JMS to MQ authorization issues.
kenward
Posted: Fri Oct 14, 2011 5:55 am    Post subject: JMS to MQ authorization issues.

Apprentice

Joined: 01 Jun 2010
Posts: 41
Location: Detroit, MI

I'm trying to read an MQ queue from Java and running into authorization issues I can't seem to pin down.

We're using MQ V7. I created a JNDI bindings file using MQ Explorer. It's running in client mode. I'm using this same .bindings file in the Java program.

Code:

Exception in thread "main" com.ibm.msg.client.jms.DetailedJMSSecurityException: JMSWMQ2013: The security authentication was not valid that was supplied for QueueManager '' with connection mode 'Client' and host name 'mibint.serv.dteco.com(44010)'.
Please check if the supplied username and password are correct on the QueueManager you are connecting to
   at com.ibm.msg.client.wmq.common.internal.Reason.reasonToException(Reason.java:540)
   at com.ibm.msg.client.wmq.common.internal.Reason.createException(Reason.java:236)
   at com.ibm.msg.client.wmq.internal.WMQConnection.<init>(WMQConnection.java:452)
   at com.ibm.msg.client.wmq.internal.WMQXAConnection.<init>(WMQXAConnection.java:70)
   at com.ibm.msg.client.wmq.factories.WMQXAConnectionFactory.createV7ProviderConnection(WMQXAConnectionFactory.java:190)
   at com.ibm.msg.client.wmq.factories.WMQConnectionFactory.createProviderConnection(WMQConnectionFactory.java:6582)
   at com.ibm.msg.client.jms.admin.JmsConnectionFactoryImpl.createConnection(JmsConnectionFactoryImpl.java:295)
   at com.ibm.mq.jms.MQConnectionFactory.createCommonConnection(MQConnectionFactory.java:6232)
   at com.ibm.mq.jms.MQQueueConnectionFactory.createQueueConnection(MQQueueConnectionFactory.java:115)
   at com.ibm.mq.jms.MQQueueConnectionFactory.createConnection(MQQueueConnectionFactory.java:198)
   at com.dteco.mqjmstest.TestClient.main(TestClient.java:19)
   at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
   at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
   at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
   at java.lang.reflect.Method.invoke(Method.java:592)
   at com.intellij.rt.execution.application.AppMain.main(AppMain.java:90)
Caused by: com.ibm.mq.MQException: JMSCMQ0001: WebSphere MQ call failed with compcode '2' ('MQCC_FAILED') reason '2035' ('MQRC_NOT_AUTHORIZED').
   at com.ibm.msg.client.wmq.common.internal.Reason.createException(Reason.java:223)
   ... 14 more


I'm connecting from Windows using a channel that has the Unix group listed in the MCA. The name of my Windows account is the same as my Unix account and my Unix account is a member of the Unix group listed in the MCA.

I end up with this in the FDC file that gets generated:

Code:

+-----------------------------------------------------------------------------+
|                                                                             |
| WebSphere MQ First Failure Symptom Report                                   |
| =========================================                                   |
|                                                                             |
| Date/Time         :- Fri October 14 2011 09:30:09 EDT                       |
| UTC Time          :- 1318599009.109009                                      |
| UTC Time Offset   :- -240 (EST)                                             |
| Host Name         :- lnx647.dteco.com                                       |
| Operating System  :- Linux 2.6.18-194.26.1.el5                              |
| PIDS              :- 5724H7230                                              |
| LVLS              :- 7.0.1.4                                                |
| Product Long Name :- WebSphere MQ for Linux (x86-64 platform)               |
| Vendor            :- IBM                                                    |
| Probe Id          :- ZF039010                                               |
| Application Name  :- MQM                                                    |
| Component         :- zfu_as_checkobjectauthority                            |
| SCCS Info         :- lib/exits/oam/amqzfubx.c, 1.136.1.4                    |
| Line Number       :- 648                                                    |
| Build Date        :- Jan 14 2011                                            |
| CMVC level        :- p701-104-110114                                        |
| Build Type        :- IKAP - (Production)                                    |
| Effective UserID  :- 9595 (mqm)                                             |
| Real UserID       :- 2147 (mibint)                                          |
| Program Name      :- amqzlaa0                                               |
| Addressing mode   :- 64-bit                                                 |
| Process           :- 24528                                                  |
| Process(Thread)   :- 24555                                                  |
| Thread            :- 8                                                      |
| ThreadingModel    :- PosixThreads                                           |
| QueueManager      :- MIBINT                                                 |
| UserApp           :- FALSE                                                  |
| ConnId(1) IPCC    :- 114                                                    |
| ConnId(2) QM      :- 85                                                     |
| Last HQC          :- 2.5.5-4714048                                          |
| Last HSHMEMB      :- 1.2.2-485168                                           |
| Major Errorcode   :- MQRC_UNKNOWN_ENTITY                                    |
| Minor Errorcode   :- OK                                                     |
| Probe Type        :- INCORROUT                                              |
| Probe Severity    :- 4                                                      |
| Probe Description :- AMQ6125: An internal WebSphere MQ error has occurred.  |
| FDCSequenceNumber :- 0                                                      |
|                                                                             |
+-----------------------------------------------------------------------------+


These are the setmqaut commands I'm using (and I refresh security after I run these):

Code:
setmqaut -m MIBINT -t qmgr -g amimsapp +connect +inq +dsp
setmqaut -m MIBINT -n "**" -t q -g amimsapp +dsp +browse +get
setmqaut -m MIBINT -n "**" -t topic -g amimsapp +dsp
setmqaut -m MIBINT -n "**" -t channel -g amimsapp +dsp
setmqaut -m MIBINT -n "**" -t process -g amimsapp +dsp
setmqaut -m MIBINT -n "**" -t namelist -g amimsapp +dsp
setmqaut -m MIBINT -n "**" -t authinfo -g amimsapp +dsp
setmqaut -m MIBINT -n "**" -t clntconn -g amimsapp +dsp
setmqaut -m MIBINT -n "**" -t listener -g amimsapp +dsp
setmqaut -m MIBINT -n "**" -t service -g amimsapp +dsp

# The following commands provide administrative access for MQ Explorer.
setmqaut -m MIBINT -n SYSTEM.MQEXPLORER.REPLY.MODEL -t q -g amimsapp +dsp +inq +get
setmqaut -m MIBINT -n SYSTEM.ADMIN.COMMAND.QUEUE -t q -g amimsapp +dsp +inq +put



Any ideas? We don't have SSL enabled yet.

The Java code:

Code:
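        import java.util.Hashtable;
        import javax.jms.Connection;
        import javax.jms.ConnectionFactory;
        import javax.naming.Context;
        import javax.naming.InitialContext;
        // File-system JNDI context that reads the .bindings file created in MQ Explorer.
        Hashtable<String, String> props = new Hashtable<String, String>();
        props.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.fscontext.RefFSContextFactory");
        props.put(Context.PROVIDER_URL, "file:/Temp/jms-jndi");
        Context ctx = new InitialContext(props);

        // Look up the connection factory and connect; no user ID or password is passed here.
        ConnectionFactory cf = (ConnectionFactory) ctx.lookup("com.mibint.ConnectionFactory");
        Connection conn = cf.createConnection();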


All this works if I point the JNDI binding at a svrconn channel that has 'mqm' in the MCA (and yes, I know that's a bad idea).
bruce2359
Posted: Fri Oct 14, 2011 6:19 am

Poobah

Joined: 05 Jan 2008
Posts: 9405
Location: US: west coast, almost. Otherwise, enroute.

You might want to search Google for the probe id and the reason code
MQRC_UNKNOWN_ENTITY.
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
kenward
Posted: Fri Oct 14, 2011 6:26 am

Apprentice

Joined: 01 Jun 2010
Posts: 41
Location: Detroit, MI

bruce2359 wrote:
You might want to search Google for the probe id and the reasoncode
MQRC_UNKNOWN_ENTITY.


I've been doing that. Also, I enabled authorization events on the queue manager but those events don't seem to contain much useful (additional) information.
bruce2359
Posted: Fri Oct 14, 2011 6:57 am

Poobah

Joined: 05 Jan 2008
Posts: 9405
Location: US: west coast, almost. Otherwise, enroute.

What information did the auth events provide?
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
kenward
Posted: Fri Oct 14, 2011 7:39 am

Apprentice

Joined: 01 Jun 2010
Posts: 41
Location: Detroit, MI

bruce2359 wrote:
What information did the auth events provide?


Code:

Message
   Properties
         MessageSet:CHARACTER:
         MessageType:CHARACTER:
         MessageFormat:CHARACTER:
         Encoding:INTEGER:546
         CodedCharSetId:INTEGER:1208
         Transactional:BOOLEAN:true
         Persistence:BOOLEAN:false
         CreationTime:TIMESTAMP:java.util.GregorianCalendar[time=1318621096020,areFieldsSet=true,areAllFieldsSet=false,lenient=true, zone=sun.util.calendar.ZoneInfo[id="America/New_York",offset=-18000000,dstSavings=3600000,useDaylight=true, transitions=235,lastRule=java.util.SimpleTimeZone[id=America/New_York, offset=-18000000,dstSavings=3600000,useDaylight=true,startYear=0,startMode=3,startMonth=2,startDay=8,startDayOfWeek=1,startTime=7200000,startTimeMode=0, endMode=3,endMonth=10,endDay=1,endDayOfWeek=1,endTime=7200000,endTimeMode=0]], firstDayOfWeek=1,minimalDaysInFirstWeek=1, ERA=?,YEAR=2011,MONTH=9,WEEK_OF_YEAR=?, WEEK_OF_MONTH=?,DAY_OF_MONTH=14,DAY_OF_YEAR=?, DAY_OF_WEEK=?,DAY_OF_WEEK_IN_MONTH=?,AM_PM=1,
HOUR=3,HOUR_OF_DAY=15,MINUTE=38,SECOND=16,MILLISECOND=20,ZONE_OFFSET=?,DST_OFFSET=?]

         ExpirationTime:INTEGER:-1
         Priority:INTEGER:0
         ReplyIdentifier:BLOB:[B@153a153a
         ReplyProtocol:CHARACTER:MQ
         Topic:UNKNOWN:null
         ContentType:CHARACTER:
         IdentitySourceType:CHARACTER:
         IdentitySourceToken:CHARACTER:
         IdentitySourcePassword:CHARACTER:
         IdentitySourceIssuedBy:CHARACTER:
         IdentityMappedType:CHARACTER:
         IdentityMappedToken:CHARACTER:
         IdentityMappedPassword:CHARACTER:
         IdentityMappedIssuedBy:CHARACTER:
   MQMD
         SourceQueue:CHARACTER:SYSTEM.ADMIN.QMGR.EVENT
         Transactional:BOOLEAN:true
         Encoding:INTEGER:546
         CodedCharSetId:INTEGER:1208
         Format:CHARACTER:MQEVENT
         Version:INTEGER:2
         Report:INTEGER:0
         MsgType:INTEGER:8
         Expiry:INTEGER:-1
         Feedback:INTEGER:0
         Priority:INTEGER:0
         Persistence:INTEGER:0
         MsgId:BLOB:[B@2b742b74
         CorrelId:BLOB:[B@2c1c2c1c
         BackoutCount:INTEGER:0
         ReplyToQ:CHARACTER:                                               
         ReplyToQMgr:CHARACTER:MIBINT                                         
         UserIdentifier:CHARACTER:           
         AccountingToken:BLOB:[B@301a301a
         ApplIdentityData:CHARACTER:                               
         PutApplType:INTEGER:7
         PutApplName:CHARACTER:MIBINT                     
         PutDate:DATE:java.util.GregorianCalendar[time=1318564800000,areFieldsSet=true,areAllFieldsSet=false,lenient=true, zone=sun.util.calendar.ZoneInfo[id="America/New_York",offset=-18000000,dstSavings=3600000,useDaylight=true, transitions=235,lastRule=java.util.SimpleTimeZone[id=America/New_York,offset=-18000000,dstSavings=3600000,useDaylight=true, startYear=0,startMode=3,startMonth=2,startDay=8,startDayOfWeek=1, startTime=7200000,startTimeMode=0, endMode=3,endMonth=10,endDay=1,endDayOfWeek=1, endTime=7200000,endTimeMode=0]], firstDayOfWeek=1,minimalDaysInFirstWeek=1, ERA=?,YEAR=2011,MONTH=9,WEEK_OF_YEAR=?,WEEK_OF_MONTH=?, DAY_OF_MONTH=14,DAY_OF_YEAR=?,DAY_OF_WEEK=?,DAY_OF_WEEK_IN_MONTH=?, AM_PM=0,HOUR=0,HOUR_OF_DAY=0,MINUTE=0,SECOND=0,MILLISECOND=?,ZONE_OFFSET=?,DST_OFFSET=?]
         PutTime:TIME:java.util.GregorianCalendar[time=-62167404103980,areFieldsSet=false,areAllFieldsSet=false,lenient=true, zone=sun.util.calendar.ZoneInfo[id="America/New_York",offset=-18000000,dstSavings=3600000,useDaylight=true, transitions=235,lastRule=java.util.SimpleTimeZone[id=America/New_York,offset=-18000000,dstSavings=3600000,useDaylight=true, startYear=0,startMode=3,startMonth=2,startDay=8,startDayOfWeek=1,startTime=7200000,startTimeMode=0, endMode=3,endMonth=10,endDay=1,endDayOfWeek=1,endTime=7200000,endTimeMode=0]], firstDayOfWeek=1,minimalDaysInFirstWeek=1, ERA=0,YEAR=2,MONTH=11,WEEK_OF_YEAR=?,WEEK_OF_MONTH=?,DAY_OF_MONTH=31,DAY_OF_YEAR=?, DAY_OF_WEEK=?,DAY_OF_WEEK_IN_MONTH=?,AM_PM=1,HOUR=3,HOUR_OF_DAY=15,MINUTE=38,SECOND=16,MILLISECOND=20, ZONE_OFFSET=?,DST_OFFSET=?]
         ApplOriginData:CHARACTER:   
         GroupId:BLOB:[B@549c549c
         MsgSeqNumber:INTEGER:1
         Offset:INTEGER:0
         MsgFlags:INTEGER:0
         OriginalLength:INTEGER:-1
   MQPCF
         Type:INTEGER:7
         Version:INTEGER:1
         Command:INTEGER:44
         MsgSeqNumber:INTEGER:1
         Control:INTEGER:1
         CompCode:INTEGER:1
         Reason:INTEGER:2035
         Parameter:INTEGER:2015
               CHARACTER:MIBINT                                         
         Parameter:INTEGER:1020
               INTEGER:1
         Parameter:INTEGER:3025
               CHARACTER:amimsapp   
         Parameter:INTEGER:1
               INTEGER:28
         Parameter:INTEGER:3024
               CHARACTER:WebSphere MQ Client for Java
kenward
Posted: Fri Oct 14, 2011 7:43 am

Apprentice

Joined: 01 Jun 2010
Posts: 41
Location: Detroit, MI

Let me ask the question in a different way. For those of you who have successfully connected JMS remotely to MQ, how did you do it? What setmqaut commands did you have to use? What security steps were necessary?
mqjeff
Posted: Fri Oct 14, 2011 7:54 am

Grand Master

Joined: 25 Jun 2008
Posts: 17447

I didn't think you could put the name of a group into an MCAUSER... I thought it had to be a user whose primary group was...

?
fjb_saper
Posted: Fri Oct 14, 2011 8:25 am

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20697
Location: LI,NY

Remember if you are using JMS that all authorizations must include +inq

I did not see that...
_________________
MQ & Broker admin
kenward
Posted: Fri Oct 14, 2011 10:07 am

Apprentice

Joined: 01 Jun 2010
Posts: 41
Location: Detroit, MI

mqjeff wrote:
I didn't think you could put the name of a group into an MCAUSER... I thought it had to be a user whose primary group was...

?


I can't tell if you're being serious.
Vitor
Posted: Fri Oct 14, 2011 10:17 am

Grand High Poobah

Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA

kenward wrote:
I can't tell if you're being serious.


I won't speak for my most worthy associate, but I thought MCAUser had to be a single user rather than a group. How that user picks up authorities varies between Unix / non-Unix but I thought that was the rule.
_________________
Honesty is the best policy.
Insanity is the best defence.
kenward
Posted: Fri Oct 14, 2011 10:19 am

Apprentice

Joined: 01 Jun 2010
Posts: 41
Location: Detroit, MI

That was the problem. I confused the way setmqaut worked with the way MCAuser worked. If you give setmqaut a user name, it maps it to the group.

I solved this by blanking the MCAUSER. That forced MQ to use my Windows user name, which it then mapped to my secondary group membership.
mqjeff
Posted: Fri Oct 14, 2011 10:36 am

Grand Master

Joined: 25 Jun 2008
Posts: 17447

Vitor wrote:
kenward wrote:
I can't tell if you're being serious.


I won't speak for my most worthy associate, but I thought MCAUser had to be a single user rather than a group. How that user picks up authorities varies between Unix / non-Unix but I thought that was the rule.


For the record, I was being serious. The question mark was intended to indicate that I had not verified this against the documentation...

Rather than blanking the mcauser, I might instead set it to the name of a user whose primary group is the group name you had put in the MCAUSER.
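
Added example, not part of any post in this thread: the authorization event posted above can be decoded with the constant names from IBM MQ's PCF headers, which shows that the connect was refused for the ID `amimsapp`, the group name that had been placed in MCAUSER. The dump is an excerpt of the MQPCF section from the post, and the `group_names` argument is an assumption (a set of group names supplied by the administrator).

```python
# Excerpt of the MQPCF section from the event dump in the thread (padding trimmed).
EVENT_DUMP = """\
   MQPCF
         Command:INTEGER:44
         CompCode:INTEGER:1
         Reason:INTEGER:2035
         Parameter:INTEGER:2015
               CHARACTER:MIBINT
         Parameter:INTEGER:1020
               INTEGER:1
         Parameter:INTEGER:3025
               CHARACTER:amimsapp
         Parameter:INTEGER:1
               INTEGER:28
         Parameter:INTEGER:3024
               CHARACTER:WebSphere MQ Client for Java
"""

# Parameter identifiers carried by a "Not Authorized" queue manager event.
PARAMS = {2015: "MQCA_Q_MGR_NAME", 1020: "MQIACF_REASON_QUALIFIER",
          3025: "MQCACF_USER_IDENTIFIER", 1: "MQIA_APPL_TYPE",
          3024: "MQCACF_APPL_NAME"}
REASON_QUALIFIERS = {1: "MQRQ_CONN_NOT_AUTHORIZED", 2: "MQRQ_OPEN_NOT_AUTHORIZED",
                     3: "MQRQ_CLOSE_NOT_AUTHORIZED", 4: "MQRQ_CMD_NOT_AUTHORIZED"}


def decode_event(dump):
    """Return header fields and named PCF parameters from the text dump."""
    event, pending = {}, None
    for raw in dump.splitlines():
        line = raw.strip()
        if line.startswith("Parameter:INTEGER:"):
            pid = int(line.rsplit(":", 1)[1])
            pending = PARAMS.get(pid, str(pid))      # value follows on the next line
        elif pending is not None and ":" in line:
            kind, _, value = line.partition(":")
            event[pending] = int(value) if kind == "INTEGER" else value.strip()
            pending = None
        elif line.count(":") == 2 and ":INTEGER:" in line:
            name, _, value = line.split(":")         # header field such as Reason
            event[name] = int(value)
    qualifier = event.get("MQIACF_REASON_QUALIFIER")
    event["qualifier"] = REASON_QUALIFIERS.get(qualifier, qualifier)
    return event


def mcauser_is_group(event, group_names):
    """True when a connect-time 2035 was raised for an ID that is really a group."""
    return (event.get("Reason") == 2035
            and event.get("qualifier") == "MQRQ_CONN_NOT_AUTHORIZED"
            and event.get("MQCACF_USER_IDENTIFIER") in group_names)


if __name__ == "__main__":
    decoded = decode_event(EVENT_DUMP)
    print(decoded)
    print("group name used as user ID:", mcauser_is_group(decoded, {"amimsapp"}))
```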