It's a nice solution that only applies with Queue manager to Queue manager
channels. You can't do this sort of thing with a server connection channel,
because there is no queue manager at the other end (also no transmission
queue etc etc). It also shouldn't be necessary to do this to keep a
Hi Roger,
That message should only appear if you are using the extended
transactional clients product (ETC). Is it your intention to be using
ETC with Weblogic? Such a configuration would require an ETC license for
each client/Weblogic box you wish to use it on. To the best of my
knowledge this
As Neil has said, maybe it is a bug, HBINT should do the trick.
In the mean time, code the application so that when you get a 2009, do a
re-connect to the QMGR in that way you can re-establish a connection again,
I think that may work as a work around.
But I would take it up with IBM.
Stuart,
I don't use the MQ VB client but if you're doing this from 'C' or the VB
client uses the C client then I too am surprised that you don't see any
heartbeat traffic. KEEPALIVE may be more understandable since many
platforms default the KEEPALIVE interval to 2 hours. Unfortunately, except
Kulbir,
Ask any of your unix sysadmins about syslog. WMQI sends all events
(warning, error) through syslog daemon to files or network.
Tibor
Hi,
We're beginning to look at migrating our WMQI set-up from Windows 2000 to
HP-UX and have a query. As part of our support processes we make
Are there any search engines on the list server left on 'the web'? My old ones seem
to be gone!
denis
Instructions for managing your mailing list subscription are provided in
the Listserv General Users Guide available at http://www.lsoft.com
Archive: http://vm.akh-wien.ac.at/MQSeries.archive
Hi
we send XML-Messages from SunSolaris to the OS390 over the middleware QSMQI 2.1
Well, there is almost everything ok but the XML-Parser on the Hostside is not able to
work with CR after the XML-endtags. So, we take this sign away by converting the
message to an EBCDIC-Message, converting it
Hi there,
We have a very large network of MQSeries installations ( 300 installations) that are currently using a mixture of Hostnames and IP addresses for the channel connection names. We are in the process of reviewing our configurations and will be looking to standardise the use of the conname
HH! The beauty of distributed messaging!!! Don't you just
love it
We do the same. We have a message coming in from an NT front end through a
UNIX Concentrator to the backend via clustering. Our first node logs
receives the message as a blob and logs it (as every GOOD
Kulbir - I'd vote for Hostnames
because it allows you to change the IP address without needing to go in and
change potentially a host (no pun intended) of definitions. Also, I think it's
more descriptive (sort of like they used to say that Cobol was
self-documenting). That said, be aware
Sid,
Given only the
information in your email, the answer would be "Yes, malicious activity could
occur". To fully answer that question one would need to know
the rest of the configuration. Are the listeners running under a
low-privileged ID or as mqm? The clients and cluster on
You can't. Without going into too much detail, you would need an agent that
doesn't rely on the command server, a command server that used a different
queue, or you would have to define the queue and start the command server
each time. These options may seem like a royal pain but
Using DNS name could free us from caring IP address
change. It appears that after DNS resolution (at channel
start), the queue manager is in fact talking in IP address.
Hence, I guess the performance improvement only appears at channel startup, if
any. However, how often will the channel
http://www.ebizq.net/vintage/messageq//forums/vienna/
OR
http://www.mail-archive.com/mqseries%40akh-wien.ac.at/index.html
OR
http://vm.akh-wien.ac.at/wa/~listserv/mqser_l
-Original Message-
From: ulla [mailto:[EMAIL PROTECTED]
Sent: Wednesday, September 10, 2003 4:27 AM
To: [EMAIL
Well, denial of service attack is always there, of course (I did not try it myself
with MQ and listener pool, to be completely honest). Of course, I assume your system
will use only SSL channels to have a strong authentication and confidentiality on the
wire. Do not forget to set SSL_PEER to
Hey all, has anyone else seen an increase with orphaned rcvr channels
with MQ 5.3 on Z/OS? The funny thing is that there seem to be several
other X parm features in 5.3 that may address just this. I turned on
KEEP ALIVE and tested it to satisfaction but also saw two other new
parameters now
Stuart
Correct me if I'm wrong. Your server application (whose connection is not
in question) is actively sitting on an MQGET waiting for work (as server
applications do). Your client application is going through the firewall
with a CLNTCONN/SVRCONN connection that is being broken. This client
Just as a matter of interest. Does anyone know of any actual, real world,
deliberate, sophisticated, malicious, penetration of an MQSeries installation,
and if so, what was the consequence?
Matt.
