MQ

  • 1.  How can I authenticate DataDog agent to IBM MQ?

    Posted Thu August 18, 2022 04:23 PM

    Context

    I am trying to integrate IBM MQ with DataDog following [this][1] documentation.
    However, the DataDog agent fails to authenticate.

    # What's not working
    When running datadog-agent status I am getting:
    ```
    $ datadog-agent status
    ...
    ibm_mq (3.22.0)
    ---------------
    Instance ID: ibm_mq:5d5551cfb3b60a9a [WARNING]
    Configuration Source: file:/etc/datadog-agent/conf.d/ibm_mq.d/conf.yaml
    Total Runs: 10
    Metric Samples: Last Run: 2, Total: 20
    Events: Last Run: 0, Total: 0
    Service Checks: Last Run: 5, Total: 50
    Average Execution Time : 16ms
    Last Execution Date : 2022-08-17 12:21:28 UTC (1660738888000)
    Last Successful Execution Date : 2022-08-17 12:21:28 UTC (1660738888000)

    Warning: Error getting queue stats for TEST_TOM: MQI Error. Comp: 2, Reason 2035: FAILED: MQRC_NOT_AUTHORIZED
    Warning: Error getting pcf queue status for TEST_TOM: MQI Error. Comp: 2, Reason 2035: FAILED: MQRC_NOT_AUTHORIZED
    Warning: Error getting pcf queue reset metrics for TEST_TOM: MQI Error. Comp: 2, Reason 2035: FAILED: MQRC_NOT_AUTHORIZED
    ```

    Configurations

    To help you help me I will list some of my configurations below.

    Note that for testing purposes (and as a desperate attempt), I added a "dd-agent" user to the mqm group, which is the group that runs the IBM MQ process (as recommended by the documentation [here][2])
    user
    ```
    $ cat /etc/passwd | grep "\(mqm\|dd-agent\)"
    ...
    mqm:x:999:1001::/var/mqm:
    dd-agent:x:113:118::/opt/datadog-agent:/usr/sbin/nologin

    $ cat /etc/group | grep "\(mqm\|dd-agent\)"
    ...
    mqm:x:1001:dd-agent
    dd-agent:x:118:dd-agent
    ```
    systemd
    ```
    $ cat /lib/systemd/system/datadog-agent.service
    ...
    [Unit]
    Description=Datadog Agent
    After=network.target
    Wants=datadog-agent-trace.service datadog-agent-process.service datadog-agent-sysprobe.service datadog-agent-security.service

    [Service]
    Type=simple
    PIDFile=/opt/datadog-agent/run/agent.pid
    User=dd-agent
    Restart=on-failure
    ExecStart=/opt/datadog-agent/bin/agent/agent run -p /opt/datadog-agent/run/agent.pid
    # Since systemd 229, should be in [Unit] but in order to support systemd <229,
    # it is also supported to have it here.
    StartLimitInterval=10
    StartLimitBurst=5

    [Install]
    WantedBy=multi-user.target
    ```
    ibm_mq.d/conf.yaml
    ```
    $ cat conf.d/ibm_mq.d/conf.yaml
    ...
    init_config:

    instances:
      - queue_manager: QM.FOO.STAGING
        channel: QM.FOO.STAGING.APP
        host: 11.11.111.1
        port: 2514
        auto_discover_queues: false
        queues:
          - TEST_TOM
    ```

    # How I verified if I have the right access
    ```
    $ su - mqm
    $ dspmqaut -m QM.FOO.STAGING -t qmgr -p dd-agent
    ...
    Entity dd-agent has the following authorizations for object QM.FOO.STAGING:
    inq
    set
    connect
    altusr
    crt
    dlt
    chg
    dsp
    setid
    setall
    ctrl
    system

    $ dspmqaut -m QM.FOO.STAGING -t queue -n "TEST_TOM" -p dd-agent
    ...
    Entity dd-agent has the following authorizations for object TEST_TOM:
    get
    browse
    put
    inq
    set
    crt
    dlt
    chg
    dsp
    passid
    passall
    setid
    setall
    clr

    $ dspmqaut -m QM.FOO.STAGING -t channel -n QM.FOO.STAGING.APP -p dd-agent
    ...
    Entity dd-agent has the following authorizations for object QM.FOO.STAGING.APP:
    crt
    dlt
    chg
    dsp
    ctrl
    ctrlx
    ```

    Versions

    IBM MQ version:
    ```bash
    $ /opt/mqm/bin/dspmqver
    ...
    Name: IBM MQ
    Version: 9.0.4.0
    Level: p904-L171031.DE
    BuildType: IKAP - (Production)
    Platform: IBM MQ for Linux (x86-64 platform)
    Mode: 64-bit
    O/S: Linux 4.4.0-1113-aws
    InstName: Installation1
    InstDesc:
    Primary: Yes
    InstPath: /opt/mqm
    DataPath: /var/mqm
    MaxCmdLevel: 904
    LicenseType: Developer
    ```
    DataDog agent version:
    ```bash
    $ datadog-agent status
    ...
    =============
    Process Agent
    =============

    Version: 7.38.2
    Status date: 2022-08-17 12:13:42.363 UTC (1660738422363)
    Process Agent Start: 2022-08-17 10:23:50.682 UTC (1660731830682)
    Pid: 17213
    Go Version: go1.17.11
    Build arch: amd64
    Log Level: DEBUG
    Enabled Checks: [process rtprocess]
    Allocated Memory: 12,617,008 bytes
    Hostname: i-081a004251a122513
    ```

    OS version:
    ```bash
    $ cat /etc/os-release
    ...
    NAME="Ubuntu"
    VERSION="16.04.6 LTS (Xenial Xerus)"
    ID=ubuntu
    ID_LIKE=debian
    PRETTY_NAME="Ubuntu 16.04.6 LTS"
    VERSION_ID="16.04"
    HOME_URL="http://www.ubuntu.com/"
    SUPPORT_URL="http://help.ubuntu.com/"
    BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"
    VERSION_CODENAME=xenial
    UBUNTU_CODENAME=xenial
    ```

    Happy to provide further information if needed

    [1]: https://docs.datadoghq.com/integrations/ibm_mq/?tab=host
    [2]: https://www.ibm.com/docs/en/ibm-mq/7.5?topic=systems-managing-mqm-group

    ------------------------------
    I M
    ------------------------------


  • 2.  RE: How can I authenticate DataDog agent to IBM MQ?

    Posted Thu August 18, 2022 04:55 PM

    Anything noticed in the queue manager error logs?



    ------------------------------
    Nishchal Gahoi
    ------------------------------



  • 3.  RE: How can I authenticate DataDog agent to IBM MQ?

    Posted Thu August 18, 2022 05:25 PM
    Hello,

    I can see that Datadog connects in MQ client mode via the QM.FOO.STAGING.APP channel.
    Once on the Queue Manager, the rights of the account used are not sufficient: "Comp: 2, Reason 2035: FAILED: MQRC_NOT_AUTHORIZED"
    You should check under which account Datadog launches its actions on the Queue Manager side.
    In a SVRCONN channel, the user account sent by the MQ client can be overloaded, either statically via the MCAUSER parameter, or dynamically via a CHLAUTH.
    It is possible that as a result of this overloading, the actual account is no longer dd-agent, but another account that does not have enough MQ rights.
    The quickest way is to look in the var/mqm/qmgrs/<qm_name>/errors/amqerr01.log file and search for AMQ8077 messages.
    The user account used by DD and the missing MQ rights will be in the message.
    Also check that a REFRESH SECURITY (or a restart of the Queue Manager) has been done since the dd-agent account was attached to the mqm group.

    HTH, LMD.

    ------------------------------
    Luc-Michel Demey
    DEMEY CONSULTING
    lmd@demey-consulting.fr
    #IBMChampion
    ------------------------------
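
Added example (not part of the thread): the error-log check suggested in reply 3, as a shell function that pulls the entity, object and missing permissions out of AMQ8077 entries. The sample entry and the account name `appsvc` are constructed, and the entry layout is assumed to match the usual amqerr01.log format.

```shell
# Added example: summarise AMQ8077 entries from a queue manager error log as
# "entity|object|missing permissions", one line per distinct combination.
amq8077_summary() {
  awk '
    # Text between the first "start" and the following "stop" in s.
    function field(s, start, stop,   i, rest, j) {
      i = index(s, start); if (!i) return ""
      rest = substr(s, i + length(start))
      j = index(rest, stop)
      return j ? substr(rest, 1, j - 1) : rest
    }
    # Entries wrap over several lines, so parse the joined entry text.
    function emit(   e, o, p, key) {
      gsub(/[ \t]+/, " ", buf)
      if (buf ~ /AMQ8077/) {
        e = field(buf, "Entity \047", "\047"); sub(/ +$/, "", e)
        o = field(buf, "access object ", ". EXPLANATION"); gsub("\047", "", o)
        p = field(buf, "permissions are unauthorized: ", " ACTION:")
        key = e "|" o "|" p
        if (!(key in seen)) { seen[key] = 1; print key }
      }
      buf = ""
    }
    /^-----/ { emit(); next }   # "----- file.c : NNN -----" closes an entry
    { buf = buf " " $0 }
    END { emit() }
  ' "${1:--}"
}

# Constructed sample entry in the usual amqerr01.log layout (not from the thread).
sample_entry() {
  cat <<'EOF'
08/17/2022 12:21:28 PM - Process(1234.5) User(mqm) Program(amqzlaa0)
                    VRMF(9.0.4.0) QMgr(QM.FOO.STAGING)

AMQ8077: Entity 'appsvc      ' has insufficient authority to access object
'TEST_TOM'.

EXPLANATION:
The specified entity is not authorized to access the required object. The
following requested permissions are unauthorized: inq
ACTION:
Ensure that the correct level of authority has been set for this entity.
----- amqzfubx.c : 624 -----
EOF
}

# The check logs one entry per failed call; repeats collapse to one line.
{ sample_entry; sample_entry; } | amq8077_summary
```

On the queue manager host, pass the path of the real amqerr01.log as the first argument. If the entity reported is not dd-agent, the channel's MCAUSER or a CHLAUTH rule is mapping the connection to another account, as reply 3 describes.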



  • 4.  RE: How can I authenticate DataDog agent to IBM MQ?

    Posted Thu August 18, 2022 05:35 PM
    One recommendation apart from the error you see is to upgrade your MQ Client version. 9.0.4 is very old; use 9.2.x to begin and upgrade your client as required.

    As to the error you are experiencing: the queue manager error log should display a more detailed error. It will display the ID and permission issue.

    ------------------------------
    om prakash
    ------------------------------



  • 5.  RE: How can I authenticate DataDog agent to IBM MQ?

    Posted Fri August 19, 2022 05:41 AM
    On top of this and since you changed the group membership you should do the following:
    • On the queue manager: run the refresh security command
    • At the OS level either
      • run newgrp - (that is, newgrp followed by a space and a dash)
      • log out and log back in to make sure the system returns the new group membership.


    ------------------------------
    Francois Brandelik
    ------------------------------