App Connect

  • 1.  Running Server under local account fails to show in toolkit

    IBM Champion
    Posted Thu March 11, 2021 11:47 AM
    Edited by John Hawkins Fri March 12, 2021 11:00 AM

    Hi Folks,
    Happily running the server under the "System Account". However I would prefer it to run under a specific local user - then I can keep track of it when it's accessing MQ. I've created the local user and they're in the mqbrkrs group.
    Server starts OK - and I can see flows are running (connections in MQ etc. etc.).

    However, from the toolkit all I can do is start and stop the node. I can't "see" the servers under the node and, therefore, none of their flows etc. Starting and stopping the node is also starting and stopping the integration servers under the node - as expected.

    The Main Integration Server Main Service hasn't changed and is still running as "System Account".

    I can see no errors anywhere that I look. Servers are configured against LDAP for admin authority. I start the toolkit using the same "John Hawkins" user as I do when the server was running as System Account i.e. no change there.

    Any ideas what I need to authorise and where to get the server using a non-"System account" ?? Is this something to do with the server not being able to access LDAP when running under the non System Account?

    Also - where do you think I can see some errors that might actually give me a clue as to what's going wrong ??

    many thanks,
    john.

     



    ------------------------------
    John Hawkins
    Integration Consultant
    ------------------------------


  • 2.  RE: Running Server under local account fails to show in toolkit

    Posted Thu March 11, 2021 12:39 PM
    Hi John
    Do you work with Broker Connection files?

    ------------------------------
    Matthias Jungbauer
    ------------------------------



  • 3.  RE: Running Server under local account fails to show in toolkit

    IBM Champion
    Posted Thu March 11, 2021 01:06 PM
    Hi,
    Not sure how that would help me? How is the ID that the server is running under going to affect whether it allows a specific user to view it or not?

    ------------------------------
    John Hawkins
    Integration Consultant
    ------------------------------



  • 4.  RE: Running Server under local account fails to show in toolkit

    Posted Fri March 12, 2021 10:27 AM
    Well, based on your writing the system is running.
    What you miss is some visibility in the toolkit, correct?

    This visibility issue may have nothing to do with your technical user that is running the node and servers.
    Perhaps your personal Windows account has no access to the resources that the technical user is providing.

    With a broker file you can make a connection that is independent from your personal windows account.

    Users who are running the toolkit do not require membership of mqbrkrs but require permissions.
    They may also require a local firewall rule.
    https://www.ibm.com/support/knowledgecenter/en/SSTTDS_11.0.0/com.ibm.etools.mft.doc/ap03984_.html

    If the ID of your system account is the main worry, you can follow up with these articles:
    https://www.ibm.com/support/knowledgecenter/en/SSTTDS_11.0.0/com.ibm.etools.mft.doc/ap03986_.html
    https://www.ibm.com/support/knowledgecenter/en/SSTTDS_11.0.0/com.ibm.etools.mft.doc/ap03982_.html#ap03982_mb


    ------------------------------
    Matthias Jungbauer
    ------------------------------



  • 5.  RE: Running Server under local account fails to show in toolkit

    IBM Champion
    Posted Fri March 12, 2021 10:59 AM
    Edited by John Hawkins Fri March 12, 2021 11:00 AM

    To add some extra context...

    I have two integration servers on the same machine with identical auth mechanisms and groups.
    server1: running as "System account".
    Server2: running as "ACE" (a locally defined user account - which is in mqbrkrs).

    From the toolkit I can quite happily see the server1.
    Server2 - only the node is visible and can start/stop it, can't see the servers.

    If I change Server2 to run as System account the problem is resolved. My thoughts are that toolkit makes a REST call to the node using myusername, but somehow the node then connects to the Servers using its ID not mine ?? 

    In which case, I guess I have to allow the locally defined "ACE" account access to its servers. This seems reasonable I guess but for the fact that ACE is in the group mqbrkrs and why does this work with the System account !?

    Also - where do you think I can see some errors that might actually give me a clue as to what's going wrong ??

    thoughts?

