Why do I get AMQ7077 even after turning security in WebSphere MQ off?

On Windows 7, when I set MQSNOAUT=yes everything works and I can do anything I want in WebSphere MQ. But on RedHat, even after setting MQSNOAUT to yes, I get this error:

[root@RHEL6-135 bin]$ ll crtmqm  
-rwxrwxrwx. 1 mqm mqm 41822 Oct 22  2015 crtmqm  
[root@RHEL6-135 bin]$ crtmqm testqm  
AMQ7077: You are not authorized to perform the requested operation.  
[root@RHEL6-135 bin]$

With the mqm user I can create a queue manager but cannot start it:

[mqm@RHEL6-135 bin]$ crtmqm testqm  
WebSphere MQ queue manager created.  
Directory '/var/mqm/qmgrs/testqm' created.  
The queue manager is associated with installation 'Installation1'.  
Creating or replacing default objects for queue manager 'testqm'.  
Default objects statistics : 79 created. 0 replaced. 0 failed.  
Completing setup.  
Setup completed.  
[mqm@RHEL6-135 bin]$ strmqm testqm  
WebSphere MQ queue manager 'testqm' starting.  
The queue manager is associated with installation 'Installation1'.  
5 log records accessed on queue manager 'testqm' during the log replay phase.  
Log replay for queue manager 'testqm' complete.  
Transaction manager state recovered for queue manager 'testqm'.  
The queue manager ended for reason 545284129, ''.  
[mqm@RHEL6-135 bin]$

Unfortunately, there is no useful information in these log files:

/var/mqm/errors/AMQERR01.LOG:

----- amqxfdcx.c : 888 --------------------------------------------------------  
03/14/2017 10:00:16 AM - Process(15859.1) User(mqm) Program(amqzmur0)  
                    Host(RHEL6-135) Installation(Installation1)  
                    VRMF(8.0.0.4)  
AMQ6125: An internal WebSphere MQ error has occurred.  

EXPLANATION:  
An internal error has occurred with identifier 2080520F.  This message is  
issued in association with other messages.  
ACTION:  
Use the standard facilities supplied with your system to record the problem  
identifier and to save any generated output files. Use either the MQ Support  
site: http://www.ibm.com/software/integration/wmq/support/, or IBM Support  
Assistant (ISA): http://www.ibm.com/software/support/isa/, to see whether a  
solution is already available.  If you are unable to find a match, contact your  
IBM support center.  Do not discard these files until the problem has been  
resolved.  
...  
repeated 27 times!

/var/mqm/qmgrs/testqm/errors/AMQERR01.LOG:

03/14/2017 10:00:16 AM - Process(15840.4) User(mqm) Program(amqzmuc0)  
                    Host(RHEL6-135) Installation(Installation1)  
                    VRMF(8.0.0.4) QMgr(testqm)  

AMQ5051: The queue manager task 'LOGGER-IO' has started.  

EXPLANATION:  
The critical utility task manager has started the LOGGER-IO task. This task has  
now started 1 times.  
ACTION:  
None.  
-------------------------------------------------------------------------------  
  ....
-------------------------------------------------------------------------------  
03/14/2017 10:00:16 AM - Process(15859.6) User(mqm) Program(amqzmur0)  
                    Host(RHEL6-135) Installation(Installation1)   
                    VRMF(8.0.0.4) QMgr(testqm)  

AMQ5037: The queue manager task 'DEFERRED_DELIVERY' has started.  

EXPLANATION:  
The restartable utility task manager has started the DEFERRED_DELIVERY task.  
This task has now started 1 times.  
ACTION:  
None.  
-------------------------------------------------------------------------------   

The mqm user is a sudoer, and the following is part of my /etc/group file:

root:x:0:root, mqm, bin
adm:x:4:root,adm,daemon, mqm, mquser
mqm:x:500:root, mqm
mquser:x:502:mqm

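...Regardless of all this, I think setting the MQSNOAUT variable to yes should be enough to let any user use WebSphere MQ. Perhaps something RedHat-related is causing the problem.

By the way, searching for The queue manager ended for reason 545284129, ''., I could not find any solution.

Any ideas?

Update

After doing chmod -R 6550 on /opt/mqm/bin, I can now start the queue manager and create queues, channels, etc. using IBM MQ's command-line binaries. However, for more convenience, I still cannot use MQ Explorer, because when I run MQExplorer I get the following error: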

[mqm@RHEL6-135 bin]$ MQExplorer
No protocol specified
MQExplorer: Cannot open display:
No protocol specified
No protocol specified
MQExplorer: Cannot open display:
MQExplorer:
An error has occurred. See the log file
/var/mqm/IBM/WebSphereMQ/workspace-Installation1/.metadata/.log.
[mqm@RHEL6-135 bin]$

Running it with sudo, I get this error:

[mqm@RHEL6-135 bin]$ sudo MQExplorer
[sudo] password for mqm:
/opt/mqm/java/jre64/jre/bin/java: error while loading shared libraries: libjli.so: cannot open shared object file: No such file or directory

(process:4451): Gtk-WARNING **: This process is currently running setuid or setgid.
This is not a supported use of GTK+. You must create a helper
program instead. For further details, see:

    http://www.gtk.org/setuid.html

Refusing to initialize GTK+.
[mqm@RHEL6-135 bin]$

/var/mqm/IBM/WebSphereMQ/workspace-Installation1/.metadata/.log is as follows:

!SESSION 2017-03-15 16:41:52.369 -----------------------------------------------
eclipse.buildId=unknown
java.fullversion=JRE 1.7.0 IBM J9 2.7 Linux amd64-64 Compressed References 20150630_255653 (JIT enabled, AOT enabled)
J9VM - R27_Java727_SR3_20150630_2236_B255653
JIT  - tr.r13.java_20150623_94888.01
GC   - R27_Java727_SR3_20150630_2236_B255653_CMPRSS
J9CL - 20150630_255653
BootLoader constants: OS=linux, ARCH=x86_64, WS=gtk, NL=en_US
Command-line arguments:  -os linux -ws gtk -arch x86_64

!ENTRY org.eclipse.osgi 4 0 2017-03-15 16:41:54.516
!MESSAGE Application error
!STACK 1
org.eclipse.swt.SWTError: No more handles [gtk_init_check() failed]
    at org.eclipse.swt.SWT.error(SWT.java:4423)
    at org.eclipse.swt.widgets.Display.createDisplay(Display.java:925)
    at org.eclipse.swt.widgets.Display.create(Display.java:909)
    at org.eclipse.swt.graphics.Device.<init>(Device.java:156)
    at org.eclipse.swt.widgets.Display.<init>(Display.java:507)
    at org.eclipse.swt.widgets.Display.<init>(Display.java:498)
    at org.eclipse.ui.internal.Workbench.createDisplay(Workbench.java:691)
    at org.eclipse.ui.PlatformUI.createDisplay(PlatformUI.java:162)
    at com.ibm.mq.explorer.ui.rcp.internal.base.RcpApplication.start(RcpApplication.java:88)
    at org.eclipse.equinox.internal.app.EclipseAppHandle.run(EclipseAppHandle.java:196)
    at org.eclipse.core.runtime.internal.adaptor.EclipseAppLauncher.runApplication(EclipseAppLauncher.java:110)
    at org.eclipse.core.runtime.internal.adaptor.EclipseAppLauncher.start(EclipseAppLauncher.java:79)
    at org.eclipse.core.runtime.adaptor.EclipseStarter.run(EclipseStarter.java:354)
    at org.eclipse.core.runtime.adaptor.EclipseStarter.run(EclipseStarter.java:181)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:95)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:56)
    at java.lang.reflect.Method.invoke(Method.java:620)
    at org.eclipse.equinox.launcher.Main.invokeFramework(Main.java:636)
    at org.eclipse.equinox.launcher.Main.basicRun(Main.java:591)
    at org.eclipse.equinox.launcher.Main.run(Main.java:1450)
    at org.eclipse.equinox.launcher.Main.main(Main.java:1426)

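The log/stack trace looks like catch-all exception handling. I haven't dug into this error thoroughly yet, but maybe it is also caused by some permission problem. For example, some authorization error may be raised when MQExplorer tries to load its components from mqm's subdirectories! However, running chmod -R 6550 on some related paths did not solve the problem.

Setting MQSNOAUT=ANYVALUE only turns off the MQ OAM if it is set when the queue manager is created. It causes a few lines to be omitted from the qm.ini file when the queue manager is set up.

If the OAM is turned off, it means any user who connects to the queue manager will have full authority.

The queue manager itself on Unix still needs to run under the mqm user ID.

I noticed you showed the following permissions on the crtmqm binary: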

-rwxrwxrwx. 1 mqm mqm

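This is incorrect. An MQ installation on Unix has many files with setuid permissions, because the permissions of the files created under /var/mqm/qmgrs, /var/mqm/log and /var/mqm/sockets are very important. Based on the research I did, the 545284129 and 2080520F errors are related to file permissions. I suggest you reset the permissions to what they were before; if you don't know what they were, then I suggest you remove the IBM MQ software and reinstall it. For reference, here are the normal permissions of the crtmqm binary: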

-r-sr-s--- 1 mqm mqm

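After correcting the IBM MQ binary permissions, I suggest you delete your queue manager using dltmqm and make sure that nothing related to that queue manager name is left under /var/mqm/qmgrs, [=14], /var/mqm/sockets, or in the /var/mqm/mqs.ini file.

Once that is cleaned up, recreate it as the mqm user and try to start it. I guess

I would suggest you try not to disable security and instead set the appropriate permissions. Even if this is a development environment, it is much better to get things working with security enabled. When you develop with security disabled, you eventually have to figure out why things don't work once security is enabled in a real environment.

Take a look at my answer to the question "" for more information on how to keep security enabled while disabling certain things, if you want to continue down that path.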
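
The permission comparison made in the answer above can be scripted; this is an added example, not part of the original answer and not IBM tooling. Only crtmqm's expected mode (`-r-sr-s---`, octal 6550, owner mqm:mqm) comes from the page; the function names and arguments are assumptions, and the script relies on GNU `stat` and `find`.

```shell
#!/bin/sh
# Added example: detect the permission drift discussed above in an MQ bin directory.
# Expected crtmqm mode (-r-sr-s--- = 6550, mqm:mqm) is taken from the answer;
# function names and arguments are hypothetical.

# check_mode FILE EXPECTED_OCTAL EXPECTED_OWNER:GROUP
# Prints one line per file and returns 0 (match), 1 (drift) or 2 (missing).
check_mode() {
    file=$1 want_mode=$2 want_owner=$3
    [ -e "$file" ] || { echo "MISSING $file"; return 2; }
    have_mode=$(stat -c '%a' "$file")        # octal mode incl. setuid/setgid bits
    have_owner=$(stat -c '%U:%G' "$file")    # owner:group names
    if [ "$have_mode" = "$want_mode" ] && [ "$have_owner" = "$want_owner" ]; then
        echo "OK $file $have_mode $have_owner"
        return 0
    fi
    echo "DRIFT $file have=$have_mode/$have_owner want=$want_mode/$want_owner"
    return 1
}

# world_writable DIR
# Lists regular files that any local user can modify (e.g. -rwxrwxrwx).
world_writable() {
    find "$1" -type f -perm -0002 -print
}

# audit_mq_bin [DIR] [OWNER:GROUP]
# Returns non-zero if anything is world-writable or crtmqm differs from 6550.
audit_mq_bin() {
    dir=${1:-/opt/mqm/bin} owner=${2:-mqm:mqm}
    rc=0
    ww=$(world_writable "$dir")
    if [ -n "$ww" ]; then
        echo "WORLD-WRITABLE:"
        echo "$ww"
        rc=1
    fi
    check_mode "$dir/crtmqm" 6550 "$owner" || rc=1
    return $rc
}
```

Source the file and call `audit_mq_bin` with no arguments to check /opt/mqm/bin against mqm:mqm. On an RPM-based install, `rpm -V` on the owning package also reports mode and ownership changes for every packaged file.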