| Author |
Message
|
| scravr |
 Posted: Fri Dec 02, 2022 8:35 am Post subject: mqccred uid SCYEXIT('mqccred(ChlExit)') |
 |
|
Partisan
Joined: 03 Apr 2003
Posts: 391
Location: NY NY USA 10021
|
HI Guys,
Created mqccred.ini with uid for AllQMs and generated TAB file with SCYEXIT('mqccred(ChlExit)')
Pointed variables to directory location of files MQSERVER, MQCHLIB, MQCHTAB, MQCCRED.
Chanele has: SCYEXIT(mqccred(ChlExit))
When running this we get 2035 showing old/original unix id.
/opt/mqm/samp/bin/amqsput Q1 QM1
Any ideas what I am missing?
Thanks,
Mo |
|
| Back to top |
|
 |
| scravr |
| Posted: Fri Dec 02, 2022 12:55 pm Post subject: |
|
|
Partisan
Joined: 03 Apr 2003
Posts: 391
Location: NY NY USA 10021
|
when using export_MQSAMP_USER_ID=xyz before
/opt/mqm/samp/bin/amqsput Q1 QM1
then manually entering non-encrypted password, i am able to connect and put messages.
That means channel cannot validate ud/pwd via SCYEXIT(mqccred(ChlExit))
or encrypt/decrypt schemas are different, or something else...?
mqccred.ini has comments on top then
#
#
AllQueueManagers:
Password=abcde12345 <<<---- encrypted PWD by runmqccred -f mqccred.ini -p
User=s.abcxyz
#
#
# |
|
| Back to top |
|
|
| fjb_saper |
| Posted: Mon Dec 05, 2022 5:38 am Post subject: |
|
|
Grand High Poobah
Joined: 18 Nov 2003
Posts: 20756
Location: LI,NY
|
| scravr wrote: |
when using export_MQSAMP_USER_ID=xyz before
/opt/mqm/samp/bin/amqsput Q1 QM1
then manually entering non-encrypted password, i am able to connect and put messages.
That means channel cannot validate ud/pwd via SCYEXIT(mqccred(ChlExit))
or encrypt/decrypt schemas are different, or something else...?
mqccred.ini has comments on top then
#
#
AllQueueManagers:
Password=abcde12345 <<<---- encrypted PWD by runmqccred -f mqccred.ini -p
User=s.abcxyz
#
#
# |
set the MQCCDTURL environment variable and use amqsputc instead of amqsput
Make sure in your channel tab to set the SCYDATA to ERROR.
And why is the user you set in the environment variable different from the user in the mqccred.ini file?
enjoy 
_________________
MQ & Broker admin |
|
| Back to top |
|
|
| exerk |
| Posted: Mon Dec 05, 2022 7:45 am Post subject: |
|
|
Jedi Council
Joined: 02 Nov 2006
Posts: 6339
|
| fjb_saper wrote: |
| scravr wrote: |
when using export_MQSAMP_USER_ID=xyz before
/opt/mqm/samp/bin/amqsput Q1 QM1
then manually entering non-encrypted password, i am able to connect and put messages.
That means channel cannot validate ud/pwd via SCYEXIT(mqccred(ChlExit))
or encrypt/decrypt schemas are different, or something else...?
mqccred.ini has comments on top then
#
#
AllQueueManagers:
Password=abcde12345 <<<---- encrypted PWD by runmqccred -f mqccred.ini -p
User=s.abcxyz
#
#
# |
set the MQCCDTURL environment variable and use amqsputc instead of amqsput
Make sure in your channel tab to set the SCYDATA to ERROR.
And why is the user you set in the environment variable different from the user in the mqccred.ini file?
enjoy |
Also bear in mind you need to unset MQSERVER as that takes precedence...
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
|
| Back to top |
|
|
| scravr |
| Posted: Mon Dec 05, 2022 8:13 am Post subject: |
|
|
Partisan
Joined: 03 Apr 2003
Posts: 391
Location: NY NY USA 10021
|
| exerk wrote: |
| fjb_saper wrote: |
| scravr wrote: |
when using export_MQSAMP_USER_ID=xyz before
/opt/mqm/samp/bin/amqsput Q1 QM1
then manually entering non-encrypted password, i am able to connect and put messages.
That means channel cannot validate ud/pwd via SCYEXIT(mqccred(ChlExit))
or encrypt/decrypt schemas are different, or something else...?
mqccred.ini has comments on top then
#
#
AllQueueManagers:
Password=abcde12345 <<<---- encrypted PWD by runmqccred -f mqccred.ini -p
User=s.abcxyz
#
#
# |
set the MQCCDTURL environment variable and use amqsputc instead of amqsput
Make sure in your channel tab to set the SCYDATA to ERROR.
And why is the user you set in the environment variable different from the user in the mqccred.ini file?
enjoy |
Also bear in mind you need to unset MQSERVER as that takes precedence... |
Non of comments are relevant. |
|
| Back to top |
|
|
| hughson |
| Posted: Mon Dec 05, 2022 9:43 pm Post subject: |
|
|
Padawan
Joined: 09 May 2013
Posts: 1959
Location: Bay of Plenty, New Zealand
|
| scravr wrote: |
| Non of comments are relevant. |
While you may think that none of the comments you have been given are relevant, I believe exerk has likely pointed out your problem exactly.
| exerk wrote: |
| Also bear in mind you need to unset MQSERVER as that takes precedence... |
In your problem description you tell us that, essentially, your exit is not doing what you expected it to do. This is most likely because it is not being run. If you are using the MQSERVER environment variable then the details in there are used INSTEAD of the MQCHLLIB and MQCHLTAB environment variables. MQSERVER cannot specify a channel exit, so a channel exit is not being used.
| scravr wrote: |
HI Guys,
Created mqccred.ini with uid for AllQMs and generated TAB file with SCYEXIT('mqccred(ChlExit)')
Pointed variables to directory location of files MQSERVER, MQCHLIB, MQCHTAB, MQCCRED.
