Raymond Powers | 23 Jun 17:41 2016

Close Not Authorized

Hi All,

We have a perplexing issue with authorizations. This is a Request/Reply originating from an application
running on WAS, using a client connection. It is now getting a 2035 not authorized.

Let's start with that this used to work. What changed is that the originating application moved from WAS 6 to
WAS 8.5. One thing that requires is that it can no longer use a blank user-id. So, it now is passing the same ID
as the MCAUSER on the SVRCONN channel.

I have looked at the event message. It is a challenge to read (this is MQ v7.0.1), especially with
little-endian (Linux). However, I believe that the event is showing the cause to be "Close Not
Authorized" ("03"), and it is definitely showing the name of the alias reply queue. I haven't really found
any explanations for "Close Not Authorized" that I think fit.

This is a complicated setup involving a lot of QAliases and some RemoteQs. While this is not a production
environment, it is a managed environment. So, experimenting has been challenging.

We have found that if we change the ReplyToQueue, the application does not get the 2035. However, the change
is more complicated than that sounds. The original ReplyToQueue is a QA of a QR. The one that it was changed
to, and works, is a QA of a QL.

Here are the details of the authorizations based on the group id of the MCAUSER:

Request QA:       DMGALL.DMGAPI.A0000.REQUEST.INT.FPT2
Request Auth:     get browse put inq set dlt chg dsp passid passall setid setall clr
Target QL:        DMGALL.DMGAPI.L0000.REQUEST.INT.FPT2
Target Auth:      none

Working Reply QA: DMGAPI.FX_SDS.A0000.REPLY.INT.FPT2
Working QA Auth:  get browse put inq set dlt chg dsp passid passall setid setall clr
(Continue reading)

T.Rob | 20 Jun 23:54 2016

Is purchased license type propagated to install?

I'm trying to figure out if it's possible to look at an MQ installation and trace back to the license associated with it.  I know when you go to Passport Advantage you see only the component(s) for which you are licensed.  Assuming you bought MQ Advanced it would be *possible* that the amqpcert.lic delivered would be different than if you purchased MQ Server, and then have that propagated down to the final install.  If that were true you could then look at the installed version to reconcile back to what you believed you purchased, or what someone in Supply chain Management told you was purchased, or what Software House  International thought they delivered.

 

My assumption here is that if licensing were important IBM would have figured out a way for MQ Admins - their first line of defense - to participate in license management and reconciliation when ILMT is not installed. What I'm finding so far is that amqpcert.lic appears to be encrypted or otherwise not human-readable, and dspmqver doesn't display anything that seems to correspond to the actual license type beyond "Developer" or "Production".  This all suggests I'm wrong either about licensing being important or about IBM thinking of us as allies in license management.  I'm hoping there's an undocumented dspmqver option or some decoder for amqpcert.lic I don't know about.

 

Thanks -- T.Rob

 

T.Robert Wyatt, Managing partner

IoPT Consulting, LLC

+1 704-443-TROB (8762) Voice/Text

https://ioptconsulting.com

https://twitter.com/tdotrob

 


List Archive - Manage Your List Settings - Unsubscribe

Instructions for managing your mailing list subscription are provided in the Listserv General Users Guide available at http://www.lsoft.com

Virgilio Calimlim | 18 Jun 04:52 2016
Picon

MQ security

Folks,

There is a global exodus from non-secure FTP to a more secure protocol/file-transfer-utility.
In my group, we are considering MQ along with FTPS and SFTP.

Security-wise, what is the advantage (if any) of MQ with basic security over plain FTP?
Is there any encryption done before data is transferred from the client to the external queue manager?
Is encryption a default setting or optional and still has to be switched on?

I am aware that firewall protection is available for both MQ and FTP but authentication is not performed with MQ basic security.
To be selected, MQ should have its own built-in encryption logic without having to switch on TLS or another encryption tool.

Appreciate any assistance.

Kind regards,
Virgilio Calimlim


List Archive - Manage Your List Settings - Unsubscribe

Instructions for managing your mailing list subscription are provided in the Listserv General Users Guide available at http://www.lsoft.com

Easest way to tell how long MQGETs took on one queue on a z/OS QM

I’ve asked for the last time for the app to record this information. So looking to do it from the MQ infrastructure side.

 

I don’t want an avalanche of data – just a list of MQGETs for a specific queue, and how long each MQGET with Wait took.

 

This is a z/OS queue manager, MQ 7.1, the queue is not a Shared Queue

 

What should I be looking at? Can SMF records be that specific?

