| Author |
Message
|
| jagte_raho |
 Posted: Wed Jun 23, 2021 11:55 am Post subject: mqm user not able to connect to MQ |
 |
|
Newbie
Joined: 23 Jun 2021
Posts: 6
|
Hi All, I am new to MQ and i am having this issue for few days now which i am trying to fix. This a newly built mq environment and I am not able to connect to queue manager internally or externally when providing password.
QM is on a linux machine
CHLAUTH is disabled - DISPLAY QMGR CHLAUTH
3 : DISPLAY QMGR CHLAUTH
AMQ8408: Display Queue Manager details.
QMNAME(QUEUE.MANAGER) CHLAUTH(DISABLED)
OS authentication is being used for connauth
3 : DISPLAY QMGR connauth
AMQ8408: Display Queue Manager details.
QMNAME(QUEUE.MANAGER)
CONNAUTH(SYSTEM.DEFAULT.AUTHINFO.IDPWOS)
display authinfo CONNAUTH(SYSTEM.DEFAULT.AUTHINFO.IDPWOS)
4 : display authinfo(SYSTEM.DEFAULT.AUTHINFO.IDPWOS)
AMQ8566: Display authentication information details.
AUTHINFO(SYSTEM.DEFAULT.AUTHINFO.IDPWOS)
AUTHTYPE(IDPWOS) ADOPTCTX(NO)
DESCR( ) CHCKCLNT(REQDADM)
CHCKLOCL(OPTIONAL) FAILDLAY(1)
AUTHENMD(OS) ALTDATE(2021-06-23)
ALTTIME(14.41.14)
I am trying to connect to MQ with mqm from explorer ruuning on my pc, but getting error. Same when trying to connect internally by providing password. Any help will be appreciated. I have verified mqm password by doing a ssh to the box. I have correct password for mqm user
runmqsc -u mqm QUEUE.MANAGER
5724-H72 (C) Copyright IBM Corp. 1994, 2016.
Enter password:
******
Starting MQSC for queue manager QUEUE.MANAGER.
AMQ8135: Not authorized.
No MQSC commands read.
No commands have a syntax error.
All valid MQSC commands were processed.
ERROR in logs
The user ID and password supplied by the 'runmqsc' program could not be
authenticated.
Additional information: 'N/A'.
ACTION:
Ensure that the correct user ID and password are provided by the application.
Ensure that the authentication repository is correctly configured. Look at
previous error messages for any additional information.
Last edited by jagte_raho on Mon Jun 28, 2021 9:10 am; edited 1 time in total |
|
| Back to top |
|
 |
| markt |
| Posted: Wed Jun 23, 2021 11:04 pm Post subject: |
|
|
Knight
Joined: 14 May 2002
Posts: 508
|
Where is the mqm userid defined and its password set? Is it outside the local OS or have special validation methods?
I suspect you might need to change the authinfo object to use AUTHENMD(PAM) |
|
| Back to top |
|
|
| hughson |
| Posted: Thu Jun 24, 2021 1:29 am Post subject: Re: mqm user not able to connect to MQ |
|
|
Padawan
Joined: 09 May 2013
Posts: 1959
Location: Bay of Plenty, New Zealand
|
| jagte_raho wrote: |
ERROR in logs
The user ID and password supplied by the 'runmqsc' program could not be
authenticated.
Additional information: 'N/A'.
ACTION:
Ensure that the correct user ID and password are provided by the application.
Ensure that the authentication repository is correctly configured. Look at
previous error messages for any additional information. |
What did the previous error messages say?
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software |
|
| Back to top |
|
|
| jagte_raho |
| Posted: Thu Jun 24, 2021 5:33 am Post subject: |
|
|
Newbie
Joined: 23 Jun 2021
Posts: 6
|
I have already played with different combination of settings. changed the AUTHENMD to (PAM) and ADOPTCTX(YES) without any success. Here is the full error messages , this is when I am executing below command from the machine running queue manager
runmqsc -u mqm QUEUE.MANAGER
5724-H72 (C) Copyright IBM Corp. 1994, 2016.
