Wow. Good catch!



The quotes are important on platforms where file globbing is performed and
you use a generic profile. As a rule, I always use them so that I don't end
up with fully qualified profiles with no quotes and generic profiles with
quotes.



If you omit the quotes, the command will work as intended in *almost* all
cases. The file globbing fill find no files that happen to match the file
name. But when it does fail, it does so subtly. If you authorize a profile
XYZ.** with no quotes and have one or more files of that name in the current
directory, their names are substituted on the command line. If it's just
one file you get a syntactically correct command with (hopefully!) no
matching object. If it's two or more files, the command fails with a syntax
error.



So don't get rid of quotes altogether!



-- T.Rob





From: MQSeries List [mailto:MQSERIES-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org] On Behalf Of
Potkay, Peter M (CTO Architecture + Engineering)
Sent: Monday, July 15, 2013 9:19 AM
To: MQSERIES-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org
Subject: Re: MQ 2035 - What am I missing here



I've been trying various things mentioned in this thread. I had a long
response all ready to send out this morning, and then I had one more look at
the authorities, this time using my trusty MO71 GUI. There was the problem,
plain as day. The way the GUI presented it made the problem readily apparent
when I could see all the profiles listed.



It reminded me of my first week of Basic Programmer Training back in '98,
where we were learning how to submit our very first JCL jobs. One poor
schlub (me) was stuck after hours in class trying to get that blasted job to
run. No one could figure it out. The next morning we come in, the teacher
takes one look at it again and tells me to remove that one extra slash from
one of the lines and walks away laughing. Hours wasted because of an extra
character on one line. Geez, I thought, one little mistake like that will
derail a whole program? I thought these computers were supposed to be smart.



Sigh.





Here is the authority I have.



E:\Peter>dmpmqaut -m FSIBLAB -p bubba

profile: 'HIG.FSIBLAB.LOCAL.QUEUE'

object type: queue

entity: ***@MYSERVERNAMEHERE

entity type: principal

authority: get put inq



Here is the error message:

The entry in the MQ error log.

7/12/2013 15:46:21 - Process(2572.20) User(mqxxxxx_xxx)
Program(amqzlaa0.exe)

Host(WH1WMBD0022) Installation(Installation1)

VRMF(7.5.0.1) QMgr(FSIBLAB)



AMQ8077: Entity '***@myservernamehere' has insufficient authority to
access object

'HIG.FSIBLAB.LOCAL.QUEUE'.







Look at those queue names. See the problem yet? Try squinting real hard.



I had run this:

E:\>setmqaut -m FSIBLAB -t queue -n 'HIG.FSIBLAB.LOCAL.QUEUE' -p bubba -all
+put +get +inq



I should have done this:

E:\>setmqaut -m FSIBLAB -t queue -n HIG.FSIBLAB.LOCAL.QUEUE -p bubba -all
+put +get +inq





E:\>dmpmqaut -m FSIBLAB -p bubba -t queue



profile: HIG.FSIBLAB.LOCAL.QUEUE

object type: queue

entity: ***@WH1WMBD0022

entity type: principal

authority: get put inq

- - - - - - - -

profile: 'HIG.FSIBLAB.LOCAL.QUEUE'

object type: queue

entity: ***@WH1WMBD0022

entity type: principal

authority: get put inq

- - - - - - - -

profile: @CLASS

object type: queue

entity: ***@WH1WMBD0022

entity type: principal

authority: none







I had just gotten out of a runmqsc session creating some new queues that I
had wrapped in quotes and I guess I was still thinking setmqaut needed it as
well (it doesn't - it respects lowercase names when needed.)





As soon as I ran this everything works as expected. It had been working
exactly as it should have all along. Computers are smart - me dumb.







