nrameshmq |
Posted: Fri Oct 13, 2017 1:52 am Post subject: Application getting 2035 not authorized |
|
|
Apprentice
Joined: 09 Aug 2017 Posts: 35 Location: India, Mumbai
|
Hi,
We installed MQ 8.0.0.7 on AIX7.1 Power HA. The application is getting 2035 when trying to connect to the MQ server. I have created a user and provided the required permissions on the user. When I am trying to display channel authentication records it is showing disabled.
DISPLAY CHLAUTH('TEST') MATCH(RUNCHECK) ADDRESS(10.59.120.61) CLNTUSER('finadm')
2 : DISPLAY CHLAUTH('TEST') MATCH(RUNCHECK) ADDRESS(10.59.120.61) CLNTUSER('finadm')
AMQ8898: Display channel authentication record details - currently disabled.
CHLAUTH(TEST) TYPE(USERMAP)
ADDRESS(*) CLNTUSER(finadm)
USERSRC(CHANNEL)
These are the error logs:
10/13/17 13:50:21 - Process(15532148.10912) User(mqm) Program(amqrmppa)
Host(TESTQM) Installation(Installation1)
VRMF(8.0.0.7) QMgr(TESTQM)
AMQ9776: Channel was blocked by userid
EXPLANATION:
The inbound channel 'TEST' was blocked from address '10.59.120.61'
because the active values of the channel were mapped to a userid which should
be blocked. The active values of the channel were 'MCAUSER(mqm) CLNTUSER()'.
ACTION:
Contact the systems administrator, who should examine the channel
authentication records to ensure that the correct settings have been
configured. The ALTER QMGR CHLAUTH switch is used to control whether channel
authentication records are used. The command DISPLAY CHLAUTH can be used to
query the channel authentication records.
----- cmqxrmsa.c : 1566 -------------------------------------------------------
10/13/17 13:50:23 - Process(15532148.10914) User(mqm) Program(amqrmppa)
Host(TESTQM) Installation(Installation1)
VRMF(8.0.0.7) QMgr(TESTQM)
AMQ9776: Channel was blocked by userid
EXPLANATION:
The inbound channel 'TEST' was blocked from address '10.59.120.61'
because the active values of the channel were mapped to a userid which should
be blocked. The active values of the channel were 'MCAUSER(mqm) CLNTUSER()'.
ACTION:
Contact the systems administrator, who should examine the channel
authentication records to ensure that the correct settings have been
configured. The ALTER QMGR CHLAUTH switch is used to control whether channel
authentication records are used. The command DISPLAY CHLAUTH can be used to
query the channel authentication records.
How to enable? Please help me. _________________ Ramesh
------------- |
Vitor |
Posted: Fri Oct 13, 2017 5:03 am Post subject: Re: Application getting 2035 not authorized |
|
|
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
|
nrameshmq wrote: |
how to enable |
Don't do this:
nrameshmq wrote: |
The active values of the channel were 'MCAUSER(mqm) |
No channel should ever have a user of mqm (even in versions earlier than v , and client admin access is blocked by a backstop rule. _________________ Honesty is the best policy.
Insanity is the best defence. |
nrameshmq |
Posted: Sat Oct 14, 2017 2:55 am Post subject: |
|
|
Apprentice
Joined: 09 Aug 2017 Posts: 35 Location: India, Mumbai
|
Hi
I am experiencing 2035 when the application is trying to connect to the MQ Server.
I have provided the permissions below.
dis qmgr chlauth
1 : dis qmgr chlauth
AMQ8408: Display Queue Manager details.
QMNAME(QM_UAT) CHLAUTH(ENABLED)
dis authinfo(SYSTEM.DEFAULT.AUTHINFO.IDPWOS)
4 : dis authinfo(SYSTEM.DEFAULT.AUTHINFO.IDPWOS)
AMQ8566: Display authentication information details.
AUTHINFO(SYSTEM.DEFAULT.AUTHINFO.IDPWOS)
AUTHTYPE(IDPWOS) ADOPTCTX(NO)
DESCR( ) CHCKCLNT(OPTIONAL)
CHCKLOCL(OPTIONAL) FAILDLAY(1)
ALTDATE(2017-09-12) ALTTIME(14.32.00)
dis chlauth(*) all
1 : dis chlauth(*) all
AMQ8878: Display channel authentication record details.
CHLAUTH(CH_SVRCONN) TYPE(USERMAP)
DESCR( ) CUSTOM( )
ADDRESS(*) CLNTUSER(finadm)
USERSRC(CHANNEL) CHCKCLNT(ASQMGR)
ALTDATE(2017-10-13) ALTTIME(13.56.23)
dspmqaut -m QM_UAT -t qmgr -p finadm
Entity finadm has the following authorizations for object QM_SBIUAT:
inq
connect
dsp
setid
setall
I have a user called finadm on the MQ side and it is not in the mqm group. The rest of the applications are connecting with the same permissions.
Please help me find what I am missing. _________________ Ramesh
------------- |
bruce2359 |
Posted: Sat Oct 14, 2017 5:25 am Post subject: |
|
|
 Poobah
Joined: 05 Jan 2008 Posts: 9469 Location: US: west coast, almost. Otherwise, enroute.
|
nrameshmq wrote: |
Please help me where i am missing. |
Is this the same 2035 from Oct 13? Or is this Oct 14th post a new 2035 after you have made some changes?
Please post the error message written to the error log that details the nature (cause) of the 2035 r/c. _________________ I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live. |
nrameshmq |
Posted: Sat Oct 14, 2017 9:18 pm Post subject: |
|
|
Apprentice
Joined: 09 Aug 2017 Posts: 35 Location: India, Mumbai
|
Hi bruce,
Previously there was no channel authentication for the finadm user. Still I am getting the same errors. The rest of the users are working fine; only the "finadm" user is getting the 2035 error.
These are recorded in the error logs:
10/15/17 10:44:14 - Process(15532148.239297) User(mqm) Program(amqrmppa)
Host(MQA) Installation(Installation1)
VRMF(8.0.0.7) QMgr(QM_UAT)
AMQ9776: Channel was blocked by userid
EXPLANATION:
The inbound channel 'CH_SVRCONN' was blocked from address '10.66.121.61'
because the active values of the channel were mapped to a userid which should
be blocked. The active values of the channel were 'MCAUSER(mqm) CLNTUSER()'.
ACTION:
Contact the systems administrator, who should examine the channel
authentication records to ensure that the correct settings have been
configured. The ALTER QMGR CHLAUTH switch is used to control whether channel
authentication records are used. The command DISPLAY CHLAUTH can be used to
query the channel authentication records.
----- cmqxrmsa.c : 1566 ------------------------------------------------------- _________________ Ramesh
------------- |
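Added example, not part of any post in this thread: a small parser that pulls the channel, source address and effective MCAUSER out of AMQ9776 entries like the ones quoted above, so repeated blocks can be counted per channel and address. The function names and the sample log are constructed for illustration, and `ADMIN_IDS` is an assumption taken from the mqm line of /etc/group posted later in the thread.

```python
import re
from collections import Counter

# Constructed sample, laid out like the AMQ9776 entries quoted in the thread.
SAMPLE_LOG = """\
10/15/17 10:44:14 - Process(15532148.239297) User(mqm) Program(amqrmppa)
                    VRMF(8.0.0.7) QMgr(QM_UAT)
AMQ9776: Channel was blocked by userid
EXPLANATION:
The inbound channel 'CH_SVRCONN' was blocked from address '10.66.121.61'
because the active values of the channel were mapped to a userid which should
be blocked. The active values of the channel were 'MCAUSER(mqm) CLNTUSER()'.
----- cmqxrmsa.c : 1566 -----
10/15/17 10:44:16 - Process(15532148.239299) User(mqm) Program(amqrmppa)
AMQ9776: Channel was blocked by userid
The inbound channel 'CH_SVRCONN' was blocked from address '10.66.121.61'
because the active values of the channel were mapped to a userid which should
be blocked. The active values of the channel were 'MCAUSER(mqm) CLNTUSER()'.
"""

# Assumption: administrative ids on this host, from the mqm line of /etc/group.
ADMIN_IDS = {"mqm", "raadmin"}
# Each entry starts with a timestamp header; split in front of it.
HEADER = re.compile(r"(?m)^(?=\d{2}/\d{2}/\d{2,4} \d{2}:\d{2}:\d{2} - Process\()")
BLOCKED = re.compile(r"inbound channel '([^']*)' was blocked from address '([^']*)'")
ACTIVE = re.compile(r"MCAUSER\(([^)]*)\) CLNTUSER\(([^)]*)\)")

def parse_blocked(log_text):
    """Return one dict per AMQ9776 entry found in the error log text."""
    events = []
    for chunk in HEADER.split(log_text):
        if "AMQ9776" not in chunk:
            continue
        flat = " ".join(chunk.split())  # explanation text wraps across lines
        blocked, active = BLOCKED.search(flat), ACTIVE.search(flat)
        if not (blocked and active):
            continue  # truncated entry: skip rather than guess
        events.append({
            "time": flat[:17],
            "channel": blocked.group(1), "address": blocked.group(2),
            "mcauser": active.group(1), "clntuser": active.group(2),
            "admin_id": active.group(1) in ADMIN_IDS,
        })
    return events

def summarize(events):
    """Count blocks per (channel, address, effective MCAUSER)."""
    return Counter((e["channel"], e["address"], e["mcauser"]) for e in events)

print(summarize(parse_blocked(SAMPLE_LOG)))
```

An entry with `admin_id` true and an empty `clntuser` is the pattern in this thread: the connection ended up running under an administrative MCAUSER and was stopped by the BLOCKUSER rule.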
fjb_saper |
Posted: Sun Oct 15, 2017 4:47 am Post subject: |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
nrameshmq wrote: |
Hi
I am experiencing 2035 when the application is trying to connect to the MQ Server.
I have provided the permissions below.
dis qmgr chlauth
1 : dis qmgr chlauth
AMQ8408: Display Queue Manager details.
QMNAME(QM_UAT) CHLAUTH(ENABLED)
dis authinfo(SYSTEM.DEFAULT.AUTHINFO.IDPWOS)
4 : dis authinfo(SYSTEM.DEFAULT.AUTHINFO.IDPWOS)
AMQ8566: Display authentication information details.
AUTHINFO(SYSTEM.DEFAULT.AUTHINFO.IDPWOS)
AUTHTYPE(IDPWOS) ADOPTCTX(NO)
DESCR( ) CHCKCLNT(OPTIONAL)
CHCKLOCL(OPTIONAL) FAILDLAY(1)
ALTDATE(2017-09-12) ALTTIME(14.32.00)
dis chlauth(*) all
1 : dis chlauth(*) all
AMQ8878: Display channel authentication record details.
CHLAUTH(CH_SVRCONN) TYPE(USERMAP)
DESCR( ) CUSTOM( )
ADDRESS(*) CLNTUSER(finadm)
USERSRC(CHANNEL) CHCKCLNT(ASQMGR)
ALTDATE(2017-10-13) ALTTIME(13.56.23)
dspmqaut -m QM_UAT -t qmgr -p finadm
Entity finadm has the following authorizations for object QM_SBIUAT:
inq
connect
dsp
setid
setall
I have a user called finadm on the MQ side and it is not in the mqm group. The rest of the applications are connecting with the same permissions.
Please help me find what I am missing. |
Well you do have set connauth to optional, as you are providing an id you better provide the matching password. Else set chckclnt on connauth to none...
But seriously, what are you trying to do? Chlauth will stop the enduser from being mqm... See how to fix that in the links portrayed here
Have fun  _________________ MQ & Broker admin |
nrameshmq |
Posted: Mon Oct 16, 2017 3:46 am Post subject: |
|
|
Apprentice
Joined: 09 Aug 2017 Posts: 35 Location: India, Mumbai
|
Hi fjb_saper,
If connauth is set to optional, a password is not mandatory for users. The rest of the users are connecting on the same channel without a password. Only the user named finadm is getting this error.
Do I need to check anything on the client side? _________________ Ramesh
------------- |
mqjeff |
Posted: Mon Oct 16, 2017 3:56 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008 Posts: 17447
|
You don't need to check anything client side.
Your CHLAUTH USERMAP rule says that every user coming into this channel - after it's passed all of the previous rules - will be treated as finadm.
So you need to look on the serverside for rules that apply to finadm - start, as mentioned, with making sure that finadm is not in the mqm group. _________________ chmod -R ugo-wx / |
nrameshmq |
Posted: Mon Oct 16, 2017 4:00 am Post subject: |
|
|
Apprentice
Joined: 09 Aug 2017 Posts: 35 Location: India, Mumbai
|
Dear mqjeff,
This is the output of group:
cat /etc/group
mqm:!:15:mqm,raadmin
As observed, finadm is not in the mqm group. _________________ Ramesh
------------- |
mqjeff |
Posted: Mon Oct 16, 2017 4:10 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008 Posts: 17447
|
Ok.
Then you need to find whatever other chlauth rules might be blocking this user.
And also see if it makes a difference to disable chlauth, rather than make it optional. _________________ chmod -R ugo-wx / |
nrameshmq |
Posted: Mon Oct 16, 2017 4:27 am Post subject: |
|
|
Apprentice
Joined: 09 Aug 2017 Posts: 35 Location: India, Mumbai
|
When chlauth is disabled it connects without any issues. If it is enabled we get 2035.
DIS CHLAUTH(*) ALL
6 : DIS CHLAUTH(*) ALL
AMQ8878: Display channel authentication record details.
CHLAUTH(CH_SVRCONN) TYPE(USERMAP)
DESCR( ) CUSTOM( )
ADDRESS(*) CLNTUSER(4362047)
USERSRC(CHANNEL) CHCKCLNT(ASQMGR)
ALTDATE(2017-09-12) ALTTIME(14.32.00)
AMQ8878: Display channel authentication record details.
CHLAUTH(CH_SVRCONN) TYPE(USERMAP)
DESCR( ) CUSTOM( )
ADDRESS(*) CLNTUSER(4362802)
USERSRC(CHANNEL) CHCKCLNT(ASQMGR)
ALTDATE(2017-09-12) ALTTIME(14.32.00)
AMQ8878: Display channel authentication record details.
CHLAUTH(CH_SVRCONN) TYPE(USERMAP)
DESCR( ) CUSTOM( )
ADDRESS(*) CLNTUSER(4362896)
USERSRC(CHANNEL) CHCKCLNT(ASQMGR)
ALTDATE(2017-09-12) ALTTIME(14.32.00)
AMQ8878: Display channel authentication record details.
CHLAUTH(CH_SVRCONN) TYPE(USERMAP)
DESCR( ) CUSTOM( )
ADDRESS(*) CLNTUSER(WASADMIN)
USERSRC(CHANNEL) CHCKCLNT(ASQMGR)
ALTDATE(2017-09-12) ALTTIME(14.32.00)
AMQ8878: Display channel authentication record details.
CHLAUTH(CH_SVRCONN) TYPE(USERMAP)
DESCR( ) CUSTOM( )
ADDRESS(*) CLNTUSER(finadm)
USERSRC(CHANNEL) CHCKCLNT(ASQMGR)
ALTDATE(2017-10-13) ALTTIME(13.56.23)
AMQ8878: Display channel authentication record details.
CHLAUTH(CH_SVRCONN) TYPE(USERMAP)
DESCR( ) CUSTOM( )
ADDRESS(*) CLNTUSER(wasadmin)
USERSRC(CHANNEL) CHCKCLNT(ASQMGR)
ALTDATE(2017-10-13) ALTTIME(12.34.1
AMQ8878: Display channel authentication record details.
CHLAUTH(CH_SVRCONN) TYPE(ADDRESSMAP)
DESCR( ) CUSTOM( )
ADDRESS(*) USERSRC(CHANNEL)
CHCKCLNT(ASQMGR) ALTDATE(2017-09-12)
ALTTIME(14.32.00)
AMQ8878: Display channel authentication record details.
CHLAUTH(SYSTEM.ADMIN.SVRCONN) TYPE(ADDRESSMAP)
DESCR( ) CUSTOM( )
ADDRESS(*) USERSRC(NOACCESS)
WARN(NO) ALTDATE(2017-09-12)
ALTTIME(14.32.00)
AMQ8878: Display channel authentication record details.
CHLAUTH(SYSTEM.*) TYPE(ADDRESSMAP)
DESCR(Default rule to disable all SYSTEM channels)
CUSTOM( ) ADDRESS(*)
USERSRC(NOACCESS) WARN(NO)
ALTDATE(2017-09-12) ALTTIME(14.32.00)
AMQ8878: Display channel authentication record details.
CHLAUTH(*) TYPE(BLOCKUSER)
DESCR(Default rule to disallow privileged users)
CUSTOM( ) USERLIST(*.MQADMIN)
WARN(NO) ALTDATE(2017-10-16)
ALTTIME(17.42.12)
These are the complete channel authentication records. _________________ Ramesh
------------- |
fjb_saper |
Posted: Mon Oct 16, 2017 4:42 am Post subject: |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
But does the finadmin group have any rights to the qmgr or the objects (queues, topics, etc ...)?
What permissions (if any) did you set using either setmqaut (os scripting) or set authrec (mqsc scripting)?
Have fun  _________________ MQ & Broker admin |
nrameshmq |
Posted: Mon Oct 16, 2017 5:06 am Post subject: |
|
|
Apprentice
Joined: 09 Aug 2017 Posts: 35 Location: India, Mumbai
|
We have provided the following permissions.
dspmqaut -m QM_UAT -t qmgr -p finadm
Entity finadm has the following authorizations for object QM_UAT :
inq
connect
dsp
setid
setall
dspmqaut -m QM_UAT -n CH_SBIUAT_SVRCONN -t chl -p finadm
Entity finadm has the following authorizations for object CH_SBIUAT_SVRCONN:
crt
dlt
chg
dsp
ctrl
ctrlx
dspmqaut -m QM_UAT -n LS_SBIUAT -t listener -p finadm
Entity finadm has the following authorizations for object LS_SBIUAT:
crt
dlt
chg
dsp
ctrl
dspmqaut -m QM_UAT -n SBOIGB_SWIFTCONN_OUT -t q -p finadm
Entity finadm has the following authorizations for object SBOIGB_SWIFTCONN_OUT:
get
browse
put
inq
set
crt
dlt
chg
dsp
passid
passall
setid
setall
clr
AMQ8864: Display authority record details.
PROFILE(**) ENTITY(staff)
ENTTYPE(GROUP) OBJTYPE(QUEUE)
AUTHLIST(BROWSE,CHG,CLR,DLT,DSP,GET,INQ,PUT,PASSALL,PASSID,SET,SETALL,SETID)
AMQ8864: Display authority record details.
PROFILE(**) ENTITY(staff)
ENTTYPE(GROUP) OBJTYPE(CHANNEL)
AUTHLIST(CHG,DLT,DSP,CTRL,CTRLX)
AMQ8864: Display authority record details.
PROFILE(**) ENTITY(staff)
ENTTYPE(GROUP) OBJTYPE(LISTENER)
AUTHLIST(CHG,DLT,DSP,CTRL)
Above, staff is a group and finadm is a member of the group staff. _________________ Ramesh
------------- |
fjb_saper |
Posted: Mon Oct 16, 2017 8:27 am Post subject: |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
So you noticed that one of the downsides in Unix is that when granting permission to the user you're in fact granting permission to its primary group.
Not something that is desirable when this group is staff.
You might want to issue a refresh security type(all) against the queue manager.
Have fun  _________________ MQ & Broker admin |
nrameshmq |
Posted: Mon Oct 16, 2017 9:16 pm Post subject: |
|
|
Apprentice
Joined: 09 Aug 2017 Posts: 35 Location: India, Mumbai
|
Thank you all, guys.
The issue is now resolved after executing the commands:
REFRESH SECURITY TYPE(CONNAUTH)
REFRESH SECURITY TYPE(AUTHSERV)
AND
REFRESH SECURITY(*)
Thanks for your help _________________ Ramesh
------------- |