You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 7 Next »

Lamaxu is distributed as a compressed archive. At a high level, the installation procedure is extract the archive, specify the location of required client jars and configure it with the connection details of your queue managers.

Minimum System Requirements

Minimum System Requirements

Java Virtual Machine

Oracle JDK or JRE at version 1.8.0 or above

Operating Systems

Anything that supports Java 8

Memory

1GB RAM to support up to 4 queue managers with approximately 200 objects (queues, channels, etc) and 5000 event or accounting / statistics messages.

Disk Space

100MB

WebSphere MQ

WebSphere MQ v6 or above.

NOTE: PUBSUB functionality does not work monitoring MQ6 queue managers.

                                                                               Table 4: Datatype to Category mapping

Preparing for installation

Before installing, ensure all the prerequisite requirements have been met by completing this checklist.

Prerequisite Installation Requirements

File system

A file system with 250mb of space is required for the installation and the ongoing logging which will be done by the Lamaxu. This requirement may increase if you choose to maintain logs for a longer period.

Ensure the file system is owned by the user you plan to run the Lamaxu as and has been granted read, write and execute rights for the owner.

User account

A user which owns the file system created earlier and has read, write and execute rights on it.

Installation archive

Download the installation archive from the customer portal of the QueueMetrix website.

The available artefacts are:

  • LAMAXU-N.N.N-[NNNN]-bundle.tar.gz (Unix variants)
  • LAMAXU-N.N.N-[NNNN]-bundle.zip (windows or other)

Where N.N.N = to the appropriate version (for example 1.0.5) and [NNNN] is a qualifier which may be the mode (e.g. BETA) or another build instance number.

JAVA_HOME

You must have the JAVA_HOME environment variable set and pointing to a valid Java 8 installation home path before starting Lamaxu.

LAMAXU_HOME

Path to the home directory of Lamaxu

                                                                              Table 5: Prerequisite Installation Requirements


Installing on Linux

Unable to render {include} The included page could not be found.

Installing on Windows

Unable to render {include} The included page could not be found.

Configuring a Queue Manager

As of version 7.1 of MQ, the default security configuration is more restrictive and as such will probably need to be modified further before you can get a successful connection via a channel that has mcauser('mqm').

Refer to the WebSphere MQ documentation for further information if you still want to use the ‘mqm’ user. It is recommended that you create a new user for LAMAXU to user and apply the OAM authorities as described below.

Please replace the values below with the correct ones for your installation.

{qmgr} Queue Manager Name
{User} The MQ user being used by Lamaxu

Enable Queue Manager Monitoring and Statistics

For LAMAXU to work, the MONQ and MONCHL properties on the queue manager MUST be set to MEDIUM or higher to enable MQ to publish the Status and event information.

Use the MQSC commands below to modify the queue manager configuration and restart the LAMAXU agent.

ALTER QMGR CHLEV(ENABLED) +
MONCHL(MEDIUM) +
MONQ(MEDIUM) +
PERFMEV(ENABLED) +
STATCHL(MEDIUM) +
STATQ(ON) +
STATINT(60) +
FORCE

Define the Lamaxu Channel

For the purposes of this example the username 'lamaxu' has been used.

DEFINE CHANNEL('LAMAXU.CHANNEL') CHLTYPE(SVRCONN) MCAUSER('lamaxu')

MQ8/9 Unauthenticated Setup

To disable the security on the SVRCONN channels execute the following runmqsc commands below.
Note: This should only be performed in DEV for testing purposes.

ALTER AUTHINFO('SYSTEM.DEFAULT.AUTHINFO.IDPWOS') AUTHTYPE(IDPWOS) CHCKCLNT(OPTIONAL)
REFRESH SECURITY TYPE(CONNAUTH)
ALTER QMGR CHLAUTH(DISABLED)

MQ8/9 Authenticated Setup

To enable username/password authentication on the queue manager, the changes below need to be made to the queue manager configuration.
Note: The CHLAUTH(DISABLED) command below is required to disable the IP address filtering on CLIENT channels that MQ has enabled by default.  Disabling CHLAUTH does not disable username/password checks.

The commands below are MQ 'runmqsc' commands that need to be executed by an MQ privileged user, like the 'mqm' user. 

