Author |
Message
|
cheeyong.teh |
Posted: Mon Apr 15, 2019 7:45 am Post subject: xcsGetpwuid got password entry with user name too long |
|
|
Newbie
Joined: 15 Apr 2019 Posts: 4
|
Hi,
I have IBM WebSphere MQ 8.0.0.7 Client installed.
Currently I'm connecting to a server using an SSL connection.
In the keystore (key.kdb) I have
Code: |
*- ibmwebspheremqaaa.bbbb.ccccc
|
When I try to establish an SSL connection I'm getting
Code: |
| Probe Description :- AMQ6125: An internal WebSphere MQ error has occurred. |
| FDCSequenceNumber :- 0 |
| Comment1 :- xcsGetpwuid got password entry with user name too long |
| (more than 13 characters). |
| Comment2 :- Details: getuid() returned 1005; getpwuid_r(1005) |
| found user name "aaa.bbbb.ccccc". |
| Comment3 :- A user name of "UNKNOWN" will be used, which will |
| likely cause later authorisation failures. Note this FFST can be turned |
| off by exporting env var AMQ_NOFFST_PROCESS_UID. |
| |
+-----------------------------------------------------------------------------+
|
I have tried another userid which is 12 characters long and the SSL connection works (after renaming the cert label to the new userid).
So my question is: why does the IBM MQ client impose this restriction? Is there a way around it so I can use the "aaa.bbbb.ccccc" user account? Does this restriction exist in the newer version (v9)?
Thanks,
Yong |
|
Vitor |
Posted: Mon Apr 15, 2019 7:52 am Post subject: Re: xcsGetpwuid got password entry with user name too long |
|
|
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
|
cheeyong.teh wrote: |
So my question is: why does the IBM MQ client impose this restriction? |
Backwards compatibility; it's been limited to 12 characters since there was a technical reason for limiting it back in v2.
cheeyong.teh wrote: |
Is there a way around it so I can use the "aaa.bbbb.ccccc" user account? |
Use LDAP not the internal OAM. May not be applicable in your use case; I urge you to search this forum for posts by Morag, the authority on MQ security.
cheeyong.teh wrote: |
Does this restriction exist in the newer version (v9)? |
Yes.
_________________
Honesty is the best policy.
Insanity is the best defence. |
|
cheeyong.teh |
Posted: Mon Apr 15, 2019 8:04 am Post subject: Re: xcsGetpwuid got password entry with user name too long |
|
|
Newbie
Joined: 15 Apr 2019 Posts: 4
|
Vitor wrote: |
Use LDAP not the internal OAM. May not be applicable in your use case; I urge you to search this forum for posts by Morag, the authority on MQ security.
|
Thanks for the reply.
Not sure if that will work for me, as aaa.bbbb.ccccc is just a local Linux account that will execute the MQ client and connect to a server with an SSL connection. I Googled before I posted here and found
https://www.ibm.com/support/knowledgecenter/SSFKSJ_8.0.0/com.ibm.mq.hpnss.doc/usernamemapping/unm00000.htm
but there isn't altmqusr in the bin folder for the client installation so I guess that only works for server.
I will search Morag's posts.
Thanks |
|
Vitor |
Posted: Mon Apr 15, 2019 8:51 am Post subject: Re: xcsGetpwuid got password entry with user name too long |
|
|
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
|
cheeyong.teh wrote: |
but there isn't altmqusr in the bin folder for the client installation so I guess that only works for server. |
Yes, they're server side commands & specific to 1 OS that's not the Linux you're using. |
|
cheeyong.teh |
Posted: Mon Apr 15, 2019 8:54 am Post subject: Re: xcsGetpwuid got password entry with user name too long |
|
|
Newbie
Joined: 15 Apr 2019 Posts: 4
|
Vitor wrote: |
Yes, they're server side commands & specific to 1 OS that's not the Linux you're using. |
Cool, I guess I just need to have a Linux userid that is max 12 characters. Thanks for your help. |
|
Vitor |
Posted: Mon Apr 15, 2019 9:08 am Post subject: Re: xcsGetpwuid got password entry with user name too long |
|
|
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
|
cheeyong.teh wrote: |
I guess I just need to have a Linux userid that is max 12 characters. |
Sticking to 12 characters or less will also avoid problems with Windows & other OS. |
|
hughson |
Posted: Mon Apr 15, 2019 8:52 pm Post subject: |
|
|
 Padawan
Joined: 09 May 2013 Posts: 1959 Location: Bay of Plenty, New Zealand
|
As answered on your identical question over on IMWUC:-
Morag Hughson on IMWUC wrote: |
You no longer need to be restricted by the label pattern that was originally required by IBM MQ:
Code: |
ibmwebspheremq<userid>
|
From V8 and later you are able to use any label you want for your certificate and then tell IBM MQ what label you are using.
Code: |
export MQCERTLABL=the-label-of-your-choosing
|
If you do this it won't trip over the length of your user id when locating the certificate label. |
Cheers,
Morag _________________ Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software |
|
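A pre-flight check for the situation discussed in this thread, as an added example that is not from any of the posters or from IBM: it decides whether a client user can rely on the default `ibmwebspheremq<userid>` label or needs `MQCERTLABL`, and confirms the label in effect is present in a keystore listing. The function names, the 12-character constant as a variable, and the sample listing (including the `mqclient-prod` label and its flag column) are constructed assumptions.

```shell
#!/bin/sh
# Added example: pre-flight check for an IBM MQ client certificate label.
MQ_USERID_MAX=12   # user id length limit as stated in the thread

# Constructed sample keystore listing, modelled on the "*- label" line
# quoted in the first post (flag characters, whitespace, then the label).
SAMPLE_LISTING='*- ibmwebspheremqaaa.bbbb.ccccc
-  mqclient-prod'

# default_label USER -> label looked up when MQCERTLABL is not set
default_label() { printf 'ibmwebspheremq%s\n' "$1"; }

# label_in_listing LABEL LISTING -> exit 0 if LABEL appears in LISTING
label_in_listing() {
    printf '%s\n' "$2" | awk -v want="$1" '
        { sub(/^[*!-]+[ \t]+/, ""); sub(/[ \t]+$/, "") }  # drop flag column
        $0 == want { found = 1 }
        END { exit !found }'
}

# check_label USER LISTING [MQCERTLABL] -> prints one verdict:
#   ok        the label in effect exists in the keystore
#   too-long  no explicit label, and USER exceeds the length limit
#   missing   the label in effect is not in the keystore
check_label() {
    user=$1
    listing=$2
    explicit=${3:-}
    if [ -n "$explicit" ]; then
        label=$explicit
    elif [ "${#user}" -gt "$MQ_USERID_MAX" ]; then
        echo too-long
        return 0
    else
        label=$(default_label "$user")
    fi
    if label_in_listing "$label" "$listing"; then
        echo ok
    else
        echo missing
    fi
}
```

In real use, the listing argument would be the certificate list of the client's key.kdb, and the third argument the current value of `MQCERTLABL`.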
cheeyong.teh |
Posted: Tue Apr 16, 2019 1:47 am Post subject: |
|
|
Newbie
Joined: 15 Apr 2019 Posts: 4
|
Thanks Morag, it works.  |
|
Vitor |
Posted: Tue Apr 16, 2019 4:59 am Post subject: |
|
|
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
|
cheeyong.teh wrote: |
Thanks Morag, it works.  |
Vitor wrote: |
I urge you to search this forum for posts by Morag, the authority on MQ security. |
Told you she was the best. |
|