My intention with this page is to share some Gold Nuggets here of general Interest for WebSphere MA developers and system programmers.

Password validation exit (z/OS only)

Password validation exit (Windows idea only)

BlockIP2 security exit (old one)

How to improve triggering, circumvent bad programming

How to remove a pageset on MQSeries for OS/390 and Z/OS

How to remove a Queue Manager from a Cluster after problems....

How to save a WebSphere Z/OS configuration

Download the old ms05 support pack from IBM

LogIP security exit

BlockIP security exit

Download a queue copy routine 

When you have chosen to use triggertype(FIRST), it's a good idea to take a look on TRIGINT() on the queue manager. Normally all system administrators forgets this little beauty, and leaves it on the default (lot of 9), this means that the queue manager only will generate one trigger event, and only when the queue depth changes from 0 to 1. (we remember that the message might not be available yet due to syncpoint/commit!!).

On the queue managers I administer I chosen to set the TRIGINT(60000), this means that the queue manager will generate additional triggers even if the queue depth is above 1, but it still requires that the queue is not open for input.

With WebSphere MQ version 6.0 for z/OS there is a minor changes that causes some applications (like the batch trigger monitor) to misbehave because the triggers is fired each time the trigger interval has expired.... I had to create some dedicated batch queue managers to deal with this issue.

So a VERY good point here is of cause to read the MQSeries Application programming guide cover to cover, and take a look on TRIGINT() in MQSeries Command Guide under ALTER QMGR.

CICS triggering 

Working triggering example for Windows

1. Drain the storage class, move all queues that contains data to another pageset
2. Change CSQINP1, so there are no spec. of buffers for that pageset (comment it out).
3. Remove the pageset from the JCL-procedure (comment it out).
4. Stop the Queue Manager. Be sure it is stopped ok and not abnormally.
5. Define new BSDS and LOG datasets. 
6. Issue a RESETPAGE against all pagesets using CSQUTIL.
7. Start the Queue Manager again, and now it don't know the pageset anymore.
8. Stop the Queue Manager again. Be sure it is stopped ok and not abnormally.
9. Delete, define and format the pageset with the right size.
10. Change CSQINP1 and the JCL-procedure again.
11. Start the Queue Manager again.
12. Move the storage class back to the original pageset.

This is all documented in System Administration Guide for z/OS, under CSQUTIL. 

Why not just delete and define the pageset with the right size ?

Because the queue manager will go into recovery of that pageset, and look on the RBA (which is zero) for the pageset, and compare it to the RBA in the LOG and BSDS. This will cause the queue manager to recover from it's oldest log, and it might cause a very long recovery...... 

1. First remove the cluster attribute on CLUSRCVR.
2. Stop the CLUSRCVR channel.
3. Delete the CLUSRCVR channel.
4. Remove the cluster attribute on CLUSSDR.
5. Wait a while... 2 minutes.
6. Stop the CLUSSDR channel.
7. Delete the CLUSSDR channel.
8. Do a refresh cluster.
9. Display the CLUSQMGR and see if all is gone...
10. If the cluster is complete wiped out in the Queue Manager, continue with step 15.
11. Make the Queue Manager Full-Repository holder (ALTER QMGR.....)
12. Do a REFRESH CLUSTER..
13. Drop the Full-Repository again.
14. Display the CLUSQMGR and now it should be clean.
15. Take a look on the other queue Managers in the cluster, and if they still have traces of the deleted on, issue a RESET CLUSTER(..) ACTION(FORCEREMOVE) QMNAME(deleted_qmgr) it.
16. Repeat step 15 on each one.
17. Congratulations, The Queue Manager should not completely have left the Cluster.

How to save a WebSphere Z/OS configuration

Under final editorial validation

The CSQUTIL is a utility provided with WebSphere MQ to help issue commands, perform backup and restore, and reorganize tasks. 

MAKEDEF COMMAND 

In this example, MQSeries commands are passed from an input dataset referenced by DDname REBUILD to Queue Manager MQM1 on the Z/OS platform in batch. A list of DEFINE statements is produced that describes the objects in this WebSphere MQ subsystem. Any changes or new definitions are encompassed and the statements are used to regenerate all or part of MQM1's objects and storage classes. 

Together with WebSphere MQ version 5.3 is there supplied an Security exit sample (CSQ4BCX3) placed in SYS1.SCSQC37S.

This exit is using Unix function BPX1PWD to validate the users credentials userid and password. This exit was supplied to help validating users using WebSphere Application Server or other JAVA client connections.

This exit is very easy to customize for your own purposes, tie it together with a security exit on the client end, and you're all most home. 

SupportPac IC72 can be used as a password validation exit quite easy and work with for example WAS applications.

Allmost what you need is give the userid and password presented in MQCD to the windows LogonUser() API, you can ignore reason 1385 (user has not been granted priv....).

Remember also to add the version 6.0 exit point MQXR_SEC_PARMS.

You can also use the new fields here to pass-on userid/password from your client application. 

It's far beyond my capabilities to describe in full details what's needed to change IC72 to do what you need. But this is meant as an inspiration.

Information on LogIP have been moved to a new page here

Information on BlockIP have been moved to a new page here

BlockIP2  

Information on BlockIP2 have been moved to a new page here