ALTER QMGR CONNAUTH(USE.PW) CHLAUTH(DISABLED)
ALTER AUTHINFO(USE.PW) +
AUTHTYPE(IDPWOS) +
FAILDLAY(10) +
CHCKLOCL(OPTIONAL) +
CHCKCLNT(REQUIRED)
REFRESH SECURITY TYPE(CONNAUTH)

Setmqaut OAM Commands

OAM Configuration for Objects

The Lamaxu agent needs to be granted access to the following queue manager objects to enable it work.

setmqaut -m {qmgr} -t qmgr -p {User} +connect +dsp +inq
setmqaut -m {qmgr} -n SYSTEM.ADMIN.COMMAND.QUEUE -t queue -p {User} +put +dsp +inq
setmqaut -m {qmgr} -n SYSTEM.DEFAULT.MODEL.QUEUE -t queue -p {User} +get +dsp
setmqaut -m {qmgr} -n SYSTEM.MQEXPLORER.REPLY.MODEL -t queue –p {User} +get +dsp +inq
setmqaut -m {qmgr} -n "**" -t queue -p {User} +inq +dsp
setmqaut -m {qmgr} -n "**" -t topic -p {User} +dsp
setmqaut -m {qmgr} -n "**" -t channel -p {User} +dsp
setmqaut -m {qmgr} -n "**" -t authinfo -p {User} +dsp
setmqaut -m {qmgr} -n "**" -t clntconn -p {User} +dsp
setmqaut -m {qmgr} -n "**" -t comminfo -p {User} +dsp
setmqaut -m {qmgr} -n "**" -t listener -p {User} +dsp
setmqaut -m {qmgr} -n "**" -t namelist -p {User} +dsp
setmqaut -m {qmgr} -n "**" -t process -p {User} +dsp
setmqaut -m {qmgr} -n "**" -t service -p {User} +dsp

OAM Configuration for Events, Accounting and Statistics

The Lamaxu agent needs to be granted access to the following queue manager event queues to enable it work.

setmqaut -m {qmgr} -n SYSTEM.ADMIN.CHANNEL.EVENT -t queue -p {User} +get +dsp +inq +browse
setmqaut -m {qmgr} -n SYSTEM.ADMIN.COMMAND.EVENT -t queue -p {User} +get +dsp +inq +browse
setmqaut -m {qmgr} -n SYSTEM.ADMIN.CONFIG.EVENT -t queue -p {User} +get +dsp +inq +browse
setmqaut -m {qmgr} -n SYSTEM.ADMIN.LOGGER.EVENT -t queue -p {User} +get +dsp +inq +browse
setmqaut -m {qmgr} -n SYSTEM.ADMIN.PERFM.EVENT -t queue -p {User} +get +dsp +inq +browse
setmqaut -m {qmgr} -n SYSTEM.ADMIN.PUBSUB.EVENT -t queue -p {User} +get +dsp +inq +browse
setmqaut -m {qmgr} -n SYSTEM.ADMIN.QMGR.EVENT -t queue -p {User} +get +dsp +inq +browse
setmqaut -m {qmgr} -n SYSTEM.ADMIN.STATISTICS.QUEUE -t queue -p {User} +get +dsp +inq +browse
setmqaut -m {qmgr} -n SYSTEM.ADMIN.ACCOUNTING.QUEUE -t queue -p {User} +get +dsp +inq +browse
setmqaut -m {qmgr} -n SYSTEM.ADMIN.TRACE.ACTIVITY.QUEUE -t queue -p {User} +get +dsp +inq +browse
setmqaut -m {qmgr} -n SYSTEM.ADMIN.TRACE.ROUTE.QUEUE -t queue -p {User} +get +dsp +inq +browse

AUTHREC OAM Authorities

The following OAM authorities can be used in situations where it's not possible to execute the usual 'setmqaut' command, such as the MQ appliance.
You must perform a search and replace of {userName} with your MQ Service user name.

