MQ

 View Only
  • 1.  AMQ8101S: IBM MQ error (80F) has occurred MQ

    Posted Thu June 03, 2021 03:36 PM
    I'm having issues running MQ admin commands with a domain user, MQ Service is running under Local System and the domain user is a member of the groups, "Administrators" and "mqm". Appreciate if anyone can help.
    I've  installed MQ V9.2.1.0 and i was able to create queue manager start stop use runmqsc command .Today i am creating a queue manager .i am not able to create and got below error : 
    AMQ8101S: IBM MQ error (80F) has occurred MQ.
    6/3/2021 13:11:03 - Process(13648.1) User(HJUser) Program(CRTMQM.EXE) --today log -- old log is bottom of the page
    Host(PWADC9JMPLB01) Installation(Installation1)
    VRMF(9.2.1.0)
    Time(2021-06-03T17:11:03.404Z)
    ArithInsert1(13648)
    CommentInsert1(Testpoc)

    AMQ6184W: An internal IBM MQ error has occurred on queue manager Testpoc.
    EXPLANATION:
    An error has been detected, and the IBM MQ error recording routine has been
    called. The failing process is process 13648.
    ACTION:
    Use the standard facilities supplied with your system to record the problem
    identifier and to save any generated output files. Use either the MQ Support
    site: https://www.ibm.com/support/home/, or IBM Support Assistant (ISA):
    https://www.ibm.com/support/home/product/C100515X13178X21/other_software/ibm_support_assistant,
    to see whether a solution is already available. If you are unable to find a
    match, contact your IBM support center. Do not discard these files until the
    problem has been resolved.

    /3/2021 07:33:09 - Process(19040.1) User(HJUser) Program(crtmqm.exe)

                          Host(PWADC9JMPLB01) Installation(Installation1)

                          VRMF(9.2.1.0)

                          Time(2021-06-03T11:33:09.164Z)

                          ArithInsert1(545261583)

                          CommentInsert1(The local or domain user this IBM MQ command is running under is not authorized, if running as domain user then please ensure this user has all appropriate privileges on domain controller such as query group membership)

                        

    AMQ6125E: An internal IBM MQ error has occurred.

     

    EXPLANATION:

    An internal error has occurred with identifier 2080080F.  This message is

    issued in association with other messages

    Old log :
    4/29/2021 11:17:09 - Process(6024.1) User(HJUser) Program(CRTMQM.EXE)
    Host(PWADC9JMPLB01) Installation(Installation1)
    VRMF(9.2.1.0)
    Time(2021-04-29T15:17:09.586Z)
    CommentInsert3(TEST)

    AMQ8001I: IBM MQ queue manager created.
    EXPLANATION:
    IBM MQ queue manager TEST created.
    ACTION:
    None.
    Please advice me what i have to do to resolve the issue.

    ------------------------------
    Brajendra Kumar
    ------------------------------


  • 2.  RE: AMQ8101S: IBM MQ error (80F) has occurred MQ

    IBM Champion
    Posted Thu June 03, 2021 05:45 PM

    80F is MQRC_SECURITY_ERROR.

    Your error log says:-

    The local or domain user this IBM MQ command is running under is not authorized, if running as domain user then please ensure this user has all appropriate privileges on domain controller such as query group membership.

    You say you are running as a domain user.

    So have you ensured this user has all appropriate privileges on domain controller such as query group membership. What changed on your domain controller since yesterday when it worked?

    Cheers,
    Morag



    ------------------------------
    Morag Hughson
    MQ Technical Education Specialist
    MQGem Software Limited
    Website: https://www.mqgem.com
    ------------------------------



  • 3.  RE: AMQ8101S: IBM MQ error (80F) has occurred MQ

    IBM Champion
    Posted Fri June 04, 2021 03:59 AM
    Hello Brajendra 

    I have seen this sort of error many times on Windows when MQ is set up to run with a local SYSTEM account (or with MUSR_MQADMIN) on a Windows domain.

