hughson
Posted: Wed Sep 18, 2024 4:45 pm
Padawan
Joined: 09 May 2013 Posts: 1959 Location: Bay of Plenty, New Zealand
sachinramesh wrote:
> hughson wrote:
> > sachinramesh wrote:
> > > I have tried to browse the message on the TEST.Q; the user is not the one specified in the .ini file. It's taking the user with which the MQ service is running.
> > I suspect this is because you have not yet set up user ID and password authentication, and so the connection does not adopt the user id because it has not been password validated.
> Can I know what is missed from my end? I have set the uid and pwd in the mqccred.ini file.
> The ini file is set in the env variables.
> The uid set in the ini file is the one which is used to log in to the server, on both client and server machines.
> The password for this is unknown as we connect to the servers using CyberArk.
> I have given a generic password in the ini file like 'Passw0rd'.
> My ini file looks like below.
> QueueManager:
> OPW=fjfoeiofhrwefo328f
> Name=TEST
> user=m12345
There is no mention of your queue manager side configuration in what you have done. Like I said, I suspect at least one of your issues is coming about because the queue manager is not yet set up to CHECK the password.
sachinramesh wrote:
> I was assuming that the qmgr will authenticate the uid/pwd specified in the mqccred.ini and the uid should be present on the qmgr server and pwd can be any random pwd.
It will only check the uid/pwd if you configure it to do so. Don't assume. Check. Have you enabled the password checking on the queue manager?
Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
sachinramesh
Posted: Sun Sep 22, 2024 12:38 am
Disciple
Joined: 20 Feb 2007 Posts: 170
Quote:
> There is no mention of your queue manager side configuration in what you have done. Like I said, I suspect at least one of your issues is coming about because the queue manager is not yet set up to CHECK the password.
On the queue manager side I have created the clnt conn channel and added the SCYDATA and SCYEXIT details as below.
SCYEXIT(E:\MQ\Exits\Installation1\mqccred(ChlExit))
SCYDATA(Debug)
I also configured the connauth property to the default 'system.default.authinfo.idpwos' with chckclnt as 'optional'.
Now it's referring to the mqccred.ini file when I run amqsputc TEST TESTQM,
but giving a 2035 error.
In the qmgr logs I see:
AMQ5534E: User ID 'xyz' authentication failed.
I have given our service account user id and pwd in the ini file.
My service account has all the authorization on the server to connect to the qmgr.
What should be the uid and pwd in the ini file? Is it the server login uid and pwd of the user?
fjb_saper
Posted: Sun Sep 22, 2024 12:32 pm
Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
sachinramesh wrote:
> I have given our service account user id and pwd in the ini file.
> My service account has all the authorization on the server to connect to the qmgr.
> What should be the uid and pwd in the ini file? Is it the server login uid and pwd of the user?
What you need in the ini file is the userid that has been authorized on MQ and its password. If you are using chlauth to substitute a different userid, it should be one that does not require a password (i.e. no privileged user).
In that case (chlauth substitution) you should not use mqccred because, if you do, the user (provided by mqccred) MUST be able to authenticate on the MQ server.
Hope it helps
_________________
MQ & Broker admin
Last edited by fjb_saper on Sun Oct 20, 2024 5:52 am; edited 1 time in total
sachinramesh
Posted: Mon Sep 23, 2024 1:24 am
Disciple
Joined: 20 Feb 2007 Posts: 170
Thanks fjb_saper and Hughson.
I have made some progress. I am able to connect now using our MQ service id. The 2035 error was for the wrong password.
Now that I have tested it in my test qmgr, it's fine.
But I have to implement the same setup for my app qmgrs.
As I have configured connauth at the qmgr level, will it also affect the app channels? Or will it only affect the channels where the security exit is defined?
Note: my app channels use the BlockIP exit to connect to the qmgr.
hughson
Posted: Mon Sep 23, 2024 3:05 am
Padawan
Joined: 09 May 2013 Posts: 1959 Location: Bay of Plenty, New Zealand
sachinramesh wrote:
> As I have configured connauth at the qmgr level, will it also affect the app channels? Or will it only affect the channels where the security exit is defined?
> Note: my app channels use the BlockIP exit to connect to the qmgr.
The password check will be done on all client channels, but since you have set CHCKCLNT(OPTIONAL) client applications will be allowed to not provide a password. If they provide a password and it is not correct, then they will see the same error you saw.
The MQCCRED exit is not the only way to supply the user id and password, as I'm sure you know.
If you decide to change to make passwords REQUIRED, you might want to read page 6 in this presentation to understand how to only make it REQUIRED on some channels and not on others.
Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
sachinramesh
Posted: Wed Sep 25, 2024 3:23 am
Disciple
Joined: 20 Feb 2007 Posts: 170
Thanks Morag for the presentation.
After going through the presentation I have tested these 2 scenarios.
They both work similarly.
1.
Configured sec exit mqccred on the channel.
Qmgr connauth with default IDPWOS, and chckclnt as optional.
Chlauth record for admin channel with chckclnt as Required.
2.
Qmgr connauth with default IDPWOS, and chckclnt as optional.
Chlauth record for admin channel with chckclnt as Required.
No security exit used on the chl. No CCDT files used.
When I tried to connect to the qmgr from MQ Explorer with uid check enabled,
it works fine and it's the same for both the cases.
Can you please let me know if there is any added advantage with mqccred used in my case, or is it two different ways of connecting to the qmgr with logon credentials?
hughson
Posted: Wed Sep 25, 2024 10:06 pm
Padawan
Joined: 09 May 2013 Posts: 1959 Location: Bay of Plenty, New Zealand
sachinramesh wrote:
> 1.
> Configured sec exit mqccred on the channel.
> Qmgr connauth with default IDPWOS, and chckclnt as optional.
> Chlauth record for admin channel with chckclnt as Required.
In this scenario, it is fairly clear that the mqccred exit is providing the password on behalf of your application.
sachinramesh wrote:
> 2.
> Qmgr connauth with default IDPWOS, and chckclnt as optional.
> Chlauth record for admin channel with chckclnt as Required.
> No security exit used on the chl. No CCDT files used.
I am unclear how the user ID and password are being supplied for the application in this scenario.
sachinramesh wrote:
> When I tried to connect to the qmgr from MQ Explorer with uid check enabled,
> it works fine and it's the same for both the cases.
MQ Explorer is an application that has written the necessary code to supply the user ID and password without the need for the mqccred exit. Are you supplying the password through the MQ Explorer here?
sachinramesh wrote:
> Can you please let me know if there is any added advantage with mqccred used in my case, or is it two different ways of connecting to the qmgr with logon credentials?
It is not clear what "your case" is, nor what the "two different ways" are.
Let me just say this.
If your application has written code to supply the user ID and password to the queue manager on an MQCONNX call, then it doesn't need to use the mqccred exit. The mqccred exit was developed as a stop-gap measure for those applications that wanted to use user id and password authentication but could not be updated to write the code themselves.
There are quite a number of IBM supplied applications and samples that do have the code in them to provide the user id and password without the need to use mqccred. MQ Explorer and runmqsc are some examples, and amqsput[c] and various other samples are other examples.
I assume that you have an application of your own that cannot be updated (at least for the moment) and so instead you are going to use the mqccred exit with that application?
Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
sachinramesh
Posted: Thu Sep 26, 2024 2:55 am
Disciple
Joined: 20 Feb 2007 Posts: 170
Quote:
> I am unclear how the user ID and password are being supplied for the application in this scenario.
I am using MQ Explorer to connect to the qmgr with uid/pwd.
Quote:
> MQ Explorer is an application that has written the necessary code to supply the user ID and password without the need for the mqccred exit. Are you supplying the password through the MQ Explorer here?
Yes, I am using MQ Explorer.
Quote:
> Let me just say this.
> If your application has written code to supply the user ID and password to the queue manager on an MQCONNX call, then it doesn't need to use the mqccred exit. The mqccred exit was developed as a stop-gap measure for those applications that wanted to use user id and password authentication but could not be updated to write the code themselves.
> There are quite a number of IBM supplied applications and samples that do have the code in them to provide the user id and password without the need to use mqccred. MQ Explorer and runmqsc are some examples, and amqsput[c] and various other samples are other examples.
> I assume that you have an application of your own that cannot be updated (at least for the moment) and so instead you are going to use the mqccred exit with that application?
We wanted to have our admin channel using uid/pwd to connect to our queue managers without impacting any applications connecting to the queue manager.
We use MO71 and MQ Explorer to connect to the queue manager.
Based on the presentation that was shared by you, I understand that we need to configure connauth on the queue manager with chckclnt as OPTIONAL.
Then a chlauth record for the admin channel with chckclnt as REQUIRED.
Is my understanding correct?
hughson
Posted: Thu Sep 26, 2024 4:19 am
Padawan
Joined: 09 May 2013 Posts: 1959 Location: Bay of Plenty, New Zealand
sachinramesh wrote:
> Based on the presentation that was shared by you, I understand that we need to configure connauth on the queue manager with chckclnt as OPTIONAL.
> Then a chlauth record for the admin channel with chckclnt as REQUIRED.
> Is my understanding correct?
Your understanding of the configuration is correct.
I will say one thing though: how do you stop your admin tools using a different channel that is not required to use a password? Or perhaps the point is that they are only assigned the admin user ID that they need if they use password authentication, and if they went in via another route they would have a much lower level of access?
Final question: what are you actually using mqccred for? Both MQ Explorer and MO71 can supply the password without needing a security exit to do the job for them.
Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
sachinramesh
Posted: Fri Sep 27, 2024 9:21 pm
Disciple
Joined: 20 Feb 2007 Posts: 170
Quote:
> I will say one thing though: how do you stop your admin tools using a different channel that is not required to use a password? Or perhaps the point is that they are only assigned the admin user ID that they need if they use password authentication, and if they went in via another route they would have a much lower level of access?
Our admin tools only use the TOOLS.ADMIN channel to connect, which we are trying to secure with uid/pwd authentication.
Yes, they will have to use the admin user id once the authentication is set up on the qmgr.
All the system channels are blocked in chlauth.
If they want to use the application channels to connect to the admin tool, they will be blocked by the BlockIP exit on the channel.
Quote:
> Final question: what are you actually using mqccred for? Both MQ Explorer and MO71 can supply the password without needing a security exit to do the job for them.
I thought that mqccred is used to secure only a particular channel with the authorised uid/pwd without enabling connauth on the qmgr.
I thought of applying it to our admin channels.
Now it's clear that we can use the admin tools by just enabling connauth on the qmgr.
Thank you for helping me to understand the concept of connauth.
fjb_saper
Posted: Sun Sep 29, 2024 2:46 am
Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
Qmgr-wide you should be using REQDADM, as the channels will then require a password for privileged users.
This can be done either at the AUTHINFO record or by using a generic CHLAUTH record...
_________________
MQ & Broker admin
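The configuration confirmed earlier in the thread (password checking OPTIONAL queue-manager-wide, REQUIRED on the TOOLS.ADMIN channel through a CHLAUTH rule) together with the REQDADM alternative suggested in this post, written out as MQSC. This is an added example, not commands posted by anyone in the thread. It assumes a distributed (Linux/Windows) queue manager, reuses the SYSTEM.DEFAULT.AUTHINFO.IDPWOS object and the TOOLS.ADMIN channel named in the thread, and the generic 'APP.*' channel pattern and the sample client user/address used in the RUNCHECK are assumed illustrations.

```mqsc
* Added example, not from the thread. Lines starting with * are comments.
*
* 1. Queue-manager-wide: check OS user ID/password when one is supplied,
*    OPTIONAL so application channels that send no password are unaffected.
ALTER AUTHINFO(SYSTEM.DEFAULT.AUTHINFO.IDPWOS) AUTHTYPE(IDPWOS) +
      CHCKCLNT(OPTIONAL) CHCKLOCL(OPTIONAL) ADOPTCTX(YES)
ALTER QMGR CONNAUTH(SYSTEM.DEFAULT.AUTHINFO.IDPWOS)

* 2. Per-channel override: the admin channel must present a valid password.
*    CHCKCLNT on a CHLAUTH rule is only honoured with USERSRC(CHANNEL) or
*    USERSRC(MAP), and the matching rule's value overrides the AUTHINFO one.
SET CHLAUTH(TOOLS.ADMIN) TYPE(ADDRESSMAP) ADDRESS(*) +
    USERSRC(CHANNEL) CHCKCLNT(REQUIRED) ACTION(REPLACE)

* 3. Alternative from this post: REQDADM makes a password mandatory only for
*    privileged (mqm / MQ administrator) user IDs on every client channel,
*    while non-privileged application IDs stay OPTIONAL. Either on AUTHINFO:
* ALTER AUTHINFO(SYSTEM.DEFAULT.AUTHINFO.IDPWOS) AUTHTYPE(IDPWOS) CHCKCLNT(REQDADM)
*    or on a generic CHLAUTH rule (assumed channel-name pattern APP.*):
* SET CHLAUTH('APP.*') TYPE(ADDRESSMAP) ADDRESS(*) USERSRC(CHANNEL) CHCKCLNT(REQDADM)

* 4. CONNAUTH / AUTHINFO changes take effect only after a refresh.
REFRESH SECURITY TYPE(CONNAUTH)

* 5. Verify what will actually be enforced. RUNCHECK evaluates the rules for
*    one concrete inbound connection (constructed user and address) and shows
*    the matching rule with its effective CHCKCLNT.
DISPLAY QMGR CONNAUTH
DISPLAY AUTHINFO(SYSTEM.DEFAULT.AUTHINFO.IDPWOS) CHCKCLNT CHCKLOCL ADOPTCTX
DISPLAY CHLAUTH(TOOLS.ADMIN) MATCH(RUNCHECK) CLNTUSER('mqadmin1') +
        ADDRESS('10.0.0.25')
```

Feed the file to the queue manager with `runmqsc QMNAME < connauth.mqsc`. Step 2 is what makes step 1 safe: because the queue-manager-wide setting stays OPTIONAL, an application channel whose MCAUSER is set by a security exit and that sends no password is not challenged, while any connection on TOOLS.ADMIN that omits or mis-types the password gets the 2035 the thread saw. The RUNCHECK display is the quickest way to confirm which rule a given admin connection will hit before switching tools over.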
sachinramesh
Posted: Fri Oct 18, 2024 10:55 pm
Disciple
Joined: 20 Feb 2007 Posts: 170
Hi fjb_saper,
I have tried the below configurations.
Enabled the qmgr connauth with AUTHTYPE(IDPWLDAP) with chckclnt as optional.
Created a chlauth entry for the TOOLS.ADMIN channel with chckclnt as Required.
When I tried to connect to the qmgr with my LDAP uid/pwd using the TOOLS.ADMIN channel it is working fine,
but I see the below errors in the qmgr log for an application user with MCA user 'payapp'.
One of our app channels is using this MCA user 'payapp' defined in the BlockIP file.
Why is this user being looked up in LDAP when we have specified chckclnt as optional?
Error log:
AMQ9557E: Queue Manager User ID initialization failed for 'payapp'
AMQ5531E: Error locating user or group in LDAP
EXPLANATION:
The LDAP authentication and authorization service has failed in the ldap_search
call while trying to find user or group 'payapp'. Returned count is 0.
Additional context is '(&(objectClass=USER)(sAMAccountName=payapp))'.
============================================
my authinfo details:
AUTHINFO(TEST) AUTHTYPE(IDPWLDAP)
ADOPTCTX(YES) DESCR( )
CONNAME(xxxxx.local) CHCKCLNT(OPTIONAL)
CHCKLOCL(OPTIONAL) CLASSGRP(GROUP)
CLASSUSR(USER) FAILDLAY(1)
FINDGRP(member)
BASEDNG(OU=Groups,OU=_CORP,DC=xxxxx,DC=local)
BASEDNU(OU=Accounts,OU=_CORP,DC=xxxxxx,DC=local)
LDAPUSER(CN=SVC1234,OU=Service-Accounts,OU=Accounts,OU=_CORP,DC=xxxxx,DC=local)
LDAPPWD(********************************)
SHORTUSR(sAMAccountName) GRPFIELD(sAMAccountName)
USRFIELD(sAMAccountName) AUTHORMD(SEARCHGRP)
NESTGRP(NO) SECCOMM(NO)
ALTDATE(2024-10-19) ALTTIME(07.52.33)
================
chlauth records:
CHLAUTH(PAY.APP) TYPE(ADDRESSMAP)
ADDRESS(*) USERSRC(CHANNEL)
CHCKCLNT(ASQMGR)
AMQ8878I: Display channel authentication record details.
CHLAUTH(TOOLS.ADMIN) TYPE(ADDRESSMAP)
ADDRESS(*) USERSRC(CHANNEL)
CHCKCLNT(REQUIRED)
AMQ8878I: Display channel authentication record details.
CHLAUTH(TOOLS.ADMIN) TYPE(BLOCKUSER)
USERLIST(noaccess)
================================
app channel def:
CHANNEL(PAY.APP) CHLTYPE(SVRCONN)
ALTDATE(2024-10-05) ALTTIME(09.51.20)
CERTLABL( ) COMPHDR(NONE)
COMPMSG(NONE)
DISCINT(0) HBINT(300)
KAINT(AUTO) MAXINST(50)
MAXINSTC(50) MAXMSGL(104857600)
MCAUSER(*NOACCESS) MONCHL(QMGR)
RCVDATA( ) RCVEXIT( )
SCYDATA(FN=/home/mqm/pay.txt;) SCYEXIT(BlockIP2(BlockExit))
SENDDATA( ) SENDEXIT( )
SHARECNV(1) SSLCAUTH(REQUIRED)
SSLCIPH( ) SSLPEER( )
TRPTYPE(TCP)
==============================
blockip file:
INCQMGR=Y;
LogPath=/home/mqm/log;
LogFileName=PAY_;
LogSize=4096;
Patterns=10.*;
AllowBlankUserID=Y;
BlockMqmUsers=N;
CON=*;*;MCA=payapp;
fjb_saper
Posted: Sun Oct 20, 2024 5:59 am
Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
The user you set in the MCAUSER still has to exist and be authorized to access MQ...
_________________
MQ & Broker admin
sachinramesh
Posted: Sun Oct 20, 2024 10:01 pm
Disciple
Joined: 20 Feb 2007 Posts: 170
fjb_saper wrote:
> The user you set in the MCAUSER still has to exist and be authorized to access MQ...
I can see the id 'payapp' exists on the server, but the permissions are not there.
However, my question is: when we set chckclnt as OPTIONAL on the qmgr,
why is it still checking the user in LDAP and giving the below errors?
AMQ5531E: Error locating user or group in LDAP
AMQ9557E: Queue Manager User ID initialization failed for 'payapp'.
dspmqaut -m PAYMGR -t qmgr -p payapp
AMQ7026E: A principal or group name was invalid.
id payapp
uid=1002(payapp) gid=1002(payapp) groups=1002(payapp