huwgb (Novice; Joined: 07 May 2013; Posts: 21)
Posted: Mon Sep 23, 2013 3:36 pm    Post subject: Websphere MQ Security - Solaris

Hi, I thought I had a relatively good understanding of MQ Authorities and all that jazz, apparently not.

I am getting MQRC 2035 not authorized errors when attempting to connect to a server connection channel using RFHUtilC and SSL on a Solaris server.
 
These are the steps I took on the server:

Code:
groupadd mq.client
useradd -d /export/home/mqclient -g mq.client mqclient

runmqsc <QMGR> < mqclient.mqsc

mqclient.mqsc contains the following:

Code:
define qlocal('MQCLIENT.BO')
define qlocal('MQCLIENT.REQUEST') boqname('MQCLIENT.BO') bothresh(1)
define qlocal('MQCLIENT.REPLY') boqname('MQCLIENT.BO') bothresh(1)

define channel('MQCLIENT.CHL') chltype(svrconn) trptype(tcp) mcauser('mqclient') sslciph('TRIPLE_DES_SHA_US') sslpeer('<DN>')

Afterwards I run the following:

Code:
setmqaut -m <QMGR> -n MQCLIENT.REQUEST -t q -g mq.client +put +inq +set
setmqaut -m <QMGR> -n MQCLIENT.REPLY -t q -g mq.client +get +browse +inq
setmqaut -m <QMGR> -n MQCLIENT.BO -t q -g mq.client +put +inq +set
setmqaut -m <QMGR> -t qmgr -g mq.client +connect +inq +set

Connecting via RFHUtilC I set the following variables in a batch file:

Code:
SET MQSERVER=MQCLIENT.CHL/TCP/<HOSTIP>(<Listener Port>)
SET AMQ_SSL_ALLOW_DEFAULT_CERT=1
SET AMQ_SSL_OCSP_NO_CHECK_AIA=1
SET MQSSLKEYR=C:\ih03\key
rfhutilc.exe

The key database file contains the private key for the client and the public keys for the server. The Set Connection ID in RFHUtil has the correct cipher spec, mutual auth enabled, and the key file location set correctly. The server truststore contains the correct CAs for the client private key.
 
On attempting to browse the MQCLIENT.REPLY queue I get an MQRC 2035 not authorized message. I do not see any evidence of a connection in the /var/mqm/qmgrs/<QMGR>/errors log.
 
Would my next step be setting the MQS_REPORT_NOAUTH variable and restarting the server (a lot of red tape even though it is only a test server)? Or is there something else I can do first?
 
 Last edited by huwgb on Mon Sep 23, 2013 6:57 pm; edited 1 time in total
		
huwgb
Posted: Mon Sep 23, 2013 4:13 pm

			  
It would appear that the first script to create the user and add to a group did not work due to an invalid group name...
Worked in lower environments though.
		
bruce2359 (Poobah; Joined: 05 Jan 2008; Posts: 9486; Location: US: west coast, almost. Otherwise, enroute.)
Posted: Mon Sep 23, 2013 5:06 pm

			  
What do you mean by 'It would appear'? Are you saying that you received an error with that description?
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
		
huwgb
Posted: Mon Sep 23, 2013 5:13 pm

			  
I always seem to resolve these issues within an hour or two of posting them on a message board. I had spent the better part of yesterday not able to resolve the issue before I was finally given direct access to the server.
 
 It turns out that there was an error in the /etc/group file which was affecting the creation of users and assignment of default groups.
 
 There was a newline character in the /etc/group file which was somehow causing every new user to be added to the group after the newline character, rather than the group specified in the script.
 
 That other group had +connect permission on the queue manager, but no permissions on individual queues, hence the MQRC 2035 error.
 
 I ended up manually removing the newline character, deleting the groups, users and authorities and re-running the script as is. It worked first time and the connection worked after refreshing the security on the Queue Manager.
 
 That was a little out of left field for me...
 
 
Regarding my previous post: warnings were spat out after creating the groups/users stating that the group names were too long and contained invalid characters (full stops). However, they were still successfully created, and in the lower environments users were successfully added to the correct groups.
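The two setup failures described in this thread, a group name the OS warns about (length, full stops) and a malformed /etc/group that lands a new user in a different group than the one given to useradd, can both be caught before the setup script from the first post is run. The pre-flight script below is an added example, not code from this thread; it assumes Solaris-style group-name rules (at most 8 characters, starting with a letter, only letters, digits, '_' and '-') and uses constructed passwd/group samples in place of the real files.

```shell
#!/bin/sh
# Added example, not from the thread: pre-flight checks for the groupadd/useradd
# step. Assumption: Solaris group names are at most 8 characters, start with
# a letter and contain only letters, digits, '_' and '-' (so 'mq.client' fails).

# valid_group_name NAME -> returns 0 if NAME satisfies the rules above, else 1.
valid_group_name() {
    case "$1" in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;   # empty, or contains a forbidden character
        [!A-Za-z]*)          return 1 ;;   # must start with a letter
    esac
    [ "${#1}" -le 8 ]
}

# check_group_file FILE -> prints one line per malformed entry (a blank line, or a
# line without exactly 4 colon-separated fields) and returns 1 if any were found.
check_group_file() {
    awk -F: '
        /^$/    { printf "line %d: blank line\n", NR; bad = 1; next }
        NF != 4 { printf "line %d: expected 4 fields, got %d\n", NR, NF; bad = 1 }
        END     { if (bad) exit 1 }
    ' "$1"
}

# primary_group USER PASSWD_FILE GROUP_FILE -> prints the group name that USER's
# primary GID resolves to, for comparison with the -g value passed to useradd.
primary_group() {
    gid=$(awk -F: -v u="$1" '$1 == u { print $4; exit }' "$2")
    [ -n "$gid" ] || return 1
    awk -F: -v g="$gid" '$3 == g { print $1; found = 1; exit }
                         END { if (!found) exit 1 }' "$3"
}

# Constructed sample files standing in for /etc/group and /etc/passwd.
tmpdir=$(mktemp -d)
trap 'rm -rf "$tmpdir"' EXIT
printf 'root:x:0:\nmqm:x:100:mqm\n\nmqclient:x:101:\n' > "$tmpdir/group.bad"  # stray blank line
printf 'root:x:0:\nmqm:x:100:mqm\nmqclient:x:101:\n' > "$tmpdir/group.ok"
printf 'mqclient:x:1001:101:MQ client:/export/home/mqclient:/bin/sh\n' > "$tmpdir/passwd"

for name in mq.client mqclient; do
    valid_group_name "$name" && echo "group name ok: $name" || echo "group name rejected: $name"
done
check_group_file "$tmpdir/group.bad" || echo "group.bad is malformed; fix it before running useradd"
echo "mqclient primary group: $(primary_group mqclient "$tmpdir/passwd" "$tmpdir/group.ok")"
```

Running primary_group against the real /etc/passwd and /etc/group after useradd, and comparing the result with the group named on the command line, would have shown the mismatch described above without waiting for a 2035 from the queue manager.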
		
exerk (Jedi Council; Joined: 02 Nov 2006; Posts: 6339)
Posted: Mon Sep 23, 2013 6:05 pm    Post subject: Re: Websphere MQ Security - Solaris

			  
huwgb wrote:
> ...Connecting via RFHUtilC I set the following variables in a batchfile:
>
> Code:
> SET MQSERVER=MQTEST.CLIENT/TCP/<HOSTIP>(<Listener Port>)
> SET AMQ_SSL_ALLOW_DEFAULT_CERT=1
> SET AMQ_SSL_OCSP_NO_CHECK_AIA=1
> SET MQSSLKEYR=C:\ih03\key
> rfhutilc.exe

Just out of curiosity, but just which channel do you think you are connecting through?

huwgb wrote:
> Would my next step be: setting the MQS_REPORT_NOAUTH variable and restarting the server (a lot of red tape even though it is only a test server)?

As far as I'm concerned that should be set on every WMQ server installation, regardless of environment.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
		
huwgb
Posted: Mon Sep 23, 2013 6:56 pm    Post subject: Re: Websphere MQ Security - Solaris

			  
Quote:
> Just out of curiosity, but just which channel do you think you are connecting through?

Sorry, that was a typo in entering the commands into the message body. The scripts were on another server so I could not easily cut/paste (plus I did not want to include real server/Queue Manager names on a public forum).
I will correct my post above.

Quote:
> As far as I'm concerned that should be set on every WMQ server installation, regardless of environment.

True, I was not even aware of it until yesterday. I usually work on Windows servers, which have nearly always provided enough logging to debug an issue. I intend on raising it as an issue but considering how slowly everything churns around here I doubt I will get it actioned until sometime next year...
		
exerk
Posted: Mon Sep 23, 2013 7:48 pm    Post subject: Re: Websphere MQ Security - Solaris

			  
huwgb wrote:
> Quote:
> > Just out of curiosity, but just which channel do you think you are connecting through?
>
> Sorry, that was a typo in entering the commands into the message body...

My question was asked because from what I could see you gave the impression you thought you would connect via an SSL enabled channel, but were setting the MQSERVER variable to point to a completely different channel, and the variable takes precedence over any other setting, e.g. a CCDT file.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.