appreciated.

Benjamin F. Zhou
Messaging & Integration
Research & Technology, ITM
Mercedes-Benz USA
x.2474

Instructions for managing your mailing list subscription are provided in
the Listserv General Users Guide available at http://www.lsoft.com
Archive: http://vm.akh-wien.ac.at/MQSeries.archive

Instructions for managing your mailing list subscription are provided in
the Listserv General Users Guide available at http://www.lsoft.com
Archive: http://vm.akh-wien.ac.at/MQSeries.archive

Instructions for managing your mailing list subscription are provided in
the Listserv General Users Guide available at http://www.lsoft.com
Archive: http://vm.akh-wien.ac.at/MQSeries.archive

Instructions for managing your mailing list subscription are provided in
the Listserv General Users Guide available at http://www.lsoft.com
Archive: http://vm.akh-wien.ac.at/MQSeries.archive

Re: Puzzled: MQJE001, MQRC 2102 for non-mqm users

[Benjamin F. Zhou]

Hi Rob,

Great !  Your tip on adding inq right to non-mqm users did the trick. Here
is the setmqaut command:

  setmqaut -m QMGR -t qmgr -p wasadmin +connect +inq

But how did you know that a JMS appl needs inq right to the qmgr to
establish connection? I didn't find such information on the JMS manual.

thanks a lot for the insight !

Ben







  "Wyatt, T. Rob"
  <[EMAIL PROTECTED] To:  [EMAIL PROTECTED]
  MERICA.COM>  cc:
  Sent by: MQSeries    Subject: Re: Puzzled: MQJE001, MQRC 
2102 for non-mqm users
  List
  <[EMAIL PROTECTED]
  C.AT>


  01/02/2004 12:44 PM
  Please respond to
  MQSeries List






Benjamin,

Are the classpaths the same between the two UserIDs?  If you are on Unix,
try

echo $CLASSPATH | tr ":" "\n"

...from each user's command line and compare.  There are generally two
types
of problems that manifest themselves differently under different users -
security, which you covered, and environment.

Incidentally, you did not mention whether you gave the user Inquire on the
QMgr and queues.  JMS will inquire the QMgr right after connecting.  This
usually generates 2035's though.

-- T.Rob

-Original Message-
From: Benjamin F. Zhou [mailto:[EMAIL PROTECTED]
Sent: Friday, January 02, 2004 11:48 AM
To: [EMAIL PROTECTED]
Subject: Puzzled: MQJE001, MQRC 2102 for non-mqm users


Hi,

first, happy new year to everyone.

while trouble-shooting a WAS application's MQRC2102 problem, I wrote a
simple jms program to put msg to a queue.

The program runs without problem if I start it as "mqm", but if I logon as
a different user than mqm, got the same MQJE001, MQRC 2102 exception.
I explicitely allowed that user the right to connect to the same qmgr and
put/get to the queues, and run the sample executible amqsput, amqsget
without any problem.

MQRC 2102 is resource problem, but I don't understand why it happen to WAS
users, but not to mqm, and only happens to jms applications.

Any idea would be greatly appreciated.

Benjamin F. Zhou
Messaging & Integration
Research & Technology, ITM
Mercedes-Benz USA
x.2474

Instructions for managing your mailing list subscription are provided in
the Listserv General Users Guide available at http://www.lsoft.com
Archive: http://vm.akh-wien.ac.at/MQSeries.archive

Instructions for managing your mailing list subscription are provided in
the Listserv General Users Guide available at http://www.lsoft.com
Archive: http://vm.akh-wien.ac.at/MQSeries.archive

Instructions for managing your mailing list subscription are provided in
the Listserv General Users Guide available at http://www.lsoft.com
Archive: http://vm.akh-wien.ac.at/MQSeries.archive

Re: Puzzled: MQJE001, MQRC 2102 for non-mqm users

[Robert Broderick]

Also, can you run it under a debugger or have it dump some kind of debugging
info to determine where it is chewing up memory.
bobbee


From: "Wyatt, T. Rob" <[EMAIL PROTECTED]>
Reply-To: MQSeries List <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Re: Puzzled: MQJE001, MQRC 2102 for non-mqm users
Date: Fri, 2 Jan 2004 11:44:31 -0600
Benjamin,

Are the classpaths the same between the two UserIDs?  If you are on Unix,
try
echo $CLASSPATH | tr ":" "\n"

...from each user's command line and compare.  There are generally two
types
of problems that manifest themselves differently under different users -
security, which you covered, and environment.
Incidentally, you did not mention whether you gave the user Inquire on the
QMgr and queues.  JMS will inquire the QMgr right after connecting.  This
usually generates 2035's though.
-- T.Rob

-Original Message-
From: Benjamin F. Zhou [mailto:[EMAIL PROTECTED]
Sent: Friday, January 02, 2004 11:48 AM
To: [EMAIL PROTECTED]
Subject: Puzzled: MQJE001, MQRC 2102 for non-mqm users
Hi,

first, happy new year to everyone.

while trouble-shooting a WAS application's MQRC2102 problem, I wrote a
simple jms program to put msg to a queue.
The program runs without problem if I start it as "mqm", but if I logon as
a different user than mqm, got the same MQJE001, MQRC 2102 exception.
I explicitely allowed that user the right to connect to the same qmgr and
put/get to the queues, and run the sample executible amqsput, amqsget
without any problem.
MQRC 2102 is resource problem, but I don't understand why it happen to WAS
users, but not to mqm, and only happens to jms applications.
Any idea would be greatly appreciated.

