IBM Tivoli Identity Manager Pre 5.0 How To

How to access embedded MQ in WAS with global security enabled

Use the WebSphere system account to get into MQ:
F:\Program Files\ibm\WebSphere MQ\bin>runas /user:zidmsws "runmqsc WAS_astim_server1"

Alternatively (the following did not quite work for me), look up the ITIM admin EJB user in "G:\Program Files\WebSphere\AppServer\config\cells\astim\integral-jms-authorizations.xml". This is the file where MQ security is stored and edited. You could add yourself to the list or use the following:


F:\Program Files\ibm\WebSphere MQ\bin>runas /user:zidmswse /netonly "runmqsc WAS_astim_server1"

/netonly is important since the EJB user is not allowed a local login.

How to clear all ITIM queues

Applies to TIM 4.5 and 4.6. TIM 5.0 has MQ embedded in WAS and needs to be manipulated through the WAS admin console.

  1. Stop all WAS servers, including jmsserver.
  2. Go into websphere folder\tranlog and remove the "transaction" subfolders from all the folders in the tranlog.
  3. Start jmsserver only. Now clear the MQ queues per normal procedure:
dspmq
runmqsc WAS_name
dis ql('WQ*') CURDEPTH
clear ql('..')
dis ql('WQ*')

  4. Everything will be clean. Now start all WAS servers back up.
  5. Well, it turns out some of the stuff is stored in the ITIM DB, so the queues, while initially clean, will start to fill up with the stuff from the DB once ITIM is back up unless you clean the DB (which I do not know at this point how).

or try this:


clear ql ('WQ_itim_wf')
    36 : clear ql ('WQ_itim_wf')
AMQ8143: WebSphere MQ queue not empty.

dis qstatus('WQ_itim_wf')
    37 : dis qstatus('WQ_itim_wf')
AMQ8450: Display queue status details.
   QUEUE(WQ_itim_wf)                       IPPROCS(0)
   OPPROCS(0)                              CURDEPTH(96)
   UNCOM(YES)

Recreate the queues per 1 or this:


stop ITIM WAS server
F:\Program Files\WebSphere\AppServer\bin>deletemq WAS SERVER server1
F:\Program Files\WebSphere\AppServer\bin>createmq "F:\Program Files\WebSphere\AppServer" WAS SERVER server1 "F:\Program Files\ibm\WebSphere MQ" "F:\Program Files\ibm\WebSphere MQ\WEMPS"
F:\Program Files\WebSphere\AppServer\bin>"F:\Program Files\ibm\WebSphere MQ\bin\"strmqm WAS_SERVER_server1

Delete:


"A:\Program Files\WebSphere\AppServer\tranlog\server1\transaction\partnerlog"
"A:\Program Files\WebSphere\AppServer\tranlog\server1\transaction\tranlog"

Start ITIM to recreate the queues

  1. Verify they exist and they are empty

F:\Program Files\WebSphere\AppServer\bin>"F:\Program Files\ibm\WebSphere MQ\bin\"runmqsc WAS_SERVER_server1
dis ql('W*') CURDEPTH

or this:


dis channel('*')
    43 : dis channel('*')
AMQ8414: Display Channel details.
   CHANNEL(WAS.JMS.SVRCONN)                CHLTYPE(SVRCONN)
stop channel(WAS.JMS.SVRCONN)
    45 : stop channel(WAS.JMS.SVRCONN)
AMQ8019: Stop WebSphere MQ channel accepted.

Stop the whole ITIM:

F:\Program Files\ibm\WebSphere MQ\bin>endmqm WAS_SERVER_server1

Kill the process tree if needed:

F:\Program Files\ibm\WebSphere MQ\bin>strmqm WAS_SERVER_server1
cp "A:\Program Files\ibm\WebSphere MQ\Qmgrs\WAS_SERVER_server1\QUEUES\@MANGLED\0U000000\q"

How to find out current length of the ITIM queues

For TIM 4.5, 4.6

dspmq

Look for the [running] MQ server name

echo dis ql('WQ_itim*') CURDEPTH | runmqsc WAS_MQ_SERVER_NAME


How to find what PPs apply to a specific role

While logged into ITIM, click on Search on the top menu bar. Click on "Search by Filter" in the upper right corner of the window. Select "Provisioning Policy" from the listbox. In the Filter field, use "(erpolicymembership=*<role identifier>*)", without the quotes, but with the asterisks.

Note: <role identifier> must be the erglobalid of the role rather than the name of the role. To find the erglobalid for a role, navigate to My Organization -> Manage Organizational Roles, then mouseover the desired role. The erglobalid will appear in the status bar of the browser. For example, if the status bar reads:

javascript:getRoleDetail('org_role_mod','erglobalid=5592021780114339054,ou=roles,erglobalid=0000000000000000... 
then you would use "5592021780114339054" as the <role identifier>.
http://www-1.ibm.com/support/docview.wss?rs=644&context=SSTFWV&q1=provisioning+policy+javascript&uid=swg21153942&loc=en_US&cs=utf-8&lang=en

How to manually re-create the ITIM 4.5 Queues (MQ 5.3 and WAS 5.0) on Windows

In the commands shown below, typical values for parameters are: for <server>, the typical value is "server1"; for <nodename>, the typical value is the server host name.
Examples of similar commands being used during the ITIM installation process can be seen in the $WAS_HOME\logs\createMQ.<nodename>_<server>.log file.

To Delete the Queue Manager and underlying content: Stop ITIM via the "stopServer" command in $WAS_HOME\bin

stopServer <server>

Delete the existing queue manager via the deletemq command in $WAS_HOME\bin

deletemq WAS <nodename> <server>

To create the Queue Manager: Create a new queue manager via the createmq command in $WAS_HOME\bin

createmq $WAS_HOME WAS <nodename> <server> $MQ_HOME $MQ_HOME\WEMPS

To start the Queue Manager: Start the queue manager via the "strmqm" command in $MQ_HOME\bin

strmqm WAS_<nodename>_<server>

To create the local queues within the queue manager: Start ITIM via the "startServer" command in $WAS_HOME\bin

startServer <server>

To verify that the local queues have been created: Utilize "runmqsc" found in the $MQ_HOME\bin directory against the queue manager (note: after the runmqsc command, you will enter the display qlocal command at a blank prompt.):

runmqsc WAS_<nodename>_<server>
display qlocal(*)
end

Look for the following local queues: WQ_itim_adhocSync, WQ_itim_ms, WQ_itim_rs, WQ_itim_wf, WQ_itim_wf_pending

Note: If the local queues are not created after starting up ITIM, the WebSphere transaction logs might have to be deleted and ITIM restarted. To clear the WebSphere transaction logs, go to the $WAS_HOME\tranlog\<server> and remove the four files in this directory.

Note2: If the queues still do not start then make careful checks on completion of software updates. Updating WAS to FP2 includes a number of MQ updates. These might partially fail (perhaps if elements of MQ are running during the update). Check $WAS_HOME\logs\update\MQCSDLog.txt.

http://www-1.ibm.com/support/docview.wss?uid=swg21153866

How to manually re-create the ITIM 4.6.0 Queues (MQ 5.3 and WAS 5.1.1) on UNIX

Technote (FAQ)
Problem: From time to time, it is necessary to re-create the ITIM Queues that reside in MQ Series.
Solution: In the commands shown below, typical values for parameters are: for <server>, the typical value is "server1"; for <nodename>, the typical value is the server host name.
Examples of similar commands being used during the ITIM installation process can be seen in the $WAS_HOME/logs/createMQ.<nodename>_<server>.log file.

To delete the Queue Manager and underlying content: Stop ITIM via the "stopServer" command in $WAS_HOME/bin


sh stopServer.sh <server>

Delete the existing queue manager via the deletemq command in $WAS_HOME/bin


sh deletemq.sh WAS <nodename> <server>

To create the Queue Manager: Create a new queue manager via the createmq command in $WAS_HOME/bin


sh createmq.sh $WAS_HOME WAS <nodename> <server>

To start the Queue Manager: Start the queue manager via the "strmqm" command in $MQ_HOME/bin


strmqm WAS_<nodename>_<server>

To create the local queues within the queue manager: Start ITIM via the "startServer" command in $WAS_HOME/bin


sh startServer.sh <server>

To verify that the local queues have been created:
Utilize "runmqsc" found in the $MQ_HOME/bin directory against the queue manager (note: after the runmqsc command, you will enter the display qlocal command at a blank prompt.):

runmqsc WAS_<nodename>_<server>
display qlocal(*)
end

Look for the following local queues:

WQ_itim_adhocSync
WQ_itim_import_export
WQ_itim_ms
WQ_itim_policy
WQ_itim_policy_simulation
WQ_itim_ps
WQ_itim_rs
WQ_itim_rs_pending
WQ_itim_wf
WQ_itim_wf_shared
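
The queue checks on this page (current depth, the UNCOM(YES) state seen when clear ql returned AMQ8143, and the list of queues expected after a re-create) can be scripted by parsing runmqsc output. The following is an added example, not part of the original how-to or of IBM's tooling; the function names are hypothetical and the sample output is constructed, laid out like the dis qstatus output shown earlier on the page.

```python
import re

# Queue names the page lists for ITIM 4.6.0 (MQ 5.3, WAS 5.1.1).
EXPECTED_QUEUES = [
    "WQ_itim_adhocSync", "WQ_itim_import_export", "WQ_itim_ms",
    "WQ_itim_policy", "WQ_itim_policy_simulation", "WQ_itim_ps",
    "WQ_itim_rs", "WQ_itim_rs_pending", "WQ_itim_wf", "WQ_itim_wf_shared",
]
MESSAGE = re.compile(r"^AMQ\d{4}:.*$", re.M)      # starts a response record
ECHO = re.compile(r"^[ \t]*\d+ : .*$", re.M)      # runmqsc echo of the command
ATTRIBUTE = re.compile(r"([A-Z][A-Z0-9]*)\(([^)]*)\)")  # e.g. CURDEPTH(96)
# Constructed sample in the layout of the page's dis qstatus output.
SAMPLE = """\
    36 : clear ql ('WQ_itim_wf')
AMQ8143: WebSphere MQ queue not empty.
    37 : dis qstatus('WQ_itim*')
AMQ8450: Display queue status details.
   QUEUE(WQ_itim_wf)                       IPPROCS(0)
   OPPROCS(0)                              CURDEPTH(96)
   UNCOM(YES)
AMQ8450: Display queue status details.
   QUEUE(WQ_itim_ms)                       IPPROCS(0)
   OPPROCS(0)                              CURDEPTH(0)
   UNCOM(NO)
"""

def parse_queues(mqsc_output):
    """Return {queue name: {attribute: value}} from runmqsc display output."""
    queues = {}
    body = ECHO.sub("", mqsc_output)              # drop echoed commands
    for record in MESSAGE.split(body)[1:]:        # one piece per AMQnnnn: line
        attrs = dict(ATTRIBUTE.findall(record))
        if "QUEUE" in attrs:                      # skips messages such as AMQ8143
            queues.setdefault(attrs["QUEUE"], {}).update(attrs)
    return queues

def audit(mqsc_output, expected=EXPECTED_QUEUES):
    """Report expected queues that are absent and queues that are not clean."""
    queues = parse_queues(mqsc_output)
    depth = {q: int(a.get("CURDEPTH", 0)) for q, a in queues.items()}
    return {
        "missing": [q for q in expected if q not in queues],
        "non_empty": {q: d for q, d in depth.items() if d > 0},
        "uncommitted": [q for q, a in queues.items() if a.get("UNCOM") == "YES"],
    }

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Replace SAMPLE with the captured output of the page's `echo dis ql('WQ_itim*') CURDEPTH | runmqsc ...` command or of `dis qstatus`; for the 4.5 queue list, pass the shorter set of names as `expected`.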

Note: If the local queues are not created after starting up ITIM, the WebSphere transaction logs might have to be deleted and ITIM restarted. To clear the WebSphere transaction logs, go to the $WAS_HOME/tranlog/<server>/transaction and enter a "rm -Rf *" to remove the two directories and the two files in each directory.
