ASG
IBM
Zystems
Cressida
Icon
Netflexity
 
  MQSeries.net
Search  Search       Tech Exchange      Education      Certifications      Library      Info Center      SupportPacs      LinkedIn  Search  Search                                                                   FAQ  FAQ   Usergroups  Usergroups
 
Register  ::  Log in Log in to check your private messages
 
RSS Feed - WebSphere MQ Support RSS Feed - Message Broker Support

MQSeries.net Forum IndexGeneral IBM MQ SupportQueue manager uses different user ID to connect

Post new topicReply to topic
Queue manager uses different user ID to connect View previous topic :: View next topic
Author Message
vmanel
PostPosted: Thu Mar 12, 2020 4:30 am Post subject: Queue manager uses different user ID to connect Reply with quote

Apprentice

Joined: 12 Mar 2019
Posts: 46

Hi,

We are trying to connect to Queue Manager from a .NET application which is present in docker. The application is passing a user id 'abc_def' but since docker is running as root, it is trying to connect to QM as root instead of specified user id. Below is the error we are getting

The specified entity is not authorized to access the required object. The
following requested permissions are unauthorized: connect
ACTION:
Ensure that the correct level of authority has been set for this entity against
the required object, or ensure that the entity is a member of a privileged
group.
----- amqzfubx.c : 1542 -------------------------------------------------------
03/12/2020 07:37:40 AM - Process(20631.9811) User(mqm) Program(amqrmppa)
Host(abcdef.net) Installation(Installation1)
VRMF(9.0.0.4) QMgr(QM)

AMQ9557: Queue Manager User ID initialization failed for 'root'.

EXPLANATION:
The call to initialize the User ID 'root' failed with CompCode 2 and Reason
2035. If an MQCSP block was used, the User ID in the MQCSP block was
'abc_def'.


CHLAUTH of QMGR is disabled and CONNAUTH was set to SYSTEM IDPWOS object. And we made CHKCLNT and CHKLOCL to None. Later we set CONNAUTH to empty, so that queue manager doesn't do any authentication. But still we are getting the same error.

There is no CHLUAUTH defined for the channel, and we used same channel in RFHUTILC to connect by passing same user id, even in that case we are getting the above error but with user id under which RFHUTILC is running instead of 'root'.
Back to top
View user's profile Send private message
hughson
PostPosted: Thu Mar 12, 2020 10:05 pm Post subject: Re: Queue manager uses different user ID to connect Reply with quote

Grand Master

Joined: 09 May 2013
Posts: 1347
Location: Bay of Plenty, New Zealand

vmanel wrote:
Hi,

We are trying to connect to Queue Manager from a .NET application which is present in docker. The application is passing a user id 'abc_def' but since docker is running as root, it is trying to connect to QM as root instead of specified user id.

Code:
AMQ9557: Queue Manager User ID initialization failed for 'root'.

EXPLANATION:
The call to initialize the User ID 'root' failed with CompCode 2 and Reason
2035. If an MQCSP block was used, the User ID in the MQCSP block was
'abc_def'.


I was going to ask how the application was passing in user ID 'abc_def', but I can see the answer from this error message. You are passing it using the MQCSP block. That's good.

vmanel wrote:
CONNAUTH was set to SYSTEM IDPWOS object. And we made CHKCLNT and CHKLOCL to None. Later we set CONNAUTH to empty, so that queue manager doesn't do any authentication. But still we are getting the same error.


So what you have told us here is that you have turned off the function in the queue manager that will look for a user id (and password) in the MQCSP block.

In order to have the queue manager use the user id you pass in on the connection call, instead of the user ID you are running as (in your case 'root'), you need to re-enable CONNAUTH, and in addition, ensure that you have the ADOPTCTX attribute set to YES. Alternatively, do a run-as for 'abc_def' instead of supplying it in the application.

For CONNAUTH, here are the commands.

Code:
ALTER AUTHINFO(SYSTEM.DEFAULT.AUTHINFO.IDPWOS) TYPE(IDPWOS) CHCKCLNT(REQADMIN) CHCKLOCL(OPTIONAL) ADOPTCTX(YES)
ALTER QMGR CONNAUTH(SYSTEM.DEFAULT.AUTHINFO.IDPWOS)
REFRESH SECURITY TYPE(CONNAUTH)


N.B. You cannot use CONNAUTH to set a user id without also having the correct password supplied.

If all you want to do is set the user id, go with the run-as method.

