Thanks Peter.
Bill Johnson
Mainframe Tech Support
216-595-4778
<
Loading Image...@1a804d59.41ba0562]
Visit MedMutual.com<http://www.medmutual.com/>
CONFIDENTIALITY NOTICE:
This message is intended only for the use of the individual or entity to which it is addressed and may contain information that is privileged, confidential or exempt from disclosure by law. If the reader of this message is not the intended recipient, or the employee or agent responsible for delivering the message to the intended recipient, you are hereby notified that you are strictly prohibited from printing, storing, disseminating, distributing or copying this message. If you have received this message in error, please notify us immediately by replying to the message and deleting it from your computer. Neither this information block, the typed name of the sender, nor anything else in this message is intended to constitute an electronic signature, unless a specific statement to the contrary is included in this message.
Thank you, Medical Mutual.
From: MQSeries List [mailto:***@LISTSERV.MEDUNIWIEN.AC.AT] On Behalf Of Potkay, Peter M (CTO Architecture + Engineering)
Sent: Wednesday, March 05, 2014 9:51 PM
To: ***@LISTSERV.MEDUNIWIEN.AC.AT
Subject: Re: CONTEXT
Bill,
We use BMCâs Middleware and Transaction ManagâŠ..OK, QPASA, on the mainframe as well. We grant that QPASA agent (qpcfg) full MQ access to the queue manager, and rely on the security in QPASA to restrict what the user can do. QPASA is an MQ Administrators tool â it should have full access to the QM in my opinion.
If you need to / want to run your qpcfg agent with less than full MQ rights, for example without context authority, then you wonât be able to tell QPASA to do some things like copy messages into a queue, where the context options are needed so the putter (qpcfg) can set all the MQMD headers exactly the same as the original messages.
If the user in this case was just right clicking on the queue to select the âClearâ option, I donât see why the qpcfg agent would need to open the queue with any of the MQOO_*_CONTEXT options, and a case could be made that if qpcfg is doing this for a clear queue operation, its wrong. Even if you opened the queue for selective gets there should be no need to open the queue with any MQOO_*_CONTEXT options. You only need these options and thus this authority for putting message.
BMC is good about fixing things like this if they are wrong. Years ago their qpcfg agent would open the queue with the input options even though you right clicked the put option on the queue. All sorts of fun with âthe MQ triggering is broken!â because triggering conditions were no longer true anytime anyone was using QPASA as the putter of a message and left the session open. They promptly fixed that when it was brought to their attention.
If you discover the user was doing a non put operation on the queue and qpcfg is throwing these context errors, its worth a ticket to BMC for investigation.
Peter Potkay
From: MQSeries List [mailto:***@LISTSERV.MEDUNIWIEN.AC.AT]<mailto:[mailto:***@LISTSERV.MEDUNIWIEN.AC.AT]> On Behalf Of Johnson, William
Sent: Thursday, February 27, 2014 12:57 PM
To: ***@LISTSERV.MEDUNIWIEN.AC.AT<mailto:***@LISTSERV.MEDUNIWIEN.AC.AT>
Subject: Re: CONTEXT
Thanks Tim, I looked at the link you provided. Our security department is not an expert in granting MQ security. I think theyâll have to revisit it for the users.
Thanks for everyoneâs help.
Bill Johnson
Mainframe Tech Support
216-595-4778
From: MQSeries List [mailto:***@LISTSERV.MEDUNIWIEN.AC.AT] On Behalf Of Tim Zielke
Sent: Thursday, February 27, 2014 11:05 AM
To: ***@LISTSERV.MEDUNIWIEN.AC.AT<mailto:***@LISTSERV.MEDUNIWIEN.AC.AT>
Subject: Re: CONTEXT
Hi Bill,
Have you reviewed this doc -> http://pic.dhe.ibm.com/infocenter/wmqv7/v7r1/topic/com.ibm.mq.doc/zs12390_.htm
Based on everything that has been stated so far, it sounds like your tool to clear the queue was requesting some type of context access which the user did not have. This error below looks like your security manager (i.e. Top Secret) reporting the context profile that was referenced in the context check, to me.
TSS7250E 151 J=MQT1MSTR A=JAS5 TYPE=MQADMIN RESOURCE=MQT1.CONTEXT.QL.CICTAH1A.MQT1.BACKOUT
Thanks,
Tim
From: MQSeries List [mailto:***@LISTSERV.MEDUNIWIEN.AC.AT]<mailto:[mailto:***@LISTSERV.MEDUNIWIEN.AC.AT]> On Behalf Of Johnson, William
Sent: Thursday, February 27, 2014 9:44 AM
To: ***@LISTSERV.MEDUNIWIEN.AC.AT<mailto:***@LISTSERV.MEDUNIWIEN.AC.AT>
Subject: Re: CONTEXT
The person who was trying to clear the queue and exposed the issue is out of the office until Monday. Iâve used QPASA to clear a queue before and never witnessed âCONTEXTâ get attached to the queue name within the mainframe queue manager started task. Of course, Iâve never received a Top Secret error before either. It is a test queue manager and not critical but weâd still like to know what the solution is.
