hklbj
Posted: Tue Dec 02, 2014 1:07 am Post subject: query about CLNTUSER & MCAUSER
Apprentice
Joined: 20 Jun 2007 Posts: 34 Location: HK
Hi,
I have set up some Chl Auth. rules for MQ client connection as below:
Code:
AMQ8878: Display channel authentication record details.
CHLAUTH(CH.CCS.APP) TYPE(USERMAP)
DESCR( ) CUSTOM( )
ADDRESS(*) CLNTUSER(wing)
MCAUSER(mqccsapps) USERSRC(MAP)
WARN(NO) ALTDATE(2014-12-02)
ALTTIME(14.14.54)
AMQ8878: Display channel authentication record details.
CHLAUTH(CH.CCS.APP) TYPE(ADDRESSMAP)
DESCR(CCS apps to access the channel) CUSTOM( )
ADDRESS(*) MCAUSER( )
USERSRC(CHANNEL) WARN(NO)
ALTDATE(2014-11-18) ALTTIME(15.27.43)
I have a .NET MQ client program that connects to the QM. When I pass MQEnvironment.UserId = 'wing', the connection failed. When I omit this field or use 'mqccsapps', the connection succeeded.
Error log from QM
Code:
----- amqrmrsa.c : 898 --------------------------------------------------------
12/02/2014 02:21:16 PM - Process(25776.93) User(mqm) Program(amqrmppa)
AMQ9557: Queue Manager User ID initialization failed.
EXPLANATION:
The call to initialize the User ID failed with CompCode 2 and Reason 2035.
ACTION:
Correct the error and try again.
----- cmqxrsrv.c : 1972 -------------------------------------------------------
12/02/2014 02:21:16 PM - Process(25776.93) User(mqm) Program(amqrmppa)
AMQ9999: Channel 'CH.CCS.APP' to host '10.145.1.11 (10.145.1.11)' ended
abnormally.
EXPLANATION:
The channel program running under process ID 25776 for channel 'CH.CCS.APP'
ended abnormally. The host name is '10.145.1.11 (10.145.1.11)'; in some cases
the host name cannot be determined and so is shown as '????'.
ACTION:
Look at previous error messages for the channel program in the error logs to
determine the cause of the failure. Note that this message can be excluded
completely or suppressed by tuning the "ExcludeMessage" or "SuppressMessage"
attributes under the "QMErrorLog" stanza in qm.ini. Further information can be
found in the System Administration Guide.
----- amqrmrsa.c : 898 --------------------------------------------------------
I would like to clarify what values CLNTUSER & MCAUSER should have so that my MQ client app can use userid='wing' to connect.
According to knowledge center:
CLNTUSER
The client asserted user ID to be mapped to a new user ID or blocked.
MCAUSER
The user identifier to be used when the inbound connection matches the SSL or TLS DN, IP address, client asserted user ID or remote queue manager name supplied.
The response looks different, or do my rule settings have some problem? Thanks for pointing it out.

fjb_saper
Posted: Tue Dec 02, 2014 2:33 am
Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY

hklbj
Posted: Tue Dec 02, 2014 7:00 pm
Apprentice
Joined: 20 Jun 2007 Posts: 34 Location: HK
I tried to run the check with the following result.
It shows me that both userids 'mqccsapps' and 'WING' match the same rule, i.e. USERSRC(CHANNEL).
With userid 'wing', it matches the rule with USERSRC(MAP). My understanding is that it should map client user id 'wing' to the QM local mcauser 'mqccsapps'. However, it just disallows the connection with the error "initialize the User ID failed".
I found a similar thread talking about this issue but no conclusion yet.
https://www.ibm.com/developerworks/community/forums/html/topic?id=77777777-0000-0000-0000-000014914383
Code:
dis chlauth(ch.ccs.app) match(runcheck) all address('127.0.0.1') clntuser('wing')
4 : dis chlauth(ch.ccs.app) match(runcheck) all address('127.0.0.1') clntuser('wing')
AMQ8878: Display channel authentication record details.
CHLAUTH(CH.CCS.APP) TYPE(USERMAP)
DESCR( ) CUSTOM( )
ADDRESS(*) CLNTUSER(wing)
MCAUSER(mqccsapps) USERSRC(MAP)
WARN(NO) ALTDATE(2014-12-02)
ALTTIME(14.14.54)
dis chlauth(ch.ccs.app) match(runcheck) all address('127.0.0.1') clntuser('mqccsapps')
5 : dis chlauth(ch.ccs.app) match(runcheck) all address('127.0.0.1') clntuser('mqccsapps')
AMQ8878: Display channel authentication record details.
CHLAUTH(CH.CCS.APP) TYPE(ADDRESSMAP)
DESCR(CCS apps to access the channel) CUSTOM( )
ADDRESS(*) MCAUSER( )
USERSRC(CHANNEL) WARN(NO)
ALTDATE(2014-11-18) ALTTIME(15.27.43)
dis chlauth(ch.ccs.app) match(runcheck) all address('127.0.0.1') clntuser('WING')
8 : dis chlauth(ch.ccs.app) match(runcheck) all address('127.0.0.1') clntuser('WING')
AMQ8878: Display channel authentication record details.
CHLAUTH(CH.CCS.APP) TYPE(ADDRESSMAP)
DESCR(CCS apps to access the channel) CUSTOM( )
ADDRESS(*) MCAUSER( )
USERSRC(CHANNEL) WARN(NO)
ALTDATE(2014-11-18) ALTTIME(15.27.43)

fjb_saper
Posted: Wed Dec 03, 2014 9:07 am
Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
There is a huge lot you're not saying, and you did not display the prior records of the log that could have helped diagnose.
First you need to make sure that the user accessing the channel is not privileged, or that a privileged user could access the channel.
Then you need to test with the user and look at the error log to see whether the user is coming in as 'WING' or 'wing' or 'wing@domain'.
Finally you need to create the right mapping rule.
Then verify using match runcheck and test again...
Have fun
_________________
MQ & Broker admin

PeterPotkay
Posted: Wed Dec 03, 2014 1:57 pm
Poobah
Joined: 15 May 2001 Posts: 7722

hklbj
Posted: Sun Dec 07, 2014 6:52 pm
Apprentice
Joined: 20 Jun 2007 Posts: 34 Location: HK
Hello guys, I have done some tests similar to Peter's but see some behaviour that I don't understand. I am not sure whether it is related to Channel Auth. or to the MQ client API on the .NET platform. I have captured the screen shots below for your advice.
Screen shots (images not reproduced here): Channel status summary; Channel status; Channel authentication record; Object authorization; QM error log
I don't know why, when MQEnvironment userid is not set (i.e. null), my PC login name 'wing' is used and mapped to 'mqjmsapps', and being disconnected is expected. However, when MQEnvironment userid is set to 'wing', the QM can be connected with mcauserid 'wing'. This is not my expectation and I am really confused why it didn't map to 'mqjmsapps' accordingly.
Many Thanks

fjb_saper
Posted: Sun Dec 07, 2014 7:42 pm
Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
Probably because there is a subtle difference between userid 'wing' and MQEnvironment.UserId = "wing "; (case, domain = machine name, no domain, missing trailing blanks, etc...)
Make a rule that will reject everybody, leave the mcauserid blank and check what shows up in the error log.
You should see a subtle difference in those 2 cases. You may need to cater for that difference.
Have fun
_________________
MQ & Broker admin
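The rule set shown in the first post, the MATCH(RUNCHECK) dry-run from the third post, and the block-everybody diagnostic fjb_saper suggests above, written out as runmqsc commands. This is an added example, not commands taken from the thread; the queue manager name is a placeholder and the 'TEMPORARY' description text is my own.

```mqsc
* Added example (not from the thread): recreate the two CHLAUTH records
* from the first post, dry-run them with RUNCHECK, then apply the
* block-all diagnostic. Feed this to: runmqsc QMGR_NAME  (placeholder name)

* 1. Confirm CHLAUTH is switched on at the queue manager level at all
DISPLAY QMGR CHLAUTH

* 2. Mapping record: the client-asserted id 'wing' runs as 'mqccsapps'.
*    CLNTUSER is case-sensitive, so 'WING' does NOT match this record.
SET CHLAUTH('CH.CCS.APP') TYPE(USERMAP) CLNTUSER('wing') ADDRESS('*') +
    USERSRC(MAP) MCAUSER('mqccsapps') ACTION(ADD)

* 3. Catch-all for the channel: everything else keeps the id it asserts
SET CHLAUTH('CH.CCS.APP') TYPE(ADDRESSMAP) ADDRESS('*') +
    USERSRC(CHANNEL) DESCR('CCS apps to access the channel') ACTION(ADD)

* 4. Dry-run the matching before any client connects. RUNCHECK needs
*    concrete values (one IP address, one id), not patterns. Expected:
*      'wing' -> the USERMAP record (USERSRC(MAP), MCAUSER(mqccsapps))
*      'WING' -> the ADDRESSMAP record (USERSRC(CHANNEL))
DISPLAY CHLAUTH('CH.CCS.APP') MATCH(RUNCHECK) ALL +
    ADDRESS('127.0.0.1') CLNTUSER('wing')
DISPLAY CHLAUTH('CH.CCS.APP') MATCH(RUNCHECK) ALL +
    ADDRESS('127.0.0.1') CLNTUSER('WING')

* 5. Diagnostic from fjb_saper's post: temporarily block everybody on the
*    channel with MCAUSER left blank, so the error log shows exactly what
*    id the .NET client asserts (case, domain suffix, trailing blanks).
*    The USERMAP record goes first, otherwise 'wing' is still mapped
*    rather than blocked (USERMAP records are matched before ADDRESSMAP).
SET CHLAUTH('CH.CCS.APP') TYPE(USERMAP) CLNTUSER('wing') ADDRESS('*') +
    ACTION(REMOVE)
SET CHLAUTH('CH.CCS.APP') TYPE(ADDRESSMAP) ADDRESS('*') +
    USERSRC(NOACCESS) DESCR('TEMPORARY block-all for diagnosis') ACTION(REPLACE)

* 6. Restore the real records once the asserted id has been read from the log
SET CHLAUTH('CH.CCS.APP') TYPE(ADDRESSMAP) ADDRESS('*') +
    USERSRC(CHANNEL) DESCR('CCS apps to access the channel') ACTION(REPLACE)
SET CHLAUTH('CH.CCS.APP') TYPE(USERMAP) CLNTUSER('wing') ADDRESS('*') +
    USERSRC(MAP) MCAUSER('mqccsapps') ACTION(ADD)
```

Compare the id recorded in the error log during step 5 character by character with the CLNTUSER value in step 2; any mismatch there is what decides which record the real connection hits.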

hklbj
Posted: Mon Dec 08, 2014 1:11 am
Apprentice
Joined: 20 Jun 2007 Posts: 34 Location: HK
fjb_saper wrote:
    Probably because there is a subtle difference between userid 'wing' and MQEnvironment.UserId = "wing "; (case, domain = machine name, no domain, missing trailing blanks, etc...)
    Make a rule that will reject everybody, leave the mcauserid blank and check what shows up in the error log.
    You should see a subtle difference in those 2 cases. You may need to cater for that difference.
    Have fun
fjb_saper, currently I have the back stop rule defined (from Morag) to block invalid client users. I am really confused.

PeterPotkay
Posted: Mon Dec 08, 2014 4:55 am
Poobah
Joined: 15 May 2001 Posts: 7722
hklbj wrote:
    However, when MQEnvironment userid is set to 'wing', the QM can be connected with mcauserid 'wing'. This is not my expectation and I am really confused why it didn't map to 'mqjmsapps' accordingly.
You have a rule that maps wing to mqjmsapps.
You show the runcheck test that proves that an incoming connection from wing will get mapped to mqjmsapps.
Are you saying that when you actually run your program as wing, the mapping does not occur and you connect to the queue manager as wing? If yes, show us a screen shot of the running channel in that case showing the MCAUSER that the running channel is using.
The screen shots are very helpful by the way, thanks for taking the trouble to post them.
_________________
Peter Potkay
Keep Calm and MQ On

hklbj
Posted: Mon Dec 08, 2014 5:46 am
Apprentice
Joined: 20 Jun 2007 Posts: 34 Location: HK
Peter, yes I have a rule to map 'wing' to 'mqjmsapps' and expect it cannot connect, as object authorization wasn't set for 'mqjmsapps'. All the details can be found in my screen shots in today's post. When I explicitly set MQEnvironment userid to 'wing', the channel can connect and runs as mcauser = 'wing' instead of mapping to 'mqjmsapps' and failing to connect.
PeterPotkay wrote:
    hklbj wrote:
        However, when MQEnvironment userid is set to 'wing', the QM can be connected with mcauserid 'wing'. This is not my expectation and I am really confused why it didn't map to 'mqjmsapps' accordingly.
    You have a rule that maps wing to mqjmsapps.
    You show the runcheck test that proves that an incoming connection from wing will get mapped to mqjmsapps.
    Are you saying that when you actually run your program as wing, the mapping does not occur and you connect to the queue manager as wing? If yes, show us a screen shot of the running channel in that case showing the MCAUSER that the running channel is using.
    The screen shots are very helpful by the way, thanks for taking the trouble to post them.

mqjeff
Posted: Mon Dec 08, 2014 5:56 am
Grand Master
Joined: 25 Jun 2008 Posts: 17447
... does "dis CONN" show the MCAUSER? I've forgotten.
The big question, really, is if 'wing' is not getting mapped to 'mqjmsapps', then what is it getting mapped to?

hklbj
Posted: Mon Dec 08, 2014 6:24 am
Apprentice
Joined: 20 Jun 2007 Posts: 34 Location: HK
mqjeff wrote:
    ... does "dis CONN" show the MCAUSER? I've forgotten.
    The big question, really, is if 'wing' is not getting mapped to 'mqjmsapps', then what is it getting mapped to?
Jeff, it didn't map to any id, but the mcauser 'wing' is displayed in the channel status in MQ Explorer, and it has been posted in the screen shot. And that's why I am confused.

mqjeff
Posted: Mon Dec 08, 2014 6:32 am
Grand Master
Joined: 25 Jun 2008 Posts: 17447
... Are you seeing the same information in MQExplorer's view of the connection as you are seeing in a runmqsc 'DIS CONN' (or at least for 'DIS CHSTATUS') for the same connection?
Also, remember that there's more than one status for a SVRCONN - there's one for each instance of the channel.
I would double-check the channel status and the connection information using runmqsc, and then compare the resolved IP address and the resolved mcauser.
I know you've probably done that, but you haven't posted the data.
If that doesn't work, you need to a) open a PMR, b) enable authority events, c) enable tracing on the channels.

hklbj
Posted: Mon Dec 08, 2014 6:44 am
Apprentice
Joined: 20 Jun 2007 Posts: 34 Location: HK
mqjeff wrote:
    ... Are you seeing the same information in MQExplorer's view of the connection as you are seeing in a runmqsc 'DIS CONN' (or at least for 'DIS CHSTATUS') for the same connection?
    Also, remember that there's more than one status for a SVRCONN - there's one for each instance of the channel.
    I would double-check the channel status and the connection information using runmqsc, and then compare the resolved IP address and the resolved mcauser.
    I know you've probably done that, but you haven't posted the data.
    If that doesn't work, you need to a) open a PMR, b) enable authority events, c) enable tracing on the channels.
Since I am not in the office, I will try it tomorrow to see if there are any other hints.

PeterPotkay
Posted: Mon Dec 08, 2014 6:54 am
Poobah
Joined: 15 May 2001 Posts: 7722
You show the permissions for the wing group, but can you tell us what groups the wing ID is in?
Is the wing ID in the mqm group? Or if on Windows, in the Administrators or mqm group? Or in some other group that does have connect access?
That still doesn't explain why the CHLAUTH mapping is not working. If the channel is running as wing, I would have expected the CHLAUTH rule you have to have fired and changed that to mqjmsapps.
Is CHLAUTH enabled at the Queue Manager level?
_________________
Peter Potkay
Keep Calm and MQ On