Download script

** OAM Configuration for EVENTS and Activity Trace
SET AUTHREC +
 PROFILE('SYSTEM.ADMIN.CHANNEL.EVENT') +
 GROUP('{userName}') +
 OBJTYPE(QUEUE) +
 AUTHADD(BROWSE,DSP,GET,INQ)
*
SET AUTHREC +
 PROFILE('SYSTEM.ADMIN.COMMAND.EVENT') +
 GROUP('{userName}') +
 OBJTYPE(QUEUE) +
 AUTHADD(BROWSE,DSP,GET,INQ)
*
SET AUTHREC +
 PROFILE('SYSTEM.ADMIN.CONFIG.EVENT') +
 GROUP('{userName}') +
 OBJTYPE(QUEUE) +
 AUTHADD(BROWSE,DSP,GET,INQ)
*
SET AUTHREC +
 PROFILE('SYSTEM.ADMIN.LOGGER.EVENT') +
 GROUP('{userName}') +
 OBJTYPE(QUEUE) +
 AUTHADD(BROWSE,DSP,GET,INQ)
*
SET AUTHREC +
 PROFILE('SYSTEM.ADMIN.PERFM.EVENT') +
 GROUP('{userName}') +
 OBJTYPE(QUEUE) +
 AUTHADD(BROWSE,DSP,GET,INQ)
*
SET AUTHREC +
 PROFILE('SYSTEM.ADMIN.PUBSUB.EVENT') +
 GROUP('{userName}') +
 OBJTYPE(QUEUE) +
 AUTHADD(BROWSE,DSP,GET,INQ)
*
SET AUTHREC +
 PROFILE('SYSTEM.ADMIN.QMGR.EVENT') +
 GROUP('{userName}') +
 OBJTYPE(QUEUE) +
 AUTHADD(BROWSE,DSP,GET,INQ)
*
SET AUTHREC +
 PROFILE('SYSTEM.ADMIN.STATISTICS.QUEUE') +
 GROUP('{userName}') +
 OBJTYPE(QUEUE) +
 AUTHADD(BROWSE,DSP,GET,INQ)
*
SET AUTHREC +
 PROFILE('SYSTEM.ADMIN.ACCOUNTING.QUEUE') +
 GROUP('{userName}') +
 OBJTYPE(QUEUE) +
 AUTHADD(BROWSE,DSP,GET,INQ)
*
SET AUTHREC +
 PROFILE('SYSTEM.ADMIN.TRACE.ACTIVITY.QUEUE') +
 GROUP('{userName}') +
 OBJTYPE(QUEUE) +
 AUTHADD(BROWSE,DSP,GET,INQ)
*
SET AUTHREC +
 PROFILE('SYSTEM.ADMIN.TRACE.ROUTE.QUEUE') +
 GROUP('{userName}') +
 OBJTYPE(QUEUE) +
 AUTHADD(BROWSE,DSP,GET,INQ)
*
** OAM Configuration for Objects
SET AUTHREC +
 PROFILE('SYSTEM.ADMIN.COMMAND.QUEUE') +
 GROUP('{userName}') +
 OBJTYPE(QUEUE) +
 AUTHADD(DSP,PUT,INQ)
*
SET AUTHREC +
 PROFILE('SYSTEM.DEFAULT.MODEL.QUEUE') +
 GROUP('{userName}') +
 OBJTYPE(QUEUE) +
 AUTHADD(DSP,GET,INQ)
*
SET AUTHREC +
 PROFILE('SYSTEM.MQEXPLORER.REPLY.MODEL') +
 GROUP('{userName}') +
 OBJTYPE(QUEUE) +
 AUTHADD(DSP,GET,INQ)
*
SET AUTHREC +
 GROUP('{userName}') +
 OBJTYPE(QMGR) +
 AUTHADD(CONNECT,INQ)
*
SET AUTHREC +
 PROFILE(**) +
 GROUP('{userName}') +
 OBJTYPE(QUEUE) +
 AUTHADD(DSP,INQ)
*
SET AUTHREC +
 PROFILE(**) +
 GROUP('{userName}') +
 OBJTYPE(TOPIC) +
 AUTHADD(DSP)
*
SET AUTHREC +
 PROFILE(**) +
 GROUP('{userName}') +
 OBJTYPE(CHANNEL) +
 AUTHADD(DSP)
*
SET AUTHREC +
 PROFILE(**) +
 GROUP('{userName}') +
 OBJTYPE(AUTHINFO) +
 AUTHADD(DSP)
*
SET AUTHREC +
 PROFILE(**) +
 GROUP('{userName}') +
 OBJTYPE(CLNTCONN) +
 AUTHADD(DSP)
*
SET AUTHREC +
 PROFILE(**) +
 GROUP('{userName}') +
 OBJTYPE(COMMINFO) +
 AUTHADD(DSP)
*
SET AUTHREC +
 PROFILE(**) +
 GROUP('{userName}') +
 OBJTYPE(LISTENER) +
 AUTHADD(DSP)
*
SET AUTHREC +
 PROFILE(**) +
 GROUP('{userName}') +
 OBJTYPE(NAMELIST) +
 AUTHADD(DSP)
*
SET AUTHREC +
 PROFILE(**) +
 GROUP('{userName}') +
 OBJTYPE(PROCESS) +
 AUTHADD(DSP)
*
SET AUTHREC +
 PROFILE(**) +
 GROUP('{userName}') +
 OBJTYPE(SERVICE) +
 AUTHADD(DSP)

ZOS RACF Commands for Events, Accounting and Statistics

You must perform a search and replace of {USER} with your MQ Service user name and {QMGR} with the name of the MQ queue manager.

