dakoroni |
Posted: Tue May 05, 2020 3:41 am Post subject: AMQ9557, AMQ9999 Channel access blocking |
|
|
Acolyte
Joined: 10 Jan 2020 Posts: 50
|
Hello MQ community users,
When I am trying to access from my machine –via MQ Explorer- a target Queue Manager by using a Channel Authentication Record (enabled), I receive the following errors in Queue Manager's log:
FYI, I have created a channel authentication record using MQ explorer GUI -> General -> Channel SYSTEM.AUTO.SVRCONN / Address Map – Address -> IP : xx.x.xxx.xxx (my machine) –
Extended: User Source Map: MCA UserID: (my domain account / member of mqm group of system hosting target Queue Manager).
Target System is accessible from my machine's IP on ports 3389 (RDP), 1414(MQ Explorer)
----- amqrmrsa.c : 898 --------------------------------------------------------
5/5/2020 13:02:04 - Process(2296.271) User(MQTestUser) Program(amqrmppa.exe)
Host(V000010733) Installation(TEST)
VRMF(7.5.0.2) QMgr(MQTPRIV)
AMQ9557: Queue Manager User ID initialization failed.
EXPLANATION:
The call to initialize the User ID failed with CompCode 2 and Reason 2035.
ACTION:
Correct the error and try again.
----- cmqxrsrv.c : 1975 -------------------------------------------------------
5/5/2020 13:02:04 - Process(2296.271) User(MQTestUser) Program(amqrmppa.exe)
Host(V000010733) Installation(TEST)
VRMF(7.5.0.2) QMgr(MQTPRIV)
AMQ9999: Channel 'SYSTEM.AUTO.SVRCONN' to host 'w003500595 (xx.x.xxx.xxxx)' ended abnormally.
EXPLANATION:
The channel program running under process ID 2296(14768) for channel 'SYSTEM.AUTO.SVRCONN' ended abnormally. The host name is 'w003500595
(xx.x.xxx.xxx)'; in some cases the host name cannot be determined and so is shown as '????'.
ACTION:
Look at previous error messages for the channel program in the error logs to determine the cause of the failure. Note that this message can be excluded completely
or suppressed by tuning the "ExcludeMessage" or "SuppressMessage" attributes under the "QMErrorLog" stanza in qm.ini. Further information can be found
in the System Administration Guide.
----- amqrmrsa.c : 898 --------------------------------------------------------
Any advice on the above will be much appreciated.
------------------------------
NICK DAKORONIAS
------------------------------ |
exerk |
Posted: Tue May 05, 2020 3:52 am Post subject: |
|
|
 Jedi Council
Joined: 02 Nov 2006 Posts: 6339
|
Don't use SYSTEM channels for communication/access to a queue manager, especially in the case of MQ Client connections; use a defined channel, e.g. MQE.MQTESTUSER (camel case is really not a good idea with MQ).
If CHLAUTH is blocking I would expect to see related prints in the log, but your extract below doesn't show any, so have a look at this Knowledge Centre article specific to your version; specifically, take note of WARN(YES).
Also, make sure that CHLAUTH is actually enabled on your queue manager. _________________ It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
fjb_saper |
Posted: Tue May 05, 2020 5:16 am Post subject: |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
Multiple problems assuming chlauth is enabled
- SYSTEM channels are usually under a connection refusal rule.
- SVRCONN channels usually restrict access to non privileged users, but by your own admission you are using a privileged user..., so you're running afoul another chlauth rule...
Enjoy  _________________ MQ & Broker admin |
exerk |
Posted: Tue May 05, 2020 5:57 am Post subject: |
|
|
 Jedi Council
Joined: 02 Nov 2006 Posts: 6339
|
fjb_saper wrote: |
...by your own admission you are using a privileged user..., so you're running afoul another chlauth rule...
Enjoy  |
In which case I would expect to see that in the log, hence my query as to whether CHLAUTH is actually enabled. _________________ It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
dakoroni |
Posted: Tue May 05, 2020 6:47 am Post subject: AMQ9557, AMQ9999 Channel access blocking |
|
|
Acolyte
Joined: 10 Jan 2020 Posts: 50
|
fjb_saper wrote: |
Multiple problems assuming chlauth is enabled
- SYSTEM channels are usually under a connection refusal rule.
- SVRCONN channels usually restrict access to non privileged users, but by your own admission you are using a privileged user..., so you're running afoul another chlauth rule... |
After running the command dis chlauth(*) to display all channel authentication records on the specific Queue Manager, there are only 4 channel rules listed:
The first system rule (address map) refers to the SYSTEM.ADMIN.SVRCONN channel and allows MQ Explorer access from all IP addresses (*).
The second rule is mine (IP: xx.x.xxx.xxx = my machine, e63254@CENTRAL = my domain profile / member of the local mqm group on the target machine hosting the target queue manager).
The other two rules (SENDER*) are custom created, allowing access to sender channels from Profile Application Server and Private Banking Batch Scheduler respectively.
----------------------------
display CHLAUTH(*)
    3 : display CHLAUTH(*)
AMQ8878: Display channel authentication record details.
  CHLAUTH(SYSTEM.ADMIN.SVRCONN)          TYPE(ADDRESSMAP)
   ADDRESS(*)                             USERSRC(CHANNEL)
AMQ8878: Display channel authentication record details.
  CHLAUTH(SYSTEM.AUTO.SVRCONN)           TYPE(ADDRESSMAP)
  ADDRESS(xx.x.xxxx.xxx)                  MCAUSER(e63254@CENTRAL)
AMQ8878: Display channel authentication record details.
  CHLAUTH(SENDER*)                       TYPE(ADDRESSMAP)
  ADDRESS(xx.xx.xxx.xx)                  USERSRC(CHANNEL)
AMQ8878: Display channel authentication record details.
  CHLAUTH(SENDER*)                       TYPE(ADDRESSMAP)
  ADDRESS(xx.xx.xxx.xx)                  USERSRC(CHANNEL) |
exerk |
Posted: Tue May 05, 2020 1:39 pm Post subject: |
|
|
 Jedi Council
Joined: 02 Nov 2006 Posts: 6339
|
Are you sure that CHLAUTH is enabled?
I do not have a V7.5 installation to test against but my V9.1.2 test installation gives me this when I try to connect:
Code: |
AMQ9776E: Channel was blocked by userid
EXPLANATION:
The inbound channel 'SYSTEM.ADMIN.SVRCONN' was blocked from address '127.0.0.1' because the active values of the channel were mapped to a userid which should be blocked. The active values of the channel were MCAUSER(xxxxxxxx) CLNTUSER(xxxxxxxx) ADDRESS(XXX-XXX-XXX)'.
ACTION:
Contact the systems administrator, who should examine the channel authentication records to ensure that the correct settings have been configured. The ALTER QMGR CHLAUTH switch is used to control whether channel authentication records are used. The command DISPLAY CHLAUTH can be used to query the channel authentication records. |
I would expect to see the same type of error showing up in your logs, but it's been so long since I 'played' with that version I can't be sure.
Please check, explicitly, that you have enabled CHLAUTH, thank you. _________________ It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
dakoroni |
Posted: Tue May 05, 2020 11:13 pm Post subject: AMQ9557, AMQ9999 Channel access blocking |
|
|
Acolyte
Joined: 10 Jan 2020 Posts: 50
|
Yes, CHLAUTH is enabled (Queue Manager -> Communication Properties -> Channel Authentication records = enabled).
There is also an AMQ9776 error msg before the AMQ9557, AMQ9999:
---
4/5/2020 12:32:04 - Process(2296.244) User(MQTestUser) Program(amqrmppa.exe)
Host(V000010733) Installation(TEST)
VRMF(7.5.0.2) QMgr(MQTPRIV)
AMQ9776: Channel was blocked by userid
EXPLANATION:
The inbound channel 'SYSTEM.ADMIN.SVRCONN' was blocked from address '10.1.100.155' because the active values of the channel were mapped to a userid which should be blocked. The active values of the channel were 'MCAUSER(e63254@central.nbg.gr) CLNTUSER(e63254)'.
ACTION:
Contact the systems administrator, who should examine the channel authentication records to ensure that the correct settings have been configured.
The ALTER QMGR CHLAUTH switch is used to control whether channel authentication records are used. The command DISPLAY CHLAUTH can be used to query the channel authentication records
---
The strange thing is that I have applied the exact same access rule on SYSTEM.AUTO.SVRCONN (using my IP address: 10.1.100.155 and my MCA userID: e63254@central.nbg.gr) on another Queue Manager hosted on the same machine and I can connect via MQ Explorer as expected....
Any advice will be much appreciated. |
dakoroni |
Posted: Wed May 06, 2020 4:36 am Post subject: AMQ9557, AMQ9999 Channel access blocking |
|
|
Acolyte
Joined: 10 Jan 2020 Posts: 50
|
I have executed runcheck by running the command:
DISPLAY CHLAUTH(SYSTEM.AUTO.SVRCONN) MATCH(RUNCHECK) ALL ADDRESS('10.1.100.155') CLNTUSER('e63254')
--
10 : DISPLAY CHLAUTH(SYSTEM.AUTO.SVRCONN) MATCH(RUNCHECK) ALL ADDRESS('10.1.100.155') CLNTUSER('e63254')
AMQ8878: Display channel authentication record details.
CHLAUTH(SYSTEM.AUTO.SVRCONN) TYPE(ADDRESSMAP)
DESCR( ) CUSTOM( )
ADDRESS(10.1.100.155) MCAUSER(e63254@CENTRAL)
USERSRC(MAP) ALTDATE(2020-05-06)
ALTTIME(11.13.49)
--
So, I assume I have to remove the custom authentication rule (address map) I have created, in order to gain access, correct? |
fjb_saper |
Posted: Wed May 06, 2020 5:09 am Post subject: Re: AMQ9557, AMQ9999 Channel access blocking |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
dakoroni wrote: |
So, I assume I have to remove the custom authentication rule (address map) I have created, in order to gain access, correct? |
No you should make sure that the user specified has the permissions to do what you want him to do. (Connect to the qmgr and put/get + inq to the relevant queues), and maybe run a refresh security on the queue manager  _________________ MQ & Broker admin |
dakoroni |
Posted: Wed May 06, 2020 5:22 am Post subject: AMQ9557, AMQ9999 Channel access blocking |
|
|
Acolyte
Joined: 10 Jan 2020 Posts: 50
|
Unfortunately, it still doesn't work.
The user e63254 is a domain account, member of the mqm and local admin groups on the local system hosting the MQTRIV queue manager, and it has all the required authorizations...
Keep in mind that for the same user the MQexplorer remote access works for the other two Queue Managers hosted in the same system (MQWINTEST, MQWINT). |
Vitor |
Posted: Wed May 06, 2020 5:49 am Post subject: Re: AMQ9557, AMQ9999 Channel access blocking |
|
|
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
|
dakoroni wrote: |
The user e63254 is domain account member of the mqm and local admin groups on the local system hosting the MQTRIV queue manager and it has all the required authorizations... |
Remember that any member of mqm doesn't have permissions, or more accurately any permissions granted to that user are ignored. Likewise any permissions removed from that user are ignored; a member of mqm has all permissions and nothing can change that.
Also remember that a member of mqm is not considered a normal user; one of the default authority rules blocks remote access. It might be an interesting experiment to remove the id from the mqm group and see if there's a change.
dakoroni wrote: |
Keep in mind that for the same user the MQexplorer remote access works for the other two Queue Managers hosted in the same system (MQWINTEST, MQWINT). |
Pointing clearly at a configuration error on the aberrant queue manager.
Bear in mind that in your posts you sometimes refer to SYSTEM.AUTO.SVRCONN and sometimes to SYSTEM.ADMIN.SVRCONN. Fiddling with one of these will not help with MQExplorer... _________________ Honesty is the best policy.
Insanity is the best defence. |
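The comparison Vitor's post points to (which channel the AMQ9776 entry names versus which channel carries the user-mapping record), as an added Python example that is not part of any post in this thread. The log entry and DISPLAY CHLAUTH text are constructed samples modelled on the ones quoted above, the address and user names are placeholders, and all function names are hypothetical.

```python
import re
from fnmatch import fnmatchcase

# Constructed samples modelled on the AMQ9776 entry and DISPLAY CHLAUTH output
# quoted in this thread; the address and user names are placeholders.
SAMPLE_LOG = """\
5/4/2020 12:32:04 - Process(2296.244) User(MQTestUser) Program(amqrmppa.exe)
AMQ9776: Channel was blocked by userid
EXPLANATION:
The inbound channel 'SYSTEM.ADMIN.SVRCONN' was blocked from address
'192.0.2.10' because the active values of the channel were mapped to a userid
which should be blocked. The active values of the channel were
'MCAUSER(user1@example.test) CLNTUSER(user1)'.
"""
SAMPLE_CHLAUTH = """\
AMQ8878: Display channel authentication record details.
   CHLAUTH(SYSTEM.ADMIN.SVRCONN)           TYPE(ADDRESSMAP)
   ADDRESS(*)                              USERSRC(CHANNEL)
AMQ8878: Display channel authentication record details.
   CHLAUTH(SYSTEM.AUTO.SVRCONN)            TYPE(ADDRESSMAP)
   ADDRESS(192.0.2.10)                     MCAUSER(user1@EXAMPLE)
"""

BLOCK_RE = re.compile(
    r"AMQ9776.*?inbound channel '(?P<channel>[^']+)'.*?from address\s+'(?P<address>[^']+)'"
    r".*?MCAUSER\((?P<mcauser>[^)]*)\)\s+CLNTUSER\((?P<clntuser>[^)]*)\)", re.S)
ATTR_RE = re.compile(r"(\w+)\(([^)]*)\)")

def parse_blocks(log_text):
    """One dict per AMQ9776 entry: channel, address, mcauser, clntuser."""
    return [m.groupdict() for m in BLOCK_RE.finditer(log_text)]

def parse_chlauth(display_text):
    """Split DISPLAY CHLAUTH output on AMQ8878 headers into attribute dicts."""
    records = []
    for chunk in display_text.split("AMQ8878:")[1:]:
        body = chunk.partition("\n")[2]  # drop the header line
        records.append(dict(ATTR_RE.findall(body)))
    return records

def records_for(channel, records):
    """Records whose profile covers the channel (fnmatch approximates generic profiles like SENDER*)."""
    return [r for r in records if fnmatchcase(channel, r.get("CHLAUTH", ""))]

def channels_without_user_map(log_text, display_text):
    """Blocked channels for which no listed record carries an MCAUSER mapping."""
    recs = parse_chlauth(display_text)
    return [b["channel"] for b in parse_blocks(log_text)
            if not any("MCAUSER" in r for r in records_for(b["channel"], recs))]
```

On the constructed sample, `channels_without_user_map(SAMPLE_LOG, SAMPLE_CHLAUTH)` reports the channel named in the block entry, because the only MCAUSER mapping in the listing sits on a different channel profile.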
dakoroni |
Posted: Wed May 06, 2020 6:12 am Post subject: AMQ9557, AMQ9999 Channel access blocking |
|
|
Acolyte
Joined: 10 Jan 2020 Posts: 50
|
The specific user account has all the required permissions (i.e. Connect, Change, Display, Inquire, Set, etc).
Remember that the same user, with the same permissions and the same memberships, works as expected on the other two queue managers that reside on the same machine.
I have also removed the user account from the mqm group and the problem remains. (I put it back in mqm after the test, as it was before.)
Also there is no channel authentication rule on this queue manager blocking the access. The list of channel rules available for this "problematic" Queue Manager -dis chlauth(*)- is mentioned in a previous post on this thread. |
exerk |
Posted: Wed May 06, 2020 12:00 pm Post subject: |
|
|
 Jedi Council
Joined: 02 Nov 2006 Posts: 6339
|
I suggest you go through Morag Hughson's posts. They will give you all the information you need in regard to CHLAUTH, and help you diagnose and fix the issue. _________________ It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
dakoroni |
Posted: Thu May 07, 2020 3:04 am Post subject: AMQ9557, AMQ9999 Channel access blocking |
|
|
Acolyte
Joined: 10 Jan 2020 Posts: 50
|
Thanks for the tip.
I will try the steps in the article. |
dakoroni |
Posted: Mon May 11, 2020 4:59 am Post subject: AMQ9557, AMQ9999 Channel access blocking |
|
|
Acolyte
Joined: 10 Jan 2020 Posts: 50
|
Following the steps in the post "https://mqgem.wordpress.com/2013/03/21/mq_chlauth_the_back_stop_rule/", I have created a "warning back-stop rule".
My 3 access attempts were recorded in the SYSTEM.ADMIN.CHANNEL.EVENT,
but no MQRC_CHANNEL_BLOCKED_WARNING event is listed in that queue and the problem still remains. |