arrehman

Reputation: 1322

WebSphere MQ Q Program Usage

I have a queue manager QM_TEST created using the following MQSC commands:

  SET AUTHREC OBJTYPE(QMGR) GROUP('mq-user') AUTHADD(INQ,DSP,CONNECT,SET,SETALL)
  SET AUTHREC PROFILE(SYSTEM.MQEXPLORER.REPLY.MODEL) OBJTYPE(QUEUE) GROUP('mq-user') AUTHADD(INQ,DSP,GET)
  SET AUTHREC PROFILE(SYSTEM.ADMIN.COMMAND.QUEUE) OBJTYPE(QUEUE) GROUP('mq-user') AUTHADD(INQ,DSP,PUT)
  DEFINE CHANNEL ($cname) CHLTYPE (SVRCONN) TRPTYPE (TCP) MCAUSER('tcs-mq-user') REPLACE
  SET CHLAUTH($cname) TYPE(ADDRESSMAP) ADDRESS(*) MCAUSER('tcs-mq-user')
  DEFINE QLOCAL ($dlqname) REPLACE
  SET AUTHREC PROFILE($dlqname) OBJTYPE(QUEUE) GROUP('mq-user') AUTHADD(ALL)
  ALTER  QMGR DEADQ($dlqname) FORCE
  DEFINE LISTENER ($lname) TRPTYPE (TCP) CONTROL (QMGR) PORT ($port)
  START LISTENER ($lname)

I have two queues TEST1 and TEST2 created using:

DEFINE QLOCAL ($qname) GET(ENABLED) PUT(ENABLED) MAXDEPTH($maxdepth) REPLACE
SET AUTHREC PROFILE($qname) OBJTYPE(QUEUE) GROUP('mq-user') AUTHADD(ALL)

I am trying to copy messages from TEST1 to TEST2 using the q program utility:

q -xb -mQM_TEST -iTEST1 -mQM_TEST -oTEST2 -p20

However I get this error:

MQSeries Q Program by Paul Clarke [ V6.0.0 Build:May 2 2012 ]
Connecting ...failed.
MQCONNX on object 'QM_TEST' returned 2035 Not authorized..

I am running WebSphere MQ v7.1. The q SupportPac is installed on the server and I am executing the q command on the server. I can't figure out a way to pass the channel name TEST_CHANNEL and port number 1414. Is that the issue?

Upvotes: 1

Views: 5707

Answers (1)

T.Rob

Reputation: 31852

The program is connecting to the QMgr in bindings mode via shared memory rather than using the SVRCONN channel. You can verify this by running ALTER QMGR AUTHOREV(ENABLED) and then looking at the authorization event that is produced in the QMgr event queue. If you have installed SupportPac MS0P you can right-click on the queue and select "Format event messages" to see it in human-readable format. Either way, you should see that the ID being used to connect is not tcs-mq-user but rather whatever ID you are using to run the Q program. Try:

q -lmqic -xc -iTEST1 -oTEST2 -p20

The program will prompt you for the channel details when run with -xc.

The Q program can dump queues to files but it is not designed for that. The QLoad program from SupportPac MO03 is designed for that and will capture all aspects of the message and, if you are suitably authorized, also restore them intact. This includes message ID, timestamp, etc.

Finally, a quick note about the AUTHREC statements in your post. Since you have bothered to create a low-privileged MCAUSER and set authorities for it, I presume that you would like that ID not to have administrative privileges. Please be aware that granting a user +set or +setall on the QMgr allows them to manage authorization records using WMQ Explorer or anything else that uses PCF commands. Consider restricting authorities on the QMgr to +dsp +inq +connect.

Generally, the applications don't get access to the DLQ but rather get access to an application-specific backout queue. If the app is granted access to the DLQ it is usually only to put messages there and not to get them back out. This is because the DLQ is a system-wide resource and if the QMgr is shared, the messages from multiple apps might land in the DLQ. As a security precaution, restrict delete access on that queue to administrators. This way someone cleaning up after their app can't accidentally (or otherwise) delete the messages belonging to another app.

UPDATE:
Reviewing your post, I noticed another discrepancy. I had assumed that you were getting the 2035 Authorization Error because you were connecting in bindings mode with an ID other than mqm or tcs-mq-user. After looking again, I realized that you never authorized the mq-user group to the queues you are trying to access. You authorized it to the Command Queue and the reply model which aren't used in this scenario. (WMQ Explorer uses them.) So, add the following rules:

SET AUTHREC PROFILE(TEST1) OBJTYPE(QUEUE) GROUP('mq-user') AUTHADD(PUT,GET,INQ,BROWSE)
SET AUTHREC PROFILE(TEST2) OBJTYPE(QUEUE) GROUP('mq-user') AUTHADD(PUT,GET,INQ,BROWSE)

This will solve the auths problem if in fact you are connecting as tcs-mq-user.

There isn't a way to pass the channel to Q on the command line, as far as I know, but it does accept the standard MQSERVER variable. For example:

export MQSERVER="$cname/TCP/localhost($port)"

...where $cname is the channel name and $port is the port. Here's my test:

tcs-mq-user:~> export MQSERVER="TEST.SVRCONN/TCP/localhost(1414)"
tcs-mq-user:~> q -xb -iTEST1 -mQMTEST -lmqic
MQSeries Q Program by Paul Clarke [ V6.0.0 Build:May  2 2012 ]
Connecting ...connected to 'JMSDEMO'.
No more messages.
tcs-mq-user:~> 

As to why it's not finding the client libs, do you have them installed?

tcs-mq-user:~> rpm -qa | grep MQSeriesClient
MQSeriesClient-7.5.0-0

Upvotes: 1
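
The two over-grants the answer warns about (+set/+setall on the QMgr, and more than put on the dead-letter queue) can be checked mechanically before an MQSC script is run. The following is an added example, not part of the original answer or of any IBM tooling; the sample script, the queue name APP.DLQ (standing in for $dlqname) and the function names are assumptions constructed for illustration.

```python
import re

# Constructed sample: AUTHREC statements modelled on the question's script,
# with its $dlqname placeholder replaced by the assumed name APP.DLQ.
SAMPLE_MQSC = """\
SET AUTHREC OBJTYPE(QMGR) GROUP('mq-user') AUTHADD(INQ,DSP,CONNECT,SET,SETALL)
SET AUTHREC PROFILE(SYSTEM.ADMIN.COMMAND.QUEUE) OBJTYPE(QUEUE) GROUP('mq-user') AUTHADD(INQ,DSP,PUT)
DEFINE QLOCAL (APP.DLQ) REPLACE
SET AUTHREC PROFILE(APP.DLQ) OBJTYPE(QUEUE) GROUP('mq-user') AUTHADD(ALL)
ALTER  QMGR DEADQ(APP.DLQ) FORCE
SET AUTHREC PROFILE(TEST1) OBJTYPE(QUEUE) GROUP('mq-user') AUTHADD(PUT,GET,INQ,BROWSE)
"""

QMGR_OK = {"DSP", "INQ", "CONNECT"}  # the answer's suggested QMgr authorities
DLQ_OK = {"PUT"}                     # apps may put to the DLQ, not get or delete
PAIR = re.compile(r"(\w+)\s*\(\s*'?([^)']*)'?\s*\)")  # KEYWORD(value) or KEYWORD('value')

def parse(line):
    """Return {KEYWORD: value} for each KEYWORD(value) pair on one MQSC line."""
    return {k.upper(): v.strip() for k, v in PAIR.findall(line)}

def audit(mqsc):
    """Return (who, object, excess authorities) for each over-broad grant.
    Assumes one statement per line; only AUTHADD is examined, not AUTHRMV."""
    stmts = [(l.upper().split(), parse(l)) for l in mqsc.splitlines() if l.strip()]
    # The dead-letter queue is whatever ALTER QMGR DEADQ(...) names.
    dlq = next((kw["DEADQ"] for words, kw in stmts
                if words[0] == "ALTER" and "DEADQ" in kw), None)
    findings = []
    for words, kw in stmts:
        if words[:2] != ["SET", "AUTHREC"]:
            continue
        granted = {a.strip().upper() for a in kw.get("AUTHADD", "").split(",") if a.strip()}
        who = kw.get("GROUP") or kw.get("PRINCIPAL")
        objtype = kw.get("OBJTYPE", "").upper()
        if objtype == "QMGR":
            target, allowed = "QMGR", QMGR_OK
        elif objtype == "QUEUE" and dlq and kw.get("PROFILE") == dlq:
            target, allowed = dlq, DLQ_OK
        else:
            continue  # ordinary application queues are not judged here
        excess = granted - allowed
        if excess:
            findings.append((who, target, sorted(excess)))
    return findings

if __name__ == "__main__":
    for who, target, excess in audit(SAMPLE_MQSC):
        print(f"{who}: {target} grants beyond recommendation: {', '.join(excess)}")
```

Run against the sample, it reports SET and SETALL on the QMgr and ALL on the dead-letter queue for mq-user; a script limited to +dsp +inq +connect on the QMgr and +put on the DLQ produces no findings.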
