We are using IBM MQ version 9.0 on a Windows server. We require a little information about MUSR_MQADMIN. Can we rename MUSR_MQADMIN to some other user? If it's renamed to some other user and pointing to the "IBM Websphere MQ services", will it face any challenges?
#Team,
We have one more question: why do we always get "error 1069: the services didn't start due to the logon error"? We have seen in the logon properties that ./musr_mqadmin has an encrypted password. Kindly confirm: after installation, is this password created from the operational user password (mqm#123) (e.g. user: op_mqm, password: mqm#123), or is there a default password? If it is a default password, how can we decrypt it?
Yes, the default user MUSR_MQADMIN can be deleted. Before that, you should create another user account and make this user a member of the mqm group, then associate this new user name with IBM MQ Services. If you are working with MQ Client then the MUSR_MQADMIN user is NOT needed.
I have tried this and it works fine.
Related
I am new to IBM WebSphere MQ. I am running it within a docker container. The user 'sampleuser' and 'root' are part of the 'mqm' group within the container. I am able to access the MQ from the host as a 'root' user and as a 'sampleuser' (I created 'sampleuser' in the host as well).
I want to enable anonymous authentication, so that irrespective of the client user id, they should be able to access the MQ. I thought MCAUSER('sampleuser') would do it for me. But it doesn't work. I get error AMQ4036 (not authorized) from the eclipse IBM explorer. Please advise.
ALTER QMGR PSNPRES(SAFE)
ALTER QMGR PSMODE (ENABLED)
DEFINE CHANNEL(SYSTEM.ADMIN.SVRCONN) CHLTYPE(SVRCONN) MCAUSER('sampleuser') REPLACE
Update #1
I updated the code to allow privileged user. But still fails.
ALTER QMGR PSNPRES(SAFE)
ALTER QMGR PSMODE (ENABLED)
SET CHLAUTH(*) TYPE(BLOCKUSER) USERLIST('*NOACCESS')
DEFINE CHANNEL(SYSTEM.ADMIN.SVRCONN) CHLTYPE(SVRCONN) MCAUSER('sampleuser') REPLACE
Here is the log, that I have got.
EXPLANATION:
The user ID 'sampleuser' and its password were checked because the user ID is
privileged and the queue manager connection authority (CONNAUTH) configuration
refers to an authentication information (AUTHINFO) object named
'SYSTEM.DEFAULT.AUTHINFO.IDPWOS' with CHCKCLNT(REQDADM).
This message accompanies a previous error to clarify the reason for the user ID
and password check.
ACTION:
Refer to the previous error for more information.
Ensure that a password is specified by the client application and that the
password is correct for the user ID. The authentication configuration of the
queue manager connection determines the user ID repository. For example, the
local operating system user database or an LDAP server.
To avoid the authentication check, you can either use an unprivileged user ID
or amend the authentication configuration of the queue manager. You can amend
the CHCKCLNT attribute in the CHLAUTH record, but you should generally not
allow unauthenticated remote access.
Update #2
Based on JohnMC's answer and reference to "Provide anonymous access to IBM WebSphere MQ", I finally made it work. :)
ALTER QMGR PSNPRES(SAFE)
ALTER QMGR PSMODE (ENABLED)
ALTER QMGR CHLAUTH(DISABLED)
SET CHLAUTH(*) TYPE(BLOCKUSER) USERLIST('*NOACCESS')
DEFINE CHANNEL(SYSTEM.ADMIN.SVRCONN) CHLTYPE(SVRCONN) MCAUSER('sampleuser') REPLACE
ALTER AUTHINFO(SYSTEM.DEFAULT.AUTHINFO.IDPWOS) AUTHTYPE(IDPWOS) CHCKCLNT(OPTIONAL)
REFRESH SECURITY TYPE(CONNAUTH)
I will assume you are using a supported version of MQ (7.1 or later).
With MQ 7.1 and later a new queue manager by default will come with a few CHLAUTH rules, one of these disables connections to SVRCONN channels from users with MQ administrative authority. In this case you have placed the user sampleuser in the MCAUSER of the channel. Since sampleuser is a member of the mqm group it is disallowed by default.
Based on the setup you present if the connection was allowed you would be allowing any user that can connect over the network to your MQ listener port the ability to manage the queue manager, define queues, delete queues, add permissions, etc.
Look at this answer by T.Rob for some more detail on how to make this work without disabling security "Unable to connect to queue manager in WebSphere MQ 7.1".
I also have another post with some similar information "C# MQ Connect get Error 2035 but Java MQ Connect works well"
Update #1
The logs show that you are getting a connection authentication error. With MQ 8.0 and later by default the queue manager is configured to require a valid password be specified for MQ Administrative users, since sampleuser is part of the mqm group it falls into this category.
You can configure MQ Explorer to send a username and password when connecting to the queue manager.
Right click the queue manager name
Select Connection Details
Select Properties...
Select Userid
Check the box next to "Enable user identification"
Fill in the Userid field
If you leave it as "Prompt for password" it will ask you each time you open MQ Explorer for the password when you attempt to connect to the queue manager. You have the option of selecting "Use saved password" and then providing the password.
I do not recommend you do this, but if you want to disable security and allow anyone to connect as an MQ administrator to your queue manager without providing a valid password, you can disable this with the following command.
ALTER AUTHINFO(SYSTEM.DEFAULT.AUTHINFO.IDPWOS) AUTHTYPE(IDPWOS) CHCKCLNT(OPTIONAL)
REFRESH SECURITY TYPE(CONNAUTH)
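As an added example (not part of the answer above and not IBM's code), this Python check reads an MQSC script and flags the settings the answer warns about, using the question's "Update #2" commands as input. The function names are hypothetical, the caller must supply which user IDs are in the mqm group, and `*MQADMIN` is the user list of IBM MQ's default BLOCKUSER rule, which this page does not quote.

```python
import re

# MQSC from "Update #2" in the question above, embedded as sample input.
SAMPLE_MQSC = """\
ALTER QMGR PSNPRES(SAFE)
ALTER QMGR PSMODE (ENABLED)
ALTER QMGR CHLAUTH(DISABLED)
SET CHLAUTH(*) TYPE(BLOCKUSER) USERLIST('*NOACCESS')
DEFINE CHANNEL(SYSTEM.ADMIN.SVRCONN) CHLTYPE(SVRCONN) MCAUSER('sampleuser') REPLACE
ALTER AUTHINFO(SYSTEM.DEFAULT.AUTHINFO.IDPWOS) AUTHTYPE(IDPWOS) CHCKCLNT(OPTIONAL)
REFRESH SECURITY TYPE(CONNAUTH)
"""

# KEYWORD(value) or KEYWORD('value'), with optional space before the bracket.
ATTR = re.compile(r"([A-Z]+)\s*\(\s*'?([^')]*)'?\s*\)", re.I)


def parse(line):
    """Split one single-line MQSC command into (object type, attributes)."""
    obj = re.split(r"\W", line.split()[1])[0].upper()
    attrs = {k.upper(): v.strip().upper() for k, v in ATTR.findall(line)}
    return obj, attrs


def audit(mqsc, mqm_members):
    """Return (line number, finding); mqm_members is caller-supplied (assumption)."""
    admins = {u.upper() for u in mqm_members}  # case-insensitive: errs toward flagging
    findings = []
    for n, line in enumerate(mqsc.splitlines(), 1):
        if len(line.split()) < 2 or line.lstrip().startswith("*"):
            continue  # blank line, lone keyword, or MQSC comment
        obj, a = parse(line)
        if obj == "QMGR" and a.get("CHLAUTH") == "DISABLED":
            findings.append((n, "CHLAUTH rules are switched off for every channel"))
        elif obj == "CHLAUTH" and a.get("TYPE") == "BLOCKUSER" \
                and a.get("CHLAUTH") == "*" and "*MQADMIN" not in a.get("USERLIST", ""):
            findings.append((n, "default block on administrative users is replaced"))
        elif obj == "CHANNEL" and a.get("CHLTYPE") == "SVRCONN" \
                and a.get("MCAUSER") in admins:
            findings.append((n, "every client on this SVRCONN runs as an MQ administrator"))
        elif obj == "AUTHINFO" and a.get("CHCKCLNT") in ("NONE", "OPTIONAL"):
            findings.append((n, "no client, administrators included, must send a password"))
    return findings


if __name__ == "__main__":
    for n, msg in audit(SAMPLE_MQSC, {"sampleuser"}):
        print(f"line {n}: {msg}")
```

The same check run on the "Update #1" commands flags only the BLOCKUSER override and the channel's MCAUSER, which matches the connection authentication error shown in that log.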
I have already installed WebSphere Application Server 8.5.5 on my machine without a username and password.
But for some reason, after using it for several days without any problem, today I got a problem where I am asked to enter a username and password in one of the applications which I deployed on WAS 8.5.5.
Now how can I create a username and password in an already installed WAS 8.5.5?
If you want to disable application security, in the Security -> Global Security section, uncheck Enable application security.
Otherwise, if you want to enable application security, configure the User account repository with the available realm definitions.
I was trying to configure my WMQ.
The queue manager was running until I changed the password of my musr_mqadmin account.
Now the local queue manager that I created cannot be started any more.
The pop-up says "The MQ service for installation "installation1" must be running"
When I tried to reset the musr_mqadmin account, it says "mq configuration an error while validating the security credentials "
I am really stuck and helpless. Please kindly advise.
MQ Service runs under MUSR_MQADMIN account. You will need to provide the same password for MQ Service also. Go to Administrative Tools/Services console. Select IBM WebSphere MQ service and open the properties by double clicking on the service. On the Log On tab provide the new password and OK to close the dialog and start the service.
HTH/Shashi
I have installed DB2 Express-C on my office machine. This machine does not allow me to create a new account, so I installed DB2 using my local login account. The database installed successfully.
But when I try to connect to the database, it always says "Username/Password is invalid".
My local user account is appended with the domain name, for example: "INDDEV/Raghav"
"INDDEV" is the domain name, "Raghav" is my username.
I have tried all the possible combinations, but am unable to connect.
Please help me.
Thanks
The problem comes from your domain user. DB2 does not recognize domain users by default, thus your user cannot be authenticated. You can create a local user for yourself, OR you can use the instance user, OR change the instance configuration to recognize domain users.
To configure heterogeneous services for connecting to a SQL Server 2005, we are trying to configure the Oracle 11gR2 database via EM.
We log in using the SYS account, and when we click on the listener link, the Net Services Administration login page comes up. When we supply the same username, SYS, it throws an error:
" Validation Error
ERROR: Invalid username and/or password"
We are sure of the username and the password; if they were invalid it would be impossible to log in as SYS.
The listener runs outside the database, and if I recall correctly when NSA prompts you it asks for the host login. You need to give the operating system credentials for a user in the DBA group.
Keep it simple.
Just make sure that you have logged in with an admin account on your Windows system.
If Oracle is asking for OS credentials, provide your OS credentials (your Windows admin username/password).
Give the username as "admin" and the password as "your-password".
Worked for me!!