Unable to configure user for testing only
derrickatdecdev (Newbie; joined 11 Mar 2020; posts: 9)
Posted: Wed Mar 11, 2020 10:27 am    Post subject: Unable to configure user for testing only
Hello all! I am new to this, and while I've read a lot of text about IBM MQ, I have yet to figure out a working configuration for testing.
Let me stress that this is for testing only, not production. I just want to be able to show that the client can connect.
I'm using 'IBM MQ Explorer' and creating a client in C# using amqmdnet.dll. When I leave the MCA User ID blank, I am able to connect, put, & get messages, while running the client code as my normal Windows user.
But, when I try to call the client code from a Windows service using the same configuration, I always get MQRC_NOT_AUTHORIZED. I've tried username, with and without AD domain, both in the MCA user ID and sent from the client. Nothing works.
I would love a bit of guidance so that I can:
- run the client code from a Windows service account
- WITHOUT connecting IBM MQ to my active directory in ANY way
Any suggestions? Thank you.
hughson (Padawan; joined 09 May 2013; posts: 1959; location: Bay of Plenty, New Zealand)
Posted: Wed Mar 11, 2020 1:30 pm    Post subject:
Could you show an example of the error message that is in your AMQERR01.LOG when you get the failure? Also, to help us, when user ids are mentioned in said error message, tell us what they are.
Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
derrickatdecdev (Newbie; joined 11 Mar 2020; posts: 9)
Posted: Wed Mar 11, 2020 1:54 pm    Post subject:
Sure - this is everything that gets logged for a single try. Windows user id is 'derrick' (it sometimes appears with an AD domain prefix that doesn't appear here)...machine name is probably 'DERRICK'.
Code:
----- cmqxrsrv.c : 2406 -------------------------------------------------------
3/11/2020 17:44:05 - Process(39408.43309) User(derrick) Program(amqrmppa.exe)
Host(DERRICK) Installation(Installation2)
VRMF(9.1.0.0) QMgr(qm2)
Time(2020-03-11T21:44:05.618Z)
RemoteHost(127.0.0.1)
CommentInsert1(channel2)
CommentInsert2(127.0.0.1)
CommentInsert3(MCAUSER(SYSTEM) CLNTUSER(SYSTEM) ADDRESS(Derrick))
AMQ9776E: Channel was blocked by userid
EXPLANATION:
The inbound channel 'channel2' was blocked from address '127.0.0.1' because the
active values of the channel were mapped to a userid which should be blocked.
The active values of the channel were 'MCAUSER(SYSTEM) CLNTUSER(SYSTEM)
ADDRESS(Derrick)'.
ACTION:
Contact the systems administrator, who should examine the channel
authentication records to ensure that the correct settings have been
configured. The ALTER QMGR CHLAUTH switch is used to control whether channel
authentication records are used. The command DISPLAY CHLAUTH can be used to
query the channel authentication records.
----- cmqxrmsa.c : 1363 -------------------------------------------------------
3/11/2020 17:44:05 - Process(39408.43309) User(derrick) Program(amqrmppa.exe)
Host(DERRICK) Installation(Installation2)
VRMF(9.1.0.0) QMgr(qm2)
Time(2020-03-11T21:44:05.619Z)
CommentInsert1(channel2)
CommentInsert2(39408(51840))
CommentInsert3(127.0.0.1)
AMQ9999E: Channel 'channel2' to host '127.0.0.1' ended abnormally.
EXPLANATION:
The channel program running under process ID 39408(51840) for channel
'channel2' ended abnormally. The host name is '127.0.0.1'; in some cases the
host name cannot be determined and so is shown as '????'.
ACTION:
Look at previous error messages for the channel program in the error logs to
determine the cause of the failure. Note that this message can be excluded
completely or suppressed by tuning the "ExcludeMessage" or "SuppressMessage"
attributes under the "QMErrorLog" stanza in qm.ini. Further information can be
found in the System Administration Guide.
----- amqrmrsa.c : 945 --------------------------------------------------------
hughson (Padawan; joined 09 May 2013; posts: 1959; location: Bay of Plenty, New Zealand)
Posted: Wed Mar 11, 2020 8:00 pm    Post subject:
So when you run the client application from your Windows user ID 'derrick', either 'derrick' isn't a privileged user ID, or you have added a CHLAUTH rule to allow that particular privileged user ID to connect to your queue manager.
What the error message you provided in your reply shows is that when you run the application as a Windows service, it runs as the user id 'SERVICE'. This user ID is considered to be privileged (just like an mqm group member would be) and so is being blocked by the CHLAUTH rule that is in place by default:
Code:
CHLAUTH(*) TYPE(BLOCKUSER) DESCR(Default rule to disallow privileged users) USERLIST(*MQADMIN)
So, since you only want this for testing, here is how you could configure your queue manager to bypass this protection from privileged users.
Code:
SET CHLAUTH('channel2') TYPE(BLOCKUSER) USERLIST('nobody')
This removes the ban on privileged user ids on channel 'channel2' only.
This means that anyone who can connect in remotely to this machine need only know the channel to use and they can do ANYTHING to your queue manager. Since it is only for testing, then this is OK. But remember that this is no way to run a production queue manager.
If you want further information about what the above command did, read CHLAUTH - Allow some privileged admins
Alternatively you could map this connection to use a non-privileged user ID, and grant it only the permissions it needed. Read A non-privileged MQ administrator for more information about how to do that.
Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
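The second option Morag mentions, mapping the connection to a non-privileged user ID and granting it only what it needs, as an added MQSC example that is not from this thread or from IBM's documentation. It assumes the thread's queue manager qm2 and channel 'channel2' (the log shows the service asserting CLNTUSER(SYSTEM) from 127.0.0.1), plus an assumed local non-privileged Windows account 'mqtestapp' and an assumed test queue 'DEV.TEST.Q'; run it in runmqsc qm2.

```mqsc
* Added example (not from the thread). Assumes channel 'channel2' on qm2,
* a local, non-privileged Windows user 'mqtestapp' (assumed name; not in
* the mqm or Administrators group) and a test queue 'DEV.TEST.Q' (assumed).
*
* 1. Leave the default BLOCKUSER(*MQADMIN) rule in place. Instead, map the
*    client user 'SYSTEM' asserted by the service from loopback on this
*    channel to the non-privileged account. BLOCKUSER is evaluated against
*    the MCAUSER after mapping, so 'mqtestapp' is not blocked.
SET CHLAUTH('channel2') TYPE(USERMAP) CLNTUSER('SYSTEM') ADDRESS('127.0.0.1') +
    USERSRC(MAP) MCAUSER('mqtestapp') ACTION(REPLACE)
*
* 2. Grant that account only what the test client needs: connect to the
*    queue manager and put/get on the one test queue.
SET AUTHREC OBJTYPE(QMGR) PRINCIPAL('mqtestapp') AUTHADD(CONNECT,INQ)
SET AUTHREC PROFILE('DEV.TEST.Q') OBJTYPE(QUEUE) PRINCIPAL('mqtestapp') +
    AUTHADD(PUT,GET,INQ,BROWSE)
*
* 3. Check which rule would apply to the service's connection attempt
*    without starting a client; MATCH(RUNCHECK) reports the MCAUSER the
*    channel would run under.
DISPLAY CHLAUTH('channel2') MATCH(RUNCHECK) ADDRESS('127.0.0.1') CLNTUSER('SYSTEM') ALL
*
* 4. Confirm the authority records, then re-read OS group membership in
*    case it changed after the queue manager started.
DISPLAY AUTHREC PRINCIPAL('mqtestapp')
REFRESH SECURITY TYPE(AUTHSERV)
```

With this in place the service connects as 'mqtestapp' rather than as a privileged ID, so the default rule that produced AMQ9776E keeps protecting every other channel.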
fjb_saper (Grand High Poobah; joined 18 Nov 2003; posts: 20756; location: LI,NY)
Posted: Wed Mar 11, 2020 8:07 pm    Post subject:
Two things to prepare for production:
- Make sure the MQ Service runs under an AD account.
It will need special privileges at the domain level and on the server.
Those privileges are described in the documentation. (Infocenter)
- Make sure you authorize the correct group. Make sure the user running the application service is not SYSTEM but an AD user that is a member of the authorized group.
And as you change group membership remember to refresh the queue manager's security service.
Have fun
_________________
MQ & Broker admin
derrickatdecdev (Newbie; joined 11 Mar 2020; posts: 9)
Posted: Thu Mar 12, 2020 8:55 am    Post subject:
You won't be surprised to hear that that fixed it immediately! Thanks so much!