Solved

MQ logging

Posted on 2010-01-12
Last Modified: 2013-12-11
I'm an MQ newb. I'm trying to connect from WAS7 JMS. I use JNDI to get the QueueConnectionFactory then call createQueueConnection. When I make this call I get a JMSException caused by

JMSCMQ0001: WebSphere MQ call failed with compcode '2' ('MQCC_FAILED') reason '2035' ('MQRC_NOT_AUTHORIZED')

I would like to see the credentials being passed to MQ. Does MQ log failed connection attempts? Is there a way to see why this connection is failing?

thanks very much
Question by:buckrodger

Expert Comment

by:HonorGod
ID: 26303284
It looks like you are getting an authorization failure (e.g., bad userid/password kind of thing).

Information about "API Completion and reason codes" can be found here:
http://publib.boulder.ibm.com/infocenter/wmqv6/v6r0/index.jsp?topic=/com.ibm.mq.csqsao.doc/csq0519.htm

Information about "Security consideration" can be found here:
http://publib.boulder.ibm.com/infocenter/wmqv6/v6r0/index.jsp?topic=/com.ibm.mq.amqtac.doc/wq10400_.htm

Is this a new installation, or did you upgrade your MQ and/or WSAS recently?

Did it ever work?

Are they (MQ & WSAS) on the same, or different machines?

Searching for MQRC_NOT_AUTHORIZED, we find:
--------------------------------------------------
MQRC_NOT_AUTHORIZED

public final static int

Reason code - queue is not authorized for access.
--------------------------------------------------

Information about "Log defaults" can be found here:
http://publib.boulder.ibm.com/infocenter/wmqv6/v6r0/index.jsp?topic=/com.ibm.mq.amqzag.doc/fa12570_.htm

Hopefully this helps.

Let me know.

Author Comment

by:buckrodger
ID: 26303864
We did upgrade WAS from 6.1 to 7. And this all worked on 6.1. In my local env WAS and MQ are on different machines. In the test env WAS and MQ are on the same machine. I don't think it's a password thing because if I specify the same username and password on the createQueueConnection call it works fine. However if I let WAS pass the credentials it fails.

Expert Comment

by:HonorGod
ID: 26304110
So what version of MQ is being used?  6.0, I presume.

Author Comment

by:buckrodger
ID: 26304386
6.0.2.6

Expert Comment

by:HonorGod
ID: 26304973
Here's something that I just learned:

Changes were done to the MQ JMS V7 client to provide to the MQ server the userid of the process (application) that is talking with the MQ server via the MQ JMS client.
In this case, the MQ queue manager has received a username which either:
- Does not exist in the Unix host of the MQ queue manager,
- Does exist, but it does not have the proper authority to access the MQ queue manager.

Solution
Check which user ID the application is being run under and then check to see if that user ID is in the mqm group (or some other group with sufficient authority).
If it is not in the mqm group, then add it to the mqm group and issue a runmqsc command:
REFRESH SECURITY(*)

The user ID associated with the program when it runs must have authority to access certain resources of the queue manager. Grant the following authorities to the user ID:
- The authority to connect to the queue manager, and the authority to inquire on the attributes of the queue manager object
- The authority to put and get messages on the desired queue.
b) In case that it is not obvious which is the actual userid token that is received by the MQ queue manager from the MQ JMS client, then it is necessary to take a trace of the queue manager (and if possible, a trace of the MQ JMS client).
The tokens to look for in the traces are:
+ From the JMS Trace (trace.log) you can see the userid that is sent by the MQ Client
For example, the trace.log for the JMS client may have strings such as these:

com.ibm.mq.jms.MQQueueConnectionFactory connecting as user: JohnDoe
com.ibm.mq.jms.MQQueueConnection Setting username = JohnDoe
com.ibm.mq.MQv6InternalCommunications userID = 'JohnDoe '
com.ibm.mq.MQv6InternalCommunications UID :JOHNDOE

+ From the MQ server trace you can see the userid that is received by the queue manager
It is very likely that one of the MQ trace files (*.FMT) will have the following string indicating that the value (username) is not a user ID in the system or that it does not belong to the mqm group (unknown principal). Search for the string: UnknownPrincipal

      UnknownPrincipal(johndoe)

Also, in case that the userid does exist, another possible cause is that the user does not have all the proper authorizations, thus, check for the following phrase in the trace:

      The following requested permissions are unauthorized:

I hope that this helps!
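
The trace check described in the answer above, as an added example that is not part of the original post or of IBM's tooling: a small Python scanner that correlates the user ID the JMS client sent with the marker strings the answer quotes. The function name, verdict labels and sample lines are constructed for illustration; real trace lines carry more fields than shown here.

```python
import re

# Marker strings as quoted in the answer above; everything else is assumed.
SENT_USER = re.compile(r"connecting as user:\s*(\S+)")
UNKNOWN = re.compile(r"UnknownPrincipal\(([^)]*)\)")
UNAUTHORIZED = "The following requested permissions are unauthorized:"


def diagnose_2035(client_lines, server_lines):
    """Return [(user, verdict)] for each distinct user ID the client sent.

    Verdicts (hypothetical labels):
      UNKNOWN_PRINCIPAL - queue manager did not recognise the user ID
      MISSING_AUTHORITY - user ID known, but a requested permission was refused
      NO_MARKER         - neither marker string appears in the server trace
    """
    sent = {}  # lower-cased ID -> ID as the client wrote it
    for line in client_lines:
        m = SENT_USER.search(line)
        if m:
            sent.setdefault(m.group(1).lower(), m.group(1))

    unknown = set()
    unauthorized_seen = False
    for line in server_lines:
        # The page shows the case changing in transit (JohnDoe, johndoe,
        # JOHNDOE), so user IDs are compared case-insensitively.
        unknown.update(n.strip().lower() for n in UNKNOWN.findall(line))
        if UNAUTHORIZED in line:
            unauthorized_seen = True

    results = []
    for key, user in sent.items():
        if key in unknown:
            results.append((user, "UNKNOWN_PRINCIPAL"))
        elif unauthorized_seen:
            results.append((user, "MISSING_AUTHORITY"))
        else:
            results.append((user, "NO_MARKER"))
    return results


# Constructed sample input built from the strings quoted in the answer.
CLIENT_TRACE = [
    "com.ibm.mq.jms.MQQueueConnectionFactory connecting as user: JohnDoe",
    "com.ibm.mq.jms.MQQueueConnection Setting username = JohnDoe",
]
SERVER_TRACE_UNKNOWN = ["      UnknownPrincipal(johndoe)"]
SERVER_TRACE_UNAUTH = ["      " + UNAUTHORIZED]

if __name__ == "__main__":
    for user, verdict in diagnose_2035(CLIENT_TRACE, SERVER_TRACE_UNKNOWN):
        print(user, verdict)
```

When WAS supplies the credentials, the user ID reported here is the one to compare against the ID that works on an explicit createQueueConnection call.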

Accepted Solution

by:
HonorGod earned 1000 total points
ID: 26305020
For information about how to grant authorities, see the following book from the MQ online information center

Title: MQ V7 Information Center
http://publib.boulder.ibm.com/infocenter/wmqv7/v7r0/index.jsp

Title: WebSphere MQ System Administration Guide
http://publib.boulder.ibm.com/infocenter/wmqv7/v7r0/index.jsp?topic=/com.ibm.mq.amqzag.doc/fa10120_.htm

Author Closing Comment

by:buckrodger
ID: 31676220
Thanks for your help

Expert Comment

by:HonorGod
ID: 26308214
Glad to have been able to help.

Thanks for the grade & points.

Good luck & have a great day.