ASkydiver (Newbie; Joined: 16 Nov 2011; Posts: 8)
Posted: Wed Nov 16, 2011 8:43 am    Post subject: ALTERNATE_USER_AUTHORITY - Connecting with another UserID

Hi All,
I'm new to using MQ Series and I'm trying to get the first simple stage working.

Here's my environment, running Windows XP - SP3 on my development PC, I've loaded WebSphere MQ fix pack 7.0.1.6. I'm using Visual Studio 2010 and writing in C# using the .NET 4.0 framework. Our MQ Administrator has set up a Host / Port / QueueManager / Channel and request and response queues. A Windows service account has been created for the use of the queues.
 
 I've tried 2 different ways of creating the QueueManager (see below) but am getting the error 2537 - MQRC_CHANNEL_NOT_AVAILABLE. Our MQ Administrator has told me that I'm trying to make the connection with my Windows UserID and not the service account that was created for this. I've tried to use the "Hashtable" option (which you'll see has been commented out), I've also tried the "Environment" option, to no avail.
 
 Would someone be able to give me some direction as how to connect using the service account?
 
 
 
   
Code:
using System;
using System.Collections;
using System.Collections.Generic;
using System.ComponentModel;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Drawing;
using System.Text;
using System.Windows.Forms;
using IBM.WMQ;

namespace LoanAppStatusMonitor {
    public partial class LoanAppStatusMonitor : Form {
        bool runManuallyFlag = true;
        SQLEngine sqlEngine = new SQLEngine();
        SQLServerConfig sqlServerConfig = new SQLServerConfig();
        Hashtable MQProperties = new Hashtable();
        MQQueueManager queueManager;

        public LoanAppStatusMonitor(string[] runTimeArgs) {
            InitializeComponent();
            // Both arguments are read below, so require both (the original
            // test for Length > 0 would throw when only one was supplied).
            if (runTimeArgs.Length > 1) {
                runManuallyFlag = (runTimeArgs[0] == "1");
                sqlServerConfig.ServerNo = Convert.ToInt32(runTimeArgs[1]);
            }

            if (!runManuallyFlag) {
                button_start.Visible = false;
            }
            sqlServerConfig.ClarifyAppSrv = Properties.Settings.Default.ClarifyAppSrv;
            sqlServerConfig.HeartBeatFile = Properties.Settings.Default.HeartBeatFile;

            // First attempt: connection properties passed as a Hashtable
            // to the MQQueueManager(name, properties) constructor.
            //MQProperties = new Hashtable();
            //MQProperties.Add(MQC.HOST_NAME_PROPERTY, Properties.Settings.Default.MQHost);
            //MQProperties.Add(MQC.PORT_PROPERTY, Properties.Settings.Default.MQPort);
            //MQProperties.Add(MQC.TRANSPORT_PROPERTY, 1);
            //MQProperties.Add(MQC.CHANNEL_PROPERTY, Properties.Settings.Default.MQChannelName);
            //MQProperties.Add(MQC.USER_ID_PROPERTY, Properties.Settings.Default.MQUserID);
            //MQProperties.Add(MQC.PASSWORD_PROPERTY, Properties.Settings.Default.MQUserPassword);
            //MQProperties.Add(MQC.MQOO_ALTERNATE_USER_AUTHORITY, Properties.Settings.Default.MQUserID);

            // Second attempt: the same values set on the static MQEnvironment.
            // Note that MQOO_ALTERNATE_USER_AUTHORITY is an MQOPEN option,
            // used here as a property key.
            MQEnvironment.Hostname = Properties.Settings.Default.MQHost;
            MQEnvironment.Port = Properties.Settings.Default.MQPort;
            MQEnvironment.Channel = Properties.Settings.Default.MQChannelName;
            MQEnvironment.UserId = Properties.Settings.Default.MQUserID;
            MQEnvironment.Password = Properties.Settings.Default.MQUserPassword;
            MQEnvironment.properties.Add(MQC.MQOO_ALTERNATE_USER_AUTHORITY, Properties.Settings.Default.MQUserID);
            MQEnvironment.properties.Add(MQC.TRANSPORT_PROPERTY, MQC.TRANSPORT_MQSERIES);
        }

        private void button_sendToMF_Click(object sender, EventArgs e) {
            this.Cursor = Cursors.WaitCursor;
            try {
                MFConnect();
            } catch (Exception ex) {
                lbl_MFFeedback.Text = ex.Message;
                lbl_MFFeedback.Location = new Point((this.Width - lbl_MFFeedback.Width) / 2, 100);
                lbl_MFFeedback.Visible = true;
            }
            this.Cursor = Cursors.Default;
        }

        public MQQueueManager MFConnect() {
            try {
                // Attempt the connection
                //queueManager = new MQQueueManager(Properties.Settings.Default.MQqueueManagerName, MQProperties);
                queueManager = new MQQueueManager(
                    Properties.Settings.Default.MQqueueManagerName,
                    Properties.Settings.Default.MQChannelName,
                    Properties.Settings.Default.MQHost + "(" + Properties.Settings.Default.MQPort + ")");
                txtBx_MFFeedback.Text = "Connected Successfully";
            } catch (MQException mexc) {
                // Wrap the MQ reason code and the connection details so the
                // form can display them.
                throw new Exception(
                    "Queue Manager Name: " + Properties.Settings.Default.MQqueueManagerName +
                    "\r\nUserID: " + Properties.Settings.Default.MQUserID +
                    "\r\nHost: " + Properties.Settings.Default.MQHost +
                    "\r\nPort: " + Properties.Settings.Default.MQPort +
                    "\r\nChannel: " + Properties.Settings.Default.MQChannelName +
                    "\r\n\r\nError ReasonCode: " + mexc.ReasonCode +
                    "\r\nError Message: " + mexc.Message +
                    "\r\n\r\nStackTrace: " + mexc.StackTrace, mexc);
            }
            // For now, return the queueManager to use in reading/writing messages next
            return queueManager;
        }
    }
}
 

Vitor (Grand High Poobah; Joined: 11 Nov 2005; Posts: 26093; Location: Texas, USA)
Posted: Wed Nov 16, 2011 9:16 am

What does MQC.TRANSPORT_MQSERIES resolve to? If you're trying to establish a client connection I would have expected MQC.TRANSPORT_MQSERIES_CLIENT as indicated here
 I wonder if it's defaulting to a binding connection which only uses the running app id.
 _________________
 Honesty is the best policy.
 Insanity is the best defence.

ASkydiver (Newbie; Joined: 16 Nov 2011; Posts: 8)
Posted: Wed Nov 16, 2011 9:50 am

Thank you for the reply.
MQC.TRANSPORT_MQSERIES resolves to a string of "MQ Series".

I've tried what you suggested after reading what you indicated, but am still getting the same error.

I'm not too sure what you mean by "defaulting to a binding connection which only uses the running app id". Is there anything that I could do to check that?

Vitor (Grand High Poobah; Joined: 11 Nov 2005; Posts: 26093; Location: Texas, USA)
Posted: Wed Nov 16, 2011 10:16 am

ASkydiver wrote:
> I'm not too sure what you mean by "defaulting to a binding connection which only uses the running app id". Is there anything that I could do to check that?

If you're now explicitly specifying a client connection instead of a bindings connection then it's not doing that.

Aside from that your code looks like it should do what you want, but .NET is not my strongest suit. Someone more useful will be along in a minute.
 _________________
 Honesty is the best policy.
 Insanity is the best defence.

ASkydiver (Newbie; Joined: 16 Nov 2011; Posts: 8)
Posted: Wed Nov 16, 2011 10:47 am

Thank you for your replies.
 I look forward to any help with regards to this.

mqjeff (Grand Master; Joined: 25 Jun 2008; Posts: 17447)
Posted: Wed Nov 16, 2011 10:57 am

MQ's notion of Alternate Authority is not what you think it is, and is not relevant to MQ Connection time.
 You need to Log In as The Right User.

bruce2359 (Poobah; Joined: 05 Jan 2008; Posts: 9486; Location: US: west coast, almost. Otherwise, enroute.)
Posted: Wed Nov 16, 2011 11:16 am


Vitor (Grand High Poobah; Joined: 11 Nov 2005; Posts: 26093; Location: Texas, USA)
Posted: Wed Nov 16, 2011 11:34 am

I suspect (given the reason code and the admin's quoted response in the OP) that there's a security exit that will only pass the service id.
 _________________
 Honesty is the best policy.
 Insanity is the best defence.

ASkydiver (Newbie; Joined: 16 Nov 2011; Posts: 8)
Posted: Wed Nov 16, 2011 12:40 pm

Thank you all for all the comments so far.
As a newbie, I'm not completely au fait with the whole MQ environment, but learning quickly; when the MQ administrator set up the channel/host/port/queuemanager, the IP addresses for the development PCs and final production servers were requested, and also a particular Windows account and group were requested. Would this lead to a different thinking of the possible issue?

mqjeff wrote:
> MQ's notion of Alternate Authority is not what you think it is, and is not relevant to MQ Connection time.
> You need to Log In as The Right User.

mqjeff, are you suggesting that I log in to the Windows network on my DEV PC with the "Right User"? If so, that doesn't make much sense, as that is a service account to be used when this application goes into production. The MQ Admin mentioned that the security had been set to ignore passwords (I'm not too sure what that means from the MQ Admin point of view); would the MQ Admin have to add my network account ID to the MQ Manager?
 
 I've asked our MQ Admin to check the status of the Channel as implied by
 
 and the channel is not in a "stopped state", and none of the "maximum allowable limits" have been reached.
 
 I'm busy following up with the MQ Admin about the possibility of a "Channel security exit program" on the channel definition.

ASkydiver (Newbie; Joined: 16 Nov 2011; Posts: 8)
Posted: Wed Nov 16, 2011 1:15 pm

I've now confirmed with the MQ Admin, they do have a "Channel security exit program" on the channel definition. This has been set up to reject any connection if the user id is not authenticated correctly.
 So I'm back to step 1, how do I impersonate the correct user from a .NET environment without having to log into the network with the service account?
 
 We do have other java applications that connect via the same procedure and don’t have the issue that I’m having.

Vitor (Grand High Poobah; Joined: 11 Nov 2005; Posts: 26093; Location: Texas, USA)
Posted: Wed Nov 16, 2011 1:31 pm

ASkydiver wrote:
> We do have other java applications that connect via the same procedure and don't have the issue that I'm having.

Java & .NET provide user credentials in 2 separate ways; there's a lot of discussion on this forum about that!
 
 Is the service user id you're trying to use local to the queue manager's machine or a domain account, i.e. is it properly qualified?
 
 Are any additional diagnostics available from the channel security exit? Such things often log failed access attempts for audit purposes & it may be useful to see what the exit is receiving to validate and compare it against what you believe you're supplying.
 _________________
 Honesty is the best policy.
 Insanity is the best defence.

mvic (Jedi; Joined: 09 Mar 2004; Posts: 2080)
Posted: Wed Nov 16, 2011 2:23 pm

ASkydiver wrote:
> So I'm back to step 1, how do I impersonate the correct user from a .NET environment without having to log into the network with the service account?

I might hope that your admins, who seem to have set up the security of this MQ system, will have an answer for this, from their policy documents.
 
 Or it's possible there is no answer, and you just have to run your app under the ID it's intended to be run under.  Is that not possible?  Please explain why.

ASkydiver (Newbie; Joined: 16 Nov 2011; Posts: 8)
Posted: Wed Nov 16, 2011 2:24 pm

Vitor wrote:
> Is the service user id you're trying to use local to the queue manager's machine or a domain account, i.e. is it properly qualified?

The service user id is a domain account.

Vitor wrote:
> Are any additional diagnostics available from the channel security exit? Such things often log failed access attempts for audit purposes & it may be useful to see what the exit is receiving to validate and compare it against what you believe you're supplying.

Here are some snippets from the log file. "dv43xxx" is my Windows user id and "losuser" is the service user id. I hope this is enough of the log file.
 
 2011-11-16|09:55:32|Connection refused, Channel [LOS.SECURE.CHANNEL] ConName [10.xxx.xx.xxx] User [dv43xxx] not in positive list [losuser,]
 2011-11-16|09:55:32|Channel closed [LOS.SECURE.CHANNEL] Connection Name [10.xxx.xx.xxx]
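The two exit log lines above already contain the answer to "which identity is the client actually presenting?": the bracketed `User` field is the Windows logon id, not the service account in the positive list. The following Python script is an added example, not code from this thread or from IBM, showing how an administrator could turn such lines into a small audit check: it parses the `date|time|message` shape, pulls out the channel, connection name, presented user id and the exit's positive list, and counts refusals per (channel, user). The line format and the regular expression are assumptions taken from the two quoted lines; the last two sample lines are constructed here to show aggregation and the handling of a malformed line.

```python
import re
from collections import Counter

# Refusal message as quoted in the thread. Assumption: the exit always writes
# the four bracketed fields in this order; nothing else about it is known.
REFUSED_RE = re.compile(
    r"Connection refused, Channel \[(?P<channel>[^\]]*)\] "
    r"ConName \[(?P<conname>[^\]]*)\] "
    r"User \[(?P<user>[^\]]*)\] "
    r"not in positive list \[(?P<allowed>[^\]]*)\]"
)

# Sample input. The first two lines are the ones quoted in the thread (address
# redacted as in the post); the last two are constructed for this example.
SAMPLE_LOG = [
    "2011-11-16|09:55:32|Connection refused, Channel [LOS.SECURE.CHANNEL] ConName [10.xxx.xx.xxx] User [dv43xxx] not in positive list [losuser,]",
    "2011-11-16|09:55:32|Channel closed [LOS.SECURE.CHANNEL] Connection Name [10.xxx.xx.xxx]",
    "2011-11-16|10:02:11|Connection refused, Channel [LOS.SECURE.CHANNEL] ConName [10.xxx.xx.xxx] User [dv43xxx] not in positive list [losuser,]",
    "malformed line without separators",
]


def parse_line(line):
    """Split a 'date|time|message' line. Returns None when the line does not
    have exactly those three fields, so callers can count it as unparseable."""
    parts = line.rstrip("\r\n").split("|", 2)
    if len(parts) != 3 or not parts[0] or not parts[1]:
        return None
    date, time, message = parts
    return {"timestamp": f"{date} {time}", "message": message}


def parse_refusal(message):
    """Extract the fields of a refusal message, or None for any other event."""
    m = REFUSED_RE.search(message)
    if m is None:
        return None
    # The exit prints the positive list with a trailing comma ("[losuser,]"),
    # so empty entries are dropped after splitting.
    allowed = [u.strip() for u in m.group("allowed").split(",") if u.strip()]
    return {
        "channel": m.group("channel"),
        "conname": m.group("conname"),
        "user": m.group("user"),
        "allowed": allowed,
    }


def summarise(lines):
    """Count refusals per (channel, user) and record each channel's positive
    list. Lines that do not parse are counted in 'skipped', not silently lost."""
    refused = Counter()
    allowed = {}
    skipped = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        ref = parse_refusal(rec["message"])
        if ref is None:
            continue  # e.g. "Channel closed": informational, not a refusal
        refused[(ref["channel"], ref["user"])] += 1
        allowed[ref["channel"]] = ref["allowed"]
    return {"refused": refused, "allowed": allowed, "skipped": skipped}


def report(summary):
    """Render the summary as text lines, one per refused (channel, user) pair,
    showing the identity presented next to the identities the exit accepts."""
    out = []
    for (channel, user), n in sorted(summary["refused"].items()):
        expected = ", ".join(summary["allowed"].get(channel, [])) or "<none logged>"
        out.append(f"{channel}: user '{user}' refused {n} time(s); exit expects one of: {expected}")
    if summary["skipped"]:
        out.append(f"{summary['skipped']} line(s) skipped as unparseable")
    return out


if __name__ == "__main__":
    for line in report(summarise(SAMPLE_LOG)):
        print(line)
```

Run against the sample it reports `dv43xxx` refused twice on LOS.SECURE.CHANNEL with `losuser` as the only accepted id, which is exactly the mismatch between the id set in `MQEnvironment.UserId` and the id the exit receives that the rest of the thread turns on.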

ASkydiver (Newbie; Joined: 16 Nov 2011; Posts: 8)
Posted: Wed Nov 16, 2011 2:38 pm

mvic wrote:
> Or it's possible there is no answer, and you just have to run your app under the ID it's intended to be run under. Is that not possible? Please explain why.

This is where my lack of MQ experience may show, I'm in the development phase of the program, so to make the connection to the QueueManager I set the
 
 MQEnvironment.UserId = Properties.Settings.Default.MQUserID;
 MQEnvironment.Password = Properties.Settings.Default.MQUserPassword;
 
where "Properties.Settings.Default.MQUserID" = "losuser" and "Properties.Settings.Default.MQUserPassword" = "password", but when looking at the log file from the MQ audit, it's showing my Windows user id of "dv43xxx". I've not set any MQEnvironment variable with my Windows user id.
 
 I really appreciate everyone's input so far.

mqjeff (Grand Master; Joined: 25 Jun 2008; Posts: 17447)
Posted: Wed Nov 16, 2011 2:59 pm

You can NOT change the identity of the user from WITHIN your program.
 You would not expect Microsoft Word to allow you to pretend to be the domain administrator, would you?
 
 You *must* ensure that your *program* is *running* as the userid that needs to connect.
 
 The admins who have configured your MQ security exits appear fully qualified to understand your needs, and to provide you with a suitable mechanism to execute your code to meet your development, test, and production requirements.
 
 You should be talking to THEM more.