Generic Display

PE {QMGR}.DISPLAY.* CLASS(MQCMDS) ID({USER}) ACCESS(READ)

Event Queues

PE {QMGR}.SYSTEM.ADMIN.CHANNEL.EVENT CLASS(MQQUEUE) ID({USER}) ACCESS(UPDATE)
PE {QMGR}.SYSTEM.ADMIN.COMMAND.EVENT CLASS(MQQUEUE) ID({USER}) ACCESS(UPDATE)
PE {QMGR}.SYSTEM.ADMIN.CONFIG.EVENT CLASS(MQQUEUE) ID({USER}) ACCESS(UPDATE)
PE {QMGR}.SYSTEM.ADMIN.PERFM.EVENT CLASS(MQQUEUE) ID({USER}) ACCESS(UPDATE)
PE {QMGR}.SYSTEM.ADMIN.QMGR.EVENT CLASS(MQQUEUE) ID({USER}) ACCESS(UPDATE)
PE {QMGR}.SYSTEM.ADMIN.ACTIVITY.QUEUE CLASS(MQQUEUE) ID({USER}) ACCESS(UPDATE)
PE {QMGR}.SYSTEM.ADMIN.TRACE.ROUTE.QUEUE CLASS(MQQUEUE) ID({USER}) ACCESS(UPDATE)

Model and Command Queues

PE {QMGR}.SYSTEM.COMMAND.REPLY.MODEL CLASS(MQQUEUE) ID({USER}) ACCESS(UPDATE)
PE {QMGR}.SYSTEM.DEFAULT.MODEL.QUEUE CLASS(MQQUEUE) ID({USER}) ACCESS(UPDATE)
PE {QMGR}.SYSTEM.ADMIN.CHANNEL.EVENT CLASS(MQQUEUE) ID({USER}) ACCESS(UPDATE)
PE {QMGR}.AMQ.MQEXPLORER.* CLASS(MQQUEUE) ID({USER}) ACCESS(UPDATE)
PE {QMGR}.SYSTEM.MQEXPLORER.REPLY.MODEL CLASS(MQQUEUE) ID({USER}) ACCESS(UPDATE)

Statistics

PE {QMGR}.RESET.* CLASS(MQCMDS) ID({USER}) ACCESS(CONTROL) 
PE {QMGR}.QUEUE.* CLASS(MQADMIN) ID({USER}) ACCESS(CONTROL)
SETR GENERIC(MQCMDS) REFRESH 
SETR GENERIC(MQADMIN) REF
SETR RACLIST(MQADMIN) REF

MQ command

REFRESH SECURITY

Multi-Instance Queue Managers

To monitor a multi-instance queue manager, enter a comma separated list of hosts into the 'Host Name' field as shown below. The list can consist of an IP address or DNS host name.
Port number must remain the same for all hosts.


 


Queue Manager SSL Configuration

Lamaxu versions greater than 1.0.5.9 are required in order to use SSL Connections to the MQ queue manager.

Open a web browser and navigate to the Lamaxu Admin page.

Example, http://localhost:8085/admin/dashboard/#/mq/admin (the default username and password is admin/password)

Navigate to the 'Queue Managers' tab and enter the required Cipher Suite into the Cipher input box. Note the Cipher Suite used needs to match the Cipher Spec on the MQ channel.

To Import a Trust Certificate

 keytool -importcert -file mycert.txt -keystore truststore.jks -alias mycert

Where mycert.txt is is your trust certificate.

The default password for the truststore.jks file is 'changeit'

Recommended CipherSpecs and Equivalent CipherSuites 

https://www.ibm.com/support/knowledgecenter/en/SSFKSJ_8.0.0/com.ibm.mq.dev.doc/q113210_.htm 

MQ CipherSpec
Equivalent CipherSuite (Oracle JRE)
Protocol
TLS_RSA_WITH_AES_128_CBC_SHATLS_RSA_WITH_AES_128_CBC_SHATLS v1
TLS_RSA_WITH_AES_128_CBC_SHA256TLS_RSA_WITH_AES_128_CBC_SHA256TLS v1.2
TLS_RSA_WITH_AES_256_CBC_SHATLS_RSA_WITH_AES_256_CBC_SHATLS v1
TLS_RSA_WITH_AES_256_CBC_SHA256TLS_RSA_WITH_AES_256_CBC_SHA256TLS v1.2

Defining a Private Keystore for Mutual SSL 

To use Mutual certificate authentication, enter the keystore Filename and Keystore Password, of the keystore with the private key, in the in the Agent Config. The password can be obfuscated here as well.

 

Password Obfuscation

On Linux

/opt/queuemetrix/lamaxu.{version}/bin/obfuscate.sh password
Obfuscated password is: {obf}hZSGhoKah5E=

On Windows

The command below will obfuscate the password 'password'.

C:\Program Files (x86)\QueueMetrix\LAMAXU\bin>obfuscate.bat password
Obfuscated password is: {obf}hZSGhoKah5E=


  • No labels