-Original Message-
From: Pavel Tolkachev [mailto:[EMAIL PROTECTED]
Sent: 10 September 2003
Pavel,
The SSLPEER parameter is actually a filter. Therefore you can code it like
SSLPEER(CN=APPL*, O=MYCompany, OU=Any*, C=US). This will then permit any
CN prefixed by APPL and any OU prefix by Any. By using the filter you
can service and validate many different Distinguished Names
I personally prefer using host names because of the ease of
changing IP addresses should the need arise. However, that
being said, I have always reverted to the use of hard IP
addresses because I have never found a customer account that
maintains their Name Servers in a manner that allows for any
Pavel,
Could you explain how a user could obtain more privilege vis-a-vis the dlq
handler?
Pavel Tolkachev
pavel.tolkachev To: [EMAIL PROTECTED]
@DB.COM cc:
Sent by:
I agree with Rick. There is no bug that I can see. Unless you do a get with
Unlimited wait during your idle times, there will be no heartbeats.
The only other way is to generate the traffic yourself, maybe by doing an
MQINQ call or something every minute. But then you are truly not idle are
you?
I totally agree. Our network is in a constant state of change, but our host
names change much less frequently. So I get to ignore most of the things
that change here. I doubt that there's any appreciable response time hit
either, because I would assume that the host-to-IP translation only is done
Hi,
We will install a new AIX box for MQ Integrator and TCB is very
recommended by security guys. But I'm not sure in the success, because
known MQ books don't analyze this configuration.
Anyone is using a similar?
TIA,
Tibor
Hey Salem
We have and ADOPTMCA=qmname and ADOPTCHK=yes on at the 5.2/ZOS level. This
helps to alleviate some orphan rcvr channels.
Richard Jackson
SIAC -
CICS/MQ Systems
212-383-9043
Salem Muribi
[EMAIL PROTECTED]To: [EMAIL
Stuart,
I have an application that runs on a web server and uses PCF commands over
client channels to talk with my MQ servers. When the user clicks a button
or link, the web server receives the request passes to CGI, starts a
process, connects to the QMgr, creates a dynamic queue, sends and
Hey all,
I use DNS names for a number of what I feel are great reasons.
1. IP addresses change, but DNS names tend not to. I don't use the host name
(VAXX), though, I always use a DNS name like APPL.domain.com. Reason? See #4
below.
2. Every host has a DNS entry setup that points to it, in
Couple of my friends used to complain people tried to break their system all the
time (like tens times a day). I do not actually know any consequences and even if I
knew I would not be allowed to discuss them. It was not a pure MQ system, it included
a custom authentication/authorization layer
infochain is still there if you want to look at very old postings too.
www.infochain.be
We need someone to write an engine which calls all the engines and gives the
output together.
Tania
SJG Enterprise Integration
http://www.sjg-enterpriseintegration.com/
-Original Message-
From:
Thanks Phil,
I actually remembered that, I asked the list about this once before. Wildcards
partially help to authenticate many people (apps), but do not solve the authentication
problem in general (people/applications can have completely unrelated names or two
persons from the same
I wonder why Google doesn't work for searching this listserve?
-Original Message-
From: Business Integration
[mailto:[EMAIL PROTECTED]
Sent: Wednesday, September 10, 2003 2:11 PM
To: [EMAIL PROTECTED]
Subject: Re: archives of the listserver
infochain is still there if you want to look
I'm not sure I agree with your contention that a DLQ would enable a user to
gain more privileges. Also, by not having a DLQ, you could also stop the
channel by trying to send a message to a bogus remote queue. This would,
in effect, also deny legitimate messages from being sent.
Certificate Revocation Lists - Allows you to deny access to any single named
individual while still allowing access to the group via wildcard filter.
MCAUSER - enforces that any user coming in through the channel has
low-privileged access configurable via OAM.
Class of service - multiple SVRCONN
Hi,
No, we are not using nor have we installed ETC. On the clients boxes, we only
installed the WMQ Client v5.3 SupportPac with SSL. Actually, we are only using
the WMQ/Java jar files (and not the rest of the client base).
The WebLogic programs are written in Java and use JMS to interface with
In regard to the dlq, making use of the MCAUSER on a receiver channel might
lend a hand (this will not work for client connections). When the MCAUSER
on a receiver channel is non blank it behaves much different than a
server connection for a client. For a receiver you have to set the
How would you decide who, or who isn't an authorized user? The contention
is/was that we could have a malicious user, who could be an authorized user
as well.
Bill Anderson
[EMAIL PROTECTED] To: [EMAIL PROTECTED]
Thanks T.Rob,
CRLs are definitely a good point -- I keep forgetting about this possibility. Wrt
multiple SVRCONN channels: can I actually have several on same port?