Benjamin F. Zhou
Messaging & Integration
Research & Technology, ITM
Mercedes-Benz USA
x.2474
Instructions for managing your mailing list subscription are provided in
the Listserv General Users Guide available at http://www.lsoft.com
Archive: http://vm.akh-wien.ac.at/MQSeries.archive
Instructions for managing your mailing list subscription are provided in
the Listserv General Users Guide available at http://www.lsoft.com
Archive: http://vm.akh-wien.ac.at/MQSeries.archive
_
Enjoy a special introductory offer for dial-up Internet access   limited
time only! http://join.msn.com/?page=dept/dialup
Instructions for managing your mailing list subscription are provided in
the Listserv General Users Guide available at http://www.lsoft.com
Archive: http://vm.akh-wien.ac.at/MQSeries.archive

Re: Puzzled: MQJE001, MQRC 2102 for non-mqm users

[Wyatt, T. Rob]

Benjamin,

Are the classpaths the same between the two UserIDs?  If you are on Unix,
try

echo $CLASSPATH | tr ":" "\n"

...from each user's command line and compare.  There are generally two types
of problems that manifest themselves differently under different users -
security, which you covered, and environment.

Incidentally, you did not mention whether you gave the user Inquire on the
QMgr and queues.  JMS will inquire the QMgr right after connecting.  This
usually generates 2035's though.

-- T.Rob

-Original Message-
From: Benjamin F. Zhou [mailto:[EMAIL PROTECTED]
Sent: Friday, January 02, 2004 11:48 AM
To: [EMAIL PROTECTED]
Subject: Puzzled: MQJE001, MQRC 2102 for non-mqm users


Hi,

first, happy new year to everyone.

while trouble-shooting a WAS application's MQRC2102 problem, I wrote a
simple jms program to put msg to a queue.

The program runs without problem if I start it as "mqm", but if I logon as
a different user than mqm, got the same MQJE001, MQRC 2102 exception.
I explicitely allowed that user the right to connect to the same qmgr and
put/get to the queues, and run the sample executible amqsput, amqsget
without any problem.

MQRC 2102 is resource problem, but I don't understand why it happen to WAS
users, but not to mqm, and only happens to jms applications.

Any idea would be greatly appreciated.

Benjamin F. Zhou
Messaging & Integration
Research & Technology, ITM
Mercedes-Benz USA
x.2474

Instructions for managing your mailing list subscription are provided in
the Listserv General Users Guide available at http://www.lsoft.com
Archive: http://vm.akh-wien.ac.at/MQSeries.archive

Instructions for managing your mailing list subscription are provided in
the Listserv General Users Guide available at http://www.lsoft.com
Archive: http://vm.akh-wien.ac.at/MQSeries.archive

Re: Puzzled: MQJE001, MQRC 2102 for non-mqm users

[Robert Broderick]

Maybe it's your profile for the userid and how it allocates it's resources.
One of the developers had an issue here giving the same error (after a
volume test) they increased the storage requirements for the JVM and it ran
OK after that. Compare the profile of mqm with your user Id. I don't know if
this is true BUT maybe ther is also a group profile being
executed??
   bobbee


From: "Benjamin F. Zhou" <[EMAIL PROTECTED]>
Reply-To: MQSeries List <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Puzzled: MQJE001, MQRC 2102 for non-mqm users
Date: Fri, 2 Jan 2004 11:47:48 -0500
Hi,

first, happy new year to everyone.

while trouble-shooting a WAS application's MQRC2102 problem, I wrote a
simple jms program to put msg to a queue.
The program runs without problem if I start it as "mqm", but if I logon as
a different user than mqm, got the same MQJE001, MQRC 2102 exception.
I explicitely allowed that user the right to connect to the same qmgr and
put/get to the queues, and run the sample executible amqsput, amqsget
without any problem.
MQRC 2102 is resource problem, but I don't understand why it happen to WAS
users, but not to mqm, and only happens to jms applications.
Any idea would be greatly appreciated.

Benjamin F. Zhou
Messaging & Integration
Research & Technology, ITM
Mercedes-Benz USA
x.2474
Instructions for managing your mailing list subscription are provided in
the Listserv General Users Guide available at http://www.lsoft.com
Archive: http://vm.akh-wien.ac.at/MQSeries.archive
_
Check your PC for viruses with the FREE McAfee online computer scan.
http://clinic.mcafee.com/clinic/ibuy/campaign.asp?cid=3963
Instructions for managing your mailing list subscription are provided in
the Listserv General Users Guide available at http://www.lsoft.com
Archive: http://vm.akh-wien.ac.at/MQSeries.archive

Puzzled: MQJE001, MQRC 2102 for non-mqm users

[Benjamin F. Zhou]

Hi,

first, happy new year to everyone.

while trouble-shooting a WAS application's MQRC2102 problem, I wrote a
simple jms program to put msg to a queue.

The program runs without problem if I start it as "mqm", but if I logon as
a different user than mqm, got the same MQJE001, MQRC 2102 exception.
I explicitely allowed that user the right to connect to the same qmgr and
put/get to the queues, and run the sample executible amqsput, amqsget
without any problem.

MQRC 2102 is resource problem, but I don't understand why it happen to WAS
users, but not to mqm, and only happens to jms applications.

Any idea would be greatly appreciated.

Benjamin F. Zhou
Messaging & Integration
Research & Technology, ITM
Mercedes-Benz USA
x.2474

Instructions for managing your mailing list subscription are provided in
the Listserv General Users Guide available at http://www.lsoft.com
Archive: http://vm.akh-wien.ac.at/MQSeries.archive