MQSeries.net » General IBM MQ Support » More fun with MQCONNX and MQ Authorizations.

TheAndroid (Novice)
Posted: Wed Jun 03, 2015 12:45 pm    Post subject: More fun with MQCONNX and MQ Authorizations.

I am still trying to get this WebSphere on Windows to allow my MQ Client which runs on 64-bit Linux to connect using MQCONNX and passing the credentials for a service id.

In a nutshell, I as user ANDY on the Linux machine, want to connect to the QMGR as ID WORKER. I am passing the appropriate password and userid information as well as setting the appropriate bitflags in the MQSCP associated with my MQCONNX call.

On the MQServer, I have the user WORKER defined and assigned all the rights possible to select via the checkboxes when using MQ Explorer. I also have the user ANDY defined on the machine in the same manner.

Now, when I connect using MQCONNX with the ANDY id and password, everything works just fine. However, when I connect with the WORKER id and password, I get a 2035 (NOT AUTHORIZED). Keep in mind, these two IDs are defined exactly the same way. What I see in the wire traces is a CLNT_AUTH message goes across which contains the user/pswd information. In the logs on the Server, I see a message from amqrmppa.exe (the channel program) that the user is not authorized.

What could I possibly be missing here? The initial connection to the server sends USERID info for ANDY. Is the fact that both ID's are on the Server machine and ANDY simply does not have the rights to "become" WORKER? If so, how do I go about bestowing those rights?

When I set the MCA User ID to WORKER, lo and behold, everything works for WORKER. But no longer for ANDY. I will have multiple service IDs active simultaneously. Am I going to have to define a channel for each of them?

So far, the documentation has been less than forthcoming on these subjects.
exerk (Jedi Council)
Posted: Wed Jun 03, 2015 2:07 pm

It would help greatly if you specified which version of MQ (at both ends), and whether you're using an exit or CONNAUTH (the latter assumes MQ V8.0). Also, the detail of the 2035 failure, i.e. the specific authority that's failing.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
dragonMastar (Newbie)
Posted: Wed Jun 03, 2015 9:57 pm

how about adding the user to mqm group in lower case (preferable)?
exerk (Jedi Council)
Posted: Thu Jun 04, 2015 1:07 am

dragonMastar wrote:
how about adding the user to mqm group in lower case (preferable)?

Yes, what a fantastically unpreferable idea to completely break security by giving carte blanche access to every authorisation known to man, probably to a user that needs only a subset...

...and if the OP is using any version of MQ that utilises CHLAUTH that suggestion will fail as privileged users, i.e. anything in the mqm group, are automatically blocked without further configuration work.
TheAndroid (Novice)
Posted: Thu Jun 04, 2015 8:42 am

Sorry, should've mentioned this.

I am using MQClient 7.0.12 with a 64-bit C program on Redhat Server 6.6 on Intel. I connect using the QMGR name and a channel table.

I am connecting to a WebSphere 7.5 server running on Windows 64-bit on Intel.

No exits. No CONNAUTH. I am simply calling MQCONNX and passing the ID credentials. The 2035 is occurring on the MQCONNX call. I don't get far enough to open a queue.

Code:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include "cmqc.h"

int main(void)
{
   MQCHAR48 wrkQMGRName = "THEQMGR";   /* MQCHAR48 is a 48-byte array, rest zero-filled */
   MQHCONN  wrkHandle = MQHC_DEF_HCONN;
   MQLONG   wrkCompCode = MQCC_OK;
   MQLONG   wrkReasonCode = MQRC_NONE;
   MQCNO    wrkCNO = {MQCNO_DEFAULT};
   MQCSP    wrkCSP = {MQCSP_DEFAULT};
   char    *userId   = "WORKER";       /* this combination returns 2035 */
   char    *password = "workpass";     /* test value only; never ship a hard-coded password */

   /* Swap in the ANDY credentials and the connect succeeds */
   /* userId = "ANDY"; password = "andypass"; */

   /* Version 5 of the MQCNO is the first that carries SecurityParmsPtr */
   wrkCNO.Version = MQCNO_VERSION_5;
   wrkCNO.SecurityParmsPtr = &wrkCSP;

   wrkCSP.AuthenticationType = MQCSP_AUTH_USER_ID_AND_PWD;
   wrkCSP.CSPUserIdPtr       = userId;
   wrkCSP.CSPUserIdLength    = (MQLONG) strlen(userId);
   wrkCSP.CSPPasswordPtr     = password;
   wrkCSP.CSPPasswordLength  = (MQLONG) strlen(password);

   printf("Calling using %s\n", userId);

   MQCONNX(wrkQMGRName, &wrkCNO, &wrkHandle, &wrkCompCode, &wrkReasonCode);

   printf("Completing [%d] [%d]!\n", (int) wrkCompCode, (int) wrkReasonCode);

   if (wrkCompCode != MQCC_FAILED)
   {
      /* Release the connection we hold; the codes now reflect MQDISC */
      MQDISC(&wrkHandle, &wrkCompCode, &wrkReasonCode);
   }
   return (wrkReasonCode == MQRC_NONE) ? EXIT_SUCCESS : EXIT_FAILURE;
}



If in the above I uncomment the ANDY credentials, life is good. The way this is right now, no joy. I should note that I run this executable logged onto the Linux box as andy. I mention this because the message flow between the client and the server shows the client initially sending my Linux userid information first, then the MQCSP and MQCNO information.

Thanks.
mqjeff (Grand Master)
Posted: Thu Jun 04, 2015 11:14 am


With the 7.0.1.x client, the MQ CSP structure may not work the way you think it does.

I vaguely remember that it is only at 7.1.x.x and later that the CSP structure will be used in the way you expect - by the queue manager without any exits and etc.

It's worth a try with a coexisted 7.5 client, to see if the behavior is different.

If it works, you can then remove the 7.0.1.x client and make the 7.5 the default.
RogerLacroix (Jedi Knight)
Posted: Thu Jun 04, 2015 1:30 pm


TheAndroid wrote:
I am using MQClient 7.0.12 with a 64-bit C program on Redhat Server 6.6 on Intel. I connect using the QMGR name and a channel table.

I am connecting to a Websphere 7.5 server running on Windows 64-bit on Intel.

For MQ v7.5, the queue manager does NOT use the credentials in the MQCSP structure. The queue manager simply passes the credentials to a security exit. If you are not using a security exit then the MQCSP is not used.

For MQ v7.5, the UserID used for authorization (not authentication) is the UserID that the application is running under.

Regards,
Roger Lacroix
Capitalware Inc.
_________________
Capitalware: Transforming tomorrow into today.
Connected to MQ!
Twitter
fjb_saper (Grand High Poobah)
Posted: Fri Jun 05, 2015 4:40 am


You may want to create a CONNAUTH record for the channel with user mapping.
Have fun
_________________
MQ & Broker admin
exerk (Jedi Council)
Posted: Fri Jun 05, 2015 6:37 am

fjb_saper wrote:
You may want to create a CONNAUTH record for the channel with user mapping.
Have fun

OP stated (paraphrased) "...I am using MQClient 7.0.12 with a 7.5 server..."
RogerLacroix (Jedi Knight)
Posted: Fri Jun 05, 2015 10:39 am


TheAndroid wrote:
I am connecting to a Websphere 7.5 server running on Windows 64-bit on Intel.

fjb_saper wrote:
You may want to create a CONNAUTH record for the channel with user mapping.

CONNAUTH is not available for MQ v7.5. It was introduced in MQ V8.

Regards,
Roger Lacroix
Capitalware Inc.
fjb_saper (Grand High Poobah)
Posted: Fri Jun 05, 2015 10:58 am


Sorry I meant ChlAuth of course...
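What the CHLAUTH route fjb_saper ends on looks like on the queue manager, written out here as an added example; it is not from any poster in the thread. THEQMGR, WORKER and the Linux login andy are taken from the original post; the channel name APP.SVRCONN, the queue WORKER.REQUEST, the 10.0.0.* client subnet and the TLS distinguished name are assumed. It is MQSC for the 7.5 server, applied with runmqsc.

```mqsc
* Added example, not from the thread: queue-manager side of the CHLAUTH route.
* THEQMGR, WORKER and andy are from the original post; APP.SVRCONN,
* WORKER.REQUEST, the 10.0.0.* subnet and the TLS DN are assumed names.
* Apply with:  runmqsc THEQMGR < chlauth.mqsc

* 1. A fixed MCAUSER on the channel pins every connection to one id (this is
*    why WORKER worked and ANDY stopped). Clear it and let CHLAUTH decide.
ALTER CHANNEL('APP.SVRCONN') CHLTYPE(SVRCONN) MCAUSER(' ')
ALTER QMGR CHLAUTH(ENABLED)

* 2. Backstop: anything on this channel that no mapping rule accepts is refused.
*    ADDRESSMAP has the lowest precedence, so the rules below win over it.
SET CHLAUTH('APP.SVRCONN') TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(NOACCESS)

* 3. Privileged ids (mqm, Administrators) stay blocked on client channels.
*    This is also why "add the user to mqm" cannot work with CHLAUTH on.
SET CHLAUTH('APP.SVRCONN') TYPE(BLOCKUSER) USERLIST('*MQADMIN')

* 4. Map the client-asserted OS id 'andy' to the service id. On 7.5 the queue
*    manager has NOT authenticated 'andy' (no exit, no CONNAUTH), so this rule
*    trusts the client host; limit it to that host's address range.
SET CHLAUTH('APP.SVRCONN') TYPE(USERMAP) CLNTUSER('andy') ADDRESS('10.0.0.*') +
    USERSRC(MAP) MCAUSER('WORKER')

* 5. Preferred when TLS client certificates are in place: map on the peer DN,
*    which the channel has actually verified, rather than on a flowed id.
*    Several service ids share one channel: one rule per id, not a channel per id.
SET CHLAUTH('APP.SVRCONN') TYPE(SSLPEERMAP) SSLPEER('CN=worker-svc,O=Example') +
    USERSRC(MAP) MCAUSER('WORKER')

* 6. Least privilege for WORKER instead of every checkbox in MQ Explorer.
*    Windows accepts PRINCIPAL here; on Unix use GROUP.
SET AUTHREC OBJTYPE(QMGR) PRINCIPAL('WORKER') AUTHADD(CONNECT,INQ)
SET AUTHREC PROFILE('WORKER.REQUEST') OBJTYPE(QUEUE) PRINCIPAL('WORKER') +
    AUTHADD(PUT,GET,INQ)

* 7. Before retesting the client: show which record a connection would match
*    and what MCAUSER it ends up with, then show WORKER's effective grants.
DISPLAY CHLAUTH('APP.SVRCONN') MATCH(RUNCHECK) CLNTUSER('andy') ADDRESS('10.0.0.12')
DISPLAY AUTHREC PRINCIPAL('WORKER')
```

Two caveats. CLNTUSER is whatever the client library flowed in the initial connection, which in TheAndroid's trace is the Linux login andy; on 7.5 without a security exit nothing has verified it, so the USERMAP rule is a convenience mapping that trusts the client host, not authentication, and anyone who can run a client as andy on that subnet inherits WORKER's rights. That is why the rule is pinned to an address range and why the SSLPEERMAP form is the one to keep once TLS client certificates exist; checking the MQCSP password itself is what MQ V8 CONNAUTH adds. The RUNCHECK display shows which record a given user and address would hit and the resulting MCAUSER, which answers exerk's question about the specific failing authority far faster than reading the 2035 out of the queue manager's error log.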