ASG
IBM
Zystems
Cressida
Icon
Netflexity
 
  MQSeries.net
Search  Search       Tech Exchange      Education      Certifications      Library      Info Center      SupportPacs      LinkedIn  Search  Search                                                                   FAQ  FAQ   Usergroups  Usergroups
 
Register  ::  Log in Log in to check your private messages
 
RSS Feed - WebSphere MQ Support RSS Feed - Message Broker Support

MQSeries.net Forum IndexGeneral IBM MQ Supportmqm user not able to connect to MQ

Post new topicReply to topic
mqm user not able to connect to MQ View previous topic :: View next topic
Author Message
jagte_raho
PostPosted: Wed Jun 23, 2021 11:55 am Post subject: mqm user not able to connect to MQ Reply with quote

Newbie

Joined: 23 Jun 2021
Posts: 6

Hi All, I am new to MQ and i am having this issue for few days now which i am trying to fix. This a newly built mq environment and I am not able to connect to queue manager internally or externally when providing password.

QM is on a linux machine

CHLAUTH is disabled - DISPLAY QMGR CHLAUTH
3 : DISPLAY QMGR CHLAUTH
AMQ8408: Display Queue Manager details.
QMNAME(QUEUE.MANAGER) CHLAUTH(DISABLED)


OS authentication is being used for connauth

3 : DISPLAY QMGR connauth
AMQ8408: Display Queue Manager details.
QMNAME(QUEUE.MANAGER)
CONNAUTH(SYSTEM.DEFAULT.AUTHINFO.IDPWOS)
display authinfo CONNAUTH(SYSTEM.DEFAULT.AUTHINFO.IDPWOS)

4 : display authinfo(SYSTEM.DEFAULT.AUTHINFO.IDPWOS)
AMQ8566: Display authentication information details.
AUTHINFO(SYSTEM.DEFAULT.AUTHINFO.IDPWOS)
AUTHTYPE(IDPWOS) ADOPTCTX(NO)
DESCR( ) CHCKCLNT(REQDADM)
CHCKLOCL(OPTIONAL) FAILDLAY(1)
AUTHENMD(OS) ALTDATE(2021-06-23)
ALTTIME(14.41.14)


I am trying to connect to MQ with mqm from explorer ruuning on my pc, but getting error. Same when trying to connect internally by providing password. Any help will be appreciated. I have verified mqm password by doing a ssh to the box. I have correct password for mqm user



runmqsc -u mqm QUEUE.MANAGER
5724-H72 (C) Copyright IBM Corp. 1994, 2016.
Enter password:
******
Starting MQSC for queue manager QUEUE.MANAGER.
AMQ8135: Not authorized.

No MQSC commands read.
No commands have a syntax error.
All valid MQSC commands were processed.



ERROR in logs

The user ID and password supplied by the 'runmqsc' program could not be
authenticated.
Additional information: 'N/A'.
ACTION:
Ensure that the correct user ID and password are provided by the application.
Ensure that the authentication repository is correctly configured. Look at
previous error messages for any additional information.


Last edited by jagte_raho on Mon Jun 28, 2021 9:10 am; edited 1 time in total
Back to top
View user's profile Send private message
markt
PostPosted: Wed Jun 23, 2021 11:04 pm Post subject: Reply with quote

Knight

Joined: 14 May 2002
Posts: 502

Where is the mqm userid defined and its password set? Is it outside the local OS or have special validation methods?

I suspect you might need to change the authinfo object to use AUTHENMD(PAM)
Back to top
View user's profile Send private message
hughson
PostPosted: Thu Jun 24, 2021 1:29 am Post subject: Re: mqm user not able to connect to MQ Reply with quote

Padawan

Joined: 09 May 2013
Posts: 1914
Location: Bay of Plenty, New Zealand

jagte_raho wrote:
ERROR in logs

The user ID and password supplied by the 'runmqsc' program could not be
authenticated.
Additional information: 'N/A'.
ACTION:
Ensure that the correct user ID and password are provided by the application.
Ensure that the authentication repository is correctly configured. Look at
previous error messages for any additional information.