-Peter









From: MQSeries List [mailto:MQSERIES-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org] On Behalf Of
T.Rob
Sent: Friday, July 12, 2013 9:26 PM
To: MQSERIES-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org
Subject: Re: MQ 2035 - What am I missing here



Hi Gina,



Neither of the possibilities you suggested can be the cause. Peter has set
an MCAUSER on the channel so no possibility of the ID from the remote
computer being used. This is confirmed in the error message which shows the
ID which failed as being '***@myservernamehere'. Either Peter explicitly
specified '***@myservernamehere' in the MCAUSER or else the MCAUSER is
unqualified but resolves to the local ID with the same name. In either
case, it is successfully overriding the ID from the remote client.



Similarly, it isn't CHLAUTH because that has already been resolved by the
time the OPEN occurs. IF the connection were blocked there the failure
would be on the CONNECT and not the OPEN.



The reason I asked for the dmpmqaut with the -e command is that there is
probably another profile contributing to the failure. That profile may be
attached to a group that the bubba account resides in which is why it
doesn't show in the command Peter tried. If that is the case, the -e should
reveal it.



In general, the authorizations look for the most specific profile. Peter's
dmpmqaut shows the bubba ID attached to a fully-qualified profile so there
can be nothing more specific than that. However, there isn't any
documentation on the precedence if there are multiple matches on profiles of
the same specificity. For example, an ID in grpa and in grpb tries to open
the same queue. One profile attached to grpa grants +put and one attached
to grpb grants +inq +brwse +get. As my article (http://bit.ly/aKNTvU)
shows, the result is a union. What I'm not sure of and I'm hoping Peter
will test is what happens on Windows, the only platform capable of this,
when conflicting profiles are attached to a principal and a group. One
would think that the principle is more specific than the group and it would
take precedence. However, what I suspect is that the opposite is happening.
I could try to re-create it but Peter has a live instance of the problem and
it would take only a few seconds for him to cut, paste and test.



-- T.Rob





From: MQSeries List [mailto:MQSERIES-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org] On Behalf Of
GINA MCCARTHY
Sent: Friday, July 12, 2013 7:37 PM
To: MQSERIES-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org
Subject: Re: MQ 2035 - What am I missing here



Or this:



http://www-01.ibm.com/support/docview.wss?uid=swg21188194



:-)



_____

From: MQSeries List [mailto:MQSERIES-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org] On Behalf Of
Potkay, Peter M (CTO Architecture + Engineering)
Sent: Friday, July 12, 2013 3:55 PM
To: MQSERIES-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org
Subject: MQ 2035 - What am I missing here

The bubba ID is a local ID defined to the server.

Windows 2008 R2 SP1

MQ 7.5.0.1

The MCAUSER of the SVRCONN channel is set to bubba.

I am using amqsgetc from my desktop to access this QM.



I can't get past this error.



Grasping at straws here. Even though dmpmqaut shows this ID has this access
I refreshed security. I restarted the QM. What is the problem here?







The entry in the MQ error log.

7/12/2013 15:46:21 - Process(2572.20) User(mqxxxxx_xxx)
Program(amqzlaa0.exe)

Host(WH1WMBD0022) Installation(Installation1)

VRMF(7.5.0.1) QMgr(FSIBLAB)



AMQ8077: Entity '***@myservernamehere' has insufficient authority to
access object

'HIG.FSIBLAB.LOCAL.QUEUE'.



EXPLANATION:

The specified entity is not authorized to access the required object. The

following requested permissions are unauthorized: get

ACTION:

Ensure that the correct level of authority has been set for this entity
against

the required object, or ensure that the entity is a member of a privileged

group.

----- amqzfubn.c : 515
--------------------------------------------------------









The Authority Event message from MO71:



Command :44 (QMgr Event)

Reason :2035 (Not authorized.)

