MQSeries.net

MQ71 Login Id not Correctly Shown Up on MQ Server
EricL
Posted: Wed Sep 13, 2017 11:04 am    Post subject: MQ71 Login Id not Correctly Shown Up on MQ Server

Apprentice

Joined: 10 Oct 2014
Posts: 42

Hi,

I got confused about the Login Id from MO71.
When logging in to MO71, I used the id name "mqm", as mqm is granted all access to all objects, but strangely I cannot browse objects, and get the message below:

====
AMQ8077: Entity 'user1' has insufficient authority to access object
'ABCDEF'.

EXPLANATION:
The specified entity is not authorized to access the required object. The
following requested permissions are unauthorized: browse
ACTION:
Ensure that the correct level of authority has been set for this entity against
the required object, or ensure that the entity is a member of a privileged
group.
=====

As I said, when logging in to MO71, user "mqm" was actually used, so why was 'user1' shown in the error log, leading to the objects not being shown?

Thanks...

Vitor
Posted: Wed Sep 13, 2017 11:16 am    Post subject: Re: MQ71 Login Id not Correctly Shown Up on MQ Server

Grand High Poobah

Joined: 11 Nov 2005
Posts: 24452
Location: Ohio, USA

EricL wrote:
As I said, when logging in to MO71, user "mqm" was actually used, so why was 'user1' shown in the error log, leading to the objects not being shown?


MCAUser set on the channel?

Channel authority record with a mapping?
_________________
Honesty is the best policy.
Insanity is the best defence.

EricL
Posted: Wed Sep 13, 2017 1:39 pm

Apprentice

Joined: 10 Oct 2014
Posts: 42

Channel's MCA User ID is empty.

Strangely, I just tried logging in through a different channel, where MCA is empty as well, and I got the same thing, e.g. logged in as 'mqm' to MO71, but the MO71 UI showed "User1 is not authorized" to access objects.... Qmgr errors showed I logged in as 'user1'; no idea when the user id got converted.....

PaulClarke
Posted: Wed Sep 13, 2017 2:14 pm

Sentinel

Joined: 17 Nov 2005
Posts: 848
Location: New Zealand

What do you mean by 'login as 'mqm' to MO71' ? You don't login to MO71. You just run the program and MQ will pick up the 'normal' authorities based on the running user. Are you actually logged on to your Windows/Linux box under user 'mqm' ?

Cheers,
Paul.

ps. I believe you have a typo in the title of this post.
_________________
Paul Clarke
MQGem Software
www.mqgem.com

Vitor
Posted: Thu Sep 14, 2017 5:08 am

Grand High Poobah

Joined: 11 Nov 2005
Posts: 24452
Location: Ohio, USA

EricL wrote:
Channel's MCA User ID is empty.

Strangely, I just tried logging in through a different channel, where MCA is empty as well, and I got the same thing, e.g. logged in as 'mqm' to MO71, but the MO71 UI showed "User1 is not authorized" to access objects.... Qmgr errors showed I logged in as 'user1'; no idea when the user id got converted.....


Then I stand by my second suggestion, as channel authority records can be applied to multiple or indeed all channels.
_________________
Honesty is the best policy.
Insanity is the best defence.

EricL
Posted: Thu Sep 14, 2017 5:29 am

Apprentice

Joined: 10 Oct 2014
Posts: 42

1. MO71 login id:

When you right-click any Qmgr/Location in MO71 and choose "Open Location", you see the "Location Settings" window, where you'll find a "Userid" check box which is not checked by default; if you check that box, it will prompt for username/password when you open the location next time....

2. Channel's definition and authorization setting:

Channel authority records


AMQ8878: Display channel authentication record details.
CHLAUTH(AAAAA.SVRCONN) TYPE(BLOCKUSER)
DESCR( ) CUSTOM( )
USERLIST(nobody) WARN(NO)

AMQ8414: Display Channel details.
CHANNEL(AAAAA.SVRCONN) CHLTYPE(SVRCONN)
CERTLABL( ) COMPHDR(NONE)
COMPMSG(NONE) DESCR( )
DISCINT(0) HBINT(300)
KAINT(AUTO) MAXINST(999999999)
MAXINSTC(999999999) MAXMSGL(4194304)
MCAUSER( ) MONCHL(QMGR)
RCVDATA( ) RCVEXIT( )
SCYDATA( ) SCYEXIT( )
SENDDATA( ) SENDEXIT( )
SHARECNV(10) SSLCAUTH(REQUIRED)
SSLCIPH( ) SSLPEER( )
TRPTYPE(TCP)

Vitor
Posted: Thu Sep 14, 2017 5:42 am

Grand High Poobah

Joined: 11 Nov 2005
Posts: 24452
Location: Ohio, USA

EricL wrote:
2. Channel's definition and authorization setting:

Channel authority records


AMQ8878: Display channel authentication record details.
CHLAUTH(AAAAA.SVRCONN) TYPE(BLOCKUSER)
DESCR( ) CUSTOM( )
USERLIST(nobody) WARN(NO)

AMQ8414: Display Channel details.
CHANNEL(AAAAA.SVRCONN) CHLTYPE(SVRCONN)
CERTLABL( ) COMPHDR(NONE)
COMPMSG(NONE) DESCR( )
DISCINT(0) HBINT(300)
KAINT(AUTO) MAXINST(999999999)
MAXINSTC(999999999) MAXMSGL(4194304)
MCAUSER( ) MONCHL(QMGR)
RCVDATA( ) RCVEXIT( )
SCYDATA( ) SCYEXIT( )
SENDDATA( ) SENDEXIT( )
SHARECNV(10) SSLCAUTH(REQUIRED)
SSLCIPH( ) SSLPEER( )
TRPTYPE(TCP)


And that's the only channel authority record which could possibly be applied to that channel?
_________________
Honesty is the best policy.
Insanity is the best defence.

EricL
Posted: Thu Sep 14, 2017 7:22 am

Apprentice

Joined: 10 Oct 2014
Posts: 42

More info here:

1. MCA user id is empty
2. Default Security Settings:

AMQ8878: Display channel authentication record details.
CHLAUTH(SYSTEM.ADMIN.SVRCONN) TYPE(ADDRESSMAP)
DESCR(Default rule to allow MQ Explorer access)
CUSTOM( ) ADDRESS(*)
USERSRC(CHANNEL) CHCKCLNT(ASQMGR)
AMQ8878: Display channel authentication record details.
CHLAUTH(SYSTEM.*) TYPE(ADDRESSMAP)
DESCR(Default rule to disable all SYSTEM channels)
CUSTOM( ) ADDRESS(*)
USERSRC(NOACCESS) WARN(NO)
AMQ8878: Display channel authentication record details.
CHLAUTH(*) TYPE(BLOCKUSER)
DESCR( ) CUSTOM( )
USERLIST(*MQADMIN) WARN(NO)

PaulClarke
Posted: Thu Sep 14, 2017 9:22 am

Sentinel

Joined: 17 Nov 2005
Posts: 848
Location: New Zealand

Ok, so by "login to MO71" what you really mean is "login to your Queue Manager". You are passing in a Userid and Password to your Queue Manager.

I think my first question would be what are your CONNAUTH settings? What are the results of.....

DIS QMGR CONNAUTH

and

DIS AUTHINFO(<what ever you got back from previous command>)

Cheers,

Paul.
_________________
Paul Clarke
MQGem Software
www.mqgem.com

EricL
Posted: Fri Sep 15, 2017 12:28 pm

Apprentice

Joined: 10 Oct 2014
Posts: 42

Now I understand you.

I log in to my laptop (Windows) with my domain user id 'user1', then try to connect to the Qmgr through MO71 with id 'mqm'.

1. DIS QMGR CONNAUTH:

CONNAUTH(SYSTEM.DEFAULT.AUTHINFO.IDPWOS)

2. DIS AUTHINFO(SYSTEM.DEFAULT.AUTHINFO.IDPWOS)


AMQ8566: Display authentication information details.
AUTHINFO(SYSTEM.DEFAULT.AUTHINFO.IDPWOS)
AUTHTYPE(IDPWOS) ADOPTCTX(YES)
DESCR( ) CHCKCLNT(OPTIONAL)
CHCKLOCL(OPTIONAL) FAILDLAY(1)


Thanks....

fjb_saper
Posted: Fri Sep 15, 2017 12:51 pm

Grand Poobah

Joined: 18 Nov 2003
Posts: 19246
Location: LI,NY

EricL wrote:
Now I understand you.

I log in to my laptop (Windows) with my domain user id 'user1', then try to connect to the Qmgr through MO71 with id 'mqm'.

Code:
1. DIS QMGR CONNAUTH:

CONNAUTH(SYSTEM.DEFAULT.AUTHINFO.IDPWOS)

2. DIS AUTHINFO(SYSTEM.DEFAULT.AUTHINFO.IDPWOS)


AMQ8566: Display authentication information details.
   AUTHINFO(SYSTEM.DEFAULT.AUTHINFO.IDPWOS)
   AUTHTYPE(IDPWOS)                        ADOPTCTX(YES)
   DESCR( )                                CHCKCLNT(OPTIONAL)
   CHCKLOCL(OPTIONAL)                      FAILDLAY(1)



Thanks....

So you have ADOPTCTX(YES).
If you are not on 9.0.0.1 and above and have not set the relevant channel stanza, your userid will be that under which your program is running, hence user1.
Working as designed.
As user1 is probably not in the mqm group, you would need to map it to a user in the mqm group. However, then you would most probably run afoul of a user rule that would say chckclnt(reqadmin) or something like it (best practice).

My advice: authorize a specific group with the same permissions as mqm, map user1 to a user in that group and see if it will work for you....

Have fun
_________________
MQ & Broker admin

hughson
Posted: Fri Sep 15, 2017 2:51 pm

Shaman

Joined: 09 May 2013
Posts: 726
Location: Bay of Plenty, New Zealand

In order to use a user and password in a 'C' application (like MO71) to assert a privileged user as your MCA User on a SVRCONN, you must do the following.
  • Define a SVRCONN with a blank MCAUSER - DONE
  • Override CHLAUTH's ban on privileged users on your SVRCONN - DONE
  • Have CONNAUTH set up with ADOPTCTX(YES) - DONE
  • Remember to REFRESH SECURITY TYPE(CONNAUTH) if you made a change since the last queue manager restart.
  • Supply the user id and password using an MQCSP structure - in MO71 this means providing it in the location dialog and ensuring the check box "Security exit only" is NOT checked
Can you confirm you did the refresh command, and also confirm you don't have that check box checked please?

I have tested the above on Windows on V8 GA FP2/3/4 and V9.0.0 GA and V9.0.1 - works on all. You don't say what version/platform you are using, might help to know.

I see in your definitions that CHCKCLNT is set to OPTIONAL. This means we can't tell whether the password is definitely being checked, because it is allowed not to be sent. Two ways you could test this:-
  • Change to CHCKCLNT(REQUIRED) - and remember REFRESH, OR
  • Send a bad password, should be rejected
Can you try one of these and report back the result?

Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
MQGem Software
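
The checklist in the post above can be run mechanically over runmqsc DISPLAY output. The Python below is an added example, not part of the thread or of any MQ tooling: the function names, the sample text (constructed from the records quoted in this thread) and the rule that the CHLAUTH profile with the most literal characters is the most specific are assumptions of the example.

```python
import fnmatch
import re

# Constructed sample, modelled on the DISPLAY output posted in this thread.
SAMPLE = """\
AMQ8878: Display channel authentication record details.
   CHLAUTH(AAAAA.SVRCONN) TYPE(BLOCKUSER) USERLIST(nobody)
AMQ8878: Display channel authentication record details.
   CHLAUTH(*) TYPE(BLOCKUSER) USERLIST(*MQADMIN)
AMQ8414: Display Channel details.
   CHANNEL(AAAAA.SVRCONN) CHLTYPE(SVRCONN) MCAUSER( )
AMQ8566: Display authentication information details.
   AUTHINFO(SYSTEM.DEFAULT.AUTHINFO.IDPWOS) AUTHTYPE(IDPWOS)
   ADOPTCTX(YES) CHCKCLNT(OPTIONAL)
"""

def parse_mqsc(text):
    """Split DISPLAY output into one dict of ATTR -> value per AMQnnnn header."""
    records = []
    for line in text.splitlines():
        if re.match(r"AMQ\d{4}", line):
            records.append({})
        elif records:
            for key, val in re.findall(r"(\w+)\(([^)]*)\)", line):
                records[-1][key] = val.strip()
    return records

def audit(text, channel):
    """Check one SVRCONN against the checklist; return unmet items as strings."""
    recs = parse_mqsc(text)
    chan = next(r for r in recs if r.get("CHANNEL") == channel)
    auth = next(r for r in recs if "AUTHINFO" in r)
    blocks = [r for r in recs if r.get("TYPE") == "BLOCKUSER"
              and fnmatch.fnmatchcase(channel, r["CHLAUTH"])]
    # Assumption: the profile with the most literal characters is the most specific.
    rule = max(blocks, key=lambda r: len(r["CHLAUTH"].replace("*", "")), default=None)
    findings = []
    if chan.get("MCAUSER"):
        findings.append("MCAUSER is not blank")
    if rule and "*MQADMIN" in rule.get("USERLIST", "").upper():
        findings.append("BLOCKUSER(*MQADMIN) via CHLAUTH(%s)" % rule["CHLAUTH"])
    if auth.get("ADOPTCTX") != "YES":
        findings.append("ADOPTCTX is not YES")
    if auth.get("CHCKCLNT") in ("OPTIONAL", "NONE"):
        findings.append("CHCKCLNT(%s): password not required" % auth["CHCKCLNT"])
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE, "AAAAA.SVRCONN"))
```

On the sample, the only finding is CHCKCLNT(OPTIONAL), which matches the post's point that the password check cannot be confirmed until CHCKCLNT(REQUIRED) is set or a bad password is tried.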