Hi John,
The Toolkit enables users to connect to:
- Local or remote integration nodes
- Local or remote independent integration servers
In designing this aspect of the Toolkit behaviour, we have tried to keep things as simple as possible, but it sounds like we've ended up confusing matters in your particular use case of a "local integration node secured under a different userid than the one you started Toolkit with".
Instead of creating separate menu options in the Toolkit which ask the user to tell us if they are connecting to a "local" or a "remote" runtime, we (attempt to) show the local integration nodes by default without the user having to give us any connection information at all, and then we have a separate option to "Connect to an integration node" which lets you type in the hostname/port/username/password etc.
For independent integration servers, we don't have a "local" option because there is no centralised file system location for us to gather the required information we would need in order to figure out which servers are available. This is a deliberate difference between a server and a node ... A node has a wider set of metadata and process hierarchy associated with it, whereas a "standalone" server can be created and run anywhere with a working directory for its data being able to be held anywhere you like on your filesystem.
The UI design here is also aiming to maintain the behaviour which Toolkit has had stretching back multiple releases of being able to show you your local integration nodes without forcing you to tell us connection information.
So, with this backdrop hopefully you understand why things are defined the way they are. Where I have sympathy for you, and of course wish to apologise that this hasn't been intuitive for you, is that we could do a better job of explaining to users why their local connection doesn't have the authorisation access you were expecting. There could of course be many reasons for this - any change to current behaviour would need to take into account a solution that works across all operating systems, and all authentication models (LDAP, but also local OS mqbrkrs group based access). The error could / should be reported back to you at the location you expect as well (pop-up when Toolkit is first launched or when the connection is re-attempted / persisted to log file etc). These aspects are not best solved through a forum thread, but would be much better explored in the first instance through our service channel, and potentially (depending on the precise behaviours observed and the discussion through the service channel) through a future product Request For Enhancement.
Cheers,
Ben
------------------------------
Ben Thompson
IBM UK
------------------------------
Original Message:
Sent: Mon March 15, 2021 07:52 AM
From: John Hawkins
Subject: Running Server under local account fails to show in toolkit
Hmm, OK, so, thanks for that - the .broker file worked. But I realised that there was something I missed out when I described the scenario. This is a local node and server. So, now that I have a client connection to my local node the toolkit is now showing both the local node (which isn't working correctly) and the client connection to the same node (which works correctly).
Poor. I can see the authentication issue that's happening. When I connect to it using the local connection it's trying my username that I logged in with which is not correct for LDAP i.e. "JohnHaws" whereas, when I use the username "John Hawkins" - which is what LDAP is configured for, it works.
This is poor behaviour - I would still like to know what's going on so that I can use the local connection and not have to set up a client connection to a local node :-(
Any IBMers out there??
------------------------------
John Hawkins
Integration Consultant
Original Message:
Sent: Fri March 12, 2021 10:26 AM
From: Matthias Jungbauer
Subject: Running Server under local account fails to show in toolkit
Well, based on your writing the system is running.
What you miss is some visibility in the toolkit, correct?
This visibility issue may have nothing to do with your technical user that is running the node and servers.
Perhaps your personal Windows account has no access to the resources that the technical user is providing.
With a broker file you can make a connection that is independent from your personal Windows account.
Users who are running the toolkit do not require membership of mqbrkrs but require permissions.
They may also require a local firewall rule.
https://www.ibm.com/support/knowledgecenter/en/SSTTDS_11.0.0/com.ibm.etools.mft.doc/ap03984_.html
If the ID of your system account is the main worry, you can follow up with these articles:
https://www.ibm.com/support/knowledgecenter/en/SSTTDS_11.0.0/com.ibm.etools.mft.doc/ap03986_.html
https://www.ibm.com/support/knowledgecenter/en/SSTTDS_11.0.0/com.ibm.etools.mft.doc/ap03982_.html#ap03982_mb
------------------------------
Matthias Jungbauer
Original Message:
Sent: Thu March 11, 2021 01:06 PM
From: John Hawkins
Subject: Running Server under local account fails to show in toolkit
Hi,
Not sure how that would help me? How is the ID that the server is running under going to affect whether it allows a specific user to view it or not?
------------------------------
John Hawkins
Integration Consultant
Original Message:
Sent: Thu March 11, 2021 12:39 PM
From: Matthias Jungbauer
Subject: Running Server under local account fails to show in toolkit
Hi John
Do you work with Broker Connection files?
------------------------------
Matthias Jungbauer
Original Message:
Sent: Thu March 11, 2021 11:47 AM
From: John Hawkins
Subject: Running Server under local account fails to show in toolkit
Hi Folks,
Happily running the server under the "System Account". However I would prefer it to run under a specific local user - then I can keep track of it when it's accessing MQ. I've created the local user and they're in the mqbrkrs group.
Server starts OK - and I can see flows are running (connections in MQ etc. etc.).
However, from the toolkit all I can do is start and stop the node. I can't "see" the servers under the node and, therefore, none of their flows etc. Starting and stopping the node is also starting and stopping the integration servers under the node - as expected.
The Main Integration Server Main Service hasn't changed and is still running as "System Account".
I can see no errors anywhere that I look. Servers are configured against LDAP for admin authority. I start the toolkit using the same "John Hawkins" user as I do when the server was running as System Account i.e. no change there.
Any ideas what I need to authorise and where to get the server using a non-"System Account"? Is this something to do with the server not being able to access LDAP when running under the non-System Account?
many thanks,
john.
------------------------------
John Hawkins
Integration Consultant
------------------------------