Can I change MQ Object Authority when it stopped - ibm-mq

I have some stopped QMGRs. When I try to start them or delete them from MQ Explorer, I encounter this error:
AMQ7077: You are not authorized to perform the requested operation.
exitvalue=119
How can I change or remove the restrictions on this object?

You can start or delete a queue manager via the MQ Explorer too, so long as the queue manager and MQ Explorer are running on the same machine/installation. You must ensure that the MQ Explorer is running under an mqm user ID, just as you needed to do run the strmqm or dltmqm commands.

I figured it out that I can do this by command STRMQM 'qmName' or DLTMQM 'qmName' as an alternative to using MQ Explorer.

Related

IBM MQ service on Windows not starting

What's the difference of amqsvc and strmqsvc?
I have installed IBM MQ and configured for multi instance. It uses amqsvc.exe to start the service as installed, the service is logon from a domain account, and the account is a member of group mqm.
It was working fine but yesterday for some unknown reason the service is not starting properly, here is what happened:
when amqsvc is run on automatic or manual, amqzxma0 runs on full cpu usage until timeout and windows prompted the service not starting with error 1053, but the MQ service is started, then I tried to start the queue manager but fail to start, however it can be started on interactive.
However I can start the service fine with strmqsvc and can start the queue manager normally. So what's the difference between these two and what is the problem behind it?
amqsvc is the actual windows service.
strmqsvc is the command used to start the above service.
The IBM v7.5 Knowledge Center documents the error 1053 as:
Windows: amqmsrvn.exe process removed
The amqmsrvn.exe DCOM process was replaced by a Windows service,
amqsvc.exe, in Version 7.1. This change is unlikely to cause any
problems. However, you might have to make some changes. You might have
configured the user that runs the IBM® WebSphere® MQ Windows service
MQSeriesServices without the user right to Log on as a service.
Alternatively, the user might not have List Folder privilege on all the subdirectories from the root of the drive to the location of the
service amqsvc.exe.
If you omitted the Log on as a service user privilege, or one of
the subdirectories under which IBM WebSphere MQ is installed does not
grant the List Folder privilege to the user, the MQ_InstallationName
IBM WebSphere MQ Windows services in Version 7.5 fails to start.
...
If you did not give the user the List Folder privilege, the Windows Service Control Manager adds an event: 7009: Timed out waiting for the
service to connect. The strmqsvc command reports error 1053.
Ensure that you have provided List Folder privilege on all the subdirectories from the root of the drive to the location of the service amqsvc.exe. This should resolve the issue.

An unexpected error (2063) occurs when I connect to my queue manager

I'm looking to setup a Queue Manager Using WebSphere MQ V7 MQ Explorer.
After Creating my Queue Manager, normally I expect that some sub directories are automatically generated under it, "Queues", "Topics", "Channels" .. as illustrated in the photo below.
In my case, no sub directories are generated, as illustrated below in the second snapshot.
PS: the status of my Queue manager is : Running but disconnected from WebSphere MQ Explorer.
When I right-click on the QMgr Name and choose Connect, I get "An unexpected error (2063) has occurred (AMQ4999)"
Could you advise please about a possible cause of this behavior ?
Administrative tools -> Local Security Policy -> Local Policies -> User Rights Assignment -> Log on as a service -> Properties -> add your user here
Same problem with MQ v9 and i solved it this way.
Go to control panel – Administrative tools
Control Panel\All Control Panel Items\Administrative Tools
Local
Inside Local Security Policy
Enter your domain user name then click check names – finalize by clicking ok. Then apply.
Now the domain user can log on as a service – Now open the services running on your machine.
Double click on the MQ service – then go on log on tab
Then apply click okay button – from the restart your machine for the changes to take effect
Finally open WebSphere MQ Explorer as admin - queue manager should be able to connect
Same issue with MQ 9.0 installed on Windows 10 EE.
(Run as Administrator) secpol.msc /s
(open) Local Policies > User Rights Assignment > Log on as a service
then add your User. Same user should be used for "IBM MQ (Installation1)" (Properties> Log On), installation default (when you do not setup the Domain Policy during installation) is MUSR_MQADMIN.
(Maybe you can try to run "MQ Explorer" as MUSR_MQADMIN user, but it's password is automatically generated during the installation. It's possible to change it, but it doesn't seem to be a safer against the using local account to run the MQ service)

