Can create WebSphere queue manager but cannot connect
I need to write a .Net connector to WebSphere MQ queues so I've installed a trial version of IBM WebSphere MQ on my Windows 7 machine. I initially set up some dummy queues in MQ Explorer to play with the setup process and I was able to connect to those queue managers and create queues. I deleted those dummy queues and followed the first set of instructions from Lesson 1.1 from IBM here where I created some queues from the command line.
I failed to run Lesson 1.2 because of security issues, and I now cannot connect to any queue managers in MQ Explorer. When I try to connect I get the error message
An unexpected error (2063) has occurred. (AMQ4999)
- I am local admin on my machine.
- I've added myself to the mqm group that was created
- I've run the MQ Explorer both with and without the 'Run as Administrator' option
- I've uninstalled MQ and re-installed it
- I've rebooted several times
I've also noticed that when I create a queue manager in MQ Explorer, the last part fails with AMQ8135: Not authorized. (see output below)
Is there something obvious that I am missing?
Is there some way that I can work out what the problem is myself - the log files don't seem to give me any idea where to look
****************************************
* Command: "C:\Program Files (x86)\IBM\WebSphere MQ\bin\crtmqm" -sa QM1
****************************************
There are 90 days left in the trial period for this copy of WebSphere MQ.
WebSphere MQ queue manager created.
Directory 'C:\Program Files (x86)\IBM\WebSphere MQ\qmgrs\QM1' created.
The queue manager is associated with installation 'Installation2'.
Creating or replacing default objects for queue manager 'QM1'.
Default objects statistics : 74 created. 0 replaced. 0 failed.
Completing setup.
Setup completed.
exitvalue = 0
****************************************
* Command: "C:\Program Files (x86)\IBM\WebSphere MQ\bin\strmqm" QM1
****************************************
There are 90 days left in the trial period for this copy of WebSphere MQ.
WebSphere MQ queue manager 'QM1' starting.
The queue manager is associated with installation 'Installation2'.
5 log records accessed on queue manager 'QM1' during the log replay phase.
Log replay for queue manager 'QM1' complete.
Transaction manager state recovered for queue manager 'QM1'.
WebSphere MQ queue manager 'QM1' started using V7.1.0.0.
exitvalue = 0
****************************************
* Command: "C:\Program Files (x86)\IBM\WebSphere MQ\bin\runmqsc" QM1
* Input: DEFINE LISTENER('LISTENER.TCP') TRPTYPE(TCP) PORT(1414) CONTROL(QMGR)
****************************************
5724-H72 (C) Copyright IBM Corp. 1994, 2011. ALL RIGHTS RESERVED.
Starting MQSC for queue manager QM1.
AMQ8135: Not authorized.
No MQSC commands read.
No commands have a syntax error.
All valid MQSC commands were processed.
exitvalue = 20
Comments (4)
If you have a recent trial version of WMQ then you are working with a v7.1 QMgr. As of v7.1 WMQ will allow only non-privileged remote connections. In order to connect with an administrator account, it will be necessary to either disable the restrictions or, better yet, to define a new channel for the administrative connection and authenticate it.
With Windows the biggest issue is that WMQ authenticates domain IDs and must look up their groups. One very common problem when running WMQ in a corporate environment is that it attempts to look up an ID or group and does not have the domain rights to do so. Domain accounts, even those with local admin rights, often fail because they don't have access to inquire in the domain SAM to do group lookups. There's a whole section in the Infocenter here describing the requirements for Windows accounts.
One workaround for this for dev environments only is to create a local administrator's account, then log on with that and create the QMgr. Or make sure that the default account MUSR_MQADMIN has local admin rights and login rights. Again, you must actually log in with the account to make this work because that way there is never a requirement to look up an account in Active Directory because it all hits the local SAM database. Again, this is just for development! In Production you'd want to use a real domain account and grant it the correct access rights to do SAM lookups but NOT make it a local admin, as described in the Infocenter section linked above.
Assuming that you have succeeded in creating the QMgr, next create a new channel and authorize it to accept your local connections using the admin account:
Now you have a channel that will accept local connections ONLY, map these to an administrative account and then override the security that prevents administrative accounts from connecting remotely. Using the admin account means that no queue or QMgr authorizations are required and the account being a local admin means that there are no domain lookup issues. The MCAUSER('MUSR_MQADMIN') converts every remote ID to the local admin ID so that WMQ doesn't need to look up the remote IDs. The mapping rule restricts connections to the local host only. Anyone who can connect to the channel will have local admin on the box with the ability to remotely execute OS code so if you wanted to accept connections from other users, authenticating them with certificates would be recommended.
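The channel setup described in the answer above could look like the following MQSC, entered through runmqsc against the queue manager. This is an added example, not the answer author's original commands; the channel name ADMIN.LOCAL.SVRCONN is a hypothetical placeholder, and 127.0.0.1 is assumed to be the address local clients connect from.

```mqsc
* Added example, not from the original answer. Development use only,
* as the answer stresses. ADMIN.LOCAL.SVRCONN is a hypothetical name.

* Server-connection channel whose connections run as the MQ service account.
DEFINE CHANNEL('ADMIN.LOCAL.SVRCONN') CHLTYPE(SVRCONN) TRPTYPE(TCP) +
       MCAUSER('MUSR_MQADMIN') REPLACE

* Refuse every source address on this channel by default.
SET CHLAUTH('ADMIN.LOCAL.SVRCONN') TYPE(ADDRESSMAP) ADDRESS('*') +
    USERSRC(NOACCESS) ACTION(REPLACE)

* The more specific rule wins: accept loopback only and map it to the
* administrative account, so no remote ID has to be looked up.
SET CHLAUTH('ADMIN.LOCAL.SVRCONN') TYPE(ADDRESSMAP) ADDRESS('127.0.0.1') +
    USERSRC(MAP) MCAUSER('MUSR_MQADMIN') ACTION(REPLACE)

* Override the default v7.1 rule that blocks administrative users
* (USERLIST('*MQADMIN') on all channels) for this one channel only.
SET CHLAUTH('ADMIN.LOCAL.SVRCONN') TYPE(BLOCKUSER) USERLIST('nobody') +
    ACTION(REPLACE)

* Review the resulting rules before connecting MQ Explorer.
DISPLAY CHLAUTH('ADMIN.LOCAL.SVRCONN') ALL
```

Because every connection on this channel acts as a local administrator, the address rule is the only access control here; widening it beyond loopback calls for the certificate authentication the answer recommends.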
You may want to read this post by T.Rob here. Also other security related posts from him, they are very helpful.
I had a similar problem. My office desktop is running Windows XP 32 bit and my project required me to install Websphere MQ 7 (WMQ) on local.
Having local admin rights on my PC I was able to install WMQ without domain controller option configuration and add a queue manager but was not able to add any local queues.
Upon checking the error logs I found that my user id is not having enough permission.
So the fix is - verify your login id is part of Administrators group on your domain.
Go to control-->user accounts to check your user id.
If you have local admin rights on your pc then you can add your user id as a part of Administrator group.
Now delete the previously created queue manager.
Restart WMQ & create the queue manager again.
You should now see all the options for adding local queues, topics etc. under the newly created queue manager.
An unexpected error (2063) has occurred. (AMQ4999)
The above error can occur also because of the permission issue, check with the Groups permission and add the users