cancel
Showing results for 
Search instead for 
Did you mean: 

MQ Series security needs

Former Member
0 Kudos

Apoliogies for any non PI wording, I'm from MQ side.

PI is trying to connect to our MQ instance and if no MQ oam security is in place thats working fine for JMS and non JMS compliant both reading and writing.

We have to add a security layer in MQ to restrict the connection to certian objects. Problem is that nobody can so far pinpoint what those objects are.

We granted MQ rights to the queues and queue managers for the user id and that user id is specified in the channel definition.

The MQ side would then reject inquire requests for queue SYSTEM.DEFAULT.MODEL.QUEUE and we added that as it would do no harm to us. Now, although the svrconn channel comes up the PI channel gets a mqjms2008 - 2035 error.

We'd like to know what its trying to do so we can help but docuemntation at this level is limited - from what I've found so far.

At a guess I think might be trying to create dynamic queues which I'd understand if it was a request/reply scenario, but it isn't

Can anyone help with either a detail technical link for this adapter or with experience of having doen it before.

Thanks

Tim

Edited by: BramhallTim on Sep 16, 2009 9:38 AM

Accepted Solutions (0)

Answers (3)

Answers (3)

Former Member
0 Kudos

Hi

We had the oam setup as suggested but got the additional error message.

Suddenly the 2035 went away and PI was connecitng - PI says it made no changes - one of those mytery fixes.

Thanks for your input.

Tim

agasthuri_doss
Active Contributor
0 Kudos

Tim,

>channel comes up the PI channel gets a mqjms2008 - 2035 error.

It is a security error, Check whether it permit that ID to access the queue.

Cheers

Agasthuri

Former Member
0 Kudos

As has been said its a security error, do you know which objects the PI channel is trying to access, if not as per my previous post check your mq error logs.

Former Member
0 Kudos

You need a server conn channel with an appropriate MCA, i.e. not a user in the mqm group. Configure your JMS adapter to connect to the queue manager on that channel. Set up the appropriate OAM on the desired objects and you are up and running.

If you are getting authorisation errors once the OAM has been set up, do you get errors in the mq error log? In addition you should be able to increase the trace level within both MQ and PI?