Bill Johnson
Mainframe Tech Support
216-595-4778
[cid:***@edb7574f.47892278]
Visit MedMutual.com<http://www.medmutual.com/>
CONFIDENTIALITY NOTICE:
This message is intended only for the use of the individual or entity to which it is addressed and may contain information that is privileged, confidential or exempt from disclosure by law. If the reader of this message is not the intended recipient, or the employee or agent responsible for delivering the message to the intended recipient, you are hereby notified that you are strictly prohibited from printing, storing, disseminating, distributing or copying this message. If you have received this message in error, please notify us immediately by replying to the message and deleting it from your computer. Neither this information block, the typed name of the sender, nor anything else in this message is intended to constitute an electronic signature, unless a specific statement to the contrary is included in this message.
Thank you, Medical Mutual.
From: MQSeries List [mailto:***@LISTSERV.MEDUNIWIEN.AC.AT] On Behalf Of Tim Crossland
Sent: Thursday, February 27, 2014 10:26 AM
To: ***@LISTSERV.MEDUNIWIEN.AC.AT<mailto:***@LISTSERV.MEDUNIWIEN.AC.AT>
Subject: Re: CONTEXT
What options are they using when they open the queue?
Are they opening the queue using the MQOO_SET_IDENTITY_CONTEXT or MQOO_SET_ALL_CONTEXT option?
Tim Crossland
Senior Consultant
M: +44 (0)7725 208776
T: +44 (0)207 147 9955
[ZA102637858]<https://twitter.com/iconsolutions>[ZA102637857]<http://www.linkedin.com/company/icon-solutions-uk-ltd?trk=hb_tab_compy_id_549225>
[icon]<http://www.iconsolutions.com/> Solutions Ltd www.iconsolutions.com
-----Original Message-----
From: MQSeries List [mailto:***@LISTSERV.MEDUNIWIEN.AC.AT]<mailto:[mailto:***@LISTSERV.MEDUNIWIEN.AC.AT]> On Behalf Of Johnson, William
Sent: 27 February 2014 15:15
To: ***@LISTSERV.MEDUNIWIEN.AC.AT<mailto:***@LISTSERV.MEDUNIWIEN.AC.AT>
Subject: Re: CONTEXT
Using a product called BMC Middleware management or as it was formerly known QPASA from MQ Software.
Bill Johnson
Mainframe Tech Support
216-595-4778
http://www.medmutual.com/
Visit http://www.medmutual.com/
CONFIDENTIALITY NOTICE:
This message is intended only for the use of the individual or entity to which it is addressed and may contain information that is privileged, confidential or exempt from disclosure by law. If the reader of this message is not the intended recipient, or the employee or agent responsible for delivering the message to the intended recipient, you are hereby notified that you are strictly prohibited from printing, storing, disseminating, distributing or copying this message. If you have received this message in error, please notify us immediately by replying to the message and deleting it from your computer. Neither this information block, the typed name of the sender, nor anything else in this message is intended to constitute an electronic signature, unless a specific statement to the contrary is included in this message.
Thank you, Medical Mutual.
-----Original Message-----
From: MQSeries List [mailto:***@LISTSERV.MEDUNIWIEN.AC.AT] On Behalf Of Bruce Lerner
Sent: Thursday, February 27, 2014 10:12 AM
To: ***@LISTSERV.MEDUNIWIEN.AC.AT<mailto:***@LISTSERV.MEDUNIWIEN.AC.AT>
Subject: Re: CONTEXT
Exactly how were you attempting to clear the queue?
To unsubscribe, write to ***@LISTSERV.MEDUNIWIEN.AC.AT<mailto:***@LISTSERV.MEDUNIWIEN.AC.AT> and, in the message body (not the subject), write: SIGNOFF MQSERIES Instructions for managing your mailing list subscription are provided in the Listserv General Users Guide available at http://www.lsoft.com
Archive: http://listserv.meduniwien.ac.at/archives/mqser-l.html
************************************************************
This communication, including attachments, is for the exclusive use of addressee and may contain proprietary, confidential and/or privileged information. If you are not the intended recipient, any use, copying, disclosure, dissemination or distribution is strictly prohibited. If you are not the intended recipient, please notify the sender immediately by return e-mail, delete this communication and destroy all copies.
************************************************************