× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.



Le 17/10/2022 à 22:24, Jeremy Ruth a écrit :
I have an update. I can now get a valid connection when starting System
Debugger from a 'Run SQL Scripts' session.

Progress... on the server, must issue both the following commands:
STRDBGSRV
STRTCPSRV *DBG


However, I have some authority issues. In System Debugger, I can now enter
a program name to debug, but when I do, I get the following error in System
Debugger:

"Not authorized to command STRSRVJOB in QSYS."

From the 'Established' entry below, I do an '8=Display Jobs':

Remote Remote Local
Opt Address Port Port Idle Time State
* * as-debug 002:14:14 Listen
10.51.96.212 62818 as-debug 001:59:44 Established

I get 1 job which appears to be assigned my user (JRUTH99):

Connection type . . . . . . : *TCP
Local address . . . . . . . : <IP address>
Local port . . . . . . . . . : 4026
Remote address . . . . . . . : <IP address>
Remote port . . . . . . . . : 62818

Type options, press Enter.
5=Work with job

Current
Opt Name User Number Type User
QTESDBGSVR JRUTH99 106777 *BCH JRUTH99


When I look at the joblog of that job, I can see the "Not authorized to
STRSRVJOB..." messages

So, my assumption is that this job is what is failing with the authorization
check. My user (JRUTH99) has *ALL authority to STRSRVJOB. I, using my
userID, started the debug server by issuing the STRSRVJOB command.

I have found some documents which talk about needed authority:

https://www.itjungle.com/2020/06/08/guru-graphical-debugging-through-acs/
https://community.ibm.com/community/user/power/discussion/system-debugger-getting-communications-error-when-starting-debug-server
https://www.ibm.com/support/pages/authorities-requried-debugging-using-graphical-gui-debugger
https://www.youtube.com/watch?v=z4nVNFKYNeI

But, I am not sure to understand you: do you mean that JRUTH99 has *ALL (this is too high, *USE is enough) authority on QSYS/STRSRVJOB command, but you still have an authority issue on that command?

Ideas:
Should STRSRVJOB be initiated by user with QSECOFR authority perhaps?

STRDBG, STRSRVJOB, ADDBKP commands will be initiated by your user profile. And all the commands must run within the same job. So you cannot ask someone to login with QSECOFR, use STRSRVJOB, then use other debugging commands with your user id. It will not work.

As far as I understand, all those commands will be initiated from the GUI within your QTESDBGSVR job.

What other user, group, jobd, etc. might cause the "Not authorized..."
message?
Does the user of the job that started the "Run SQL Scripts" job have any
bearing (<job#>/QUSER/QZDASOINIT)?

The current user of this job, yes. I mean not QUSER but it should be your user profile.

What user does the "System Debugger" session use when started from "Run SQL
Scripts"?

Your user profile, I mean the one you used to login within "Run SQL scripts".


Thanks,
Jeremy




On 10/16/22, 7:41 AM, "MIDRANGE-L on behalf of Marc Rauzier" <midrange-l-bounces@xxxxxxxxxxxxxxxxxx on behalf of marc.rauzier@xxxxxxxxx> wrote:

Le 15/10/2022 à 19:32, Birgitta Hauser a écrit :
> Yep! You cannot do it on PUB400 ... I recently spoke with Holger about this problem (I have the same problem on my own partition).
> He thinks it is because the IBM i is accessed directly ... without any VPN (and this might be the problem).

Well, that's strange because I just tried to debug an ILE and and OPM CL
program with this System Debugger (initiated from iACS "Run SQL
scripts"), and I was successful to do it on PUB400. It was using 4026
tcp port.

On my laptop, I ran, at the same time, a Wireskark network capture and
all IP packets were initiated from my workstation (behind a NAT router,
so using a non-routed IP) to PUB400's IP using the 4026 port as the
target. So, from a network point of view, if there is no firewall, or if
there is one which allows traffic over this port, I cannot see any issue.


> I never have a problem with the customers where I access the IBM I via VPN.
>
> Mit freundlichen Grüßen / Best regards
>
> Birgitta Hauser
> Modernization – Education – Consulting on IBM i
>
>
> "Shoot for the moon, even if you miss, you'll land among the stars." (Les Brown)
> "If you think education is expensive, try ignorance." (Derek Bok)
> "What is worse than training your staff and losing them? Not training them and keeping them!"
> „Train people well enough so they can leave, treat them well enough so they don't want to.“ (Richard Branson)
>
>
> -----Original Message-----
> From: MIDRANGE-L <midrange-l-bounces@xxxxxxxxxxxxxxxxxx> On Behalf Of Marc Rauzier
> Sent: Samstag, 15. Oktober 2022 15:37
> To: midrange-l@xxxxxxxxxxxxxxxxxx
> Subject: Re: ACS System Debugger doesn't want to work
>
> Le 14/10/2022 à 19:57, jeremy.ruth@xxxxxxxxxxx a écrit :
>> Thank you Marc for your help.
> Yw, I often used this technique to check firewall issues.
>> I tried the SSH command from my workstation and it made a connection because I am seeing what you're seeing from netstat. An established entry from my workstation.
>>
>> So the port is not blocked. Any other ideas?
> I am not really used to use the debugger nor I have an access with enough authority to an IBM i system to be able to help you more.
>
> However, here is what happens on PUB400 when I start the debugger from iACS SQL scripts like you do.
>
> Job listening on 3825 port is QB5ROUTER in QUSRWRK subsystem.
> Unfortunately I cannot see job log of this job.
> Job handling the tcp session on port 3825 with my workstation is QTESDBGSVR in QUSRWRK subsystem. It is submitted by QPGMR/QTESDBGHUB which runs in QSYSWRK subsystem at the time I request to start debugger.
> Unfornately I cannot see job log of this job.
>
> Have you got those two QB5ROUTER and QTESDBGHUB jobs active? Maybe you could check their job log? I can't do it on PUB400.
>
>
>> Jeremy
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives
at https://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxxxxxxxxxx for any subscription related questions.

Help support midrange.com by shopping at amazon.com with our affiliate link: https://amazon.midrange.com




As an Amazon Associate we earn from qualifying purchases.

This thread ...

Replies:

Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.