Cheers,
Morag

P.S. I know run-as doesn't have a hyphen, but if I remove the hyphen, it replaces the text with 'contact admin'.
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
Back to top
View user's profile Send private message Visit poster's website
vmanel
PostPosted: Fri Mar 13, 2020 9:58 am Post subject: Re: Queue manager uses different user ID to connect Reply with quote

Apprentice

Joined: 12 Mar 2019
Posts: 46

hughson wrote:


So what you have told us here is that you have turned off the function in the queue manager that will look for a user id (and password) in the MQCSP block.


Authentication was not working that is why we disabled, if CONNAUTH itself is empty or CHKCLNT is None then it should ignore the user name that is passed, correct?

hughson wrote:
In order to have the queue manager use the user id you pass in on the connection call, instead of the user ID you are running as (in your case 'root'), you need to re-enable CONNAUTH, and in addition, ensure that you have the ADOPTCTX attribute set to YES.


Tried this option still it is considering 'root' as user. One question here is any changes to CONNAUTH object or enabling or disabling of CONNAUTH requires QM restart or Refresh security is sufficient?

hughson wrote:
Alternatively, do a run-as for 'abc_def' instead of supplying it in the application.


Do you mean to run the application as the user instead of 'root'? We don't have acess to change anything at application

hughson wrote:
N.B. You cannot use CONNAUTH to set a user id without also having the correct password supplied.


Application is passing only the user id without any password. And it was working fine before the application was moved to docker
Back to top
View user's profile Send private message
fjb_saper
PostPosted: Fri Mar 13, 2020 11:44 am Post subject: Reply with quote

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20221
Location: LI,NY

So your question should be: Why is root running the application under Docker? And fix that (use sudo or su in the app start script to switch the user running the app)
_________________
MQ & Broker admin
Back to top
View user's profile Send private message Send e-mail
vmanel
PostPosted: Fri Mar 13, 2020 8:04 pm Post subject: Reply with quote

Apprentice

Joined: 12 Mar 2019
Posts: 46

fjb_saper wrote:
So your question should be: Why is root running the application under Docker? And fix that (use sudo or su in the app start script to switch the user running the app)


We don't have access to do anything at application side.
Back to top
View user's profile Send private message
fjb_saper
PostPosted: Fri Mar 13, 2020 8:29 pm Post subject: Reply with quote

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20221
Location: LI,NY

vmanel wrote:
fjb_saper wrote:
So your question should be: Why is root running the application under Docker? And fix that (use sudo or su in the app start script to switch the user running the app)


We don't have access to do anything at application side.

Wouldn't the user to run the application under be part of the Helm chart?
Is this not your application? Take control of it...
_________________
MQ & Broker admin
Back to top
View user's profile Send private message Send e-mail
hughson
PostPosted: Sun Mar 15, 2020 2:21 pm Post subject: Reply with quote

Grand Master

Joined: 09 May 2013
Posts: 1347
Location: Bay of Plenty, New Zealand

So, let me see if I have understood all the variables.
  • The application is running as the wrong user id (root)
  • The application passes a user ID 'abc_def' but not password, using MQCSP
  • Nothing can be changed at the application side of things - it cannot be made to run under abc_def instead of root, and it cannot be made to supply the password
  • You need to make it run at the queue manager using user ID 'abc_def' but cannot use CONNAUTH for this purpose because of lack of password
  • You do not care that this is in no way secure, no authentication happening
I think you could probably IP Address map this using CHLAUTH?

Code:
SET CHLAUTH(channel-name) TYPE(ADDRESSMAP) ADDRESS('1.2.3.4') USERSRC(MAP) MCAUSER('abc_def')


I would repeat that this is not secure, there is no authentication happening here, this is simply queue manager side assertion of a user ID instead of a client side assertion of a user ID.

Suggest you look into having some form of authentication, user ID/password would be the simplest to add to what you already have - you're already asserting a user id, just add the password to the client application, and enable CONNAUTH as described earlier.

Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
Back to top
View user's profile Send private message Visit poster's website
bruce2359
PostPosted: Sun Mar 15, 2020 2:44 pm Post subject: Reply with quote

Poobah

Joined: 05 Jan 2008
Posts: 8620
Location: US: west coast, almost. Otherwise, enroute.