can not create queue for QManager

I encountered a really wired problem. I have successfully install Websphere MQ on my windows machine and want to create QManager and Queue to connect to a remote Qmanager server. I have already created a QManager as you can see in the picture below. However, when I tried to create a queue for this QManager, I could not find any expand button as the IBM tutorial mentioned.
I have already tried to create a queue with MQSC but when I run runmqsc in the command prompt with administrator user, it shows AMQ8135: Not Authorized error!
Check your error logs (AMQERR01.LOG) for an explanation of why AMQ8135 was returned to the client - for security reasons clients aren't given more information and so you have to go to the logs to get the detail.
I suspect the user you're running MQ Explorer and runmqsc as isn't in the 'mqm' group, or is otherwise not authorised to connect to the queue manager.
Run your IBM MQ Explorer as administrator and it will solve most of the issues.

Websphere MQ Managed File Transfer Agents

I’m new to MQ. I have successfully installed WebSphere MQ, setup the queue managers, queues and channels between the queue managers. I have set up agents and I can start, stop and successfully ping the agents but the agents are not listed as shown on the attached screen shot. I have been trying to make the agents work so that I can test file transfer and set it up in our environment.
I even tried to create new coordination and command queue managers and no luck. I even tried the fteListAgents -p (coordination queue manager) and -v
I will really appreciate all the help I can get.
What is the user id you are logged into machine as? Is it Administrator (on Windows)? If so you may be hitting the 12 character user id issue. Administrator is 13 character long and the 'r' at the end may be getting chopped off. I recommend you to look at this troubleshooting link.
If your windows user id is longer than 12 character, check this out:
1) Agents are started, but MQ Explorer agent list is empty?
2) Check under Queuemanager->YOURQM->Subscriptions -> User. Do you see your windows user name truncated to 12 characters?
3) Create a new windows user, with the user name as the 12 characters trancated user.
4) Add this 12 characters username to the Admin group.
MQ FTE used the queued PubSub mechanism. Usually this problem happens because the ID being used doesn't have access to publish. The procedure to diagnose this is as follows:
Download the MS0P SupportPac and install it into WMQ Explorer.
Enable authorization events on the Coordination Qmgr.
Stop and restart an agent or two.
Open MQ Explorer to the queues panel and find the SYSTEM.ADMIN.QMGR.EVENT queue.
Right click on the queue and select "Format Event Messages."
You should find some auths errors.
If the problem is authorization failures MS0P will tell you exactly which ID MQ thinks was used, the API call that failed and the object it failed on.

How might I delete selected alias queues in IBM Websphere's Queue Manager?

How might I delete selected alias queues in IBM Websphere's Queue Manager?
If you have a local sign-on to the server where MQ lives you can use the runmqsc facility to issue delete commands:
runmqsc qmgrname
delete qa(qalias.name)
You can use WebSphere MQ Explorer to remotely delete the QAliases in a graphical user interface.
You can use PCF commands in a custom application to issue delete against the queue.
For any of these, the ID connected to the queue manager must either be in the mqm group or have been granted rights to delete the queue. If the PCF commands are used (WMQ Explorer or custom code) the ID used must also have been granted access to put messages to SYSTEM.ADMIN.COMMAND.QUEUE or be in the mqm group. There are other GUI clients and applications available but they all rely on the same methods I've outlined here - direct access to runmqsc or ability to put to the command queue.
WebSphere MQ Explorer is available fore free download as SupportPac MS0T. (The main SupportPacs landing page is here.
The manual for PCF commands is here.

Resources