Shytiy.Andrew |
Posted: Fri Oct 23, 2015 2:39 am Post subject: |
|
|
Novice
Joined: 19 Oct 2015 Posts: 13
|
Vitor wrote: |
I'm still not clear on why you're trying to use the MQCONNX rather than having the administrator set the MCAUser on the SVRCONN.
|
I connect to the MQ Server from a workstation. I understand that I must use MQCHT_CLNTCONN in MQCD.
I initialized ClientConnPtr (MQCD) and SecurityParmsPtr (MQCSP). I corrected the 2077 errors and still received error 2035,
although I pass in MQCSP a login that is allowed access to MQ.
Code: |
ASSIGN QMgrName = "UNIQM"
       AlternateUserId = "extmqusr"
       ChannelName = "EXTMQUSER.SVRCONN.CH"
       ConnectionName = "vprwmq(1422)".
..
/*initialize MQCSP structure - Security parameters*/
SET-SIZE(CSPUserIdPtr) = 20.
SET-SIZE(CSPPasswordPtr) = 20.
PUT-STRING(CSPUserIdPtr,1) = AlternateUserId.
ASSIGN CharString = "".
PUT-STRING(CSPPasswordPtr,1) = CharString.
..
ASSIGN CharString = "CSP "
       StrLength = LENGTH(CharString). /*StrucId (MQCHAR4), 4-byte: MQCSP_STRUC_ID*/
PUT-STRING(SecurityParmsPtr,1) = CharString.
PUT-LONG(SecurityParmsPtr,StrLength + 1) = 1. /*Version (MQLONG), 4-byte: MQCSP_VERSION_1*/
ASSIGN StrLength = StrLength + 4.
PUT-LONG(SecurityParmsPtr,StrLength + 1) = 1. /*AuthenticationType (MQLONG), 4-byte: MQCSP_AUTH_USER_ID_AND_PWD*/
ASSIGN StrLength = StrLength + 4
       CharString = "".
PUT-STRING(SecurityParmsPtr,StrLength + 1) = CharString. /*Reserved1 (MQBYTE4), 4-byte*/
ASSIGN StrLength = StrLength + 4.
PUT-LONG(SecurityParmsPtr,StrLength + 1) = GET-POINTER-VALUE(CSPUserIdPtr). /*CSPUserIdPtr (MQPTR), 4-byte*/
ASSIGN StrLength = StrLength + 4.
PUT-LONG(SecurityParmsPtr,StrLength + 1) = 0. /*CSPUserIdOffset (MQLONG), 4-byte*/
ASSIGN StrLength = StrLength + 4.
PUT-LONG(SecurityParmsPtr,StrLength + 1) = 20. /*CSPUserIdLength (MQLONG), 4-byte*/
ASSIGN StrLength = StrLength + 4
       CharString = "".
PUT-STRING(SecurityParmsPtr,StrLength + 1) = CharString. /*Reserved2 (MQBYTE8), 8-byte*/
ASSIGN StrLength = StrLength + 8.
PUT-LONG(SecurityParmsPtr,StrLength + 1) = GET-POINTER-VALUE(CSPPasswordPtr). /*CSPPasswordPtr (MQPTR), 4-byte*/
ASSIGN StrLength = StrLength + 4.
PUT-LONG(SecurityParmsPtr,StrLength + 1) = 0. /*CSPPasswordOffset (MQLONG), 4-byte*/
ASSIGN StrLength = StrLength + 4.
PUT-LONG(SecurityParmsPtr,StrLength + 1) = 20. /*CSPPasswordLength (MQLONG), 4-byte*/
..
/*initialize MQCNO structure - Connect options*/
ASSIGN CharString = "CNO "
       StrLength = LENGTH(CharString). /*StrucId (MQCHAR4), 4-byte: MQCNO_STRUC_ID*/
PUT-STRING(ConnectOpts,1) = CharString.
PUT-LONG(ConnectOpts,StrLength + 1) = 3. /*Version (MQLONG), 4-byte: MQCNO_VERSION_3*/
ASSIGN StrLength = StrLength + 4.
PUT-LONG(ConnectOpts,StrLength + 1) = 0. /*Options (MQLONG), 4-byte: MQCNO_NONE*/
ASSIGN StrLength = StrLength + 4.
PUT-LONG(ConnectOpts,StrLength + 1) = 0. /*ClientConnOffset (MQLONG), 4-byte*/
ASSIGN StrLength = StrLength + 4.
PUT-LONG(ConnectOpts,StrLength + 1) = GET-POINTER-VALUE(ClientConnPtr). /*ClientConnPtr (MQPTR), 1200-byte*/
ASSIGN StrLength = StrLength + 4
       CharString = "".
PUT-STRING(ConnectOpts,StrLength + 1) = CharString. /*ConnTag (MQBYTE128), 128-byte: MQCT_NONE*/
ASSIGN StrLength = StrLength + 128.
PUT-LONG(ConnectOpts,StrLength + 1) = GET-POINTER-VALUE(SSLConfigPtr). /*SSLConfigPtr (MQPTR), 4-byte*/
ASSIGN StrLength = StrLength + 4.
PUT-LONG(ConnectOpts,StrLength + 1) = 0. /*SSLConfigOffset (MQLONG), 4-byte*/
ASSIGN StrLength = StrLength + 4
       ConnectionId = GET-STRING(ConnectOpts,StrLength + 1, 24).
ASSIGN StrLength = StrLength + 24. /*output field ConnectionId (MQBYTE24)*/
PUT-LONG(ConnectOpts,StrLength + 1) = 0. /*SecurityParmsOffset (MQLONG), 4-byte*/
ASSIGN StrLength = StrLength + 4.
PUT-LONG(ConnectOpts,StrLength + 1) = GET-POINTER-VALUE(SecurityParmsPtr). /*SecurityParmsPtr (MQPTR), 4-byte*/
/*Connect to certain queue manager with connect options*/
RUN MQCONNX (QMgrName,
             INPUT-OUTPUT ConnectOpts,
             OUTPUT Hconn,
             OUTPUT CompCode,
             OUTPUT Reason).
|
Shytiy.Andrew |
Posted: Fri Oct 23, 2015 3:50 am Post subject: |
|
|
Novice
Joined: 19 Oct 2015 Posts: 13
|
And again, I asked the administrator whether altusr is allowed. He said that it is not allowed. Can I get 2035 error because of this? |
|
Vitor |
Posted: Fri Oct 23, 2015 4:13 am Post subject: |
|
|
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
|
Shytiy.Andrew wrote: |
Can I get 2035 error because of this? |
Yes. You're trying to perform an operation which the administrator has not given you permission to do. Most administrators (including me) do not grant altuser because:
Vitor wrote: |
I'm still not clear on why you're trying to use the MQCONNX rather than having the administrator set the MCAUser on the SVRCONN.
I'm also not clear on why the administrator hasn't insisted you do that.
|
This is a much more common (and from the administrator's view, much better) way of controlling access. _________________ Honesty is the best policy.
Insanity is the best defence. |
|
Shytiy.Andrew |
Posted: Fri Oct 23, 2015 4:28 am Post subject: |
|
|
Novice
Joined: 19 Oct 2015 Posts: 13
|
Vitor, I am a newbie to MQ and I apologize in advance for my persistence. Could you explain in simple words what you mean by "having the administrator set the MCAUser on the SVRCONN"?
Do I understand correctly that the administrator must create a group in which to add list of users (logins) that connected to MQ manager?
If so, the administrator said that the staff of information security will not allow to do so. I'm confused. The Administrator proposes to me to write the MQ adapter. I do not really imagine what I must do. |
|
Vitor |
Posted: Fri Oct 23, 2015 4:44 am Post subject: |
|
|
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
|
Shytiy.Andrew wrote: |
Do I understand correctly that the administrator must create a group in which to add list of users (logins) that connected to MQ manager? |
No. I'm proposing that the administrator set the id for the application to use via the attribute of the channel I mentioned, rather than have you set it via the application in the header.
Shytiy.Andrew wrote: |
If so, the administrator said that the staff of information security will not allow to do so. |
There's no need for further IS changes. You already seem to have a valid id in place - the one you're trying to set.
Shytiy.Andrew wrote: |
The Administrator proposes to me to write the MQ adapter. |
Perhaps he intends you to write a common adapter to package the MQI for other users. I certainly don't think I (or anyone here) can comment with authority on what your MQ administrator has in mind.
Shytiy.Andrew wrote: |
I do not really imagine what I must do. |
Well I'd go back to your administrator and tell him you're getting 2035 errors because you don't have all the permissions you need. When he tells you that you can't have altusr (because it's a serious security risk) ask him how you are expected to achieve the required ends. And why he doesn't want to use MCAUser (or a channel authority record). _________________ Honesty is the best policy.
Insanity is the best defence. |
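
What setting the MCAUser on the SVRCONN, or using a channel authority record instead, looks like on the administrator's side, as an added MQSC example that is not part of the thread. The channel name, queue manager and user id come from the first post; the address 192.0.2.10, the queue APP.QUEUE and the workstation user are placeholders.

```mqsc
* Added example, run by the MQ administrator in runmqsc on UNIQM.
* Names other than the channel and the user id are placeholders.

* The grant the thread advises against, shown commented out for
* contrast only: it lets the connecting id act as other users.
* SET AUTHREC OBJTYPE(QMGR) PRINCIPAL('<workstation-user>') AUTHADD(ALTUSR)

* 1. Fix the identity on the server side of the channel. Every
*    connection over this SVRCONN is authorised as extmqusr,
*    whatever id the client presents.
ALTER CHANNEL('EXTMQUSER.SVRCONN.CH') CHLTYPE(SVRCONN) +
      MCAUSER('extmqusr')

* 2. Or map the id with channel authority records, which also limit
*    where the channel may be used from. Needs CHLAUTH(ENABLED) on
*    the queue manager. 192.0.2.10 is a placeholder address.
SET CHLAUTH('EXTMQUSER.SVRCONN.CH') TYPE(ADDRESSMAP) ADDRESS('*') +
    USERSRC(NOACCESS) ACTION(ADD)
SET CHLAUTH('EXTMQUSER.SVRCONN.CH') TYPE(ADDRESSMAP) +
    ADDRESS('192.0.2.10') USERSRC(MAP) MCAUSER('extmqusr') ACTION(ADD)

* 3. Give extmqusr only what the application needs.
*    APP.QUEUE is a placeholder queue name.
SET AUTHREC OBJTYPE(QMGR) PRINCIPAL('extmqusr') AUTHADD(CONNECT,INQ)
SET AUTHREC PROFILE('APP.QUEUE') OBJTYPE(QUEUE) +
    PRINCIPAL('extmqusr') AUTHADD(PUT,GET,INQ)

* 4. Check the result.
DISPLAY CHANNEL('EXTMQUSER.SVRCONN.CH') MCAUSER
DISPLAY CHLAUTH('EXTMQUSER.SVRCONN.CH') ALL
DISPLAY AUTHREC PRINCIPAL('extmqusr')
```

With either step 1 or step 2 in place the client connects with a plain MQCONN and needs no altusr authority.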
|
fjb_saper |
Posted: Fri Oct 23, 2015 4:51 am Post subject: |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
Vitor wrote: |
Well I'd go back to your administrator and tell him you're getting 2035 errors because you don't have all the permissions you need. When he tells you that you can't have altusr (because it's a serious security risk) ask him how you are expected to achieve the required ends. And why he doesn't want to use MCAUser (or a channel authority record). |
And if the queue manager is at MQ8 level there is a way to set the MCAuser to the user presented in the MQCSP structure but it is set at the qmgr level.
 _________________ MQ & Broker admin |
|
mqjeff |
Posted: Fri Oct 23, 2015 5:08 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008 Posts: 17447
|
fjb_saper wrote: |
Vitor wrote: |
Well I'd go back to your administrator and tell him you're getting 2035 errors because you don't have all the permissions you need. When he tells you that you can't have altusr (because it's a serious security risk) ask him how you are expected to achieve the required ends. And why he doesn't want to use MCAUser (or a channel authority record). |
And if the queue manager is at MQ8 level there is a way to set the MCAuser to the user presented in the MQCSP structure but it is set at the qmgr level.
 |
There's a way to simply authorize the user and password in the MQCSP. But op has stated the qmgr is at 7.5. _________________ chmod -R ugo-wx / |
|
Shytiy.Andrew |
Posted: Fri Oct 23, 2015 5:29 am Post subject: |
|
|
Novice
Joined: 19 Oct 2015 Posts: 13
|
Vitor, thank you. I got it. |
|
Shytiy.Andrew |
Posted: Fri Oct 23, 2015 5:43 am Post subject: |
|
|
Novice
Joined: 19 Oct 2015 Posts: 13
|
mqjeff wrote: |
There's a way to simply authorize the user and password in the MQCSP. But op has stated the qmgr is at 7.5. |
I pass UserId (CSPUserIdPtr) in the SecurityParmsPtr (MQCSP). I assign empty string values to the fields: UserIdentifier, MCAUserIdentifier, RemoteUserIdentifier in the ClientConnPtr (MQCD structure). Maybe I have misunderstood something? |
|
mqjeff |
Posted: Fri Oct 23, 2015 5:51 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008 Posts: 17447
|
You can only do user authentication in v8.
It seems that setting the UserIdPtr in the csp may be trying to use an altuser instead of the regular user. That might be normal behavior in v7.5.
Try the other user fields. I doubt the mcauser will work, since you're setting the clntconn side. But it might. _________________ chmod -R ugo-wx / |
|
Vitor |
Posted: Fri Oct 23, 2015 5:55 am Post subject: |
|
|
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
|
mqjeff wrote: |
You can only do user authentication in v8.
It seems that setting the UserIdPtr in the csp may be trying to use an altuser instead of the regular user. That might be normal behavior in v7.5. |
 _________________ Honesty is the best policy.
Insanity is the best defence. |
|
Vitor |
Posted: Fri Oct 23, 2015 5:57 am Post subject: |
|
|
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
|
Shytiy.Andrew wrote: |
mqjeff wrote: |
There's a way to simply authorize the user and password in the MQCSP. But op has stated the qmgr is at 7.5. |
I pass UserId (CSPUserIdPtr) in the SecurityParmsPtr (MQCSP). I assign empty string values to the fields: UserIdentifier, MCAUserIdentifier, RemoteUserIdentifier in the ClientConnPtr (MQCD structure). Maybe I have misunderstood something? |
I think the key issue with your code is that you're one version too early for it to work.
While you're speaking to your administrator, see what the plan is for upgrading to v8, which will solve many of your issues. _________________ Honesty is the best policy.
Insanity is the best defence. |
|
Shytiy.Andrew |
Posted: Tue Oct 27, 2015 1:31 am Post subject: |
|
|
Novice
Joined: 19 Oct 2015 Posts: 13
|
I tried to use the fields UserIdentifier, MCAUserIdentifier and RemoteUserIdentifier, but unsuccessfully - error 2035.
Despite the fact that I could not connect to the queue manager programmatically (mqconnx), I can do this by running the program as the required user (mqconn + system environment variable MQSERVER). Launching the program under the desired user, I can put a message in a queue, get a message from the queue, close the queue and disconnect from the queue manager.
Thanks for your help! |
|