Parameter Id :2015 (QMgr Name)

Value :'FSIBLAB '

Parameter Id :1020 (Reason Qualifier)

Value :2 [0x'2'] MQRQ_OPEN_NOT_AUTHORIZED

Parameter Id :2016 (Q Name)

Value :'HIG.FSIBLAB.LOCAL.QUEUE '

Parameter Id :1022 (Open Options)

Value :00002001

00002000 Fail if quiescing

00000001 Input as Queue Definition

Parameter Id :3025 (User Identifier)

Value :'bubba '

Parameter Id :1 (Appl Type)

Value :11 [0x'B'] MQAT_WINDOWS_NT

Parameter Id :3024 (Appl Name)

Value :'ebSphere MQ\bin\amqsgetc.exe'









E:\Peter>dmpmqaut -m FSIBLAB -p bubba

profile: 'HIG.FSIBLAB.LOCAL.QUEUE'

object type: queue

entity: ***@MYSERVERNAMEHERE

entity type: principal

authority: get put inq

- - - - - - - -

profile: SELF

object type: qmgr

entity: bubba@ MYSERVERNAMEHERE

entity type: principal

authority: inq connect

- - - - - - - -

profile: @CLASS

object type: queue

entity: bubba@ MYSERVERNAMEHERE

entity type: principal

authority: none

- - - - - - - -

profile: @CLASS

object type: qmgr

entity: bubba@ MYSERVERNAMEHERE

entity type: principal

authority: none



E:\Peter>











Peter Potkay







************************************************************
This communication, including attachments, is for the exclusive use of
addressee and may contain proprietary, confidential and/or privileged
information. If you are not the intended recipient, any use, copying,
disclosure, dissemination or distribution is strictly prohibited. If you
are not the intended recipient, please notify the sender immediately by
return e-mail, delete this communication and destroy all copies.
************************************************************



_____

List Archive <http://listserv.meduniwien.ac.at/archives/mqser-l.html> -
Manage Your List Settings
<http://listserv.meduniwien.ac.at/cgi-bin/wa?SUBED1=mqser-l&A=1> -
Unsubscribe
<mailto:LISTSERV-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org?subject=Unsubscribe&BODY=signoff%
20mqseries>

Instructions for managing your mailing list subscription are provided in the
Listserv General Users Guide available at http://www.lsoft.com
<http://www.lsoft.com/resources/manuals.asp>



_____

List Archive <http://listserv.meduniwien.ac.at/archives/mqser-l.html> -
Manage Your List Settings
<http://listserv.meduniwien.ac.at/cgi-bin/wa?SUBED1=mqser-l&A=1> -
Unsubscribe
<mailto:LISTSERV-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org?subject=Unsubscribe&BODY=signoff%
20mqseries>

Instructions for managing your mailing list subscription are provided in the
Listserv General Users Guide available at http://www.lsoft.com
<http://www.lsoft.com/resources/manuals.asp>



_____

List Archive <http://listserv.meduniwien.ac.at/archives/mqser-l.html> -
Manage Your List Settings
<http://listserv.meduniwien.ac.at/cgi-bin/wa?SUBED1=mqser-l&A=1> -
Unsubscribe
<mailto:LISTSERV-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org?subject=Unsubscribe&BODY=signoff%
20mqseries>

Instructions for managing your mailing list subscription are provided in the
Listserv General Users Guide available at http://www.lsoft.com
<http://www.lsoft.com/resources/manuals.asp>

************************************************************
This communication, including attachments, is for the exclusive use of
addressee and may contain proprietary, confidential and/or privileged
information. If you are not the intended recipient, any use, copying,
disclosure, dissemination or distribution is strictly prohibited. If you
are not the intended recipient, please notify the sender immediately by
return e-mail, delete this communication and destroy all copies.
************************************************************



_____

List Archive <http://listserv.meduniwien.ac.at/archives/mqser-l.html> -
Manage Your List Settings
<http://listserv.meduniwien.ac.at/cgi-bin/wa?SUBED1=mqser-l&A=1> -
Unsubscribe
<mailto:LISTSERV-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org?subject=Unsubscribe&BODY=signoff%
20mqseries>

Instructions for managing your mailing list subscription are provided in the
Listserv General Users Guide available at http://www.lsoft.com
<http://www.lsoft.com/resources/manuals.asp>


To unsubscribe, write to LISTSERV-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org and,
in the message body (not the subject), write: SIGNOFF MQSERIES
Instructions for managing your mailing list subscription are provided in
the Listserv General Users Guide available at http://www.lsoft.com
Archive: http://listserv.meduniwien.ac.at/archives/mqser-l.html