Chanele has: SCYEXIT(mqccred(ChlExit))
When running this we get 2035 showing old/original unix id.
/opt/mqm/samp/bin/amqsput Q1 QM1
Any ideas what I am missing?
Thanks,
Mo |
As exerk said, unset the MQSERVER environment variable, and make sure you correctly spell the MQCHLLIB and MQCHLTAB environment variables - in case you have spelled them the way you did in your question, in which case they won't work either.
Also, please note that your are probably not running a client application either. amqsput without the letter 'c' on the end is a locally bound application (unless you have set the MQ_CONNECT_TYPE environment variable which you haven't mentioned). Please try running amqsputc instead after you have unset MQSERVER and correctly spelled the two CCDT environment variables.
If it still doesn't work, perhaps you can show us *all* the MQ environment variables you have set and we can check for any typos in there to get you going.
Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software |
|
| Back to top |
|
|
| scravr |
| Posted: Tue Dec 06, 2022 5:24 am Post subject: |
|
|
Partisan
Joined: 03 Apr 2003
Posts: 391
Location: NY NY USA 10021
|
Morag,
Thanks for detailed review.
Unfortunately, I can't paste here code since its on my client system. Here I post via my private laptop.
I do not have MQSERVER and all env. var. are set correctly. I fooloed IBM recommendation.
Wonder if mqccred password encrypt/decrypt schema is same as on channel exit?
In what stage channel decrypt PWD and how it passed to LDAP server?
Also when I set MQSAMP_USER_ID and run amqsputc and enter non-crypted PWD all works fine.
But with TAB file its not working. Getting 2058.
TY
MO |
|
| Back to top |
|
|
| exerk |
| Posted: Tue Dec 06, 2022 6:12 am Post subject: |
|
|
Jedi Council
Joined: 02 Nov 2006
Posts: 6339
|
| scravr wrote: |
| ...But with TAB file its not working. Getting 2058. |
Queue manager name error, so it appears the name are you passing on the command line does not match that, or any, within the CCDT file.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
|
| Back to top |
|
|
| fjb_saper |
| Posted: Tue Dec 06, 2022 7:46 am Post subject: |
|
|
Grand High Poobah
Joined: 18 Nov 2003
Posts: 20756
Location: LI,NY
|
Setting the SCYDATA to ERROR helps finding out what the error is when running the mqccred security exit. It could be as easy as having the wrong access permissions to the mqccred.ini file...
_________________
MQ & Broker admin |
|
| Back to top |
|
|
| hughson |
| Posted: Tue Dec 06, 2022 10:52 pm Post subject: |
|
|
Padawan
Joined: 09 May 2013
Posts: 1959
Location: Bay of Plenty, New Zealand
|
| scravr wrote: |
| But with TAB file its not working. Getting 2058. |
This suggests that QM1 is not in the QMNAME field of any of the CCDT entries. Either your CCDT was not created with the correct details, or you are not pointing to the CCDT file you think you are, e.g. not spelling the environment variables correctly as earlier noted.
Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software |
|
| Back to top |
|
|
| scravr |
| Posted: Fri Dec 16, 2022 9:51 am Post subject: |
|
|
Partisan
Joined: 03 Apr 2003
Posts: 391
Location: NY NY USA 10021
|
Run all kind of tests, still cannot connect.
1. setting: export MQSAMP_USER_ID=<LDAP-ID>
and running amqsput <Q> <QM>
then enter <LDAP-NON-ENCRYPTED-PASSWORD>
I can put then get messages. ALL WORS FINE !!!
2. When starting my app after encrypting mqccred and chmod to 600
without setting export MQSAMP_USER_ID=<LDAP-ID> )
I am getting MQRC_NOT_AUTHORIZED 2035 X-000007F3
and userID on LDAP locked since too many failed testing.
Any ideas? |
|
| Back to top |
|
|
| bruce2359 |
| Posted: Fri Dec 16, 2022 10:20 am Post subject: |
|
|
Poobah
Joined: 05 Jan 2008
Posts: 9469
Location: US: west coast, almost. Otherwise, enroute.
|
| scravr wrote: |
2. ... after encrypting mqccred and chmod to 600 ...
|
chmod for what file? Where? Please be precise.
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live. |
|
| Back to top |
|
|
| scravr |
| Posted: Fri Dec 16, 2022 11:38 am Post subject: |
|
|
Partisan
Joined: 03 Apr 2003
Posts: 391
Location: NY NY USA 10021
|
|
| Back to top |
|
|
| scravr |
| Posted: Fri Dec 16, 2022 11:39 am Post subject: |
|
|
Partisan
Joined: 03 Apr 2003
Posts: 391
Location: NY NY USA 10021
|
ב''ה
Really need help !!! |
|
| Back to top |
|
|
| bruce2359 |
| Posted: Fri Dec 16, 2022 1:25 pm Post subject: |
|
|
Poobah
Joined: 05 Jan 2008
Posts: 9469
Location: US: west coast, almost. Otherwise, enroute.
|
Precisely where in file system? Rwx permission bits generally do not result in 2035 rc.
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live. |
|
| Back to top |
|
|
|
|