      



    ------------------------------
    John Hawkins
    Integration Consultant
    ------------------------------



  • 6.  RE: Running Server under local account fails to show in toolkit

    IBM Champion
    Posted Mon March 15, 2021 07:52 AM

    Hmm, OK, so, thanks for that - the .broker file worked. But I realised that there was something I missed out when I described the scenario. This is a local node and server. So, now that I have a client connection to my local node the toolkit is now showing both the local node (which isn't working correctly) and the client connection to the same node (which works correctly).

    Poor. I can see the authentication issue that's happening. When I connect to it using the local connection it's trying my username that I logged in with which is not correct for LDAP i.e. "JohnHaws" whereas, when I use the username "John Hawkins" - which is what LDAP is configured for, it works.

    This is poor behaviour - I would still like to know what's going on so that I can use the local connection and not have to set up a client connection to a local node :-(

    Any IBMers out there ??



    ------------------------------
    John Hawkins
    Integration Consultant
    ------------------------------



  • 7.  RE: Running Server under local account fails to show in toolkit

    IBM TechXchange Speaker
    Posted Mon March 15, 2021 09:15 AM
    Hi John,

    The Toolkit enables users to connect to:
    • Local or remote integration nodes
    • Local or remote independent integration servers

    In designing this aspect of the Toolkit behaviour, we have tried to keep things as simple as possible, but it sounds like we've ended up confusing matters in your particular use case of a "local integration node secured under a different userid than the one you started Toolkit with".
    Instead of creating separate menu options in the Toolkit which ask the user to tell us if they are connecting to a "local" or a "remote" runtime, we (attempt to) show the local integration nodes by default without the user having to give us any connection information at all, and then we have a separate option to "Connect to an integration node" which lets you type in the hostname/port/username/password etc.

    For independent integration servers, we don't have a "local" option because there is no centralised file system location for us to gather the required information we would need in order to figure out which servers are available. This is a deliberate difference between a server and a node ... A node has a wider set of metadata and process hierarchy associated with it, whereas a "standalone" server can be created and run anywhere with a working directory for its data being able to be held anywhere you like on your filesystem.

    The UI design here is also aiming to maintain the behaviour which Toolkit has had stretching back multiple releases of being able to show you your local integration nodes without forcing you to tell us connection information.

    So, with this backdrop hopefully you understand why things are defined the way they are. Where I have sympathy for you, and of course wish to apologise that this hasn't been intuitive for you, is that we could do a better job of explaining to users why their local connection doesn't have the authorisation access you were expecting. There could of course be many reasons for this - any change to current behaviour would need to take into account a solution that works across all operating systems, and all authentication models (LDAP, but also local OS mqbrkrs group based access). The error could / should be reported back to you at the location you expect as well (pop-up when Toolkit is first launched or when the connection is re-attempted / persisted to log file etc). These aspects are not best solved through a forum thread, but would be much better explored in the first instance through our service channel, and potentially (depending on the precise behaviours observed and the discussion through the service channel) through a future product Request For Enhancement.

    Cheers,
    Ben

    ------------------------------
    Ben Thompson
    IBM UK
    ------------------------------



  • 8.  RE: Running Server under local account fails to show in toolkit

    IBM Champion
    Posted Mon March 15, 2021 11:44 AM
    hi Ben,
     I don't quite recognise "local integration node secured under a different userid than the one you started Toolkit with" as my exact problem.

    The issue I have is more like "authorisation to servers different depending which account the node is started under".

    i.e. Both starting toolkit with my local userid...
    1) Start the node service under "Local System account" and all is well in the toolkit.
    2) Start the node as a local user account (which happens to be in mqbrkrs) and the toolkit denies access to the servers under it unless I use a client connection.

    I guess the strange bit is not how come (2) doesn't work but is more - how come (1) works given the same toolkit userid each time?

    thanks,
    John.


    ------------------------------
    John Hawkins
    Integration Consultant
    ------------------------------