Again: Username Pwd authentication
briconaut
Posted: Thu Mar 01, 2007 8:34 am Post subject: Again: Username Pwd authentication
Newbie
Joined: 24 May 2006 Posts: 8 Location: Germany - Frankfurt am Main
Hello,
please help me understand how Mq client authentication works.
I'm writing a small Mq 6.0 client application to browse a queue on a Mq Server.
- The application is a small C-Application on a HP-UX machine.
- It uses the MQCONNX call to connect to the server.
- It provides the username 'mqm' in MQCD.UserIdentifier, MQCD.MCAUserIdentifier, LongMCAUserIdPtr and MQCSP.CSPUserIdPtr
- It provides the password 'mqm' in MQCD.Password and MQCSP.CSPPasswordPtr.
- The ...Length fields for the ...Ptr fields are set to the actual length of the password/username.
- MQCSP.AuthenticationType is set to MQCSP_AUTH_USER_ID_AND_PWD.
Now to the problem: If the client is run as user 'mqm' everything works fine, but any other user gets an MQRC_NOT_AUTHORIZED (2035) error from MQCONNX. According to the admin of the Mq server, access as user 'mqm' with password 'mqm' should work for any user running the Mq client. Does anyone have any idea what I'm doing wrong?
Regards,
Thomas.
Vitor
Posted: Thu Mar 01, 2007 8:43 am Post subject: Re: Again: Username Pwd authentication
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
briconaut wrote:
> Now to the problem: If the client is run as user 'mqm' everything works fine, but any other user gets an MQRC_NOT_AUTHORIZED (2035) error from MQCONNX. According to the admin of the Mq server, access as user 'mqm' with password 'mqm' should work for any user running the Mq client. Does anyone have any idea what I'm doing wrong?
As a general point, no application should be coded to use the mqm user id.
So in the failure situation:
1) The application is run under a non-authorised id
2) The application codes "mqm" in user id & password as detailed above
3) The connect fails with a 2035
Yes?
Also, can you explain the design rationale behind coding the user id in the connection code rather than using channel security or similar?
_________________
Honesty is the best policy.
Insanity is the best defence.
briconaut
Posted: Thu Mar 01, 2007 9:08 am Post subject:
Newbie
Joined: 24 May 2006 Posts: 8 Location: Germany - Frankfurt am Main
re 1) Yes.
re 2) No. User and password are actually read from a configuration file. Much safer this way. Just for debugging purposes I've hardcoded both username and password into the app.
re 3) Yes.
Our Mq client will be part of a bigger application. All executables belonging to this application must be run as a specific user (i.e. user 'service') because other parts of the app rely on it (e.g. start/stop procedures). Furthermore we're required to make client connections to the Mq-Server, so we cannot use channels between two servers.
Does that answer your questions?
Nigelg
Posted: Thu Mar 01, 2007 11:30 pm Post subject:
Grand Master
Joined: 02 Aug 2004 Posts: 1046
Please read the APG section on MQCSP again.
The User Identifier is only used on an LU62 connection
The MQCSP structure exists only to be passed to a user-defined security exit.
_________________
MQSeries.net helps those who help themselves.
Vitor
Posted: Fri Mar 02, 2007 1:16 am Post subject:
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
briconaut wrote:
> re 2) No. User and password are actually read from a configuration file. Much safer this way.
By safer, I hope you mean "read from a scrambled configuration file". User ids and passwords stored in plaintext in a file are not exactly "safer".
briconaut wrote:
> Furthermore we're required to make client connections to the Mq-Server, so we cannot use channels between two servers.
Granted. So why not use the client channel security? At the moment your problem is that the application is using the non-authorised user id it's running under (see the post of Nigelg for why you're not getting mqm user passed across). If the intention is for the client to run under a user of "service" then why not specify it as an MCAUser, and be certain that this user only has the authorities needed to run the application.
A search of this forum on MCAUser will reveal a raft of discussions on the use, abuse and potential dangers of MCAUser (dangerous if used improperly, hence my comment about setting authorities).
_________________
Honesty is the best policy.
Insanity is the best defence.
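Vitor's warning above is about what is stored in the configuration file; a complementary check on the client side is who can read it. The following is an added example, not code from this thread or from IBM's MQ client, showing a credential-file loader that refuses a group- or world-readable file, a file owned by a different user, or a symlink planted at the path, before it reads the user id and password. The file paths, the `user=`/`password=` line format and the sample contents are constructed for the example; it uses only POSIX calls and does not touch the MQ API. It limits who can read the secret; it does not change Vitor's point that the password is still stored in clear.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE            /* for O_NOFOLLOW, fdopen() and fchmod() on glibc */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/stat.h>

struct credentials {
    char user[64];
    char password[64];
};

/* The file must be a regular file, owned by the user the client runs as, and
 * closed to group and others (0600 or stricter). Checked on the open descriptor
 * so the file cannot be swapped between the check and the read. */
static int file_is_private(int fd)
{
    struct stat st;
    if (fstat(fd, &st) != 0)                return 0;
    if (!S_ISREG(st.st_mode))               return 0;
    if (st.st_uid != geteuid())             return 0;
    if (st.st_mode & (S_IRWXG | S_IRWXO))   return 0;
    return 1;
}

/* Parses "user=..." and "password=..." lines (a constructed format).
 * Returns 0 on success, -1 if the file is missing, unreadable or fails the
 * privacy check, -2 if either key is absent. */
int load_credentials(const char *path, struct credentials *out)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW);   /* a symlink at the path is refused, not followed */
    if (fd < 0)
        return -1;
    if (!file_is_private(fd)) {
        close(fd);
        return -1;
    }
    FILE *fp = fdopen(fd, "r");
    if (fp == NULL) {
        close(fd);
        return -1;
    }
    memset(out, 0, sizeof *out);
    char line[256];
    while (fgets(line, sizeof line, fp) != NULL) {
        line[strcspn(line, "\r\n")] = '\0';
        if (strncmp(line, "user=", 5) == 0)
            snprintf(out->user, sizeof out->user, "%s", line + 5);
        else if (strncmp(line, "password=", 9) == 0)
            snprintf(out->password, sizeof out->password, "%s", line + 9);
    }
    fclose(fp);
    return (out->user[0] != '\0' && out->password[0] != '\0') ? 0 : -2;
}

/* Writes a constructed sample file with an explicit mode; fchmod() overrides
 * the umask so the mode under test is exactly what ends up on disk. Returns 0 on success. */
int write_cred_file(const char *path, mode_t mode, const char *contents)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, mode);
    if (fd < 0)
        return -1;
    if (fchmod(fd, mode) != 0) {
        close(fd);
        return -1;
    }
    size_t len = strlen(contents);
    ssize_t n = write(fd, contents, len);
    close(fd);
    return (n >= 0 && (size_t)n == len) ? 0 : -1;
}

int main(void)
{
    const char *good = "/tmp/mqclient_cred_ok.cfg";      /* constructed sample paths */
    const char *bad  = "/tmp/mqclient_cred_world.cfg";
    struct credentials c;
    int rc;

    write_cred_file(good, 0600, "user=service\npassword=s3rv1ce-pw\n");
    write_cred_file(bad,  0644, "user=service\npassword=s3rv1ce-pw\n");

    rc = load_credentials(good, &c);
    printf("0600 file: rc=%d user=%s\n", rc, c.user);
    rc = load_credentials(bad, &c);
    printf("0644 file: rc=%d (refused before reading)\n", rc);

    unlink(good);
    unlink(bad);
    return 0;
}
```

The check is done with `fstat()` on the descriptor that is subsequently read, so a file replaced between a `stat()` and an `open()` cannot slip past it; `O_NOFOLLOW` refuses a symlink planted at the path outright.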
RogerLacroix
Posted: Fri Mar 02, 2007 10:18 am Post subject: Re: Again: Username Pwd authentication
 Jedi Knight
Joined: 15 May 2001 Posts: 3264 Location: London, ON Canada
briconaut wrote:
> - The application is a small C-Application on a HP-UX machine.
> - It uses the MQCONNX call to connect to the server.
> - It provides the username 'mqm' in MQCD.UserIdentifier, MQCD.MCAUserIdentifier, LongMCAUserIdPtr and MQCSP.CSPUserIdPtr
> - It provides the password 'mqm' in MQCD.Password and MQCSP.CSPPasswordPtr.
> - The ...Length fields for the ...Ptr fields are set to the actual length of the password/username.
> - MQCSP.AuthenticationType is set to MQCSP_AUTH_USER_ID_AND_PWD.
Yes, you can use MQCSP structure.
Are you expecting the remote queue manager to authenticate your incoming MQCSP structure? The queue manager does not do that. You have to write your own server-side security exit that will accept the incoming MQCSP, and your security exit will call the necessary OS-level authentication routines.
Also, you are sending the UserId and password in plain text to the remote queue manager, what about encryption?
There are 3 vendor products that do what you want:
1. Capitalware's MQ Authenticate User Security Exit
2. IBM's WebSphere MQ Extended Security Edition V6
3. Primeur's Data Secure for WebSphere MQ
Hope that helps.
Regards,
Roger Lacroix
Capitalware Inc.
_________________
Capitalware: Transforming tomorrow into today.
Connected to MQ!
Twitter
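Roger's and Nigelg's point, that in MQ 6 the queue manager ignores the MQCSP and only a server-side security exit can act on it, means the exit is where the actual checks have to live. The following is an added example, not code from this thread, from IBM, or from any of the products Roger lists, showing the two pieces of logic such an exit needs: validating the length-delimited user id and password the client flowed, and working out which id the queue manager then uses for authority checks. The `csp_parms` struct is an assumed stand-in for the MQCSP pointer/length fields named in the thread; the in-memory credential table stands in for the OS authentication call a real exit would make; the refusal of `mqm` follows Vitor's advice; and `effective_user` models the MCAUSER override Vitor describes. Nothing here links against the MQ headers or registers as a channel exit, so it runs stand-alone.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed stand-in for the MQCSP fields the thread names (CSPUserIdPtr/Length,
 * CSPPasswordPtr/Length). In a real SVRCONN security exit these arrive through
 * the parameter block the queue manager hands to the exit. As in MQCSP, the
 * strings are length-delimited, NOT NUL-terminated. */
struct csp_parms {
    const char *user_ptr;
    size_t      user_len;
    const char *pwd_ptr;
    size_t      pwd_len;
};

#define MAX_ID 64

/* Constructed credential table standing in for the OS-level authentication
 * routine (PAM, getspnam/crypt, ...) a real exit would call on the server. */
struct cred { const char *user; const char *pwd; };
static const struct cred CRED_TABLE[] = {
    { "service", "s3rv1ce-pw" },
    { "mqm",     "mqm" },
};

/* Constant-time comparison: a wrong password must not reveal how many leading
 * bytes matched through the exit's response time. */
static int ct_equal(const char *a, size_t alen, const char *b, size_t blen)
{
    unsigned char diff = (unsigned char)(alen != blen);
    size_t n = alen < blen ? alen : blen;
    for (size_t i = 0; i < n; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Copy a length-delimited field into a NUL-terminated buffer, rejecting
 * anything that would not fit. Calling strlen() on the incoming pointer
 * instead would read past the end of what the client sent. */
static int copy_field(char *dst, size_t dstsz, const char *src, size_t len)
{
    if (src == NULL || len == 0 || len >= dstsz)
        return 0;
    memcpy(dst, src, len);
    dst[len] = '\0';
    return 1;
}

/* Exit-side check of the flowed credentials. Returns 1 to accept, 0 to reject;
 * a rejection surfaces at the client as MQRC_NOT_AUTHORIZED (2035). */
int authenticate_csp(const struct csp_parms *p)
{
    char user[MAX_ID], pwd[MAX_ID];
    int ok = 0;

    if (!copy_field(user, sizeof user, p->user_ptr, p->user_len) ||
        !copy_field(pwd,  sizeof pwd,  p->pwd_ptr,  p->pwd_len))
        return 0;

    for (size_t i = 0; i < sizeof CRED_TABLE / sizeof CRED_TABLE[0]; i++) {
        int user_match = ct_equal(user, strlen(user), CRED_TABLE[i].user, strlen(CRED_TABLE[i].user));
        int pwd_match  = ct_equal(pwd,  strlen(pwd),  CRED_TABLE[i].pwd,  strlen(CRED_TABLE[i].pwd));
        ok |= (user_match & pwd_match);
    }
    /* Policy from the thread: no application connects as mqm, even with the right password. */
    if (strcmp(user, "mqm") == 0)
        ok = 0;

    memset(pwd, 0, sizeof pwd);   /* scrub the password copy before returning */
    return ok;
}

/* Which id the queue manager uses for authority checks once the exit has
 * accepted the connection: a non-blank MCAUSER on the SVRCONN channel wins;
 * otherwise it is the id the client flowed, i.e. the OS user the client runs
 * as, never the MQCSP id (the queue manager itself does not read the MQCSP).
 * Returns NULL when the exit rejected the connection. */
const char *effective_user(const char *mcauser, const char *flowed_os_user, int exit_accepted)
{
    if (!exit_accepted)
        return NULL;
    if (mcauser != NULL && mcauser[0] != '\0')
        return mcauser;
    return flowed_os_user;
}

int main(void)
{
    /* The thread's scenario: the client runs as 'service' but flows mqm/mqm in the MQCSP. */
    struct csp_parms flowed = { "mqm", 3, "mqm", 3 };
    int accepted = authenticate_csp(&flowed);
    const char *id = effective_user("", "service", accepted);
    printf("mqm/mqm accepted by exit: %d, effective id: %s\n", accepted, id ? id : "(rejected)");

    /* The shape the thread recommends: the service account's own credentials plus a least-privilege MCAUSER. */
    struct csp_parms svc = { "service", 7, "s3rv1ce-pw", 10 };
    accepted = authenticate_csp(&svc);
    id = effective_user("mqapp", "service", accepted);
    printf("service accepted by exit: %d, effective id: %s\n", accepted, id ? id : "(rejected)");
    return 0;
}
```

Two details matter more than the table lookup: every MQCSP field is copied by its length with an explicit bound, never with `strlen()`, and the password copy is wiped before the function returns. Roger's remaining point, that the pair crosses the network in clear, is not addressed by anything the exit can do and needs channel-level protection.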