IBM Tivoli Identity Manager Pre 5.0 How To
How to access embedded MQ in WAS with global security enabled
Use the WebSphere system account to get into MQ:
F:\Program Files\ibm\WebSphere MQ\bin>runas /user:zidmsws "runmqsc WAS_astim_server1"
Alternatively you could (the following did not quite work for me) look up the ITIM admin EJB user in "G:\Program Files\WebSphere\AppServer\config\cells\astim\integral-jms-authorizations.xml".
This is the file where MQ security is stored and edited. You could add yourself to the list or use the following:
F:\Program Files\ibm\WebSphere MQ\bin>runas /user:zidmswse /netonly "runmqsc WAS_astim_server1"
/netonly is important since the EJB is not allowed a local login.
How to clear all ITIM queues
Applies to TIM 4.5 and 4.6. TIM 5.0 has MQ embedded in WAS and needs to be manipulated through the WAS admin console.
- Stop all WAS servers, including jmsserver.
- Go into websphere folder\tranlog and remove the "transaction" subfolders from all the folders in the tranlog.
- Start jmsserver only. Now clear the MQ queues per normal procedure:
dspmq
runmqsc WAS_name
dis ql('WQ*') CURDEPTH
clear ql('..')
dis ql('WQ*')
- Everything will be clean. Now start all WAS servers back up.
- Well, turns out some of the stuff is stored in the ITIM db, so the queues, while initially clean, will start to fill up with the stuff from the DB once ITIM is back up unless you clean the DB (which I do not know at this point how).
or try this:
clear ql ('WQ_itim_wf')
36 : clear ql ('WQ_itim_wf')
AMQ8143: WebSphere MQ queue not empty.
dis qstatus('WQ_itim_wf')
37 : dis qstatus('WQ_itim_wf')
AMQ8450: Display queue status details.
QUEUE(WQ_itim_wf) IPPROCS(0) OPPROCS(0) CURDEPTH(96) UNCOM(YES)
- Recreate the queues per 1 or this:
stop ITIM WAS server
F:\Program Files\WebSphere\AppServer\bin>deletemq WAS SERVER server1
F:\Program Files\WebSphere\AppServer\bin>createmq "F:\Program Files\WebSphere\AppServer" WAS SERVER server1 "F:\Program Files\ibm\WebSphere MQ" "F:\Program Files\ibm\WebSphere MQ\WEMPS"
F:\Program Files\WebSphere\AppServer\bin>"F:\Program Files\ibm\WebSphere MQ\bin\"strmqm WAS_SERVER_server1
- Delete
"A:\Program Files\WebSphere\AppServer\tranlog\server1\transaction\partnerlog"
"A:\Program Files\WebSphere\AppServer\tranlog\server1\transaction\tranlog"
- Start ITIM to recreate the queues
- Verify they exist and they are empty
F:\Program Files\WebSphere\AppServer\bin>"F:\Program Files\ibm\WebSphere MQ\bin\"runmqsc WAS_SERVER_server1
dis ql('W*') CURDEPTH
or this:
dis channel('*')
43 : dis channel('*')
AMQ8414: Display Channel details.
CHANNEL(WAS.JMS.SVRCONN) CHLTYPE(SVRCONN)
stop channel(WAS.JMS.SVRCONN)
45 : stop channel(WAS.JMS.SVRCONN)
AMQ8019: Stop WebSphere MQ channel accepted.
- Stop whole ITIM
F:\Program Files\ibm\WebSphere MQ\bin>endmqm WAS_SERVER_server1
- Kill process tree if needed
F:\Program Files\ibm\WebSphere MQ\bin>strmqm WAS_SERVER_server1
cp "A:\Program Files\ibm\WebSphere MQ\Qmgrs\WAS_SERVER_server1\QUEUES\@MANGLED\0U000000\q"
How to find out current length of the ITIM queues
For TIM 4.5, 4.6
dspmq
Look for the [running] MQ server name
echo dis ql('WQ_itim*') CURDEPTH | runmqsc WAS_MQ_SERVER_NAME
How to find what PPs apply to a specific role
While logged into ITIM, click on Search on the top menu bar. Click on "Search by Filter" in the upper right corner of the window. Select "Provisioning Policy" from the listbox. In the Filter field, use "(erpolicymembership=*<role identifier>*)", without the quotes, but with the asterisks.
Note: <role identifier> must be the erglobalid of the role rather than the name of the role. To find the erglobalid for a role, navigate to My Organization -> Manage Organizational Roles, then mouseover the desired role. The erglobalid will appear in the status bar of the browser. For example, if the status bar reads:
javascript:getRoleDetail('org_role_mod','erglobalid=5592021780114339054,ou=roles,erglobalid=0000000000000000...
Then you would use "5592021780114339054" as the <role identifier>
http://www-1.ibm.com/support/docview.wss?rs=644&context=SSTFWV&q1=provisioning+policy+javascript&uid=swg21153942&loc=en_US&cs=utf-8&lang=en
How to manually re-create the ITIM 4.5 Queues (MQ 5.3 and WAS 5.0) on Windows
In the commands shown below, typical values for parameters are:
- For <server> the typical value is "server1"
- For <nodename> the typical value is the server host name
Examples of similar commands being used during the ITIM installation process can be seen in the $WAS_HOME\logs\createMQ.<nodename>_<server>.log file.
To delete the Queue Manager and underlying content:
Stop ITIM via the "stopServer" command in $WAS_HOME\bin
stopServer <server>
Delete the existing queue manager via the deletemq command in $WAS_HOME\bin
deletemq WAS <nodename> <server>
To create the Queue Manager:
Create a new queue manager via the createmq command in $WAS_HOME\bin
createmq $WAS_HOME WAS <nodename> <server> $MQ_HOME $MQ_HOME\WEMPS
To start the Queue Manager:
Start the queue manager via the "strmqm" command in $MQ_HOME\bin
strmqm WAS_<nodename>_<server>
To create the local queues within the queue manager:
Start ITIM via the "startServer" command in $WAS_HOME\bin
startServer <server>
To verify that the local queues have been created:
Utilize "runmqsc" found in the $MQ_HOME\bin directory against the queue manager (note: after the runmqsc command, you will enter the display qlocal command at a blank prompt):
runmqsc WAS_<nodename>_<server>
display qlocal(*)
end
Look for the following local queues:
WQ_itim_adhocSync, WQ_itim_ms, WQ_itim_rs, WQ_itim_wf, WQ_itim_wf_pending
Note: If the local queues are not created after starting up ITIM, the WebSphere transaction logs might have to be deleted and ITIM restarted. To clear the WebSphere transaction logs, go to the $WAS_HOME\tranlog\<server> and remove the four files in this directory.
Note2: If the queues still do not start then make careful checks on completion of software updates. Updating WAS to FP2 includes a number of MQ updates. These might partially fail (perhaps if elements of MQ are running during the update). Check $WAS_HOME\logs\update\MQCSDLog.txt.
http://www-1.ibm.com/support/docview.wss?uid=swg21153866
How to manually re-create the ITIM 4.6.0 Queues (MQ 5.3 and WAS 5.1.1) on UNIX
Technote (FAQ)
Problem
From time to time, it is necessary to re-create the ITIM Queues that reside in MQ Series.
Solution
In the commands shown below, typical values for parameters are:
- For <server> the typical value is "server1"
- For <nodename> the typical value is the server host name
Examples of similar commands being used during the ITIM installation process can be seen in the $WAS_HOME/logs/createMQ.<nodename>_<server>.log file.
To delete the Queue Manager and underlying content:
Stop ITIM via the "stopServer" command in $WAS_HOME/bin
sh stopServer.sh <server>
Delete the existing queue manager via the deletemq command in $WAS_HOME/bin
sh deletemq.sh WAS <nodename> <server>
To create the Queue Manager:
Create a new queue manager via the createmq command in $WAS_HOME/bin
sh createmq.sh $WAS_HOME WAS <nodename> <server>
To start the Queue Manager:
Start the queue manager via the "strmqm" command in $MQ_HOME/bin
strmqm WAS_<nodename>_<server>
To create the local queues within the queue manager:
Start ITIM via the "startServer" command in $WAS_HOME/bin
sh startServer.sh <server>
To verify that the local queues have been created:
Utilize "runmqsc" found in the $MQ_HOME/bin directory against the queue manager (note: after the runmqsc command, you will enter the display qlocal command at a blank prompt):
runmqsc WAS_<nodename>_<server>
display qlocal(*)
end
Look for the following local queues:
WQ_itim_adhocSync, WQ_itim_import_export, WQ_itim_ms, WQ_itim_policy, WQ_itim_policy_simulation, WQ_itim_ps, WQ_itim_rs, WQ_itim_rs_pending, WQ_itim_wf, WQ_itim_wf_shared
Note: If the local queues are not created after starting up ITIM, the WebSphere transaction logs might have to be deleted and ITIM restarted. To clear the WebSphere transaction logs, go to the $WAS_HOME/tranlog/<server>/transaction and enter a "rm -Rf *" to remove the two directories and the two files in each directory.
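Added example, not part of the original technote or IBM's tooling: a POSIX sh check that parses runmqsc output and reports which of the ITIM 4.6 queues listed above are missing or still hold messages. The function names and the sample output are constructed for illustration; only runmqsc and the queue names come from this page.

```sh
#!/bin/sh
# Added example: confirm the ITIM 4.6 local queues exist and are empty.
# Queue names are the ones listed in the technote above.
EXPECTED_QUEUES="WQ_itim_adhocSync WQ_itim_import_export WQ_itim_ms
WQ_itim_policy WQ_itim_policy_simulation WQ_itim_ps WQ_itim_rs
WQ_itim_rs_pending WQ_itim_wf WQ_itim_wf_shared"

# Constructed sample of runmqsc output (not captured from a real system):
# WQ_itim_wf still holds messages and WQ_itim_wf_shared was never created.
sample_output() {
  for q in WQ_itim_adhocSync WQ_itim_import_export WQ_itim_ms WQ_itim_policy \
           WQ_itim_policy_simulation WQ_itim_ps WQ_itim_rs WQ_itim_rs_pending; do
    printf 'AMQ8409: Display Queue details.\n   QUEUE(%s)   CURDEPTH(0)\n' "$q"
  done
  # Attributes can wrap onto separate lines; the parser accepts both layouts.
  printf 'AMQ8409: Display Queue details.\n   QUEUE(WQ_itim_wf)\n   CURDEPTH(96)\n'
}

# Read runmqsc output on stdin and print "<queue> <depth>" for each queue.
parse_depths() {
  awk '{
    line = $0
    while (match(line, /[A-Z]+\([^)]*\)/)) {
      tok = substr(line, RSTART, RLENGTH)
      line = substr(line, RSTART + RLENGTH)
      key = tok; sub(/\(.*/, "", key)
      val = tok; sub(/^[A-Z]+\(/, "", val); sub(/\)$/, "", val)
      if (key == "QUEUE") q = val
      else if (key == "CURDEPTH" && q != "") { print q, val; q = "" }
    }
  }'
}

# Print one finding per problem queue; return 0 only if all exist with depth 0.
check_itim_queues() {
  depths=$(parse_depths)
  rc=0
  for q in $EXPECTED_QUEUES; do
    d=$(printf '%s\n' "$depths" | awk -v q="$q" '$1 == q { print $2; exit }')
    if [ -z "$d" ]; then echo "MISSING $q"; rc=1
    elif [ "$d" -ne 0 ]; then echo "NONEMPTY $q $d"; rc=1
    fi
  done
  return $rc
}

# Live use: echo "dis ql('WQ_itim*') CURDEPTH" | runmqsc WAS_<nodename>_<server> | check_itim_queues
sample_output | check_itim_queues || true
```

A NONEMPTY finding after a clear attempt matches the AMQ8143 case earlier on this page, where dis qstatus showed UNCOM(YES) on WQ_itim_wf.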