Hi,
i'm struggling with using a new userid in a windows 10 pro environment. And i hope you can help me with my problem.
I know there are a lot of thread with the same error, but i couldn't find my solution.
I have a 'MQ-Series' group with the name mqclient. In this group i will connect all the users which should work with the new queue manager and objects.
Lets define some Names:
windows group: mqclient
windows root-user: proroot (that is the Windows-Admin and Installer of MQ)
windows normal user1: app
windows normal user2: mquser
other/more users will be necessary
As 'proroot' i had made the following definitions in MQ:
crtmqm QM1
strmqm QM1
STOP LISTENER('SYSTEM.DEFAULT.LISTENER.TCP') IGNSTATE(YES)
DEFINE QLOCAL('DEV.QUEUE.1') REPLACE
DEFINE QLOCAL('DEV.QUEUE.2') REPLACE
DEFINE QLOCAL('DEV.QUEUE.3') REPLACE
DEFINE QLOCAL('DEV.DEAD.LETTER.QUEUE') REPLACE
ALTER QMGR DEADQ('DEV.DEAD.LETTER.QUEUE')
DEFINE TOPIC('DEV.BASE.TOPIC') TOPICSTR('dev/') REPLACE
DEFINE AUTHINFO('DEV.AUTHINFO') AUTHTYPE(IDPWOS) CHCKCLNT(REQDADM) CHCKLOCL(OPTIONAL) ADOPTCTX(YES) REPLACE
ALTER QMGR CONNAUTH('DEV.AUTHINFO')
REFRESH SECURITY(*) TYPE(CONNAUTH)
DEFINE CHANNEL('DEV.ADMIN.SVRCONN') CHLTYPE(SVRCONN) REPLACE
DEFINE CHANNEL('DEV.APP.SVRCONN') CHLTYPE(SVRCONN) MCAUSER('app') REPLACE
SET CHLAUTH('*') TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(NOACCESS) DESCR('Back-stop rule - Blocks everyone') ACTION(REPLACE)
SET CHLAUTH('DEV.APP.SVRCONN') TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(CHANNEL) CHCKCLNT(REQUIRED) DESCR('Allows connection via APP channel') ACTION(REPLACE)
SET CHLAUTH('DEV.ADMIN.SVRCONN') TYPE(BLOCKUSER) USERLIST('nobody') DESCR('Allows admins on ADMIN channel') ACTION(REPLACE)
SET CHLAUTH('DEV.ADMIN.SVRCONN') TYPE(USERMAP) CLNTUSER('admin') USERSRC(CHANNEL) DESCR('Allows admin user to connect via ADMIN channel') ACTION(REPLACE)
DEFINE LISTENER('DEV.LISTENER.TCP') TRPTYPE(TCP) PORT(1414) CONTROL(QMGR) REPLACE
START LISTENER('DEV.LISTENER.TCP') IGNSTATE(YES)
setmqaut -m QM1 -t qmgr -g mqclient +connect +inq
setmqaut -m QM1 -n DEV.** -t queue -g mqclient +put +get +browse +inq
Everything is local on windows.
In DOS-Box i can now:
set MQSERVER=DEV.APP.SVRCONN/TCP/localhost(1414)
set MQSAMP_USER_ID=app
amqsputc DEV.QUEUE.1 QM1
==> THIS WORKS FINE!!! and i can append messages.
But when i set in the same DOS-Box
set MQSAMP_USER_ID=mquser
amqsputc DEV.QUEUE.1 QM1
i entered the password, i received 'MQCONNX ended with reason code 2035'.
In my opinion the advantage of windows-groups will be to grant one group and to
connect many users in this group without thinking twice of rights in MQ.
But this doesn't work.
How can i solve this Problem. Hope you can help me.
Thanks alot.
OlliP
==> SOLUTION: i've read the hole day and found the solution for that problem....
If someone changes a user or a group in windows, then you can only work with the changed rights after logging on to Windows again.
A restart from the queue manager and / or MQ Explorer is not sufficient. A new DOS box is not enough!
