Application getting 2035 not authorized
nrameshmq
Posted: Fri Oct 13, 2017 1:52 am    Post subject: Application getting 2035 not authorized

Apprentice

Joined: 09 Aug 2017
Posts: 35
Location: India, Mumbai

Hi,

We installed MQ 8.0.0.7 on AIX 7.1 PowerHA. The application is getting 2035 when trying to connect to the MQ server. I have created a user and provided the required permissions to the user. When I try to display the channel authentication records, it shows them as disabled.

DISPLAY CHLAUTH('TEST') MATCH(RUNCHECK) ADDRESS(10.59.120.61) CLNTUSER('finadm')
2 : DISPLAY CHLAUTH('TEST') MATCH(RUNCHECK) ADDRESS(10.59.120.61) CLNTUSER('finadm')
AMQ8898: Display channel authentication record details - currently disabled.
CHLAUTH(TEST) TYPE(USERMAP)
ADDRESS(*) CLNTUSER(finadm)
USERSRC(CHANNEL)



These are the error logs:

10/13/17 13:50:21 - Process(15532148.10912) User(mqm) Program(amqrmppa)
Host(TESTQM) Installation(Installation1)
VRMF(8.0.0.7) QMgr(TESTQM)

AMQ9776: Channel was blocked by userid

EXPLANATION:
The inbound channel 'TEST' was blocked from address '10.59.120.61'
because the active values of the channel were mapped to a userid which should
be blocked. The active values of the channel were 'MCAUSER(mqm) CLNTUSER()'.
ACTION:
Contact the systems administrator, who should examine the channel
authentication records to ensure that the correct settings have been
configured. The ALTER QMGR CHLAUTH switch is used to control whether channel
authentication records are used. The command DISPLAY CHLAUTH can be used to
query the channel authentication records.
----- cmqxrmsa.c : 1566 -------------------------------------------------------
10/13/17 13:50:23 - Process(15532148.10914) User(mqm) Program(amqrmppa)
Host(TESTQM) Installation(Installation1)
VRMF(8.0.0.7) QMgr(TESTQM)

AMQ9776: Channel was blocked by userid

EXPLANATION:
The inbound channel 'TEST' was blocked from address '10.59.120.61'
because the active values of the channel were mapped to a userid which should
be blocked. The active values of the channel were 'MCAUSER(mqm) CLNTUSER()'.
ACTION:
Contact the systems administrator, who should examine the channel
authentication records to ensure that the correct settings have been
configured. The ALTER QMGR CHLAUTH switch is used to control whether channel
authentication records are used. The command DISPLAY CHLAUTH can be used to
query the channel authentication records.



How do I enable it? Please help me.
_________________
Ramesh
-------------
Vitor
Posted: Fri Oct 13, 2017 5:03 am    Post subject: Re: Application getting 2035 not authorized

Grand High Poobah

Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA

nrameshmq wrote:
how to enable


Don't do this:

nrameshmq wrote:
The active values of the channel were 'MCAUSER(mqm)


No channel should ever have a user of mqm (even in versions earlier than v, and client admin access is blocked by a backstop rule.
_________________
Honesty is the best policy.
Insanity is the best defence.
nrameshmq
Posted: Sat Oct 14, 2017 2:55 am

Apprentice

Joined: 09 Aug 2017
Posts: 35
Location: India, Mumbai

Hi

I am experiencing 2035 when the application tries to connect to the MQ server.

I have provided the permissions below.

dis qmgr chlauth
1 : dis qmgr chlauth
AMQ8408: Display Queue Manager details.
QMNAME(QM_UAT) CHLAUTH(ENABLED)


dis authinfo(SYSTEM.DEFAULT.AUTHINFO.IDPWOS)
4 : dis authinfo(SYSTEM.DEFAULT.AUTHINFO.IDPWOS)
AMQ8566: Display authentication information details.
AUTHINFO(SYSTEM.DEFAULT.AUTHINFO.IDPWOS)
AUTHTYPE(IDPWOS) ADOPTCTX(NO)
DESCR( ) CHCKCLNT(OPTIONAL)
CHCKLOCL(OPTIONAL) FAILDLAY(1)
ALTDATE(2017-09-12) ALTTIME(14.32.00)


dis chlauth(*) all
1 : dis chlauth(*) all
AMQ8878: Display channel authentication record details.
CHLAUTH(CH_SVRCONN) TYPE(USERMAP)
DESCR( ) CUSTOM( )
ADDRESS(*) CLNTUSER(finadm)
USERSRC(CHANNEL) CHCKCLNT(ASQMGR)
ALTDATE(2017-10-13) ALTTIME(13.56.23)

dspmqaut -m QM_UAT -t qmgr -p finadm
Entity finadm has the following authorizations for object QM_SBIUAT:
inq
connect
dsp
setid
setall

I have a user called finadm on the MQ side and it is not in the mqm group. All the other applications are connecting with the same permissions.

Please help me see what I am missing.
_________________
Ramesh
-------------
bruce2359
Posted: Sat Oct 14, 2017 5:25 am

Poobah

Joined: 05 Jan 2008
Posts: 9394
Location: US: west coast, almost. Otherwise, enroute.

nrameshmq wrote:


Please help me where i am missing.

Is this the same 2035 from Oct 13? Or is this Oct 14th post a new 2035 after you have made some changes?

Please post the error message written to the error log that details the nature (cause) of the 2035 r/c.
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
nrameshmq
Posted: Sat Oct 14, 2017 9:18 pm

Apprentice

Joined: 09 Aug 2017
Posts: 35
Location: India, Mumbai

Hi bruce,

Previously there was no channel authentication for the finadm user. I am still getting the same errors. All the other users are working fine; only the "finadm" user is getting the 2035 error.

These are recorded in the error logs:

10/15/17 10:44:14 - Process(15532148.239297) User(mqm) Program(amqrmppa)
Host(MQA) Installation(Installation1)
VRMF(8.0.0.7) QMgr(QM_UAT)

AMQ9776: Channel was blocked by userid

EXPLANATION:
The inbound channel 'CH_SVRCONN' was blocked from address '10.66.121.61'
because the active values of the channel were mapped to a userid which should
be blocked. The active values of the channel were 'MCAUSER(mqm) CLNTUSER()'.
ACTION:
Contact the systems administrator, who should examine the channel
authentication records to ensure that the correct settings have been
configured. The ALTER QMGR CHLAUTH switch is used to control whether channel
authentication records are used. The command DISPLAY CHLAUTH can be used to
query the channel authentication records.
----- cmqxrmsa.c : 1566 -------------------------------------------------------
_________________
Ramesh
-------------
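
The AMQ9776 entries posted in this thread can be triaged mechanically. The Python below is an added example (not part of any post here, and not IBM code): it parses error-log text in the layout shown above into one record per blocked connection and lists those whose effective MCAUSER is a privileged id. The function names, the `privileged` default of `mqm`, and the second sample entry (channel `APP.SVRCONN`, address `192.0.2.10`, user `appsvc`) are assumptions made for illustration.

```python
import re
from collections import Counter

SEPARATOR = re.compile(r"^-{5} .*-{5,}\s*$", re.M)  # "----- cmqxrmsa.c : 1566 ---"
STAMP = re.compile(r"(\d\d/\d\d/\d\d \d\d:\d\d:\d\d) - Process")
QMGR = re.compile(r"QMgr\(([^)]+)\)")
BLOCKED = re.compile(r"inbound channel '([^']+)' was blocked from address '([^']+)'")
ACTIVE = re.compile(r"MCAUSER\(([^)]*)\) CLNTUSER\(([^)]*)\)")

def first(rx, text):
    m = rx.search(text)
    return m.group(1) if m else None

def parse_amq9776(log_text):
    """Return one dict per AMQ9776 entry; wrapped lines are re-joined first."""
    records = []
    for entry in SEPARATOR.split(log_text):
        flat = " ".join(entry.split())      # undo the fixed-width line wrapping
        blocked, active = BLOCKED.search(flat), ACTIVE.search(flat)
        if "AMQ9776:" not in flat or not (blocked and active):
            continue                        # other message, or truncated entry
        records.append({
            "time": first(STAMP, flat), "qmgr": first(QMGR, flat),
            "channel": blocked.group(1), "address": blocked.group(2),
            "mcauser": active.group(1), "clntuser": active.group(2)})
    return records

def summarize(records, privileged=("mqm",)):   # privileged ids: an assumption
    counts = Counter((r["channel"], r["address"], r["mcauser"]) for r in records)
    hits = [r for r in records if r["mcauser"].lower() in privileged]
    return counts, hits

# Constructed sample: entry 1 reuses values posted above, entry 2 is invented.
SAMPLE = """\
10/15/17 10:44:14 - Process(15532148.239297) User(mqm) Program(amqrmppa)
VRMF(8.0.0.7) QMgr(QM_UAT)
AMQ9776: Channel was blocked by userid
The inbound channel 'CH_SVRCONN' was blocked from address '10.66.121.61'
because the active values of the channel were mapped to a userid which should
be blocked. The active values of the channel were 'MCAUSER(mqm) CLNTUSER()'.
----- cmqxrmsa.c : 1566 -------------------------------------------------------
10/15/17 10:45:02 - Process(1.2) User(mqm) Program(amqrmppa)
VRMF(8.0.0.7) QMgr(QM_UAT)
AMQ9776: Channel was blocked by userid
The inbound channel 'APP.SVRCONN' was blocked from
address '192.0.2.10' because the active values were 'MCAUSER(appsvc)
CLNTUSER(appsvc)'.
"""

print(summarize(parse_amq9776(SAMPLE))[1])   # records blocked as a privileged id
```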
fjb_saper
Posted: Sun Oct 15, 2017 4:47 am

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20696
Location: LI,NY

nrameshmq wrote:
Hi

I am experiencing 2035 when the application tries to connect to the MQ server.

I have provided the permissions below.

dis qmgr chlauth
1 : dis qmgr chlauth
AMQ8408: Display Queue Manager details.
QMNAME(QM_UAT) CHLAUTH(ENABLED)


dis authinfo(SYSTEM.DEFAULT.AUTHINFO.IDPWOS)
4 : dis authinfo(SYSTEM.DEFAULT.AUTHINFO.IDPWOS)
AMQ8566: Display authentication information details.
AUTHINFO(SYSTEM.DEFAULT.AUTHINFO.IDPWOS)
AUTHTYPE(IDPWOS) ADOPTCTX(NO)
DESCR( ) CHCKCLNT(OPTIONAL)
CHCKLOCL(OPTIONAL) FAILDLAY(1)
ALTDATE(2017-09-12) ALTTIME(14.32.00)


dis chlauth(*) all
1 : dis chlauth(*) all
AMQ8878: Display channel authentication record details.
CHLAUTH(CH_SVRCONN) TYPE(USERMAP)
DESCR( ) CUSTOM( )
ADDRESS(*) CLNTUSER(finadm)
USERSRC(CHANNEL) CHCKCLNT(ASQMGR)
ALTDATE(2017-10-13) ALTTIME(13.56.23)

dspmqaut -m QM_UAT -t qmgr -p finadm
Entity finadm has the following authorizations for object QM_SBIUAT:
inq
connect
dsp
setid
setall

I have a user called finadm on the MQ side and it is not in the mqm group. All the other applications are connecting with the same permissions.

Please help me see what I am missing.

Well, you do have connauth set to optional; as you are providing an id, you had better provide the matching password. Else set chckclnt on connauth to none...

But seriously, what are you trying to do? Chlauth will stop the end user from being mqm... See how to fix that in the links portrayed here

Have fun
_________________
MQ & Broker admin
nrameshmq
Posted: Mon Oct 16, 2017 3:46 am

Apprentice

Joined: 09 Aug 2017
Posts: 35
Location: India, Mumbai

Hi fjb_saper,

If connauth is set to optional, a password is not mandatory for users. The rest of the users are connecting on the same channel without a password. Only the user named finadm is getting this error.

Do I need to check anything on the client side?
_________________
Ramesh
-------------
mqjeff
Posted: Mon Oct 16, 2017 3:56 am

Grand Master

Joined: 25 Jun 2008
Posts: 17447

You don't need to check anything client side.

Your CHLAUTH USERMAP rule says that every user coming into this channel - after it's passed all of the previous rules - will be treated as finadm.

So you need to look on the server side for rules that apply to finadm - start, as mentioned, with making sure that finadm is not in the mqm group.
_________________
chmod -R ugo-wx /
nrameshmq
Posted: Mon Oct 16, 2017 4:00 am

Apprentice

Joined: 09 Aug 2017
Posts: 35
Location: India, Mumbai

Dear mqjeff,

This is the output for the group:

cat /etc/group
mqm:!:15:mqm,raadmin

As observed, finadm is not in the mqm group.
_________________
Ramesh
-------------
mqjeff
Posted: Mon Oct 16, 2017 4:10 am

Grand Master

Joined: 25 Jun 2008
Posts: 17447

Ok.

Then you need to find whatever other chlauth rules might be blocking this user.

And also see if it makes a difference to disable chlauth, rather than make it optional.
_________________
chmod -R ugo-wx /
nrameshmq
Posted: Mon Oct 16, 2017 4:27 am

Apprentice

Joined: 09 Aug 2017
Posts: 35
Location: India, Mumbai

When chlauth is disabled, it connects without any issues. If it is enabled, we get 2035.

DIS CHLAUTH(*) ALL
6 : DIS CHLAUTH(*) ALL
AMQ8878: Display channel authentication record details.
CHLAUTH(CH_SVRCONN) TYPE(USERMAP)
DESCR( ) CUSTOM( )
ADDRESS(*) CLNTUSER(4362047)
USERSRC(CHANNEL) CHCKCLNT(ASQMGR)
ALTDATE(2017-09-12) ALTTIME(14.32.00)
AMQ8878: Display channel authentication record details.
CHLAUTH(CH_SVRCONN) TYPE(USERMAP)
DESCR( ) CUSTOM( )
ADDRESS(*) CLNTUSER(4362802)
USERSRC(CHANNEL) CHCKCLNT(ASQMGR)
ALTDATE(2017-09-12) ALTTIME(14.32.00)
AMQ8878: Display channel authentication record details.
CHLAUTH(CH_SVRCONN) TYPE(USERMAP)
DESCR( ) CUSTOM( )
ADDRESS(*) CLNTUSER(4362896)
USERSRC(CHANNEL) CHCKCLNT(ASQMGR)
ALTDATE(2017-09-12) ALTTIME(14.32.00)
AMQ8878: Display channel authentication record details.
CHLAUTH(CH_SVRCONN) TYPE(USERMAP)
DESCR( ) CUSTOM( )
ADDRESS(*) CLNTUSER(WASADMIN)
USERSRC(CHANNEL) CHCKCLNT(ASQMGR)
ALTDATE(2017-09-12) ALTTIME(14.32.00)
AMQ8878: Display channel authentication record details.
CHLAUTH(CH_SVRCONN) TYPE(USERMAP)
DESCR( ) CUSTOM( )
ADDRESS(*) CLNTUSER(finadm)
USERSRC(CHANNEL) CHCKCLNT(ASQMGR)
ALTDATE(2017-10-13) ALTTIME(13.56.23)

AMQ8878: Display channel authentication record details.
CHLAUTH(CH_SVRCONN) TYPE(USERMAP)
DESCR( ) CUSTOM( )
ADDRESS(*) CLNTUSER(wasadmin)
USERSRC(CHANNEL) CHCKCLNT(ASQMGR)
ALTDATE(2017-10-13) ALTTIME(12.34.1
AMQ8878: Display channel authentication record details.
CHLAUTH(CH_SVRCONN) TYPE(ADDRESSMAP)
DESCR( ) CUSTOM( )
ADDRESS(*) USERSRC(CHANNEL)
CHCKCLNT(ASQMGR) ALTDATE(2017-09-12)
ALTTIME(14.32.00)
AMQ8878: Display channel authentication record details.
CHLAUTH(SYSTEM.ADMIN.SVRCONN) TYPE(ADDRESSMAP)
DESCR( ) CUSTOM( )
ADDRESS(*) USERSRC(NOACCESS)
WARN(NO) ALTDATE(2017-09-12)
ALTTIME(14.32.00)
AMQ8878: Display channel authentication record details.
CHLAUTH(SYSTEM.*) TYPE(ADDRESSMAP)
DESCR(Default rule to disable all SYSTEM channels)
CUSTOM( ) ADDRESS(*)
USERSRC(NOACCESS) WARN(NO)
ALTDATE(2017-09-12) ALTTIME(14.32.00)
AMQ8878: Display channel authentication record details.
CHLAUTH(*) TYPE(BLOCKUSER)
DESCR(Default rule to disallow privileged users)
CUSTOM( ) USERLIST(*.MQADMIN)
WARN(NO) ALTDATE(2017-10-16)
ALTTIME(17.42.12)



These are the complete channel authentication records.
_________________
Ramesh
-------------
fjb_saper
Posted: Mon Oct 16, 2017 4:42 am

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20696
Location: LI,NY

But does the finadmin group have any rights to the qmgr or the objects (queues, topics, etc ...)?

What permissions (if any) did you set using either setmqaut (os scripting) or set authrec (mqsc scripting)?

Have fun
_________________
MQ & Broker admin
nrameshmq
Posted: Mon Oct 16, 2017 5:06 am

Apprentice

Joined: 09 Aug 2017
Posts: 35
Location: India, Mumbai

We have provided the following permissions.

dspmqaut -m QM_UAT -t qmgr -p finadm
Entity finadm has the following authorizations for object QM_UAT :
inq
connect
dsp
setid
setall

dspmqaut -m QM_UAT -n CH_SBIUAT_SVRCONN -t chl -p finadm
Entity finadm has the following authorizations for object CH_SBIUAT_SVRCONN:
crt
dlt
chg
dsp
ctrl
ctrlx
dspmqaut -m QM_UAT -n LS_SBIUAT -t listener -p finadm
Entity finadm has the following authorizations for object LS_SBIUAT:
crt
dlt
chg
dsp
ctrl


dspmqaut -m QM_UAT -n SBOIGB_SWIFTCONN_OUT -t q -p finadm
Entity finadm has the following authorizations for object SBOIGB_SWIFTCONN_OUT:
get
browse
put
inq
set
crt
dlt
chg
dsp
passid
passall
setid
setall
clr


AMQ8864: Display authority record details.
PROFILE(**) ENTITY(staff)
ENTTYPE(GROUP) OBJTYPE(QUEUE)
AUTHLIST(BROWSE,CHG,CLR,DLT,DSP,GET,INQ,PUT,PASSALL,PASSID,SET,SETALL,SETID)



AMQ8864: Display authority record details.
PROFILE(**) ENTITY(staff)
ENTTYPE(GROUP) OBJTYPE(CHANNEL)
AUTHLIST(CHG,DLT,DSP,CTRL,CTRLX)

AMQ8864: Display authority record details.
PROFILE(**) ENTITY(staff)
ENTTYPE(GROUP) OBJTYPE(LISTENER)
AUTHLIST(CHG,DLT,DSP,CTRL)


Above, staff is a group and finadm is a member of the group staff.
_________________
Ramesh
-------------
fjb_saper
Posted: Mon Oct 16, 2017 8:27 am

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20696
Location: LI,NY

So you noticed that one of the downsides in Unix is that when granting permission to the user you're in fact granting permission to its primary group.

Not something that is desirable when this group is staff.
You might want to issue a refresh security type(all) against the queue manager.

Have fun
_________________
MQ & Broker admin
nrameshmq
Posted: Mon Oct 16, 2017 9:16 pm

Apprentice

Joined: 09 Aug 2017
Posts: 35
Location: India, Mumbai

Thank you all, guys.

The issue is now resolved after executing the commands:

REFRESH SECURITY TYPE(CONNAUTH)


REFRESH SECURITY TYPE(AUTHSERV)
AND
REFRESH SECURITY(*)

Thanks for your help
_________________
Ramesh
-------------
Copyright © MQSeries.net. All rights reserved.