Enter password:
******
Starting MQSC for queue manager QUEUE.MANAGER.
AMQ8135: Not authorized.
No MQSC commands read.
No commands have a syntax error.
All valid MQSC commands were processed.
[AMQ5534: User ID 'mqm' authentication failed
EXPLANATION:
The user ID and password supplied by the 'runmqsc' program could not be
authenticated.
Additional information: 'N/A'.
ACTION:
Ensure that the correct user ID and password are provided by the application.
Ensure that the authentication repository is correctly configured. Look at
previous error messages for any additional information.]
[AMQ5542: The failed authentication check was caused by the queue manager
CONNAUTH CHCKLOCL(OPTIONAL) configuration.
EXPLANATION:
The user ID 'mqm' and its password were checked because the queue manager
connection authority (CONNAUTH) configuration refers to an authentication
information (AUTHINFO) object named 'SYSTEM.DEFAULT.AUTHINFO.IDPWOS' with
CHCKLOCL(OPTIONAL).
This message accompanies a previous error to clarify the reason for the user ID
and password check.
ACTION:
Refer to the previous error for more information.
Ensure that a password is specified by the client application and that the
password is correct for the user ID. The authentication configuration of the
queue manager connection determines the user ID repository. For example, the
local operating system user database or an LDAP server.
If the CHCKCLNT setting is OPTIONAL, the authentication check can be avoided by
not passing a user ID across the channel. For example, by omitting the MQCSP
structure from the client MQCONNX API call.
To avoid the authentication check, you can amend the authentication
configuration of the queue manager connection, but you should generally not
allow unauthenticated remote access.][/quote] |
|
| Back to top |
|
|
| exerk |
| Posted: Thu Jun 24, 2021 5:36 am Post subject: |
|
|
Jedi Council
Joined: 02 Nov 2006
Posts: 6339
|
When you made the changes did you refresh the queue manager's security?
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
|
| Back to top |
|
|
| jagte_raho |
| Posted: Thu Jun 24, 2021 5:46 am Post subject: |
|
|
Newbie
Joined: 23 Jun 2021
Posts: 6
|
| Yes, i did security resets |
|
| Back to top |
|
|
| jagte_raho |
| Posted: Thu Jun 24, 2021 9:48 am Post subject: Re: mqm user not able to connect to MQ |
|
|
Newbie
Joined: 23 Jun 2021
Posts: 6
|
| hughson wrote: |
| jagte_raho wrote: |
ERROR in logs
The user ID and password supplied by the 'runmqsc' program could not be
authenticated.
Additional information: 'N/A'.
ACTION:
Ensure that the correct user ID and password are provided by the application.
Ensure that the authentication repository is correctly configured. Look at
previous error messages for any additional information. |
What did the previous error messages say? |
Error messages in log when connecting through explorer, i can get it working by switching CHCKCLNT to NONE but i want password authentication when connecting from external systems
06/24/2021 01:38:48 PM - Process(16341.115) User(mqm) Program(amqzlaa0)
Host(mqserver) Installation(Installation1)
VRMF(9.0.2.0) QMgr(QUEUE.MANAGER)
AMQ5534: User ID 'mqm' authentication failed
EXPLANATION:
The user ID and password supplied by the 'MQ Explorer 9.1.0' program could not
be authenticated.
Additional information: 'N/A'.
ACTION:
Ensure that the correct user ID and password are provided by the application.
Ensure that the authentication repository is correctly configured. Look at
previous error messages for any additional information.
----- amqzfuca.c : 4488 -------------------------------------------------------
06/24/2021 01:38:48 PM - Process(16341.115) User(mqm) Program(amqzlaa0)
Host(mqserver) Installation(Installation1)
VRMF(9.0.2.0) QMgr(QUEUE.MANAGER)
AMQ5542: The failed authentication check was caused by the queue manager
CONNAUTH CHCKCLNT(REQDADM) configuration.
