whiting
Posted: Wed Oct 16, 2002 8:11 am Post subject: JMS Client Connection 2035 error
Acolyte
Joined: 26 Mar 2002 Posts: 64 Location: Greenville, SC
I want to set up a connection from Java applications without creating a security exit, but with restrictions on what queues the Java app can access.
I've set up a SVRCONN channel for Java applications to connect to. I am controlling what queues they can put to by setting the MCAUSER('extern') on the channel. When I try to put a message the Java app fails w/ MQ error 2035. If I put using amqsputc I get the behavior that I expect (I can put to queues that are enabled for the 'extern' user and puts to other queues fail w/ error 2035).
If I remove the MCAUSER() restriction on the channel then the Java app can put messages, but they have a username of 'mqm'.
Shouldn't this work?
//Bill
whiting
Posted: Wed Oct 16, 2002 8:47 am Post subject: More details
Acolyte
Joined: 26 Mar 2002 Posts: 64 Location: Greenville, SC
I forgot to note. The Queue Manager is running w/ MQSeries 5.2 - CSD05 on AIX. The Java client is running on Win2k with Java 1.3 or 1.4.1 /JMS over MQ.
//Bill
mrlinux
Posted: Wed Oct 16, 2002 8:48 am
Grand Master
Joined: 14 Feb 2002 Posts: 1261 Location: Detroit,MI USA
Well, 2 issues:
1) What platforms are you trying to do this on?
2) You should create a special ID for this application or class of apps on both server and client machines. Don't use the MCAUSER in the svrconn channel definition, because anyone can connect and will have the same access.
_________________
Jeff
IBM Certified Developer MQSeries
IBM Certified Specialist MQSeries
IBM Certified Solutions Expert MQSeries
whiting
Posted: Wed Oct 16, 2002 9:29 am Post subject: Platforms and users
Acolyte
Joined: 26 Mar 2002 Posts: 64 Location: Greenville, SC
1). The MQ Queue Manager is on AIX 5.1 (MQSeries v5.2). The client is on Win2k.
2). I realize that any client that connects through the channel will have the same access to the queues. I'm providing an authentication token inside the message body.
At the moment I don't know of any security exit that I can implement on the Java end to do real authentication without writing it myself. This scheme is intended to be a stopgap measure until I can implement an exit or switch to 5.3.
//Bill
whiting
Posted: Thu Oct 24, 2002 6:00 pm Post subject: Resolution
Acolyte
Joined: 26 Mar 2002 Posts: 64 Location: Greenville, SC
I've found the solution to my problem. In case anyone else is working with a similar problem. The root cause is the way JMS maps onto base MQ. JMS does not have the concept of opening a queue in read-only or write-only mode. As a result, any time a queue is opened through JMS it's opened read/write/browse. Any queue that will be opened by JMS needs to be authorized something like this:
setmqaut -m QMGR.NAME -n JAVA.QUEUE -t queue -g java_group +get +put +inq +dsp +browse
Good luck to anyone else using JMS.
//Bill
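
Added example, not part of the thread: a shell helper that reads dspmqaut output for a group and reports which of the authorities from the resolution post are missing, then prints a setmqaut command granting only those. The function names and sample outputs are constructed for illustration, and the dspmqaut output layout (header line followed by one authority per line) is an assumption.

```shell
#!/bin/sh
# Authorities granted by the setmqaut command in the resolution post.
JMS_REQUIRED="get put inq dsp browse"

# Read dspmqaut output on stdin; print the required authorities it lacks.
missing_jms_auths() {
    # Authority names are the one-word lines under the "Entity ..." header.
    granted=$(awk 'NF == 1 { print tolower($1) }')
    missing=""
    for auth in $JMS_REQUIRED; do
        if ! printf '%s\n' "$granted" | grep -qx "$auth"; then
            missing="${missing:+$missing }$auth"
        fi
    done
    printf '%s\n' "$missing"
}

# Print the setmqaut command that adds only what is missing, or nothing.
# Args: queue manager, queue, group; dspmqaut output on stdin.
suggest_grant() {
    missing=$(missing_jms_auths)
    [ -n "$missing" ] || return 0
    flags=""
    for auth in $missing; do flags="$flags +$auth"; done
    printf 'setmqaut -m %s -n %s -t queue -g %s%s\n' "$1" "$2" "$3" "$flags"
}

# Constructed sample: queue authorized for put only (assumed output layout).
SAMPLE_PUT_ONLY='Entity java_group has the following authorizations for object JAVA.QUEUE:
        put'

# Constructed sample: queue authorized as in the resolution post.
SAMPLE_FULL='Entity java_group has the following authorizations for object JAVA.QUEUE:
        get
        browse
        put
        inq
        dsp'

# Against a live queue manager the input would come from:
#   dspmqaut -m QMGR.NAME -n JAVA.QUEUE -t queue -g java_group
printf '%s\n' "$SAMPLE_PUT_ONLY" | suggest_grant QMGR.NAME JAVA.QUEUE java_group
```

A put-only grant is the case from the first post: amqsputc succeeds while a JMS open of the same queue returns 2035, and the helper lists get, inq, dsp and browse as the gap.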