Unable to connect application to queue manager, getting error JMSWMQ2013 - ibm-mq

We are using WebSphere MQ version 9.0.0.1. Basically we have configured an active/passive cluster setup on a Linux machine; all queue managers are running fine on both the active and passive nodes. We have configured the channels and queues in the queue managers.
While the application is trying to connect to my queue manager we are facing errors.
Below is the error we get at the application side:
The security authentication was not valid that was supplied for QUEUEMANAGER 'xxxxx_OUTWARD' WITH CONNECTION 'CLIENT' AND HOST NAME 'xxxxx'. PLEASE CHECK IF THE ERROR QUEUEMANAGER 'xxxxx_OUTWARD' WITH CONNECTION MODE 'CLIENT' AND HOST NAME 'xxxxxx'.
Below is the error we found in the queue manager error logs:
----- cmqxrsrv.c : 2362 -------------------------------------------------------
04/27/2018 07:52:35 PM - Process(29498.16) User(mqm) Program(amqzlaa0)
Host(xxxxxxx) Installation(Installation2)
VRMF(9.0.0.1) QMgr(xxxxx_INWARD)
AMQ5534: User ID 'mqm' authentication failed
EXPLANATION:
The user ID and password supplied by the 'WebSphere MQ Client for Java' program
could not be authenticated.
Additional information: 'N/A'.
ACTION:
Ensure that the correct user ID and password are provided by the application.
Ensure that the authentication repository is correctly configured. Look at
previous error messages for any additional information.
----- amqzfuca.c : 4486 -------------------------------------------------------
04/27/2018 07:52:35 PM - Process(29498.16) User(mqm) Program(amqzlaa0)
Host(JPRIPAYMENTMQ2) Installation(Installation2)
VRMF(9.0.0.1) QMgr(xxxxx_INWARD)
AMQ5542: The failed authentication check was caused by the queue manager
CONNAUTH CHCKCLNT(OPTIONAL) configuration.
EXPLANATION:
The user ID 'mqm' and its password were checked because the queue manager
connection authority (CONNAUTH) configuration refers to an authentication
information (AUTHINFO) object named 'SYSTEM.DEFAULT.AUTHINFO.IDPWOS' with
CHCKCLNT(OPTIONAL).
This message accompanies a previous error to clarify the reason for the user ID
and password check.
ACTION:
Refer to the previous error for more information.
Ensure that a password is specified by the client application and that the
password is correct for the user ID. The authentication configuration of the
queue manager connection determines the user ID repository. For example, the
local operating system user database or an LDAP server.
If the CHCKCLNT setting is OPTIONAL, the authentication check can be avoided by
not passing a user ID across the channel. For example, by omitting the MQCSP
structure from the client MQCONNX API call.
To avoid the authentication check, you can amend the authentication
configuration of the queue manager connection, but you should generally not
allow unauthenticated remote access.
-------------------------------------------------------------------------------
04/27/2018 07:52:36 PM - Process(18265.105) User(xxx) Program(amqrmppa)
Host(xxxxx) Installation(Installation2)
VRMF(9.0.0.1) QMgr(xxxxx_INWARD)
AMQ9557: Queue Manager User ID initialization failed for 'mqm'.
EXPLANATION:
The call to initialize the User ID 'mqm' failed with CompCode 2 and Reason
2035. If an MQCSP block was used, the User ID in the MQCSP block was 'mqm'.
ACTION:
Correct the error and try again.
----- cmqxrsrv.c : 2362 -------------------------------------------------------
After this I gave permissions to the 'mqm' user at queue manager level and queue level with the commands below, but we are still facing the same error.
setmqaut -m <queue manager name> -t qmgr -p mqm +connect
setmqaut -m <queue manager name> -n <queue name> -t queue -p mqm +all
Can anyone help with this issue?
@Morag Hughson: How do I turn off user id and password checking at queue manager level?
@Morag Hughson: Is there any command to turn off user id and password? Please share the command to resolve this issue.
@JoshMC: If I turn it off, is that good practice, or is there any other option to resolve this issue from the queue manager/application side?
Hello all, I informed the application team to put the messages without mentioning any user id and password. After that my application is able to access all the queue managers.
Issue got resolved. Thanks to all for helping with this issue.

The queue manager error messages tell you exactly what the problem is. First it says:
AMQ5534: User ID 'mqm' authentication failed
EXPLANATION:
The user ID and password supplied by the 'WebSphere MQ Client for Java' program
could not be authenticated.
So the Java application that was trying to connect over a client connection was sending 'mqm' as the user id and either the wrong password (or possibly no password at all).
The password is being checked by the queue manager. The second error message tells you WHY it is being checked.
AMQ5542: The failed authentication check was caused by the queue manager
CONNAUTH CHCKCLNT(OPTIONAL) configuration.
EXPLANATION:
The user ID 'mqm' and its password were checked because the queue manager
connection authority (CONNAUTH) configuration refers to an authentication
information (AUTHINFO) object named 'SYSTEM.DEFAULT.AUTHINFO.IDPWOS' with
CHCKCLNT(OPTIONAL).
The configuration described in the second error message is there by default on your queue manager.
You have two options.
Send the correct password to go with the 'mqm' user id on your Java application.
Choose to turn off user id and password checking on the queue manager.

First off, no applications should be using the 'mqm' account except for MQ admins and those MQ services that run under the 'mqm' account. Regular business applications should NEVER EVER use the 'mqm' account. It is a BIG security risk and goes against IBM's MQ best practices.
Secondly, the 'mqm' account already has full authority to everything.
setmqaut -m <queue manager name> -t qmgr -p mqm +connect
setmqaut -m <queue manager name> -n <queue name> -t queue -p mqm +all
You are trying to give permission to a UserId that already has full permission.
Third, by doing those commands, you are potentially messing up your queue manager.
Fourth, the error message is not about authorization but, as JoshMc pointed out, about authentication. The setmqaut command is for authorization (i.e. permission).
Fifth, create a UserId and password on the server where you are running the queue manager (or use MS AD) and supply those credentials when your application connects to the queue manager. Note: you will need to use the setmqaut command to give your new UserId permission to access the queue manager and the queues.
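As an added example (not code from the question or either answer), the Python script below parses AMQERR01.LOG records like the ones quoted in the question and separates connection-authentication failures (AMQ5534/AMQ5542, fix the credentials) from authorization failures (AMQ9557/AMQ8077, fix the setmqaut records), flagging any record in which a client presented the privileged 'mqm' id. The sample log, host names and queue manager names are constructed.

```python
import re
# Constructed sample of AMQERR01.LOG records, modelled on the question's entries.
SAMPLE_LOG = """\
----- cmqxrsrv.c : 2362 -------------------------------------------------------
04/27/2018 07:52:35 PM - Process(29498.16) User(mqm) Program(amqzlaa0)
VRMF(9.0.0.1) QMgr(QM_INWARD)
AMQ5534: User ID 'mqm' authentication failed
----- amqzfuca.c : 4486 -------------------------------------------------------
04/27/2018 07:52:35 PM - Process(29498.16) User(mqm) Program(amqzlaa0)
VRMF(9.0.0.1) QMgr(QM_INWARD)
AMQ5542: The failed authentication check was caused by the queue manager
CONNAUTH CHCKCLNT(OPTIONAL) configuration.
-------------------------------------------------------------------------------
04/27/2018 07:52:36 PM - Process(18265.105) User(appuser) Program(amqrmppa)
VRMF(9.0.0.1) QMgr(QM_INWARD)
AMQ9557E: Queue Manager User ID initialization failed for 'mqm'.
The call to initialize the User ID 'mqm' failed with CompCode 2 and Reason
2035. If an MQCSP block was used, the User ID in the MQCSP block was 'mqm'.
----- cmqxrsrv.c : 2362 -------------------------------------------------------
"""
HEADER = re.compile(r"(?m)^(?P<ts>.+?) - Process\((?P<pid>[\d.]+)\) User\((?P<osuser>[^)]+)\) Program\((?P<program>[^)]+)\)")
QMGR = re.compile(r"QMgr\(([^)]+)\)")
MSG = re.compile(r"(?m)^(?P<code>AMQ\d{4})[EIW]?: (?P<text>.*)")
QUOTED_ID = re.compile(r"(?:[Uu]ser ID|failed for|Entity) '([^']*)'")
# CONNAUTH failures (AMQ5534/AMQ5542) need the password fixed; OAM failures (AMQ9557/AMQ8077) need setmqaut.
CONNAUTH_CODES = {"AMQ5534", "AMQ5542"}
AUTHZ_CODES = {"AMQ9557", "AMQ8077"}
PRIVILEGED_IDS = {"mqm"}  # ids a business application should never present

def parse_records(text):
    """Split error-log text on the '-----' record separators and extract fields."""
    records = []
    for chunk in re.split(r"(?m)^-{5,}.*$", text):
        msg = MSG.search(chunk)
        if not msg:
            continue  # separator noise or a truncated record
        rec = {"code": msg.group("code"), "text": msg.group("text"), "body": chunk}
        if (h := HEADER.search(chunk)):
            rec.update(h.groupdict())
        if (q := QMGR.search(chunk)):
            rec["qmgr"] = q.group(1)
        records.append(rec)
    return records

def triage(text):
    """Classify each record and flag a privileged id presented by a client."""
    findings = []
    for r in parse_records(text):
        ids = {i.strip() for i in QUOTED_ID.findall(r["body"])}
        kind = ("connauth" if r["code"] in CONNAUTH_CODES else
                "authorization" if r["code"] in AUTHZ_CODES else "other")
        findings.append({"code": r["code"], "kind": kind, "qmgr": r.get("qmgr"),
                         "program": r.get("program"), "ids": ids,
                         "privileged_client_id": bool(ids & PRIVILEGED_IDS)})
    return findings
```

Run `triage(open("/var/mqm/qmgrs/<QMGR>/errors/AMQERR01.LOG").read())` against a real log to get the same per-record classification; a `privileged_client_id` hit on an amqrmppa (channel) record is the "client app is using mqm" situation the answer above warns about.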

Related

On AIX and Linux, an MQ MFT agent runs as the user mqm by default - how to specify a different user

On AIX and Linux, MQ MFT agent files are all owned by mqm, and consequently the agent processes run as mqm in the process list.
In addition, when the agent connects to a queue manager, the connection user is mqm. For security reasons I would like to have a different user appear in the connections to the queue manager.
Is there a way to run an MQ MFT agent as the mqm user, but have the outbound connections to the queue manager made as a different user, for example mqmftuser001, rather than mqm?
You can use the MQMFTCredentials.xml file to map a local user to an MQ user id for connecting to the agent queue manager. For example:
<tns:qmgr name="MFTQM" user="localuser" mqUserId="mqagentuser" mqPassword="Password" useMQCSPAuthentication="true"/>
The file needs to be placed in a secure folder where no user other than the one that starts the agent has access permission. Generally this will be the user's home directory, $HOME.
You can override the default credential path by setting the agent property agentQMgrAuthenticationCredentialsFile. The path specified for the property must be secure, as mentioned before.

Websphere MQ Explorer (AMQ4036) error when trying to access to MQ running in docker (ibmcom/mq)

I'm running a queue manager in Docker using the latest ibmcom/mq image, but I get access denied when I try to connect to it from my Windows machine using MQ Explorer.
I've disabled CHLAUTH in MQSC (runmqsc) using the command:
ALTER QMGR CHLAUTH(DISABLED)
I've disabled CONNAUTH using the commands:
ALTER QMGR CONNAUTH(' ')
REFRESH SECURITY TYPE(CONNAUTH)
I've removed the default CHLAUTH rules of the image
SET CHLAUTH(SYSTEM.ADMIN.SVRCONN) TYPE(ADDRESSMAP) ADDRESS(*) ACTION(REMOVE)
SET CHLAUTH(SYSTEM.*) TYPE(ADDRESSMAP) ADDRESS(*) ACTION(REMOVE)
SET CHLAUTH(*) TYPE(BLOCKUSER) USERLIST(*MQADMIN) ACTION(REMOVE)
I've set a Listener and a channel, and added a queue to them
DEFINE LISTENER(LISTENER.TCP) TRPTYPE(TCP) PORT(30002) CONTROL(QMGR) REPLACE
START LISTENER(LISTENER.TCP)
DEFINE CHANNEL(SYSTEM.DEF.SVRCONN) CHLTYPE(SVRCONN) TRPTYPE(TCP) REPLACE
DEFINE QLOCAL('MyQueue') REPLACE
When I try to connect to the channel SYSTEM.DEF.SVRCONN from Windows using MQ Explorer, I get the error AMQ4036. The error in /var/mqm/qmgrs/MyQueueManager/errors/AMQERR01.LOG inside the Docker container is:
----- cmqxrsrv.c : 2552 -------------------------------------------------------
02/06/20 10:18:13 - Process(1658.19) User(mqm) Program(amqrmppa)
Host(5652aa2322eb) Installation(Installation1)
VRMF(9.1.4.0) QMgr(MyQueueManager)
Time(2020-02-06T10:18:13.718Z)
ArithInsert1(2) ArithInsert2(2035)
CommentInsert1(myWindowsId)
AMQ9557E: Queue Manager User ID initialization failed for 'myWindowsId'.
EXPLANATION:
The call to initialize the User ID 'myWindowsId' failed with CompCode 2 and Reason
2035. If an MQCSP block was used, the User ID in the MQCSP block was ''. If a
userID flow was used, the User ID in the UID header was '' and any CHLAUTH
rules applied prior to user adoption were evaluated case-sensitively against
this value.
ACTION:
Correct the error and try again.
I want to use the queue manager for local development. Do you have any idea how to disable security so that my Windows user id can connect with MQ Explorer and the WebLogic application server?
I am wondering why you need to disable security. If you have explorer running then the next step will be to add your queue manager in explorer. From the tutorial -
https://developer.ibm.com/tutorials/mq-macos-dev/
(I know it's for Mac, but the principle is the same for Windows.)
This will be:
Right click on ‘Queue managers’ in the MQ Explorer Navigator box, then ‘Add remote queue manager’. A pop up appears.
Add your queue manager name – if Docker – QM1, then click Next.
Add Host name or IP Address – if Docker – localhost.
Add Server connection channel – if Docker – DEV.ADMIN.SVRCONN, then click ‘Next’ twice
Tick ‘Enable user identification’, if Docker – default is admin. Leave ‘Prompt for password’ selected.
Click Finish, then add password for user – if Docker – passw0rd. Your queue manager should appear.
If you truly want to disable security and don't care anything about access to this queue manager, just do the following (in addition to all the turning off of security settings you have already done).
ALTER CHANNEL(SYSTEM.DEF.SVRCONN) CHLTYPE(SVRCONN) MCAUSER('user-id-in-mqm-group-on-docker')
The problem is that your 'myWindowsId' is not defined to the OS in your docker container. The above command asserts the user id specified in the MCAUSER field, and will ignore the user id flowed by the channel from your Windows box.
I would, however, encourage you to try the earlier answer and learn how to do enough in security to let yourself in, rather than turning it all off.

Provide anonymous access to IBM WebSphere MQ

I am new to IBM WebSphere MQ. I am running it within a Docker container. The users 'sampleuser' and 'root' are part of the 'mqm' group within the container. I am able to access MQ from the host as the 'root' user and as 'sampleuser' (I created 'sampleuser' on the host as well).
I want to enable anonymous authentication, so that irrespective of the client user id, clients should be able to access MQ. I thought MCAUSER('sampleuser') would do it for me, but it doesn't work. I get error AMQ4036 (not authorized) from the Eclipse IBM MQ Explorer. Please advise.
ALTER QMGR PSNPRES(SAFE)
ALTER QMGR PSMODE (ENABLED)
DEFINE CHANNEL(SYSTEM.ADMIN.SVRCONN) CHLTYPE(SVRCONN) MCAUSER('sampleuser') REPLACE
Update #1
I updated the commands to allow a privileged user, but it still fails.
ALTER QMGR PSNPRES(SAFE)
ALTER QMGR PSMODE (ENABLED)
SET CHLAUTH(*) TYPE(BLOCKUSER) USERLIST('*NOACCESS')
DEFINE CHANNEL(SYSTEM.ADMIN.SVRCONN) CHLTYPE(SVRCONN) MCAUSER('sampleuser') REPLACE
Here is the log that I got.
EXPLANATION:
The user ID 'sampleuser' and its password were checked because the user ID is
privileged and the queue manager connection authority (CONNAUTH) configuration
refers to an authentication information (AUTHINFO) object named
'SYSTEM.DEFAULT.AUTHINFO.IDPWOS' with CHCKCLNT(REQDADM).
This message accompanies a previous error to clarify the reason for the user ID
and password check.
ACTION:
Refer to the previous error for more information.
Ensure that a password is specified by the client application and that the
password is correct for the user ID. The authentication configuration of the
queue manager connection determines the user ID repository. For example, the
local operating system user database or an LDAP server.
To avoid the authentication check, you can either use an unprivileged user ID
or amend the authentication configuration of the queue manager. You can amend
the CHCKCLNT attribute in the CHLAUTH record, but you should generally not
allow unauthenticated remote access.
Update #2: Based on JoshMC's answer and the reference to "Provide anonymous access to IBM WebSphere MQ", I finally made it work :)
ALTER QMGR PSNPRES(SAFE)
ALTER QMGR PSMODE (ENABLED)
ALTER QMGR CHLAUTH(DISABLED)
SET CHLAUTH(*) TYPE(BLOCKUSER) USERLIST('*NOACCESS')
DEFINE CHANNEL(SYSTEM.ADMIN.SVRCONN) CHLTYPE(SVRCONN) MCAUSER('sampleuser') REPLACE
ALTER AUTHINFO(SYSTEM.DEFAULT.AUTHINFO.IDPWOS) AUTHTYPE(IDPWOS) CHCKCLNT(OPTIONAL)
REFRESH SECURITY TYPE(CONNAUTH)
I will assume you are using a supported version of MQ (7.1 or later).
With MQ 7.1 and later a new queue manager by default will come with a few CHLAUTH rules, one of these disables connections to SVRCONN channels from users with MQ administrative authority. In this case you have placed the user sampleuser in the MCAUSER of the channel. Since sampleuser is a member of the mqm group it is disallowed by default.
Based on the setup you present if the connection was allowed you would be allowing any user that can connect over the network to your MQ listener port the ability to manage the queue manager, define queues, delete queues, add permissions, etc.
Look at this answer by T.Rob for some more detail on how to make this work without disabling security "Unable to connect to queue manager in WebSphere MQ 7.1".
I also have another post with some similar information "C# MQ Connect get Error 2035 but Java MQ Connect works well"
Update #1
The logs show that you are getting a connection authentication error. With MQ 8.0 and later by default the queue manager is configured to require a valid password be specified for MQ Administrative users, since sampleuser is part of the mqm group it falls into this category.
You can configure MQ Explorer to send a username and password when connecting to the queue manager.
Right click the queue manager name
Select Connection Details
Select Properties...
Select Userid
Check the box next to "Enable user identification"
Fill in the Userid field
If you leave it as "Prompt for password" it will ask you each time you open MQ Explorer for the password when you attempt to connect to the queue manager. You have the option of selecting "Use saved password" and then providing the password.
I do not recommend you do this, but if you want to disable security and allow anyone to connect as an MQ administrator to your queue manager without providing a valid password, you can disable this with the following commands.
ALTER AUTHINFO(SYSTEM.DEFAULT.AUTHINFO.IDPWOS) AUTHTYPE(IDPWOS) CHCKCLNT(OPTIONAL)
REFRESH SECURITY TYPE(CONNAUTH)

How to connect to remote Queue Manager using MQExplorer 8.0

I installed MQ 8.0.0.4 on an Ubuntu (14.4) server. I am able to launch a local MQ Explorer and connect to local queue managers. I want to connect to the same queue manager from a remote Windows machine. When I try this I get authorization errors:
Access not permitted. You are not authorized to perform this operation. (AMQ4036)
Severity: 10 (Warning)
Explanation: The queue manager security mechanism has indicated that the userid associated with this request is not authorized to access the object.
This link shows a list of auth commands to enable remote Windows connections, but the page only lists up to version 7.5 as the versions for which this is applicable. Will I have to do the same setup on 8.0 as well?
I already enabled remote administration using the local MQ Explorer.
"The queue manager security mechanism has indicated that the userid associated with this request is not authorized to access the object." Are you using the mqm ID or another ID? You could use the MQS_REPORT_NOAUTH or MQSAUTHERRORS setting to get more information on the authority failure.
To answer your other question, I believe the settings in the link will also apply to v8 - but v8 also has additional new authority checks as well.

Oracle Service Bus and MQ - connecting without setting the context data

I am using MQ Transport on the Oracle Service Bus to connect to external MQ server. The problem, however, is that the external MQ server cannot have any authority records other than:
CONNECT/INQUIRE (for Queue Manager)
PUT/GET/INQUIRE (for Queue)
This is a problem because the OSB MQ Transport always tries to connect with a context, and also puts messages with context, even when I set MQC.MQPMO_NO_CONTEXT in the put message options in the business service settings.
Is it even possible to exchange the messages with MQ, using the OSB MQ Transport and not having SET/SETALL authority records set?
PS. The MQ logs the following errors:
AMQ8077: Entity 'osbtest ' has insufficient authority to access
object 'TESTQMGR'.
EXPLANATION: The specified entity is not authorized to access the
required object. The following requested permissions are unauthorized:
setall
// ...
AMQ8077: Entity 'osbtest ' has insufficient authority to access
object 'TEST.QUEUE'.
EXPLANATION: The specified entity is not authorized to access the
required object. The following requested permissions are unauthorized:
set
Versions:
Oracle Service Bus: 11gR1
Websphere MQ: 7.5
Try creating an environment variable on the MQ server host named "MQSNOAUT" and setting it to "YES".