David Awerbuch (BLOOMBERG/ 120 PARK)
2013-09-11 20:21:43 UTC
I am hoping some one out there has already seen this issue during their upgrade cycle.
We upgraded a host with existing queue managers from 7.0.1.4 to 7.5.0.1. Our client applications are not able to connect to the queue managers using the existing svrconn channels and authorization records - 2035 errors.
1. User Application
Checked queue manager log, I see:
AMQ8077: Entity 'dbaseuser ' has insufficient authority to access object 'NEWSQMGR'.
AMQ9557: Queue Manager User ID initialization failed.
'dbaseuser' is an existing unix userid. until the upgrade to 7.5, the access through this srvconn was not an issue.
Note - the mcauser() field on the svrconn has always been and is blank.
I believe in the previous release (7.0.1.4) that this user would connect as user 'mqm'; thus no issues with connectivity and object access.
Now with 7.5.0.1 it looks like the real userid from the client connection header is being exposed to the authorization module. is this a correct assessment? Is there a way to restore this processing, or am I looking at a moving-forward series of changes to my application svrconns?
Note -- 7.5.0.1 queue manager has CHLAUTH(DISABLED)
2. WMQ Administration tool - web-based service
Checked queue manager log, I see this series of error messages; these are all generated by the same pid.tid:
AMQ9780: Channel to remote machine '1.2.3.4' is ending due to an error.
EXPLANATION:
Channel 'ADMIN.SVRCONN' between this machine and the remote machine
'1.2.3.4' encountered an error and will now end. In some cases the
channel name can not be determined and so is shown as '????'.
AMQ9519: Channel 'ADMIN.SVRCONN' not found.
EXPLANATION:
The requested operation failed because the program could not find a definition
of channel 'ADMIN.SVRCONN'.
AMQ9999: Channel 'ADMIN.SVRCONN' to host 'windowshost(1.2.3.4)'
ended abnormally.
EXPLANATION:
The channel program running under process ID 8392 for channel
'ADMIN.SVRCONN' ended abnormally. The host name is 'sysnyweb03
(1.2.3.4)'; in some cases the host name cannot be determined and so is
shown as '????'.
AMQ5653: The user 'windowshost$' is not defined.
EXPLANATION:
The system call getpwnam("windowshost$") failed with errno 2.
AMQ9557: Queue Manager User ID initialization failed.
EXPLANATION:
The call to initialize the User ID failed with CompCode 2 and Reason 2035.
Previous to the upgrade, this worked just fine.
Note - also in this case - the mcauser() field on the svrconn has always been and is blank.
so, the same premises and belief exists as above - in the previous release (7.0.1.4) this user would connect as user 'mqm'; thus no issues with connectivity and object access.
Now with 7.5.0.1 it looks like the machine name from the client connection header is being exposed to the authorization module; or the header contains the machinename with the appended '$'. Is this a correct assessment? Again, is there a way to restore this processing, or am I looking at a moving-forward series of changes to my admin svrconns?
Thanks.
Dave
------------------------------------------------------------
-------------------------------------------------------------------
David Awerbuch -- Systems Architect -- Middleware Infrastructure
email: ***@bloomberg.net || ==== Bloomberg LP ==== ||
phone: + 1 646 324 2868 || Making Financial ||
WMQ support mq-***@bloomberg.com || Markets Transparent ||
-------------------------------------------------------------------
For all Trading Systems issues, please contact the TSCI 24-hour helpdesk.
- Americas - New York +1+212-318-2000
- Europe - London +44-20-7330-7500
- Asia - Tokyo +81-3-3201-8900
- Singapore +65-6212-1000
<< {IS} May you and yours be inscribed in the Book Of Life for health and happiness >>
We upgraded a host with existing queue managers from 7.0.1.4 to 7.5.0.1. Our client applications are not able to connect to the queue managers using the existing svrconn channels and authorization records - 2035 errors.
1. User Application
Checked queue manager log, I see:
AMQ8077: Entity 'dbaseuser ' has insufficient authority to access object 'NEWSQMGR'.
AMQ9557: Queue Manager User ID initialization failed.
'dbaseuser' is an existing unix userid. until the upgrade to 7.5, the access through this srvconn was not an issue.
Note - the mcauser() field on the svrconn has always been and is blank.
I believe in the previous release (7.0.1.4) that this user would connect as user 'mqm'; thus no issues with connectivity and object access.
Now with 7.5.0.1 it looks like the real userid from the client connection header is being exposed to the authorization module. is this a correct assessment? Is there a way to restore this processing, or am I looking at a moving-forward series of changes to my application svrconns?
Note -- 7.5.0.1 queue manager has CHLAUTH(DISABLED)
2. WMQ Administration tool - web-based service
Checked queue manager log, I see this series of error messages; these are all generated by the same pid.tid:
AMQ9780: Channel to remote machine '1.2.3.4' is ending due to an error.
EXPLANATION:
Channel 'ADMIN.SVRCONN' between this machine and the remote machine
'1.2.3.4' encountered an error and will now end. In some cases the
channel name can not be determined and so is shown as '????'.
AMQ9519: Channel 'ADMIN.SVRCONN' not found.
EXPLANATION:
The requested operation failed because the program could not find a definition
of channel 'ADMIN.SVRCONN'.
AMQ9999: Channel 'ADMIN.SVRCONN' to host 'windowshost(1.2.3.4)'
ended abnormally.
EXPLANATION:
The channel program running under process ID 8392 for channel
'ADMIN.SVRCONN' ended abnormally. The host name is 'sysnyweb03
(1.2.3.4)'; in some cases the host name cannot be determined and so is
shown as '????'.
AMQ5653: The user 'windowshost$' is not defined.
EXPLANATION:
The system call getpwnam("windowshost$") failed with errno 2.
AMQ9557: Queue Manager User ID initialization failed.
EXPLANATION:
The call to initialize the User ID failed with CompCode 2 and Reason 2035.
Previous to the upgrade, this worked just fine.
Note - also in this case - the mcauser() field on the svrconn has always been and is blank.
so, the same premises and belief exists as above - in the previous release (7.0.1.4) this user would connect as user 'mqm'; thus no issues with connectivity and object access.
Now with 7.5.0.1 it looks like the machine name from the client connection header is being exposed to the authorization module; or the header contains the machinename with the appended '$'. Is this a correct assessment? Again, is there a way to restore this processing, or am I looking at a moving-forward series of changes to my admin svrconns?
Thanks.
Dave
------------------------------------------------------------
-------------------------------------------------------------------
David Awerbuch -- Systems Architect -- Middleware Infrastructure
email: ***@bloomberg.net || ==== Bloomberg LP ==== ||
phone: + 1 646 324 2868 || Making Financial ||
WMQ support mq-***@bloomberg.com || Markets Transparent ||
-------------------------------------------------------------------
For all Trading Systems issues, please contact the TSCI 24-hour helpdesk.
- Americas - New York +1+212-318-2000
- Europe - London +44-20-7330-7500
- Asia - Tokyo +81-3-3201-8900
- Singapore +65-6212-1000
<< {IS} May you and yours be inscribed in the Book Of Life for health and happiness >>