EricL |
Posted: Tue Feb 14, 2017 1:29 pm Post subject: Same CHLAUTH Settings Got Diff Response from 2 Qmgrs |
|
|
Centurion
Joined: 10 Oct 2014 Posts: 102
|
Hi there,
I've been stuck with an issue for several days... I have 2 Qmgrs set up with exactly the same CHLAUTH settings. When I make a connection test from a client application, it connects to the 1st Qmgr perfectly but can't connect to the 2nd one, and I get these error messages:
AMQ9557: Queue Manager User ID initialization failed for 'system'.
EXPLANATION:
The call to initialize the User ID 'system' failed with CompCode 2 and Reason
2035.
ACTION: Correct the error and try again.
After double checking, it is confirmed that the CHLAUTH settings are the same on both Qmgrs. I'm really not sure what happened; any suggestion is welcome!
Thanks...
bruce2359 |
Posted: Tue Feb 14, 2017 6:46 pm Post subject: Re: Same CHLAUTH Settings Got Diff Response from 2 Qmgrs |
|
|
 Poobah
Joined: 05 Jan 2008 Posts: 9469 Location: US: west coast, almost. Otherwise, enroute.
|
EricL wrote: |
I have 2 Qmgrs set up with exactly the same CHLAUTH settings ... |
Are the two o/s's the same? Are the versions of MQ the same? Same fixpack level? Same security domain?
Any additional information you care to provide? _________________ I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live. |
exerk |
Posted: Wed Feb 15, 2017 12:09 am Post subject: Re: Same CHLAUTH Settings Got Diff Response from 2 Qmgrs |
|
|
 Jedi Council
Joined: 02 Nov 2006 Posts: 6339
|
EricL wrote: |
AMQ9557: Queue Manager User ID initialization failed for 'system'. |
And the userid 'system' is definitely defined on the server with the failing connection? _________________ It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
EricL |
Posted: Wed Feb 15, 2017 3:45 pm Post subject: |
|
|
Centurion
Joined: 10 Oct 2014 Posts: 102
|
Thanks for your quick response.
Yes, both qmgrs are set up on the same version of AIX boxes with the same version of MQ installed...
The connection channel is "ONLINE.SECURE.MQADMIN", and the relevant rule records are:
AMQ8878: Display channel authentication record details.
CHLAUTH(ONLINE.SECURE.MQADMIN) TYPE(ADDRESSMAP)
DESCR( ) CUSTOM( )
ADDRESS(110.221.170.165) MCAUSER(mqm)
USERSRC(MAP) CHCKCLNT(ASQMGR)
AMQ8878: Display channel authentication record details.
CHLAUTH(ONLINE.SECURE.MQADMIN) TYPE(BLOCKUSER)
DESCR( ) CUSTOM( )
USERLIST(SYSTEM) WARN(NO)
AMQ8878: Display channel authentication record details.
CHLAUTH(SYSTEM.*) TYPE(ADDRESSMAP)
DESCR(Default rule to disable all SYSTEM channels)
CUSTOM( ) ADDRESS(*)
USERSRC(NOACCESS) WARN(NO)
AMQ8878: Display channel authentication record details.
CHLAUTH(*) TYPE(BLOCKUSER)
DESCR(Default rule to disallow privileged users)
CUSTOM( ) USERLIST(*MQADMIN)
WARN(NO)
The settings of the rule records are exactly the same on both Qmgrs....
The way the client application works is: each user logs in to the client application with his/her id, and the client application connects to the qmgr with id 'system' because the client application is installed and set up with 'system'.....
The trickiest part of the story is that users can ONLY connect to one qmgr, but NOT the other, though the settings are the same and the OS and MQ versions are the same.....
fjb_saper |
Posted: Wed Feb 15, 2017 11:58 pm Post subject: |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
Is the user 'system' (different from SYSTEM) defined on both servers and do they have the same uid? _________________ MQ & Broker admin |
smdavies99 |
Posted: Thu Feb 16, 2017 12:24 am Post subject: |
|
|
 Jedi Council
Joined: 10 Feb 2003 Posts: 6076 Location: Somewhere over the Rainbow this side of Never-never land.
|
fjb_saper wrote: |
Is the user 'system' (different from SYSTEM) defined on both servers and do they have the same uid? |
On Unix/Linux you can make that happen. On Windows? Fat chance.
If you are using the user 'system' and your OS is Windows then stop right now. This username has special meanings that are reserved for MS use only.
It can (and we are seeing that here perhaps) lead to all sorts of problems.
Why use a username like System? Do you not think that anyone trying to hack your system will not try the Windows internal accounts first?
IMHO, this ranks up there with using usernames for bog standard users that contain MQ, MQSI, WMB, IIB, WAS, DB2 etc.
Don't do it.
And many places won't let you use those names in a domain for very good security reasons. _________________ WMQ User since 1999
MQSI/WBI/WMB/'Thingy' User since 2002
Linux user since 1995
Every time you reinvent the wheel the more square it gets (anon). If in doubt think and investigate before you ask silly questions. |
mqjeff |
Posted: Thu Feb 16, 2017 4:57 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008 Posts: 17447
|
You can get the same user on two Windows boxes to have the same UUID...
If you're using Active Directory. _________________ chmod -R ugo-wx / |
smdavies99 |
Posted: Thu Feb 16, 2017 5:27 am Post subject: |
|
|
 Jedi Council
Joined: 10 Feb 2003 Posts: 6076 Location: Somewhere over the Rainbow this side of Never-never land.
|
mqjeff wrote: |
You can get the same user on two Windows boxes to have the same UUID...
If you're using Active Directory. |
Should have mentioned that. It was early in the day, well that's my excuse. _________________ WMQ User since 1999
MQSI/WBI/WMB/'Thingy' User since 2002
Linux user since 1995
Every time you reinvent the wheel the more square it gets (anon). If in doubt think and investigate before you ask silly questions. |
EricL |
Posted: Tue Feb 21, 2017 5:36 pm Post subject: |
|
|
Centurion
Joined: 10 Oct 2014 Posts: 102
|
Thanks everyone.
As said, 'system' is a client id from the Windows box to the qmgr (on the AIX box); 'system' is NOT created on both AIX boxes.
A lot of info pointed out that 'system' is a special account on Windows. I'm not sure why the client application was set up using this special id, and the app has been running there for several years....
Going to scratch my head again.....
exerk |
Posted: Wed Feb 22, 2017 12:18 am Post subject: |
|
|
 Jedi Council
Joined: 02 Nov 2006 Posts: 6339
|
EricL wrote: |
...not sure why the client application was set up using this special id, and the app has been running there for several years... |
Been there, got that t-shirt. Generally it's because the applications people either don't know, or find/say it's too complicated to set up under an identifiable user, or that to do so would give that user too much privilege. _________________ It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
EricL |
Posted: Tue Mar 14, 2017 11:29 am Post subject: |
|
|
Centurion
Joined: 10 Oct 2014 Posts: 102
|
Hi there,
Just FYI, the issue has been solved by granting permissions on queue 'SYSTEM.MQEXPLORER.REPLY.MODEL' for a specific user:
setmqaut -m QM-Name -t q -n SYSTEM.MQEXPLORER.REPLY.MODEL -p whateverId +all
After this, everything is fine, though I don't understand it 100%.....
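
The fix above was an object authority record (setmqaut), not a CHLAUTH rule, which is why two queue managers with identical CHLAUTH records can still return 2035 differently. As an added example (not code from the thread), the Python below diffs the authority records of two queue managers to find such a gap. It assumes input in the stanza layout printed by dmpmqaut; the principal 'appuser' and the sample records are constructed.

```python
import re
# Constructed sample text modelled on dmpmqaut stanza output. The principal
# 'appuser' and every authority listed are made up for illustration.
QM1_DUMP = """\
profile:     SYSTEM.MQEXPLORER.REPLY.MODEL
object type: queue
entity:      appuser
entity type: principal
authority:   get inq dsp

profile:     SYSTEM.ADMIN.COMMAND.QUEUE
object type: queue
entity:      appuser
entity type: principal
authority:   put inq
"""
# Second queue manager: same command-queue record (comma-separated this time),
# but no record at all for the reply model queue.
QM2_DUMP = """\
profile:     SYSTEM.ADMIN.COMMAND.QUEUE
object type: queue
entity:      appuser
entity type: principal
authority:   inq, put
"""

def parse_authrecs(text):
    """Map (profile, object type, entity, entity type) -> set of authorities."""
    records = {}
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields = {k.strip().lower(): v.strip() for k, _, v in
                  (line.partition(":") for line in stanza.splitlines())}
        if "profile" in fields:
            ident = tuple(fields.get(k, "") for k in
                          ("profile", "object type", "entity", "entity type"))
            records[ident] = frozenset(
                a.lower() for a in re.split(r"[,\s]+", fields.get("authority", "")) if a)
    return records

def diff_authrecs(left, right):
    """Return [(record id, only-in-left, only-in-right)] for records that differ."""
    diffs = []
    for ident in sorted(set(left) | set(right)):
        a, b = left.get(ident, frozenset()), right.get(ident, frozenset())
        if a != b:
            diffs.append((ident, sorted(a - b), sorted(b - a)))
    return diffs

if __name__ == "__main__":
    print(diff_authrecs(parse_authrecs(QM1_DUMP), parse_authrecs(QM2_DUMP)))
```

On real systems the two inputs would be captured with `dmpmqaut -m <qmgr>` on each queue manager; a record present on only one side is the first thing to check against AMQ9557/2035.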