What did the previous error messages say?
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
Back to top
View user's profile Send private message Visit poster's website
jagte_raho
PostPosted: Thu Jun 24, 2021 5:33 am Post subject: Reply with quote

Newbie

Joined: 23 Jun 2021
Posts: 6

I have already played with different combination of settings. changed the AUTHENMD to (PAM) and ADOPTCTX(YES) without any success. Here is the full error messages , this is when I am executing below command from the machine running queue manager


runmqsc -u mqm QUEUE.MANAGER
5724-H72 (C) Copyright IBM Corp. 1994, 2016.
Enter password:
******
Starting MQSC for queue manager QUEUE.MANAGER.
AMQ8135: Not authorized.

No MQSC commands read.
No commands have a syntax error.
All valid MQSC commands were processed.



[AMQ5534: User ID 'mqm' authentication failed

EXPLANATION:
The user ID and password supplied by the 'runmqsc' program could not be
authenticated.
Additional information: 'N/A'.
ACTION:
Ensure that the correct user ID and password are provided by the application.
Ensure that the authentication repository is correctly configured. Look at
previous error messages for any additional information.]

[AMQ5542: The failed authentication check was caused by the queue manager
CONNAUTH CHCKLOCL(OPTIONAL) configuration.

EXPLANATION:
The user ID 'mqm' and its password were checked because the queue manager
connection authority (CONNAUTH) configuration refers to an authentication
information (AUTHINFO) object named 'SYSTEM.DEFAULT.AUTHINFO.IDPWOS' with
CHCKLOCL(OPTIONAL).

This message accompanies a previous error to clarify the reason for the user ID
and password check.
ACTION:
Refer to the previous error for more information.

Ensure that a password is specified by the client application and that the
password is correct for the user ID. The authentication configuration of the
queue manager connection determines the user ID repository. For example, the
local operating system user database or an LDAP server.

If the CHCKCLNT setting is OPTIONAL, the authentication check can be avoided by
not passing a user ID across the channel. For example, by omitting the MQCSP
structure from the client MQCONNX API call.

To avoid the authentication check, you can amend the authentication
configuration of the queue manager connection, but you should generally not
allow unauthenticated remote access.][/quote]
Back to top
View user's profile Send private message
exerk
PostPosted: Thu Jun 24, 2021 5:36 am Post subject: Reply with quote

Jedi Council

Joined: 02 Nov 2006
Posts: 6339

When you made the changes did you refresh the queue manager's security?
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
Back to top
View user's profile Send private message
jagte_raho
PostPosted: Thu Jun 24, 2021 5:46 am Post subject: Reply with quote

Newbie

Joined: 23 Jun 2021
Posts: 6

Yes, i did security resets
Back to top
View user's profile Send private message
jagte_raho
PostPosted: Thu Jun 24, 2021 9:48 am Post subject: Re: mqm user not able to connect to MQ Reply with quote

Newbie

Joined: 23 Jun 2021
Posts: 6

hughson wrote:
jagte_raho wrote:
ERROR in logs

The user ID and password supplied by the 'runmqsc' program could not be
authenticated.
Additional information: 'N/A'.
ACTION:
Ensure that the correct user ID and password are provided by the application.
Ensure that the authentication repository is correctly configured. Look at
previous error messages for any additional information.


What did the previous error messages say?


Error messages in log when connecting through explorer, i can get it working by switching CHCKCLNT to NONE but i want password authentication when connecting from external systems

06/24/2021 01:38:48 PM - Process(16341.115) User(mqm) Program(amqzlaa0)
Host(mqserver) Installation(Installation1)
VRMF(9.0.2.0) QMgr(QUEUE.MANAGER)

AMQ5534: User ID 'mqm' authentication failed

EXPLANATION:
The user ID and password supplied by the 'MQ Explorer 9.1.0' program could not
be authenticated.
Additional information: 'N/A'.
ACTION:
Ensure that the correct user ID and password are provided by the application.
Ensure that the authentication repository is correctly configured. Look at
previous error messages for any additional information.
----- amqzfuca.c : 4488 -------------------------------------------------------
06/24/2021 01:38:48 PM - Process(16341.115) User(mqm) Program(amqzlaa0)
Host(mqserver) Installation(Installation1)
VRMF(9.0.2.0) QMgr(QUEUE.MANAGER)

AMQ5542: The failed authentication check was caused by the queue manager
CONNAUTH CHCKCLNT(REQDADM) configuration.