    That configuration isn't really supported, because of the way that Windows domain security works. 

    When the queue manager tries to find out information about the user, the user is a domain user, so it has to send the request to the domain. But the user running the queue manager service ISN'T a domain user, and so doesn't have the permissions needed to query the domain for that information.

    So even though your domain account is a member of the local mqm group, MQ can't work that out because it can't properly determine whether your domain account is valid.

    There are two approaches you can take to resolve this issue. Method 1 is the proper way, and will work well and keep working well.
    Method 2 is a workaround that will continue to lead to pain (although will still work).

    1. Follow the instructions in the manual to create a new special domain account for the mqm service to use. Also create a domain mqm group, and make the special service account a member of domain mqm. Run the MQ setup wizard and specify that MQ is running in a domain, and provide the name and password of the special mqm service account. This is documented in https://www.ibm.com/docs/en/ibm-mq/9.2?topic=mq-creating-setting-up-windows-domain-accounts and https://www.ibm.com/docs/en/ibm-mq/9.2?topic=mq-configuring-prepare-wizard

    2. Keep using the local SYSTEM account for the MQ service. Create a local account for yourself on the Windows system (not a domain account) and make it a member of the mqm group on the server. When you want to run MQ, start the process by right-clicking on the icon and selecting run as ... . Provide the local account userid and password so that the MQ Explorer, CMD.EXE or whatever runs as the local account instead of your domain account. Things accessing MQ should now work. Note: Any application program using server bindings will also need to run with a local account, not a domain account. You can see why this can get painful, and is not as good a solution as option 1.

    I have seen (and used) option 2 at sites where domain admins would not create the needed groups and accounts, but we needed to run local queue managers for development. For production workloads on Windows, make sure that you get proper domain groups and users built and use those.

    Regards,



    ------------------------------
    Neil Casey
    Senior Consultant
    Syntegrity Solutions
    IBM Champion (Cloud) 2019-21
    ------------------------------



  • 4.  RE: AMQ8101S: IBM MQ error (80F) has occurred MQ

    Posted Tue June 08, 2021 04:38 AM
    Hi Neil ,
    thank you very much for ur kind help.I have followed method one and create one Domain and made member of  users .As per my understanding of error log.

    MQ is making a call to the Operating System to get the groups that the hjuser is a member but never receives a response from the function call. . If groups can not be obtained then MQ will not be able to work properly. The only reason that queue manager PWADC9JMPLB01_QM was running before was because the MQ user configured in the IBM MQ service was the local MUSR_MQADMIN account.

    .

    17:01:59.512586 13352.1 CONN:000002 Specified entity name is not a group

    17:01:59.512617 13352.1 CONN:000002 --------------{ zfu_as_UserGetGroups

    17:01:59.512627 13352.1 CONN:000002 wszQualifiedName -> bdx\hjuser

    17:02:11.649512 13352.1 CONN:000002 !! - Using local groups only

    17:02:11.649541 13352.1 CONN:000002 --------------} zfu_as_UserGetGroups (rc=OK)

    17:02:11.649548 13352.1 CONN:000002 !! - Server busy/resource related error

    17:02:11.649553 13352.1 CONN:000002 --------------{ xcsSleep

    17:02:12.664645 13352.1 CONN:000002 --------------} xcsSleep (rc=OK)

    17:02:12.664673 13352.1 CONN:000002 --------------{ zfu_as_UserGetGroups

    17:02:12.664686 13352.1 CONN:000002 wszQualifiedName -> bdx\hjuser

    17:02:25.433010 13352.1 CONN:000002 !! - Using local groups only

    17:02:25.433036 13352.1 CONN:000002 --------------} zfu_as_UserGetGroups (rc=OK)

    17:02:25.433042 13352.1 CONN:000002 !! - Server busy/resource related error

    17:02:36.729353 13352.1 CONN:000002 -------------}! zfu_as_GetGroupSidList (rc=krcE_UNEXPECTED_ERROR)