EXPLANATION:
The user ID 'mqm' and its password were checked because the queue manager
connection authority (CONNAUTH) configuration refers to an authentication
information (AUTHINFO) object named 'SYSTEM.DEFAULT.AUTHINFO.IDPWOS' with
CHCKCLNT(REQDADM).
This message accompanies a previous error to clarify the reason for the user ID
and password check.
ACTION:
Refer to the previous error for more information.
Ensure that a password is specified by the client application and that the
password is correct for the user ID. The authentication configuration of the
queue manager connection determines the user ID repository. For example, the
local operating system user database or an LDAP server.
If the CHCKCLNT setting is OPTIONAL, the authentication check can be avoided by
not passing a user ID across the channel. For example, by omitting the MQCSP
structure from the client MQCONNX API call.
To avoid the authentication check, you can amend the authentication
configuration of the queue manager connection, but you should generally not
allow unauthenticated remote access.
-------------------------------------------------------------------------------
06/24/2021 01:38:49 PM - Process(21868.5 User(mqm) Program(amqrmppa)
Host(mqserver) Installation(Installation1)
VRMF(9.0.2.0) QMgr(QUEUE.MANAGER)
AMQ9557: Queue Manager User ID initialization failed for 'mqm'.
EXPLANATION:
The call to initialize the User ID 'mqm' failed with CompCode 2 and Reason
2035. If an MQCSP block was users, the User ID in the MQCSP block was 'mqm'.
ACTION:
Correct the error and try again.
----- cmqxrsrv.c : 2363 -------------------------------------------------------
[mqm@mqserver errors]$ |
|
| Back to top |
|
|
| fjb_saper |
| Posted: Fri Jun 25, 2021 10:50 am Post subject: |
|
|
Grand High Poobah
Joined: 18 Nov 2003
Posts: 20756
Location: LI,NY
|
Have you tried what Markt suggested ? 
_________________
MQ & Broker admin |
|
| Back to top |
|
|
| jagte_raho |
| Posted: Fri Jun 25, 2021 12:37 pm Post subject: |
|
|
Newbie
Joined: 23 Jun 2021
Posts: 6
|
i observed all the files under /opt/mqm is owned by mqm user. I guess someone went in there and executed chown mqm:mqm *
Could this be the reason for my issue ? |
|
| Back to top |
|
|
| jagte_raho |
| Posted: Mon Jun 28, 2021 9:06 am Post subject: |
|
|
Newbie
Joined: 23 Jun 2021
Posts: 6
|
 issue is fixed. The issue was with the permission and ownership of files under /opt/mqm. Sticky bits were missing |
|
| Back to top |
|
|
| exerk |
| Posted: Mon Jun 28, 2021 10:58 am Post subject: |
|
|
Jedi Council
Joined: 02 Nov 2006
Posts: 6339
|
| jagte_raho wrote: |
| issue is fixed. The issue was with the permission and ownership of files under /opt/mqm. Sticky bits were missing |
Find the person that altered the permissions and re-educate them - with a baseball bat! People that do that are usually the same people that think it's a good idea to delete queue manager log files because they're "big, and doing nothing..."
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
|
| Back to top |
|
|
| bruce2359 |
| Posted: Mon Jun 28, 2021 1:15 pm Post subject: |
|
|
Poobah
Joined: 05 Jan 2008
Posts: 9469
Location: US: west coast, almost. Otherwise, enroute.
|
| exerk wrote: |
| jagte_raho wrote: |
| issue is fixed. The issue was with the permission and ownership of files under /opt/mqm. Sticky bits were missing |
Find the person that altered the permissions and re-educate them - with a baseball bat! People that do that are usually the same people that think it's a good idea to delete queue manager log files because they're "big, and doing nothing..." |
Permission bits are set by the installation process, and should not be modified unless directed by IBM support.
More than a few MQ newbies have granted Read and Write permission to the file system queue path in a pointless and dangerous attempt to “get around” application RC 2035.
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live. |
|
| Back to top |
|
|
|
|