... and disable user ID 'abc_def' from logging on at the o/s.
_________________
My life flows on in endless song;
How can I keep from singing?
Back to top
View user's profile Send private message
vmanel
PostPosted: Thu Mar 19, 2020 4:50 am Post subject: Reply with quote

Apprentice

Joined: 12 Mar 2019
Posts: 46

hughson wrote:
I think you could probably IP Address map this using CHLAUTH?

Code:
SET CHLAUTH(channel-name) TYPE(ADDRESSMAP) ADDRESS('1.2.3.4') USERSRC(MAP) MCAUSER('abc_def')



Even this is not working. Getting same error

Code:

AMQ8077: Entity 'root' has insufficient authority to access object 'QMNAME'.

AMQ9557: Queue Manager User ID initialization failed for 'root'.
Back to top
View user's profile Send private message
PeterPotkay
PostPosted: Thu Mar 19, 2020 8:07 am Post subject: Reply with quote

Poobah

Joined: 15 May 2001
Posts: 7602

Your CHLAUTH rule is not set up correctly if you still see errors for user 'root'.
_________________
Peter Potkay
Keep Calm and MQ On
Back to top
View user's profile Send private message
vmanel
PostPosted: Thu Mar 19, 2020 9:54 am Post subject: Reply with quote

Apprentice

Joined: 12 Mar 2019
Posts: 46

PeterPotkay wrote:
Your CHLAUTH rule is not set up correctly if you still see errors for user 'root'.

As I have mentioned in first post, CHLAUTH property of QMGR is disabled, should that be enabled? If that is enabled it will affect all other applications that are connecting to the QM. But now the question is since both CONNAUTH and CHLAUTH is disabled, why and how is trying to authenticating the user? It should allow access to any user, correct?
Back to top
View user's profile Send private message
hughson
PostPosted: Thu Mar 19, 2020 3:16 pm Post subject: Reply with quote

Grand Master

Joined: 09 May 2013
Posts: 1347
Location: Bay of Plenty, New Zealand

vmanel wrote:
PeterPotkay wrote:
Your CHLAUTH rule is not set up correctly if you still see errors for user 'root'.

As I have mentioned in first post, CHLAUTH property of QMGR is disabled, should that be enabled? If that is enabled it will affect all other applications that are connecting to the QM.

If you want to use a CHLAUTH rule, then yes, the CHLAUTH property of the queue manager must be enabled. If you don't want to affect other channels, then delete all the other rules. There are three provided by default.

vmanel wrote:
But now the question is since both CONNAUTH and CHLAUTH is disabled, why and how is trying to authenticating the user? It should allow access to any user, correct?


You are not failing authentication. The root user that your application is using was passed through to the queue manager completely unchecked, and unchanged.

You are failing authorization.

vmanel wrote:
The specified entity is not authorized to access the required object. The
following requested permissions are unauthorized: connect


Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
Back to top
View user's profile Send private message Visit poster's website
vmanel
PostPosted: Thu Mar 19, 2020 6:30 pm Post subject: Reply with quote

Apprentice

Joined: 12 Mar 2019
Posts: 46

hughson wrote:


You are not failing authentication. The root user that your application is using was passed through to the queue manager completely unchecked, and unchanged.

You are failing authorization.



How to disable authorization? So the only way apart from setting CHLAUTH is to either set MCAUSER for the channel directly or grant permission for 'root' user?
Back to top
View user's profile Send private message
hughson
PostPosted: Thu Mar 19, 2020 7:26 pm Post subject: Reply with quote

Grand Master

Joined: 09 May 2013
Posts: 1347
Location: Bay of Plenty, New Zealand

vmanel wrote:
hughson wrote:


You are not failing authentication. The root user that your application is using was passed through to the queue manager completely unchecked, and unchanged.

You are failing authorization.



How to disable authorization? So the only way apart from setting CHLAUTH is to either set MCAUSER for the channel directly or grant permission for 'root' user?


Disabling authorization is something that you have to do when creating your queue manager. Much easier to simply map the user ID as your original question suggested. You are correct that setting the MCAUSER on the channel would be another route you could take instead of using CHLAUTH.

Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
Back to top
View user's profile Send private message Visit poster's website
Display posts from previous:
Post new topicReply to topic Page 1 of 1

MQSeries.net Forum IndexGeneral IBM MQ SupportQueue manager uses different user ID to connect
Jump to:



You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
Protected by Anti-Spam ACP


Theme by Dustin Baccetti
Powered by phpBB 2001, 2002 phpBB Group

Copyright MQSeries.net. All rights reserved.