EXPLANATION:
The user ID 'mqm' and its password were checked because the queue manager
connection authority (CONNAUTH) configuration refers to an authentication
information (AUTHINFO) object named 'SYSTEM.DEFAULT.AUTHINFO.IDPWOS' with
CHCKCLNT(REQDADM).

This message accompanies a previous error to clarify the reason for the user ID
and password check.
ACTION:
Refer to the previous error for more information.

Ensure that a password is specified by the client application and that the
password is correct for the user ID. The authentication configuration of the
queue manager connection determines the user ID repository. For example, the
local operating system user database or an LDAP server.

If the CHCKCLNT setting is OPTIONAL, the authentication check can be avoided by
not passing a user ID across the channel. For example, by omitting the MQCSP
structure from the client MQCONNX API call.

To avoid the authentication check, you can amend the authentication
configuration of the queue manager connection, but you should generally not
allow unauthenticated remote access.
-------------------------------------------------------------------------------
06/24/2021 01:38:49 PM - Process(21868.5 User(mqm) Program(amqrmppa)
Host(mqserver) Installation(Installation1)
VRMF(9.0.2.0) QMgr(QUEUE.MANAGER)

AMQ9557: Queue Manager User ID initialization failed for 'mqm'.

EXPLANATION:
The call to initialize the User ID 'mqm' failed with CompCode 2 and Reason
2035. If an MQCSP block was users, the User ID in the MQCSP block was 'mqm'.
ACTION:
Correct the error and try again.
----- cmqxrsrv.c : 2363 -------------------------------------------------------
[mqm@mqserver errors]$
Back to top
View user's profile Send private message
fjb_saper
PostPosted: Fri Jun 25, 2021 10:50 am Post subject: Reply with quote

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20696
Location: LI,NY

Have you tried what Markt suggested ?
_________________
MQ & Broker admin
Back to top
View user's profile Send private message Send e-mail
jagte_raho
PostPosted: Fri Jun 25, 2021 12:37 pm Post subject: Reply with quote

Newbie

Joined: 23 Jun 2021
Posts: 6

i observed all the files under /opt/mqm is owned by mqm user. I guess someone went in there and executed chown mqm:mqm *

Could this be the reason for my issue ?
Back to top
View user's profile Send private message
jagte_raho
PostPosted: Mon Jun 28, 2021 9:06 am Post subject: Reply with quote

Newbie

Joined: 23 Jun 2021
Posts: 6

issue is fixed. The issue was with the permission and ownership of files under /opt/mqm. Sticky bits were missing
Back to top
View user's profile Send private message
exerk
PostPosted: Mon Jun 28, 2021 10:58 am Post subject: Reply with quote

Jedi Council

Joined: 02 Nov 2006
Posts: 6339

jagte_raho wrote:
issue is fixed. The issue was with the permission and ownership of files under /opt/mqm. Sticky bits were missing

Find the person that altered the permissions and re-educate them - with a baseball bat! People that do that are usually the same people that think it's a good idea to delete queue manager log files because they're "big, and doing nothing..."
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
Back to top
View user's profile Send private message
bruce2359
PostPosted: Mon Jun 28, 2021 1:15 pm Post subject: Reply with quote

Poobah

Joined: 05 Jan 2008
Posts: 9394
Location: US: west coast, almost. Otherwise, enroute.

exerk wrote:
jagte_raho wrote:
issue is fixed. The issue was with the permission and ownership of files under /opt/mqm. Sticky bits were missing

Find the person that altered the permissions and re-educate them - with a baseball bat! People that do that are usually the same people that think it's a good idea to delete queue manager log files because they're "big, and doing nothing..."

Permission bits are set by the installation process, and should not be modified unless directed by IBM support.

More than a few MQ newbies have granted Read and Write permission to the file system queue path in a pointless and dangerous attempt to “get around” application RC 2035.
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
Back to top
View user's profile Send private message
Display posts from previous:
Post new topicReply to topic Page 1 of 1

MQSeries.net Forum IndexGeneral IBM MQ Supportmqm user not able to connect to MQ
Jump to:



You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
Protected by Anti-Spam ACP


Theme by Dustin Baccetti
Powered by phpBB 2001, 2002 phpBB Group

Copyright MQSeries.net. All rights reserved.