 

 

Peter Potkay

 

************************************************************
This communication, including attachments, is for the exclusive use of addressee and may contain proprietary, confidential and/or privileged information.  If you are not the intended recipient, any use, copying, disclosure, dissemination or distribution is strictly prohibited.  If you are not the intended recipient, please notify the sender immediately by return e-mail, delete this communication and destroy all copies.
************************************************************


List Archive - Manage Your List Settings - Unsubscribe

Instructions for managing your mailing list subscription are provided in the Listserv General Users Guide available at http://www.lsoft.com

Fogwill, Henry | 17 Jun 17:55 2016
Picon

MQID mismatch on cluster queue managers

We just had a very strange event happen on a test MQ cluster, and can’t begin to explain how this can be possible. I am hoping to get some feedback from this group to help figure this mystery out.

 

The cluster consist of MQ (v8) on z/OS, MQ Linux (v7.0.1), and MQ (v7.5) on Windows.

 

Somehow all the distributed queue managers started connecting to the full repository on z/OS, and we started getting errors in the CHIN relating to a misdirected repository commands. The error message is CSQX412E. This message list the sender, and target queue manager, and the MQID for the mainframe queue manager was wrong.

 

One of the following happened (1) the mainframe queue manager changed it’s MQID on the fly (2) all distributed queue managers formed an alliance, and decided the mainframe MQID is now different. Neither of these options makes any sense to us.

 

Does anyone know of any, way without creating a new queue manager, to have to MQID change, or if anything can make a queue manager in a cluster decide to use a different MQID to connect to an existing queue manager in a cluster?

 

 

Thanks,

Henry


List Archive - Manage Your List Settings - Unsubscribe

Instructions for managing your mailing list subscription are provided in the Listserv General Users Guide available at http://www.lsoft.com

Jackson, Richard R. | 17 Jun 17:38 2016

Who read my queue (ZOS)

 

 

Is there a way to find out which tranid or batch job read my queue last night  between 16:00 and 16:28.

 

I looked at the log print utility, Qname is not a parm nor is time range.

 

I was think of just turning SMF class 3 on for a few minutes.

 

Any other suggestions?

 

Rich Jackson

 


DTCC DISCLAIMER: This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error, please notify us immediately and delete the email and any attachments from your system. The recipient should check this email and any attachments for the presence of viruses.  The company accepts no liability for any damage caused by any virus transmitted by this email.
List Archive - Manage Your List Settings - Unsubscribe

Instructions for managing your mailing list subscription are provided in the Listserv General Users Guide available at http://www.lsoft.com

Don Thomas | 16 Jun 17:29 2016
Picon

More Cluster Confusion

Good morning Listers,

   I find myself once again in a state of confusion regarding some cluster behavior. Here is the background:

I have a 5 queue manager cluster. Two run on z/OS and each holds a FR. The other 3 run on Solaris servers
On each of the z/OS queue managers there is a local clustered reply queue.
On each Solaris queue manager there is a local clustered request queue.

This is the process:

An application on z/OS puts a message to the cluster request queue that resides on a Solaris queue manager. The z/OS app populates the reply to queue  and reply to queue manager fields in the message header.

The application on Solaris gets the message, does it's thing and puts the reply to queue name and queue manager name from the header of the request on the reply message.

All straight forward, I know. But here is what has me scratching my head. From either z/OS FR queue manager, I can see all of the clustered queues from all of the  queue mangers.Both the request queues and reply queues. However, from the Solaris PR queue managers I can only see the clustered request queues on the other PR queue managers. I do not see the clustered reply queues on the z/OS queue managers. So how do the queue managers on Solaris successfully do a put to a queue that I cannot see? There are only cluster channels running between these queue managers so it's not a default to an xmitq with the same queue manager name type behavior. Does it default to a CLUSSDR channel that has the same queue manager name as the reply to queue manager and trust that the remote queue manager will be able identify the destination queue? I'm also puzzled as to why I cannot see the reply queues on the FRs from the PRs.

Any thoughts?

Thanks,
Don

List Archive - Manage Your List Settings - Unsubscribe

Instructions for managing your mailing list subscription are provided in the Listserv General Users Guide available at http://www.lsoft.com

MQ Activity Recording - A way to get time stamps for a message as it hops from QM to QM?

Application Activity Trace, at MQ 7.5, does not allow us to only gather info on a specific queue or set of queues.

