AMQ9557: Unable to connect to MQ from C# client w/ UserId
mfiorel1
Posted: Fri Aug 18, 2017 11:27 am

Newbie

Joined: 18 Aug 2017
Posts: 7

Developing a C# MQ Connection tester app for a customer that has MQ version 8.0.0.6 on a Linux machine. They want a UserId to be passed from the client to the server for authentication. Below is my c# code:

// Host, channel and transport (fully managed .NET client)
Hashtable hConnectionProperties = new Hashtable();
hConnectionProperties.Add(MQC.HOST_NAME_PROPERTY, strHostName);
hConnectionProperties.Add(MQC.CHANNEL_PROPERTY, strChannelName);
hConnectionProperties.Add(MQC.TRANSPORT_PROPERTY, MQC.TRANSPORT_MQSERIES_MANAGED);

// Send the user ID and password in an MQCSP block
hConnectionProperties.Add(MQC.USE_MQCSP_AUTHENTICATION_PROPERTY, true);
hConnectionProperties.Add(MQC.USER_ID_PROPERTY, strUserName);
hConnectionProperties.Add(MQC.PASSWORD_PROPERTY, strPassword);

// Port
hConnectionProperties.Add(MQC.PORT_PROPERTY, iPort);

// Attempt the connection
MQQueueManager mqm = null;
try
{
    mqm = new MQQueueManager(strQueueManager, hConnectionProperties);
}
catch (MQException mqe)
{
    // log to console
}


The server returns the below error:

08/18/2017 01:42:52 PM - Process(42492.121) User(mqm) Program(amqrmppa)
Host(vl860rtp2) Installation(Installation1)
VRMF(8.0.0.6) QMgr(CMSR6)

AMQ9557: Queue Manager User ID initialization failed for 'sa233812'.

EXPLANATION:
The call to initialize the User ID 'sa233812' failed with CompCode 2 and Reason
2035. If an MQCSP block was used, the User ID in the MQCSP block was 'fidsadm'.
ACTION:
Correct the error and try again.


The customer is certain this is on the client end. How can I be passing the UserId incorrectly with the above code? Has anyone coded a C# application that connects to MQ with credentials?
exerk
Posted: Fri Aug 18, 2017 11:39 am

Jedi Council

Joined: 02 Nov 2006
Posts: 5750

What does the application logging show, assuming there is any? Is there an MCAUSER value in the channel? Is there a CHLAUTH rule mapping one user to another?

And why not use something like (Java example):

Code:
URL qCCDT = new URL("file:///" + ccdtFile);
MQEnvironment.ccdtUrlProperty = qCCDT;

To abstract the connection details.

Nor do I see any SSL/TLS related entries, or is that to be a later edition?
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.

mfiorel1
Posted: Fri Aug 18, 2017 11:55 am

Newbie

Joined: 18 Aug 2017
Posts: 7

There is logging code but I stripped it from the post for brevity. The user gets MQ code 2035.

We have requested the customer provide us the IBM commands they used to set up authentication, including AUTHINFO object, CHLAUTH records, and MCA user. Nothing yet, but I have also been unable to set these up in my environment.

There is code to connect through SSL but I am currently only trying to connect properly with credentials.
Vitor
Posted: Fri Aug 18, 2017 12:13 pm

Grand High Poobah

Joined: 11 Nov 2005
Posts: 24614
Location: Ohio, USA

mfiorel1 wrote:
There is logging code but I stripped it from the post for brevity. The user gets MQ code 2035.

We have requested the customer provide us the IBM commands they used to set up authentication, including AUTHINFO object, CHLAUTH records, and MCA user. Nothing yet, but I have also been unable to set these up in my environment.


You're on the right track. Your code's good, the queue manager doesn't like your user.
_________________
Honesty is the best policy.
Insanity is the best defence.
mfiorel1
Posted: Fri Aug 18, 2017 12:48 pm

Newbie

Joined: 18 Aug 2017
Posts: 7

Thanks! If you see my error log in the original post, the first userID indicated is the UserId running the client application. Why is the log indicating the queue is initializing with that user? It should be the second (passed via the userID property)
hughson
Posted: Sat Aug 19, 2017 8:21 pm

Shaman

Joined: 09 May 2013
Posts: 728
Location: Bay of Plenty, New Zealand

What value have you set the ADOPTCTX attribute of your CONNAUTH object to? The default is ADOPTCTX(NO) which means that after authenticating your user id and password, it will proceed to ignore it for authorisation.

If you want to adopt the authenticated user id for authorisation as well, you must have ADOPTCTX(YES) as your setting.

Cheers
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
MQGem Software
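A triage helper for the AMQ9557 entry discussed in this thread, as an added example that is not part of any poster's message: it extracts the user ID the queue manager tried to initialise and the user ID from the MQCSP block, and reports whether they differ. The function name `triage`, the verdict labels, and the treatment of an empty quoted ID as "no MQCSP user" are assumptions of this example.

```python
import re

# Log entry copied from the first post in this thread.
SAMPLE = """\
08/18/2017 01:42:52 PM - Process(42492.121) User(mqm) Program(amqrmppa)
Host(vl860rtp2) Installation(Installation1)
VRMF(8.0.0.6) QMgr(CMSR6)

AMQ9557: Queue Manager User ID initialization failed for 'sa233812'.

EXPLANATION:
The call to initialize the User ID 'sa233812' failed with CompCode 2 and Reason
2035. If an MQCSP block was used, the User ID in the MQCSP block was 'fidsadm'.
ACTION:
Correct the error and try again.
"""

# \s+ between words tolerates the line wrapping inside the message text.
AMQ9557 = re.compile(
    r"QMgr\((?P<qmgr>[^)]+)\)\s+"
    r"AMQ9557:.*?failed\s+for\s+'(?P<init_user>[^']*)'"
    r".*?Reason\s+(?P<reason>\d+)"
    r".*?MQCSP\s+block\s+was\s+'(?P<csp_user>[^']*)'",
    re.DOTALL,
)

def triage(log_text):
    """Return one finding per AMQ9557 entry found in error-log text."""
    findings = []
    for m in AMQ9557.finditer(log_text):
        init_user = m["init_user"].strip()
        csp_user = m["csp_user"].strip()
        if not csp_user:
            verdict = "mqcsp-missing"   # assumption: empty ID means no MQCSP user
        elif csp_user != init_user:
            # The ID used differs from the MQCSP ID. Per the thread, check
            # ADOPTCTX on the CONNAUTH object, MCAUSER and CHLAUTH mappings.
            verdict = "mqcsp-differs"
        else:
            verdict = "mqcsp-matches"   # the MQCSP ID itself hit the failure
        findings.append({"qmgr": m["qmgr"], "reason": int(m["reason"]),
                         "init_user": init_user, "mqcsp_user": csp_user,
                         "verdict": verdict})
    return findings

if __name__ == "__main__":
    # The second entry is a constructed variant where both IDs are the same.
    for f in triage(SAMPLE + SAMPLE.replace("'sa233812'", "'fidsadm'")):
        print(f)
```

Reason 2035 is MQRC_NOT_AUTHORIZED; a "mqcsp-differs" verdict on that reason is the situation the original poster's log shows.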
JosephGramig
Posted: Mon Aug 21, 2017 7:55 am

Grand Master

Joined: 09 Feb 2006
Posts: 1180
Location: Derby City, USA

If you are going to use X.509 certificates (please don't say SSL), then you should map some part of the DN to a user ID via a CHLAUTH rule. User ID/password stuff is not as secure IMHO.

I will argue that if you are not using X.509 certificates with a meaningful cipher, then you are not secure. I've been doing this for a long time and I see very few Qmgrs secured by anything other than a firewall (as if).
mfiorel1
Posted: Mon Aug 21, 2017 9:01 am

Newbie

Joined: 18 Aug 2017
Posts: 7

Below is the Java code they are using with a successful connection. I can't tell any difference from my code aside from the transport type. I see no equivalent for the property they are passing in.

JAVA: Successful
Code:
targetClient = Integer.parseInt(
        FcmUtils.initializeAttribute(
                mqContext, "TargetClient", Integer.toString(JMSC.MQJMS_CLIENT_NONJMS_MQ)));

// Queue manager, transport, host, port and channel
factory.setQueueManager(FcmUtils.initializeRequiredAttribute(mqContext, "QueueMgrName"));
factory.setTransportType(JMSC.MQJMS_TP_CLIENT_MQ_TCPIP);
factory.setHostName(FcmUtils.initializeRequiredAttribute(mqContext, "QueueHostName"));
factory.setPort(Integer.parseInt(FcmUtils.initializeRequiredAttribute(mqContext, "QueuePort")));
factory.setChannel(FcmUtils.initializeRequiredAttribute(mqContext, "QueueChannelName"));

factory.setSSLFipsRequired(false);

// Credentials passed on the connection
queueManagerUser = FcmUtils.initializeRequiredAttribute(mqContext, "UserName");
queueManagerPassword = FcmUtils.initializeAttribute(mqContext, "Password", queueManagerPassword);

// Note: this statement writes the password to the log in clear text.
cat.info("Username  : " + queueManagerUser + " password : " + queueManagerPassword);

connection = (MQQueueConnection) factory.createQueueConnection(queueManagerUser, queueManagerPassword);


.NET: Fail

Code:
Hashtable hConnectionProperties = new Hashtable();
hConnectionProperties.Add(MQC.HOST_NAME_PROPERTY, strHostName);
hConnectionProperties.Add(MQC.CHANNEL_PROPERTY, strChannelName);

// Transport
hConnectionProperties.Add(MQC.TRANSPORT_PROPERTY, MQC.TRANSPORT_MQSERIES_MANAGED);

// Auth
hConnectionProperties.Add(MQC.USE_MQCSP_AUTHENTICATION_PROPERTY, true);
hConnectionProperties.Add(MQC.USER_ID_PROPERTY, strUserName);
hConnectionProperties.Add(MQC.PASSWORD_PROPERTY, strPassword);

// Port
hConnectionProperties.Add(MQC.PORT_PROPERTY, iPort);

// Attempt Connection
MQQueueManager mqm = null;
try
{
    mqm = new MQQueueManager(strQueueManager, hConnectionProperties);
}
catch (MQException mqe)
{
    // Log to console
}


What are the differences from this java code to my .NET that is resulting in a failing connection from the .NET client?
JosephGramig
Posted: Mon Aug 21, 2017 9:41 am

Grand Master

Joined: 09 Feb 2006
Posts: 1180
Location: Derby City, USA

I'm sure Morag gave you the answer above. I would have to guess that Java defaults the other way. I've always noticed that in Java if you specify an ID in the connection, it always uses that ID for authentication. That is the #1 reason to never allow the ID being passed to be the ID used for authentication (because mqm is the favorite ID to use). Also the reason CHLAUTH and CONNAUTH were added.

Unless my memory fails me (and it probably does), OS/2 had an environment variable you could set to pass a user ID. What a blast from the past...
mfiorel1
Posted: Mon Aug 21, 2017 11:10 am

Newbie

Joined: 18 Aug 2017
Posts: 7

Thank you Joseph. Again, I am not in control of the MQ setup (CONNAUTH, CHLAUTH, etc) nor am I (at the moment) aware of these details as they're not being provided. I can deduce most of them given they are setting up User authorization.

If what you and Morag are saying is correct, how does the result differ between the Java and .NET client? Since I'm using a .NET client and the ADOPTCTX attribute of the CONNAUTH object is N, the UserId I'm passing is being ignored for authorization? Regardless of ADOPTCTX Java userid is used for authentication and authorization?
JosephGramig
Posted: Mon Aug 21, 2017 11:47 am

Grand Master

Joined: 09 Feb 2006
Posts: 1180
Location: Derby City, USA

The MQ Client works differently for Java than compiled programs. The MQ Client will always pass the ID running the process to the MQ Server for the MQI channel.

Java will pass the ID given in the connection (if one is given). I think this is a JVM thing.

I think I read somewhere that you could write an MQ Client security exit to set that ID to whatever you want (another excellent hacking technique).

Writing MQ exits is best left to product experts and is not meant for application programmers.

I'm sure Morag or others will correct anything I've said that is wrong.
hughson
Posted: Mon Aug 21, 2017 3:02 pm

Shaman

Joined: 09 May 2013
Posts: 728
Location: Bay of Plenty, New Zealand

mfiorel1 wrote:
How does the result differ between the Java and .NET client? Since I'm using a .NET client and the ADOPTCTX attribute of the CONNAUTH object is N, the UserId I'm passing is being ignored for authorization? Regardless of ADOPTCTX Java userid is used for authentication and authorization?

The default for Java is to run in compatibility mode which means it continues to work as it did pre-V8 in case anyone was relying upon it. To make Java run the same way as other languages, i.e. to use MQCSP explicitly and thus show the same behaviour as you are seeing for .NET ('C' Client), see this page:-

Connection authentication with the Java client

Also, you may find this blog post informative:-

Using User ID and Password with a 'C' Application

if you bear in mind that MQ Explorer is a Java Client, and (unless you are using fully managed .NET) .NET uses the 'C' Client.

Cheers
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
MQGem Software