    17:02:36.729360 13352.1 CONN:000002 ------------}! zfu_as_CalculateAuthority (rc=krcE_UNEXPECTED_ERROR)

    17:02:36.729367 13352.1 CONN:000002 -----------}! zfu_as_CheckObjectAuthority (rc=MQRC_SERVICE_ERROR)

    17:02:36.729377 13352.1 CONN:000002 -----------{ zapInquireStatus

    17:02:36.729382 13352.1 CONN:000002 -----------} zapInquireStatus (rc=OK)

    17:02:36.729388 13352.1 CONN:000002 -----------{ zfp_ss_unlock_service

    17:02:36.729393 13352.1 CONN:000002 -----------} zfp_ss_unlock_service (rc=OK)

    17:02:36.729398 13352.1 CONN:000002 ----------}! gpiCheckObjectAuthority (rc=lrcE_SECURITY_ERROR)

    17:02:36.729408 13352.1 CONN:000002 ---------}! kqiAuthorityChecks (rc=lrcE_SECURITY_ERROR)

    17:02:36.729423 13352.1 CONN:000002 !! - Returning an error to the AI Layer: CompCode 2 Reason 80f (rc 545261583)MQRC_SECURITY_ERROR

     

     

    C:\Users\HjUser>NET USER  HjUser /domain

    The request will be processed at a domain controller for domain

    na.ad.crbard.com.

     

     

    The user name could not be found.

     

     

    More help is available by typing NET HELPMSG 2221.

     

    C:\Users\HjUser>net user MUSR_MQADMIN

    User name MUSR_MQADMIN

    Full Name MUSR_MQADMIN

    Comment IBM MQ Administrator

    User's comment

    Country/region code 000 (System Default)

    Account active Yes

    Account expires Never

    Password last set 1/25/2021 5:21:24 AM

    Password expires Never

    Password changeable 1/26/2021 5:21:24 AM

    Password required Yes

    User may change password Yes

    Workstations allowed All

    Logon script

    User profile

    Home directory

    Last logon 6/7/2021 7:08:59 AM

    Logon hours allowed All

    Local Group Memberships *Administrators *mqm

    Global Group memberships *None

    The command completed successfully.

    Please suggest me what i have to do further.so i can resolve my problem.

    thanks and Regards
    Brajendra



    ------------------------------
    Brajendra Kumar
    ------------------------------



  • 5.  RE: AMQ8101S: IBM MQ error (80F) has occurred MQ

    IBM Champion
    Posted Wed June 09, 2021 01:58 AM
    Hi

    I'm not a Windows domain admin, so I can't diagnose why the account doesn't show up.

    The critical things to get right are:
    Create a group called 'domain mqm' on the domain. (This can have a different name, but it works better if it is called 'domain mqm').
    Create a user (whatever name you want) on the domain for the MQ server (lets call it mqservice). Make it a member of 'domain mqm', and give it the rights as specified in the manual. Make sure you know the password to the mqservice account.

    As a domain user, run the Prepare IBM MQ Wizard. Configure the MQ service to use the domain account mqservice (which is why you need to know the password).

    If you get an error on the wizard, use the Services plugin in Windows to edit the IBM MQ (Installation x) service definition and set the mqservice account and password in the Log On tab. Then run the Wizard again, and it should work this time. Stop and restart the service.

    The 'domain mqm' group should be added to the local mqm group, but if you've given it a different name, this won't work, so check that the domain level group for mq is in the local mqm group, and add it if it is missing.

    You may need to restart your machine for everything to work properly because of how group memberships are discovered, so if things don't work immediately, try rebooting before giving up.

    If your machine can't see the domain properly though (as is perhaps indicated by the unexpected response to the net user command) you need to resolve that issue first.

    Regards,

    ------------------------------
    Neil Casey
    Senior Consultant
    Syntegrity Solutions
    Melbourne, Victoria
    IBM Champion (Cloud) 2019-21
    ------------------------------