 

Looking at Activity Recording, it looks like if I ask the application to specify MQRO_ACTIVITY in the Report field, and set the Queue Manager parameter ACTIVREC to "QUEUE" , the QM will generate activity reports the local system queue SYSTEM.ADMIN.ACTIVITY.QUEUE.

http://www.ibm.com/support/knowledgecenter/SSFKSJ_7.5.0/com.ibm.mq.mon.doc/q036630_.htm

 

 

It seems to me this is a relatively simple way to get a bread crumb trail of how long the message spent at each QM and inside each app as it hops QM to QM, App1 to WMB to App2 back to WMB back to App1. And I will only need to deal with the event messages for this one specific message, instead of a the tidal wave of info that trace or Application Activity Trace drowns me in.

 

Is this a correct assumption of how Activity Recording can work? If yes, I wonder why the manuals don’t mention this use case – seems like powerful stuff.

 

I searched in vain for a presentation on Activity Recording – perhaps my Google fu is not up to par today. Any pointers?

 

 

(Yeah, another “MQ is slow! Prove otherwise. ” kinda day - sigh)

 

 

Peter Potkay

 

************************************************************
This communication, including attachments, is for the exclusive use of addressee and may contain proprietary, confidential and/or privileged information.  If you are not the intended recipient, any use, copying, disclosure, dissemination or distribution is strictly prohibited.  If you are not the intended recipient, please notify the sender immediately by return e-mail, delete this communication and destroy all copies.
************************************************************


List Archive - Manage Your List Settings - Unsubscribe

Instructions for managing your mailing list subscription are provided in the Listserv General Users Guide available at http://www.lsoft.com

Charley Rich | 15 Jun 15:39 2016

TechTalk Today at 11AM EST: 3 Ways to Solve DataPower Issues that Impact Applications

Register for our TechTalk Today at 11AM EST: 

3 Ways to Solve DataPower Issues that Impact Applications

http://www.nastel.com/gain-insight-into-datapower-performance-and-its-impact-on-applications

Here's how:

    Monitor the health and performance of DataPower appliances
    Track business transactions that flow through DataPower
    Proactively diagnose DataPower Performance

Benefits:

    End-to-end visualization of apps, transactions and infrastructure
    Reduced MTTR — no need for a war room meeting to decide what to fix
    Instant detection of actual or potential problems impacting applications

To unsubscribe, write to LISTSERV@... and,
in the message body (not the subject), write: SIGNOFF MQSERIES
Paul Clarke | 15 Jun 04:18 2016
Picon

MO71 Version 9.0 now available.

Hi,

 

MQGem Software is pleased to announce that MO71 Version 9.0.0 is now available for download here http://www.mqgem.com/mo71_download.html Our many thanks to those who helped with Beta testing and offering suggestions for features in this release.

 

The main features of this release are:

 

  • Support for IBM MQ V9.0 (Command Level 900)
  • Exporting lists now has a new 'All Fields' checkbox
  • Changing multiple objects can now belong to different Queue Managers
  • Support of CCDT URL
  • New Buffer Pool and Page Set dialogs
  • Ability to define, update and delete AMS Protection Policies
  • Show last monitor time on main window
  • Changing multiple objects is reflected in the dialog title bar

 

As before, any current licensed users of MO71 can run the new version on their existing licence. If you don’t have a licence and would like to try out MO71 please send a note to support-PvZknbXPofMAvxtiuMwx3w@public.gmane.org and a 1-month trial licence will be sent to you.

 

As always I welcome any comments or suggestions,

 

Cheers,

Paul.


List Archive - Manage Your List Settings - Unsubscribe

Instructions for managing your mailing list subscription are provided in the Listserv General Users Guide available at http://www.lsoft.com

Roger Lacroix | 15 Jun 00:13 2016

MQ Labs at MQTC v2.0.1.6

All,

Lyn Elkins of IBM and her team are generously hosting MQ Labs at MQTC 
v2.0.1.6. The lab will have 10-12 PCs/laptops with IBM MQ running on 
them. The labs will be free-format. Attendees will be able to use the 
lab when they have free time.

MQ Labs:

- Monday 8:30AM to 5:00PM in Booth 7 (next to the Aloeswood room)
- Tuesday 8:30AM to 12:00PM (noon) in Booth 7 (next to the Aloeswood room)

For more information about MQTC, please go to: 
http://www.mqtechconference.com

Regards,
Roger Lacroix
Capitalware Inc.

To unsubscribe, write to LISTSERV@... and,
in the message body (not the subject), write: SIGNOFF MQSERIES

Gmane