It's very simple, but you don't think it works. But it's just Windows.
i'm struggling with using a new userid in a windows 10 pro environment. And i hope you can help me with my problem.
I know there are a lot of thread with the same error, but i couldn't find my solution.
I have a 'MQ-Series' group with the name mqclient. In this group i will connect all the users which should work with the new queue manager and objects.
Lets define some Names:
windows group: mqclient
windows root-user: proroot (that is the Windows-Admin and Installer of MQ)
windows normal user1: app
windows normal user2: mquser
other/more users will be necessary
As 'proroot' i had made the following definitions in MQ:
crtmqm QM1
strmqm QM1
STOP LISTENER('SYSTEM.DEFAULT.LISTENER.TCP') IGNSTATE(YES)
DEFINE QLOCAL('DEV.QUEUE.1') REPLACE
DEFINE QLOCAL('DEV.QUEUE.2') REPLACE
DEFINE QLOCAL('DEV.QUEUE.3') REPLACE
DEFINE QLOCAL('DEV.DEAD.LETTER.QUEUE') REPLACE
ALTER QMGR DEADQ('DEV.DEAD.LETTER.QUEUE')
DEFINE TOPIC('DEV.BASE.TOPIC') TOPICSTR('dev/') REPLACE
DEFINE AUTHINFO('DEV.AUTHINFO') AUTHTYPE(IDPWOS) CHCKCLNT(REQDADM) CHCKLOCL(OPTIONAL) ADOPTCTX(YES) REPLACE
ALTER QMGR CONNAUTH('DEV.AUTHINFO')
REFRESH SECURITY(*) TYPE(CONNAUTH)
DEFINE CHANNEL('DEV.ADMIN.SVRCONN') CHLTYPE(SVRCONN) REPLACE
DEFINE CHANNEL('DEV.APP.SVRCONN') CHLTYPE(SVRCONN) MCAUSER('app') REPLACE
SET CHLAUTH('*') TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(NOACCESS) DESCR('Back-stop rule - Blocks everyone') ACTION(REPLACE)
SET CHLAUTH('DEV.APP.SVRCONN') TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(CHANNEL) CHCKCLNT(REQUIRED) DESCR('Allows connection via APP channel') ACTION(REPLACE)
SET CHLAUTH('DEV.ADMIN.SVRCONN') TYPE(BLOCKUSER) USERLIST('nobody') DESCR('Allows admins on ADMIN channel') ACTION(REPLACE)
SET CHLAUTH('DEV.ADMIN.SVRCONN') TYPE(USERMAP) CLNTUSER('admin') USERSRC(CHANNEL) DESCR('Allows admin user to connect via ADMIN channel') ACTION(REPLACE)
DEFINE LISTENER('DEV.LISTENER.TCP') TRPTYPE(TCP) PORT(1414) CONTROL(QMGR) REPLACE
START LISTENER('DEV.LISTENER.TCP') IGNSTATE(YES)
setmqaut -m QM1 -t qmgr -g mqclient +connect +inq
setmqaut -m QM1 -n DEV.** -t queue -g mqclient +put +get +browse +inq
Everything is local on windows.
In DOS-Box i can now:
set MQSERVER=DEV.APP.SVRCONN/TCP/localhost(1414)
set MQSAMP_USER_ID=app
amqsputc DEV.QUEUE.1 QM1
==> THIS WORKS FINE!!! and i can append messages.
But when i set in the same DOS-Box
set MQSAMP_USER_ID=mquser
amqsputc DEV.QUEUE.1 QM1
i entered the password, i received 'MQCONNX ended with reason code 2035'.
In my opinion the advantage of windows-groups will be to grant one group and to
connect many users in this group without thinking twice of rights in MQ.
But this doesn't work.
How can i solve this Problem. Hope you can help me.
Thanks alot.
OlliP
==> SOLUTION: i've read the hole day and found the solution for that problem....
If someone changes a user or a group in windows, then you can only work with the changed rights after logging on to Windows again.
A restart from the queue manager and / or MQ Explorer is not sufficient. A new DOS box is not enough!
It's very simple, but you don't think it works. But it's just Windows.