Exit is a way, of course, but only as a last resort.. I am off the problem right now;
if it comes back to me I will probably be
Pavel,
I actually build a Security Exit to address your concern. It checks either
the incoming IP address or the incoming SSLPEER against a list of SSLPEER
(Distinguished Names) and/or IP addresses, and then assigns a corresponding
user id to the MCAUSER field. The exit can also be used to
Well, I suppose that is more of a business oriented question than a
technical one. But, if you delete the dlq completely, its a done deal
right, NOBODY can use it because its not there. If you use the MCAUSER to
restrict access to some, it is still available for legitimate use. How you
choose who
Hello Rick,
Sorry, this will be in reply to your previous mail down the trail (I lost the
original); I agree with your last sentence completely.
Disabling the channel is not quite the same as writing my messages to other person's
queue (from security breach point of view). Disabling channel is
A developer asked me if there are any issues with Oracle 9iAS, using JSP
and MQSeries. If anyone knows, I'd appreciate some feedback.
Thanks Phil,
It is good to know you have one. I guess such exits must become a pretty common type
of a 3rd-party product for MQ in the next year or so. Before SSL, the generic security
purpose exits (Security and Message) had to use their own non-standard ways to encrypt
information and
My new bumper sticker:
If DLQs are outlawed then only outlaws will have DLQs
-- T.Rob
-Original Message-
From: Bill Anderson [mailto:[EMAIL PROTECTED]
Sent: Wednesday, September 10, 2003 4:00 PM
To: [EMAIL PROTECTED]
Subject: Re: Security with Server Connection channels
Well, I
Oops, I mis-spoke.
After tracking down the guy who did the initial install of the WMQ client base,
I was told that yes, they did install ETC (news to me!!). He told me that they
purchased a site license for ETC (via IBM sales rep.).
So, if we are legal for ETC, how do I get rid of those error
Hi all,
We are on WMQ Server 5.3 on W2K (Queue manager QM1),
and WMQ Client 5.2.1 on W2K.
We have a user (not a developer) running a Smalltalk
app on his machine (W2K) by Client connecting to
QM1. He specifies MQMD.ReplyToQ as a temporary dynamic
queue (with a full name using the client
It seems that the version of saveqmgr that I have does not dump all qmgr attributes...
Notably from the QMGR attributes the following are missing:
COMMANDQ
CCSID
MAXPTRY
DISTL
This was running on Solaris 5.8, WMQ 5.2 (CSD05).
Is this an intentional omission or a bug?
--
tonyB.
Hi Ruzi,
amqrmppa is a channel pooling agent. In MQ5.2, the runmqlsr listener ran
the channels as threads in its own process. This did not scale well, hence
the need to have multiple listeners on different ports.
At MQ5.3, the runmqlsr listener offloads the channel threads on to
dedicated
Hi Anthony,
At least 3 out of 4 is intentional.
saveqmgr is building commands to recreate your queue manager. It has to
create value DEFINE and ALTER commands.
The COMMANDQ, MAXPRTY and DISTL attributes are not settable by ALTER QMGR,
so saveqmgr cannot build them. CCSID does appear to be
Phil,
Is the source code for this exit available ?
Sid
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Thursday, 11 September 2003 5:59 AM
To: [EMAIL PROTECTED]
Subject: Re: Security with Server Connection channels
Pavel,
I actually build a Security Exit
You have way too much free time T.Rob!
-Original Message-
From: Wyatt, T. Rob [mailto:[EMAIL PROTECTED]
Sent: Thursday, 11 September 2003 6:37 AM
To: [EMAIL PROTECTED]
Subject: Re: Security with Server Connection channels
My new bumper sticker:
If DLQs are outlawed then only outlaws
Hi
I was wondering if anyone has attempted to access cluster queues from a .Net app?!?
Specifically in my case, we are using a vb.Net app which will be (hopefully :) putting
to a cluster queue. The MQ version is 5.3 csd 4.
Any info on successes or failures would be well appreciated!!
This worked after I specified the encoding and CCSID of input message's MQMD in the compute node to 500 and 785. I have the same test run for AS/400 as well. There was a problem for packed signed number; I get error in WMQI, 'parsing decimal data, no sign found'. What should the CWF properties be for
Hi,
What is this 'packed decimal positive code' in the CWF properties tab? Doc says it should be 'C' but for few systems it has to be 'F'.
I am curious about this field, coz I am having a RPG pgm that declares a variable as 4P2 and assigns a value -56.78, but when my broker retrieves this (WMQI on
Hi Juni,
This is internal magic done by Binary Coded Decimal (BCD). It is usually
second nature to mainframe programmers because it is related directly to
EBCDIC (Extended Binary Coded Decimal Interchange Code). EBCDIC is used
internally by IBM zOS (zSeries) and OS400 (iSeries) systems.
EBCDIC