C# Client error on message put - MQRC_NOT_AUTHORIZED
mangeshp16
PostPosted: Sat Sep 14, 2024 12:47 pm    Post subject: C# Client error on message put - MQRC_NOT_AUTHORIZED Reply with quote

Newbie

Joined: 14 Sep 2024
Posts: 8

I am trying to create a POC for basic validations like connect, put, get. MQ server is hosted on mainframe and my client is a C# console app. I am using the IBM.WMQ package. I have also configured the kdb file with all the certificates I received from the admin for the sending queue and receiving queue.

Initially I was facing issues with the user id being passed to the server as my logon user even though I am setting the user id using MQEnvironment.

My server admin then allowed my logon user to connect to queue manager just for testing.

After that I am able to connect to queue manager and access sending queue, but when I try to put a message I am getting the MQRC_NOT_AUTHORIZED error on this line -> sendingQueue.Put(message, new MQPutMessageOptions());

Any idea what could be missing? Here is my code below. Most of the code taken from sample project from IBM.

// hostName, channel, port, userId, keystorePath, keyStorePassword, qManager and
// sendingQueueName are fields defined elsewhere in the class (not shown in the post).
static Hashtable init(String connectionType)
{
    Hashtable connectionProperties = new Hashtable();

    connectionProperties.Add(MQC.TRANSPORT_PROPERTY, connectionType);

    switch (connectionType)
    {
        case MQC.TRANSPORT_MQSERIES_BINDINGS:
            break;

        case MQC.TRANSPORT_MQSERIES_CLIENT:
        case MQC.TRANSPORT_MQSERIES_XACLIENT:
        case MQC.TRANSPORT_MQSERIES_MANAGED:
            connectionProperties.Add(MQC.HOST_NAME_PROPERTY, hostName);
            connectionProperties.Add(MQC.CHANNEL_PROPERTY, channel);
            connectionProperties.Add(MQC.PORT_PROPERTY, port);
            connectionProperties.Add(MQC.USER_ID_PROPERTY, userId);
            connectionProperties.Add(MQC.PASSWORD_PROPERTY, null);
            connectionProperties.Add(MQC.USE_MQCSP_AUTHENTICATION_PROPERTY, true);
            connectionProperties.Add(MQC.SSL_CERT_STORE_PROPERTY, keystorePath);
            connectionProperties.Add(MQC.SSL_CERT_STORE_PASSWORD_PROPERTY, keyStorePassword);
            break;
    }

    return connectionProperties;
}

static int Main()
{
    MQEnvironment.SSLKeyRepository = keystorePath;
    MQEnvironment.SSLKeyRepositoryPassword = keyStorePassword;
    MQEnvironment.UserId = userId;

    // Managed (.NET-only) client transport
    Hashtable connectionProperties = init(MQC.TRANSPORT_MQSERIES_MANAGED);

    MQQueueManager qMgr = new(qManager, connectionProperties);

    // sending queue
    var sampleRequest = "hello";

    // Set up the options on the queue we want to open
    int openOptions = MQC.MQOO_INPUT_AS_Q_DEF | MQC.MQOO_OUTPUT;

    MQQueue sendingQueue = qMgr.AccessQueue(sendingQueueName, openOptions);

    MQMessage message = new MQMessage();
    message.Format = MQC.MQFMT_NONE;
    message.WriteBytes(sampleRequest);

    // This is the call that fails
    sendingQueue.Put(message, new MQPutMessageOptions());

    // close queues
    sendingQueue.Close();

    // Disconnect from the queue manager
    qMgr.Close();
    qMgr.Disconnect();

    return 0;
}
bruce2359
PostPosted: Sat Sep 14, 2024 4:33 pm    Post subject: Reply with quote

Poobah

Joined: 05 Jan 2008
Posts: 9469
Location: US: west coast, almost. Otherwise, enroute.

Gather from what you wrote that the z/OS security admins granted your Userid privilege to connect and open the queue, but not to put. Ask them to grant put, get, and any other privileges you require for your POC. This is no different from Windows or UNIX.
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
mangeshp16
PostPosted: Mon Sep 16, 2024 7:04 am    Post subject: Reply with quote

Newbie

Joined: 14 Sep 2024
Posts: 8

Thanks for your reply but the user id has put permissions. forgot to mention that there is a AMS policy on the queue and I have imported required certificates in kdb file.
bruce2359
PostPosted: Mon Sep 16, 2024 9:50 am    Post subject: Reply with quote

Poobah

Joined: 05 Jan 2008
Posts: 9469
Location: US: west coast, almost. Otherwise, enroute.

Ask the z/OS folks what error is logged there. MQRC_NOT_AUTHORIZED is the catch-all for any/every MQ-related failed authorization.
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
mangeshp16
PostPosted: Mon Sep 16, 2024 3:29 pm    Post subject: Reply with quote

Newbie

Joined: 14 Sep 2024
Posts: 8

I asked and they don't see any error logged. I started tracing on client side but I don't see any errors just a long trace but that does not provide me error details.
Where will error be logged on server? do they need to also start tracing to catch errors?
bruce2359
PostPosted: Mon Sep 16, 2024 4:50 pm    Post subject: Re: C# Client error on message put - MQRC_NOT_AUTHORIZED Reply with quote

Poobah

Joined: 05 Jan 2008
Posts: 9469
Location: US: west coast, almost. Otherwise, enroute.

mangeshp16 wrote:
... and access sending queue ...

Please be precise when you post, and use MQ terminology. What does this mean? What is a sending queue?

mangeshp16 wrote:
... most of the code taken from sample project from IBM.

What sample project from IBM? Did the sample work as-provided by IBM before you extracted code from it?
mangeshp16 wrote:
I started tracing on client side ...

What trace did you start on the client side? Please post the relevant portion (where you receive the _NOT_AUTHORIZED message).
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
mangeshp16
PostPosted: Wed Sep 18, 2024 4:43 am    Post subject: Reply with quote

Newbie

Joined: 14 Sep 2024
Posts: 8

I am using the MQC.TRANSPORT_MQSERIES_MANAGED as the TRANSPORT_MQSERIES_CLIENT is not supported (MQRC_FUNCTION_NOT_SUPPORTED) in IBM MQ dotnet standard library and Also found a documentation where they mentioned that
Applications using IBM MQ classes for .NET in a managed mode (client connections) are not supported for AMS. I guess this could be the reason for exception.

Anyways Please see answer to your questions below:

1. Sorry for the confusion. it is just a queue. we use 2 queues 1 for sending message 2. for receiving message. I am trying to put message on queue.

2. I used Dotnet MQ Sample - simpleput from 9.4.0.0-IBM-MQC-Redist-Win64 and extended it to include keystore (kdb) parameters required for AMS. simple put works for the queue where AMS policies are not applied but does not work for the queue where AMS policies are applied.

3. I started trace using mqtrace.config in my c# console project with following elements
<MQTRACELEVEL>2</MQTRACELEVEL>
<MQTRACEPATH>\trace</MQTRACEPATH>

Here is the relevant portion of trace.

-----} ManagedHconn.LeaveCall(int) rc=OK
00000C0B 11:14:28.253167 33960.1 ----} MQFAP.MQPUT(MQHCONN,MQLONG,ref MQMessageDescriptor,ref MQPutMessageOptions,MQLONG,MQBYTE [ ],out MQLONG,out MQLONG) rc=OK
00000C0C 11:14:28.253191 33960.1 ----{ MQFAP.GetManagedHconn(Hconn) inputs [IBM.WMQ.Nmqi.ParentHconn#0073673B]
00000C0D 11:14:28.253220 33960.1 ----} MQFAP.GetManagedHconn(Hconn) rc=OK
00000C0E 11:14:28.253250 33960.1 ---} MQFAP.MQPUT(Hconn,Hobj,MQMessageDescriptor,MQPutMessageOptions,MQLONG,MQBYTE [ ],out int,out int) rc=OK
00000C0F 11:14:28.253573 33960.1 MQQueueManager.CheckHConnHealth() Reason: 0x0000080F
00000C10 11:14:28.253757 33960.1 IBM.WMQ.MQQueue#01DC1A6B throwing MQException: cc=2 rc=2063
00000C11 11:14:28.254361 33960.1 New MQException CompCode: 2 Reason: 2063
00000C12 11:14:28.299915 33960.1 --}! MQDestination.Put(MQMessage,MQPutMessageOptions) rc=(Unknown(2063))
00000C13 11:14:28.309066 33960.1 MQQueueManager.IsConnected True HConn: 0x00000005
00000C14 11:14:28.309836 33960.1 --{ MQManagedObject.Close() inputs [True]
fjb_saper
PostPosted: Wed Sep 18, 2024 5:17 am    Post subject: Reply with quote

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20756
Location: LI,NY

mangeshp16 wrote:
I am using the MQC.TRANSPORT_MQSERIES_MANAGED as the TRANSPORT_MQSERIES_CLIENT is not supported (MQRC_FUNCTION_NOT_SUPPORTED) in IBM MQ dotnet standard library and Also found a documentation where they mentioned that
Applications using IBM MQ classes for .NET in a managed mode (client connections) are not supported for AMS. I guess this could be the reason for exception.

Anyways Please see answer to your questions below:

1. Sorry for the confusion. it is just a queue. we use 2 queues 1 for sending message 2. for receiving message. I am trying to put message on queue.

2. I used Dotnet MQ Sample - simpleput from 9.4.0.0-IBM-MQC-Redist-Win64 and extended it to include keystore (kdb) parameters required for AMS. simple put works for the queue where AMS policies are not applied but does not work for the queue where AMS policies are applied.

3. I started trace using mqtrace.config in my c# console project with following elements
<MQTRACELEVEL>2</MQTRACELEVEL>
<MQTRACEPATH>\trace</MQTRACEPATH>

Here is the relevant portion of trace.

-----} ManagedHconn.LeaveCall(int) rc=OK
00000C0B 11:14:28.253167 33960.1 ----} MQFAP.MQPUT(MQHCONN,MQLONG,ref MQMessageDescriptor,ref MQPutMessageOptions,MQLONG,MQBYTE [ ],out MQLONG,out MQLONG) rc=OK
00000C0C 11:14:28.253191 33960.1 ----{ MQFAP.GetManagedHconn(Hconn) inputs [IBM.WMQ.Nmqi.ParentHconn#0073673B]
00000C0D 11:14:28.253220 33960.1 ----} MQFAP.GetManagedHconn(Hconn) rc=OK
00000C0E 11:14:28.253250 33960.1 ---} MQFAP.MQPUT(Hconn,Hobj,MQMessageDescriptor,MQPutMessageOptions,MQLONG,MQBYTE [ ],out int,out int) rc=OK
00000C0F 11:14:28.253573 33960.1 MQQueueManager.CheckHConnHealth() Reason: 0x0000080F
00000C10 11:14:28.253757 33960.1 IBM.WMQ.MQQueue#01DC1A6B throwing MQException: cc=2 rc=2063
00000C11 11:14:28.254361 33960.1 New MQException CompCode: 2 Reason: 2063
00000C12 11:14:28.299915 33960.1 --}! MQDestination.Put(MQMessage,MQPutMessageOptions) rc=(Unknown(2063))
00000C13 11:14:28.309066 33960.1 MQQueueManager.IsConnected True HConn: 0x00000005
00000C14 11:14:28.309836 33960.1 --{ MQManagedObject.Close() inputs [True]

Indeed, what you are getting is a security error.
Can you please show us where you found that the transport TRANSPORT_MQSERIES_CLIENT was not supported?

You will have to make sure the C client is installed as well (should be according to your description) and not use a managed connection but just the client connection. You can report on your success once you tried that.

see: https://www.ibm.com/docs/en/ibm-mq/9.4?topic=security-known-limitations-ams
https://www.ibm.com/docs/en/ibm-mq/9.4?topic=ams-mca-interception-example
and
https://www.ibm.com/docs/en/ibm-mq/9.4?topic=ams-quick-start-guide-windows-platforms



_________________
MQ & Broker admin
bruce2359
PostPosted: Wed Sep 18, 2024 7:09 am    Post subject: Reply with quote

Poobah

Joined: 05 Jan 2008
Posts: 9469
Location: US: west coast, almost. Otherwise, enroute.

mangeshp16 wrote:

00000C0F 11:14:28.253573 33960.1 MQQueueManager.CheckHConnHealth() Reason: 0x0000080F
00000C10 11:14:28.253757 33960.1 IBM.WMQ.MQQueue#01DC1A6B throwing MQException: cc=2 rc=2063
00000C11 11:14:28.254361 33960.1 New MQException CompCode: 2 Reason: 2063

For each MQ call a CompletionCode and Reason will be returned. You should research (google) for a non-zero for either.
A quick google search for "mqrc 2063" resulted in https://www.ibm.com/docs/en/ibm-mq/9.2?topic=codes-2063-080f-rc2063-mqrc-security-error
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
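
Added example (not part of the thread and not IBM code): a small triage script for the .NET client trace format shown above. It collects every non-zero reason code, whether written as hex (`Reason: 0x0000080F`), decimal (`rc=2063`) or `rc=(Unknown(2063))`, and names the call that exited with an error. The function names are illustrative, and the sample lines are copied from the trace posted in this thread.

```python
import re

# Reason codes that come up in this thread, with their IBM MQ names.
REASONS = {
    2035: "MQRC_NOT_AUTHORIZED",
    2063: "MQRC_SECURITY_ERROR",
    2298: "MQRC_FUNCTION_NOT_SUPPORTED",
}

# Trace entry: 8-hex-digit sequence, timestamp, process.thread, then the text.
ENTRY = re.compile(r"^([0-9A-Fa-f]{8})\s+(\d\d:\d\d:\d\d\.\d+)\s+(\S+)\s+(.*)$")
# Reason written as "Reason: 0x0000080F", "Reason: 2063", "rc=2063"
# or "rc=(Unknown(2063))". "rc=OK" deliberately does not match.
CODE = re.compile(r"(?:Reason:\s*|\brc=(?:\(Unknown\()?)(0x[0-9A-Fa-f]+|\d+)")
# "}!" marks a method exit that carries an error.
FAILED_EXIT = re.compile(r"-+\}!\s+([\w.]+)\(")


def parse_code(text):
    """Convert a hex (0x...) or decimal reason code to an int."""
    return int(text, 16) if text.lower().startswith("0x") else int(text)


def find_failures(trace):
    """Return one record per trace entry that reports a non-zero reason."""
    failures = []
    for line in trace.splitlines():
        entry = ENTRY.match(line.strip())
        if not entry:
            continue  # continuation lines and entries without a prefix
        seq, stamp, _thread, body = entry.groups()
        code = CODE.search(body)
        if not code or parse_code(code.group(1)) == 0:
            continue
        reason = parse_code(code.group(1))
        call = FAILED_EXIT.search(body)
        failures.append({
            "seq": seq,
            "time": stamp,
            "reason": reason,
            "name": REASONS.get(reason, "not in table, look it up"),
            "failed_call": call.group(1) if call else None,
        })
    return failures


def summarize(trace):
    """Condense the failures: first entry, distinct reasons, failing calls."""
    failures = find_failures(trace)
    return {
        "first_seq": failures[0]["seq"] if failures else None,
        "reasons": sorted({(f["reason"], f["name"]) for f in failures}),
        "failed_calls": [f["failed_call"] for f in failures if f["failed_call"]],
    }


# Excerpt copied from the trace posted in this thread.
SAMPLE = """\
00000C0E 11:14:28.253250 33960.1 ---} MQFAP.MQPUT(Hconn,Hobj,MQMessageDescriptor,MQPutMessageOptions,MQLONG,MQBYTE [ ],out int,out int) rc=OK
00000C0F 11:14:28.253573 33960.1 MQQueueManager.CheckHConnHealth() Reason: 0x0000080F
00000C10 11:14:28.253757 33960.1 IBM.WMQ.MQQueue#01DC1A6B throwing MQException: cc=2 rc=2063
00000C11 11:14:28.254361 33960.1 New MQException CompCode: 2 Reason: 2063
00000C12 11:14:28.299915 33960.1 --}! MQDestination.Put(MQMessage,MQPutMessageOptions) rc=(Unknown(2063))
00000C13 11:14:28.309066 33960.1 MQQueueManager.IsConnected True HConn: 0x00000005
"""

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

On this excerpt the only reason reported is 2063 (MQRC_SECURITY_ERROR), first seen at entry 00000C0F, which is a different code from the 2035 (MQRC_NOT_AUTHORIZED) in the topic title.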
mangeshp16
PostPosted: Wed Sep 18, 2024 10:01 am    Post subject: Reply with quote

Newbie

Joined: 14 Sep 2024
Posts: 8

@fjb_saper

Interesting point about c client. where can I find C client?

And for your question -> Can you please show us where you found that the transport TRANSPORT_MQSERIES_CLIENT was not supported?

If I try to use that my program results in exception. here are the exception details. so I am assuming that this amqmdnetstd.dll and amqmxmsstd.dll currently do not support client. not able to find official docs about this.

Exception:
MQRC_FUNCTION_NOT_SUPPORTED - at IBM.WMQ.MQBase.throwNewMQException(Int32 cc, Int32 rc)
at IBM.WMQ.MQQueueManager.Connect(String queueManagerName)
mangeshp16
PostPosted: Wed Sep 18, 2024 10:25 am    Post subject: Reply with quote

Newbie

Joined: 14 Sep 2024
Posts: 8

Here you go: https://www.nuget.org/packages/IBMMQDotnetClient

IBMMQDotnetClient

IBM MQ classes for .NET Standard allow a program written in the .NET programming framework to work with IBM MQ Queue Manager.Standard IBM MQ Interfaces made available in the form of OO Classes.Popularly known as Base .NET Classes.Supports

Point-to-Point messaging
Publish/Subscribe messaging
Client Auto Reconnect
Asynchronous Message Delivery
Interoperability between XMS/JMS and other IBM MQ Applications
IBM MQ classes for .NET Standard supports only Managed client connection i.e Managed Mode.
hughson
PostPosted: Wed Sep 18, 2024 9:07 pm    Post subject: Reply with quote

Padawan

Joined: 09 May 2013
Posts: 1959
Location: Bay of Plenty, New Zealand

mangeshp16 wrote:
Dotnet MQ Sample - simpleput - works for the queue where AMS policies are not applied but does not work for the queue where AMS policies are applied.
mangeshp16 wrote:
00000C11 11:14:28.254361 33960.1 New MQException CompCode: 2 Reason: 2063
00000C12 11:14:28.299915 33960.1 --}! MQDestination.Put(MQMessage,MQPutMessageOptions) rc=(Unknown(2063))
mangeshp16 wrote:
Also found a document where they mentioned that Applications using IBM MQ classes for .NET in a managed mode (client connections) are not supported for AMS. I guess this could be the reason for exception.

I suspect you are onto something here. IBM Docs details in the latest version of Known limitations of AMS that:
IBM Docs wrote:
Applications using IBM MQ classes for .NET in a managed mode (client connections) are not supported.

You have been provided suggestions of two ways to solve your issue.
  1. Switch from using .NET in a managed mode, to using .NET in unmanaged mode. This causes the .NET MQ libraries to use the 'C' client implementation under the covers instead of the .NET implementation. The 'C' client then provides the code for using AMS.
  2. Use AMS MCA Interception to apply the AMS protections when the message arrives at the MCA. This is not ideal and is not end-to-end protection. Also, I believe you said your queue manager was on z/OS, and so I don't believe SVRCONN AMS interception is available on z/OS.

I think from these comments:-
mangeshp16 wrote:
...so I am assuming that this amqmdnetstd.dll and amqmxmsstd.dll currently do not support client.
mangeshp16 wrote:
IBM MQ classes for .NET Standard from https://www.nuget.org/packages/IBMMQDotnetClient

that you are using .NET standard which is described in the IBM Docs here. I am not an expert in .NET, but I understand the purpose of this package is to allow you to write .NET applications that don't have a reliance on the MQ installation. Unfortunately, you appear to have a feature dependency that means you must have an MQ client installation.

Your comment:-
mangeshp16 wrote:
I used Dotnet MQ Sample - simpleput from 9.4.0.0-IBM-MQC-Redist-Win64...
does suggest that you might have everything you need to make this changeover though. The description of Redistributable IBM MQ clients says:-
IBM Docs wrote:
You can use the files that are contained in the redistributable images to run.... IBM MQ using fully managed and unmanaged .NET classes.
XMS .NET is shipped as part of the redistributable client. XMS .NET requires the IBM MQ .NET client (amqmdnet.dll). If unmanaged mode is to be used, then the IBM MQ C client libraries are also needed along with amqmdnet.dll.

However, not being an expert in .NET, I am not sure if that is enough information for you.

I hope this helps you in some manner.
Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
mangeshp16
PostPosted: Mon Sep 30, 2024 1:54 pm    Post subject: Reply with quote

Newbie

Joined: 14 Sep 2024
Posts: 8

Hello @hughson. Thanks for your reply and Sorry for not replying earlier.

I moved on to c++ libraries as they are easy to use and supports AMS. c++ dll can be imported in .net standard 8.0 so we will use c++ as a wrapper component for communicating with MQ.

With c++ I am facing this issue when AMS interceptor tries to read keystore

Any idea? I have checked the keystore and the certificate is present and the label is correct. cert is not expired. all checks pass but still getting this error below. back to back 2 errors logged. certificate i am using is public certificate as it will only be used for AMS encryption and ssl/tls policy is not enabled on queue manager.

---
----- amqxeida.c : 7104 -------------------------------------------------------
9/30/2024 17:37:29 -
AMQ9008E: Cannot acquire the certificate for the label: <lable> in the keystore
file <filepath>. GSKit ACME
GSS minor reason is 58.

EXPLANATION:
IBM MQ security policy interceptor was unable to read the certificate for the
given label from keystore.
ACTION:
Make sure the label is correctly set as the cms.certificate entry of the
configuration file. Check if the keystore contains the certificate for the
given label.
----- smqodida.c : 1239 -------------------------------------------------------
9/30/2024 17:37:29 -
AMQ9012E: The IBM MQ security policy interceptor could not acquire the public
key credential.

EXPLANATION:
The IBM MQ security policy interceptor could not perform a public key
infrastructure (PKI) login.
ACTION:
Check the error messages related to acquiring public key credentials to
determine the cause of the failure. Check whether user has the permission to
read the kdb and stash files and verify whether the kdb file contains a
certificate with the label specified. Finally, check whether the certificate
has not expired.
hughson
PostPosted: Mon Sep 30, 2024 5:31 pm    Post subject: Reply with quote

Padawan

Joined: 09 May 2013
Posts: 1959
Location: Bay of Plenty, New Zealand

You say "certificate i am using is public certificate as it will only be used for AMS encryption", but I'm not quite sure why you believe you only need the public certificate? That might be true for certificates you are encrypting for, i.e those DNs mentioned in policy definitions, but for the application doing the encryption/signing, I think you need to have the key as well.

GSKit ACME GSS minor reason is 58 appears to be GSS_S_MINOR_CERT_HAS_NO_PRIVATE_KEY which somewhat bears that out. It looks like it is complaining that it cannot find a certificate AND KEY with the label it is complaining about.

Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software


Last edited by hughson on Tue Oct 01, 2024 5:41 pm; edited 1 time in total
mangeshp16
PostPosted: Tue Oct 01, 2024 3:33 pm    Post subject: Reply with quote

Newbie

Joined: 14 Sep 2024
Posts: 8

Thanks for your analysis and finding this page which documents the GSKit reason codes. Only reason I thought public certificate is needed for encryption is because other java api is using the same certificate in jks keystore. Frankly I am not sure how AMS works in java world but I have asked team to provide me pfx cert or pk12 with private key.