MQSeries.net Forum Index » IBM MQ Security » MQ Server 8.0 Client Channel Security
LouML
PostPosted: Wed Jul 30, 2014 6:44 am    Post subject: MQ Server 8.0 Client Channel Security

Partisan

Joined: 10 Nov 2005
Posts: 305
Location: Jersey City, NJ / Bethpage, NY

We recently installed MQ Server 8.0 on a Red Hat 6 server in development. We created a queue manager called QMDEV which will be a clone of an existing MQ 7.5 queue manager of the same name on a Solaris 10 server. We also copied the queue managers’ key.* files from the SSL directory.

We have a channel specifically for MQ Admins called ADMIN.QMDEV. This channel uses SSL to connect and works fine on MQ 7.5.

We do not have direct login access to our MQ servers. We log in with our AD userid and sudo to mqm. We did, however, set up a dummy userid called mqadm1 which we use to set MQ permissions. This userid is not set up for login access and does not have a password.

When we tried to add QMDEV as a remote queue manager in MQ Explorer using the ADMIN.QMDEV MQ Admin channel, we get 2035.

I understand that, for MQ 8.0, the CONNAUTH CHCKCLNT(REQDADM) setting requires that a password be sent for this mqadm1 userid.

Am I correct in saying that I now need to give mqadm1 a password and use this userid/password combo?

Code:
[mqm@mqm3d ssl]$ echo "dis chl(ADMIN.QMDEV) all" | runmqsc QMDEV
5724-H72 (C) Copyright IBM Corp. 1994, 2014.
Starting MQSC for queue manager QMDEV.


     1 : dis chl(ADMIN.QMDEV) all
AMQ8414: Display Channel details.
   CHANNEL(ADMIN.QMDEV)                    CHLTYPE(SVRCONN)
   ALTDATE(2014-07-29)                     ALTTIME(08.57.26)
   CERTLABL( )                             COMPHDR(NONE)
   COMPMSG(NONE)                           DESCR(Secure MQ administrator)
   DISCINT(0)                              HBINT(300)
   KAINT(AUTO)                             MAXINST(999999999)
   MAXINSTC(999999999)                     MAXMSGL(4194304)
   MCAUSER(*NOACCESS)                      MONCHL(QMGR)
   RCVDATA( )                              RCVEXIT( )
   SCYDATA( )                              SCYEXIT( )
   SENDDATA( )                             SENDEXIT( )
   SHARECNV(10)                            SSLCAUTH(REQUIRED)
   SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA)
   SSLPEER(<ssl peer data>)
   TRPTYPE(TCP)
One MQSC command read.
No commands have a syntax error.
All valid MQSC commands were processed.
[mqm@mqm3d ssl]$ echo "dis chlauth(ADMIN.QMDEV) all" | runmqsc QMDEV
5724-H72 (C) Copyright IBM Corp. 1994, 2014.
Starting MQSC for queue manager QMDEV.


     1 : dis chlauth(ADMIN.QMDEV) all
AMQ8878: Display channel authentication record details.
   CHLAUTH(ADMIN.QMDEV)                    TYPE(SSLPEERMAP)
   DESCR(Full MQ admin user)               CUSTOM( )
   SSLPEER(CN=mqadm1,<ssl peer data>)
   SSLCERTI( )                             ADDRESS(10.123.*)
   MCAUSER(mqadm1)                         USERSRC(MAP)
   CHCKCLNT(ASQMGR)                        ALTDATE(2014-07-29)
   ALTTIME(08.57.26)
AMQ8878: Display channel authentication record details.
   CHLAUTH(ADMIN.QMDEV)                    TYPE(BLOCKUSER)
   DESCR(Rule to allow MQ admin userids on this channel)
   CUSTOM( )                               USERLIST(nobody)
   WARN(NO)                                ALTDATE(2014-07-29)
   ALTTIME(08.57.26)
One MQSC command read.
No commands have a syntax error.
All valid MQSC commands were processed.
[mqm@mqm3d ssl]$
07/29/2014 09:02:19 AM - Process(5266.17) User(mqm) Program(amqzlaa0)
                    Host(mqm3d) Installation(Installation1)
                    VRMF(8.0.0.0) QMgr(QMDEV)

AMQ5540: Application 'MQ Explorer 8.0.0' did not supply a user ID and password

EXPLANATION:
The queue manager is configured to require a user ID and password, but none was
supplied.
ACTION:
Ensure that the application provides a valid user ID and password, or change
the queue manager configuration to OPTIONAL to allow applications to connect
which have not supplied a user ID and password.
----- amqzfuca.c : 4107 -------------------------------------------------------
07/29/2014 09:02:19 AM - Process(5266.17) User(mqm) Program(amqzlaa0)
                    Host(mqm3d) Installation(Installation1)
                    VRMF(8.0.0.0) QMgr(QMDEV)

AMQ5541: The failed authentication check was caused by the queue manager
CONNAUTH CHCKCLNT(REQDADM) configuration.

EXPLANATION:
The user ID 'mqadm1' and its password were checked because the user ID is
privileged and the queue manager connection authority (CONNAUTH) configuration
refers to an authentication information (AUTHINFO) object named
'SYSTEM.DEFAULT.AUTHINFO.IDPWOS' with CHCKCLNT(REQDADM).

This message accompanies a previous error to clarify the reason for the user ID
and password check.
ACTION:
Refer to the previous error for more information.

Ensure that a password is specified by the client application and that the
password is correct for the user ID. The authentication configuration of the
queue manager connection determines the user ID repository. For example, the
local operating system user database or an LDAP server.

To avoid the authentication check, you can either use an unprivileged user ID
or amend the authentication configuration of the queue manager. You can amend
the CHCKCLNT attribute in the CHLAUTH record, but you should generally not
allow unauthenticated remote access.
-------------------------------------------------------------------------------
07/29/2014 09:02:19 AM - Process(5110.4) User(mqm) Program(amqrmppa)
                    Host(mqm3d) Installation(Installation1)
                    VRMF(8.0.0.0) QMgr(QMDEV)

AMQ9557: Queue Manager User ID initialization failed for 'mqadm1'.

EXPLANATION:
The call to initialize the User ID 'mqadm1' failed with CompCode 2 and Reason
2035.
ACTION:
Correct the error and try again.

_________________
Yeah, well, you know, that's just, like, your opinion, man. - The Dude
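An added MQSC worked example (not from the thread, and not IBM's or any poster's configuration) that walks the CONNAUTH chain the AMQ5541 message names and keeps the password check on the admin channel instead of relaxing it. It assumes the queue manager QMDEV, channel ADMIN.QMDEV, userid mqadm1 and the AUTHINFO name USE.OS seen in the logs above; `<rest of admin DN>` is a placeholder for the certificate DN the thread redacts.

```mqsc
* 1. Follow the chain AMQ5541 describes: which AUTHINFO object the queue
*    manager's CONNAUTH attribute points at, and what that object checks.
DISPLAY QMGR CONNAUTH
DISPLAY AUTHINFO(USE.OS) ALL

* 2. Keep the channel itself with no usable default identity and mutual TLS,
*    exactly as the thread's DIS CHL output shows.
ALTER CHANNEL(ADMIN.QMDEV) CHLTYPE(SVRCONN) MCAUSER('*NOACCESS') +
      SSLCAUTH(REQUIRED) SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA)

* 3. Map the admin certificate to mqadm1 and restrict it to the admin subnet.
*    CHCKCLNT(REQUIRED) on the record makes the password check explicit for
*    this channel, so a later change to the queue manager-wide default
*    (which ASQMGR would inherit) cannot silently switch it off here.
SET CHLAUTH(ADMIN.QMDEV) TYPE(SSLPEERMAP) +
    SSLPEER('CN=mqadm1,<rest of admin DN>') ADDRESS('10.123.*') +
    USERSRC(MAP) MCAUSER('mqadm1') CHCKCLNT(REQUIRED) +
    DESCR('Full MQ admin user') ACTION(REPLACE)

* 4. The queue manager's default record SET CHLAUTH(*) TYPE(BLOCKUSER)
*    USERLIST(*MQADMIN) blocks administrators on every SVRCONN channel.
*    A record naming this channel is more specific and takes precedence,
*    so only the admin channel admits privileged ids; every other channel
*    stays covered by the default block.
SET CHLAUTH(ADMIN.QMDEV) TYPE(BLOCKUSER) USERLIST('nobody') +
    DESCR('Rule to allow MQ admin userids on this channel') ACTION(REPLACE)

* 5. Authenticate against the OS user repository (which PAM/VAS may back),
*    demand a password from privileged remote clients (REQDADM), and run
*    subsequent authority checks as the authenticated id (ADOPTCTX) unless
*    a CHLAUTH mapping sets MCAUSER, which takes precedence. FAILDLAY slows
*    password guessing; 5 seconds is an assumed value, not the default.
DEFINE AUTHINFO(USE.OS) AUTHTYPE(IDPWOS) +
       CHCKCLNT(REQDADM) CHCKLOCL(OPTIONAL) +
       ADOPTCTX(YES) FAILDLAY(5) REPLACE
ALTER QMGR CONNAUTH(USE.OS)
REFRESH SECURITY TYPE(CONNAUTH)

* 6. Confirm the result. A connection on ADMIN.QMDEV that sends no MQCSP
*    userid/password should now fail with 2035 and log AMQ5540 + AMQ5541,
*    as in the thread; one that sends a valid OS password for mqadm1 connects.
DISPLAY CHLAUTH(ADMIN.QMDEV) ALL
DISPLAY QMGR CONNAUTH
```

Because the password is verified by the OS, `mqadm1` must be a real account the host can authenticate (via VAS/PAM or local files); the AMQ5534 failure later in this thread is that OS-level check failing, not an MQ object setting.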
mqjeff
PostPosted: Wed Jul 30, 2014 6:53 am    Post subject: Re: MQ Server 8.0 Client Channel Security

Grand Master

Joined: 25 Jun 2008
Posts: 17447

LouML wrote:
I understand, for MQ 8.0, the CONNAUTH CHCKCLNT(REQDADM) requires a password be sent for this mqadm1 userid.

Am I correct in saying that I now need to give mqadm1 a password and use this userid/password combo?


That *should* be sufficient.

And, of course, add the password to the MQExplorer configuration.
fjb_saper
PostPosted: Wed Jul 30, 2014 2:36 pm    Post subject: Re: MQ Server 8.0 Client Channel Security

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20756
Location: LI,NY

mqjeff wrote:
LouML wrote:
I understand, for MQ 8.0, the CONNAUTH CHCKCLNT(REQDADM) requires a password be sent for this mqadm1 userid.

Am I correct in saying that I now need to give mqadm1 a password and use this userid/password combo?


That *should* be sufficient.

And, of course, add the password to the MQExplorer configuration.

And make sure that for the MQExplorer the password is not over 12 bytes long.
Had the problem... works fine in JMS with the right MQCSP parm but not in MQExplorer...
_________________
MQ & Broker admin
LouML
PostPosted: Mon Aug 11, 2014 2:44 am    Post subject:

Partisan

Joined: 10 Nov 2005
Posts: 305
Location: Jersey City, NJ / Bethpage, NY

Still having the same issue. As mentioned previously, we do not have direct login access to our MQ servers. We log in with our AD userid and sudo to mqm. We did, however, set up a dummy userid called mqadm1 which we use to set MQ permissions. This userid was not set up for login access and did not have a password.

I asked the Unix admin to create a password for the mqadm1 userid (less than 12 characters). It still fails:
Code:
08/11/2014 06:40:51 AM - Process(4637.17) User(mqm) Program(amqzlaa0)
                    Host(mqmgw3d) Installation(Installation1)
                    VRMF(8.0.0.0) QMgr(QMDEV)

AMQ5534: User ID 'mqadm1' authentication failed

EXPLANATION:
The user ID and password supplied by 'MQ Explorer 8.0.0' could not be
authenticated.
ACTION:
Ensure that the correct user ID and password are provided by the application.
Ensure that the authentication repository is correctly configured. Look at
previous error messages for any additional information.
----- amqzfuca.c : 4242 -------------------------------------------------------
08/11/2014 06:40:51 AM - Process(4637.17) User(mqm) Program(amqzlaa0)
                    Host(mqmgw3d) Installation(Installation1)
                    VRMF(8.0.0.0) QMgr(QMDEV)

AMQ5541: The failed authentication check was caused by the queue manager
CONNAUTH CHCKCLNT(REQDADM) configuration.

EXPLANATION:
The user ID 'mqadm1' and its password were checked because the user ID is
privileged and the queue manager connection authority (CONNAUTH) configuration
refers to an authentication information (AUTHINFO) object named 'USE.OS' with
CHCKCLNT(REQDADM).

This message accompanies a previous error to clarify the reason for the user ID
and password check.
ACTION:
Refer to the previous error for more information.

Ensure that a password is specified by the client application and that the
password is correct for the user ID. The authentication configuration of the
queue manager connection determines the user ID repository. For example, the
local operating system user database or an LDAP server.

To avoid the authentication check, you can either use an unprivileged user ID
or amend the authentication configuration of the queue manager. You can amend
the CHCKCLNT attribute in the CHLAUTH record, but you should generally not
allow unauthenticated remote access.
-------------------------------------------------------------------------------
08/11/2014 06:40:52 AM - Process(9314.4) User(mqm) Program(amqrmppa)
                    Host(mqmgw3d) Installation(Installation1)
                    VRMF(8.0.0.0) QMgr(QMDEV)

AMQ9557: Queue Manager User ID initialization failed for 'mqadm1'.

EXPLANATION:
The call to initialize the User ID 'mqadm1' failed with CompCode 2 and Reason
2035.
ACTION:
Correct the error and try again.
----- cmqxrsrv.c : 2199 -------------------------------------------------------


The Unix admin mentioned that IBM sometimes has issues with VAS.

Can anyone confirm if this might be a possible issue?
_________________
Yeah, well, you know, that's just, like, your opinion, man. - The Dude
fjb_saper
PostPosted: Mon Aug 11, 2014 5:40 am    Post subject:

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20756
Location: LI,NY

If using WAS did you set up userid and pw in JAAS?
_________________
MQ & Broker admin
RogerLacroix
PostPosted: Tue Aug 12, 2014 3:11 pm    Post subject:

Jedi Knight

Joined: 15 May 2001
Posts: 3264
Location: London, ON Canada

Hi,

<Vendor_Hat_On>
MQAUSX on Linux/Unix works extremely well authenticating UserID & Password with both VAS and Active Directory. I have already begun testing MQAUSX with MQ v8.0 and it is working very well.

As always, Capitalware offers free trials of its products with free support.
</Vendor_Hat_Off>

Regards,
Roger Lacroix
Capitalware Inc.
_________________
Capitalware: Transforming tomorrow into today.
Connected to MQ!
Twitter
LouML
PostPosted: Wed Aug 13, 2014 1:53 am    Post subject:

Partisan

Joined: 10 Nov 2005
Posts: 305
Location: Jersey City, NJ / Bethpage, NY

Looks great, Roger. However, this company does NOT like to spend a dime, I don't know that I can get them to pull the trigger on this.

As for my issue, I tested that the userid/password works as I am able to ssh to the server with those values.

Spoke with the Unix admin yesterday. He said they had similar issues with IBM's TWS and ITM. With TWS, they went with LDAP. With ITM, they used PAM.

I found this: http://www-01.ibm.com/support/docview.wss?uid=swg21194750

Will discuss this further with him today.
_________________
Yeah, well, you know, that's just, like, your opinion, man. - The Dude
mqjeff
PostPosted: Wed Aug 13, 2014 4:54 am    Post subject:

Grand Master

Joined: 25 Jun 2008
Posts: 17447

You should double-check as well that the mqm user (or otherwise the user running mq) has the necessary permissions against VAS to authenticate users.

This is less typical in a Unix world, but it's one of the gotchas of using MQ on Windows, where the MQ service user needs specific permissions in ActiveDirectory in order to verify group membership and etc.

Just because the mqm user is in the local admin group, VAS may not think that's the case.
LouML
PostPosted: Wed Aug 13, 2014 5:07 am    Post subject:

Partisan

Joined: 10 Nov 2005
Posts: 305
Location: Jersey City, NJ / Bethpage, NY

Will do.

As I think about this further, I wonder if this is the same issue I'm having trying to use the Administrated Servers feature of MS0P.

Code:
07:30:35 [main] admin        AccessMethod (tryToStartSession)
com.ibm.tivoli.remoteaccess.RemoteAccessAuthException: CTGRI0000E Could not establish a connection to the target machine with the authorization credentials that were provided.
  using SSH
Jul 16 07:30:35 mqm3d sshd[13482]: pam_vas: Authentication <failed> for <Active Directory> user: <mqm> account: <mqm3d_mqm_svc@AD.COMPANY.COM> service: <sshd> reason: <Invalid password.> Access Control Identifier(NT Name):<COMPANY\mqm3d_mqm_svc>
Jul 16 07:30:35 mqm3d sshd[13482]: Failed password for mqm from 10.123.149.129 port 63039 ssh2
Jul 16 07:30:35 mqm3d sshd[13483]: Received disconnect from 10.123.149.129: 10: General disconnection
07:30:36 [main] admin        AccessMethod (tryToStartSession)
java.net.ConnectException: CTGRI0001E The application could not establish a connection to mqm3d.
  using Windows/SMB/TCP
09:42:11 [main] admin        AccessMethod (tryToStartSession)
com.ibm.tivoli.remoteaccess.RemoteAccessAuthException: CTGRI0000E Could not establish a connection to the target machine with the authorization credentials that were provided.
  using SSH

_________________
Yeah, well, you know, that's just, like, your opinion, man. - The Dude
mqjeff
PostPosted: Wed Aug 13, 2014 5:28 am    Post subject:

Grand Master

Joined: 25 Jun 2008
Posts: 17447

LouML wrote:
Will do.

As I think about this further, I wonder if this is the same issue I'm having trying to use the Administrated Servers feature of MS0P.

Code:
07:30:35 [main] admin        AccessMethod (tryToStartSession)
com.ibm.tivoli.remoteaccess.RemoteAccessAuthException: CTGRI0000E Could not establish a connection to the target machine with the authorization credentials that were provided.
  using SSH
Jul 16 07:30:35 mqm3d sshd[13482]: pam_vas: Authentication <failed> for <Active Directory> user: <mqm> account: <mqm3d_mqm_svc@AD.COMPANY.COM> service: <sshd> reason: <Invalid password.> Access Control Identifier(NT Name):<COMPANY\mqm3d_mqm_svc>
Jul 16 07:30:35 mqm3d sshd[13482]: Failed password for mqm from 10.123.149.129 port 63039 ssh2
Jul 16 07:30:35 mqm3d sshd[13483]: Received disconnect from 10.123.149.129: 10: General disconnection
07:30:36 [main] admin        AccessMethod (tryToStartSession)
java.net.ConnectException: CTGRI0001E The application could not establish a connection to mqm3d.
  using Windows/SMB/TCP
09:42:11 [main] admin        AccessMethod (tryToStartSession)
com.ibm.tivoli.remoteaccess.RemoteAccessAuthException: CTGRI0000E Could not establish a connection to the target machine with the authorization credentials that were provided.
  using SSH


Yes. That sounds like the mqm user doesn't have an actual password (having been created by the MQ installer), or simply doesn't exist in the VAS repository....
LouML
PostPosted: Tue Aug 19, 2014 3:17 am    Post subject:

Partisan

Joined: 10 Nov 2005
Posts: 305
Location: Jersey City, NJ / Bethpage, NY

My Unix admin is asking if I have any instructions on how to implement PAM as mentioned in the link below:

http://www-01.ibm.com/support/docview.wss?uid=swg21194750

From the link...

Problem(Abstract)
You want to use Vintela VAS (a third party software used for authorization services), which uses Pluggable Authentication Module (PAM). You need to know if it is supported for use with WebSphere MQ (WMQ).

Resolving the problem
The authorization service component supplied with the WebSphere MQ products is called the Object Authority Manager (OAM). The authorization service enables you to augment or replace the authority checking provided for queue managers by writing your own authorization service component.

If you choose to use Vintela VAS, which uses PAM, this is supported.
However, be aware that it has not been tested with WebSphere MQ.

If you are using a pluggable security module such as PAM, ensure that this does not restrict the number of open files for the 'mqm' user. For a standard WebSphere MQ queue manager, set the 'nofile' value to 10240 or more for the 'mqm' user. You should add this command to a startup script in /etc/rc.d/...

Has anyone written their own authorization service component or implemented PAM and could offer some advice or documentation?
_________________
Yeah, well, you know, that's just, like, your opinion, man. - The Dude
mqjeff
PostPosted: Tue Aug 19, 2014 4:54 am    Post subject:

Grand Master

Joined: 25 Jun 2008
Posts: 17447

PAM is entirely a Linux/Unix systems admin thing. You basically configure the OS to use the LDAP (VAS in your case) as the OS-level user repository.

A straightforward "linux set up PAM" google led to https://www.ibm.com/developerworks/linux/library/l-pam/

Some consultation with the system docs for the actual Unix you're using wouldn't hurt, either.
RogerLacroix
PostPosted: Tue Aug 19, 2014 3:07 pm    Post subject:

Jedi Knight

Joined: 15 May 2001
Posts: 3264
Location: London, ON Canada

Hi,

Just an FYI, a PAM module for authorization (i.e. OAM) is not the same as a PAM module for authentication. Now, some PAM modules may combine both, but I would not bet on it.

Regards,
Roger Lacroix
Capitalware Inc.
_________________
Capitalware: Transforming tomorrow into today.
Connected to MQ!
Twitter
LouML
PostPosted: Tue Sep 02, 2014 6:04 am    Post subject:

Partisan

Joined: 10 Nov 2005
Posts: 305
Location: Jersey City, NJ / Bethpage, NY

Spent the past week on vacation, not thinking about this at all.

Now, back to the office... where an email from my Unix Admin is asking me if MQ uses a specific PAM configuration file in /etc/pam.d? Or could he just create /etc/pam.d/mq?
_________________
Yeah, well, you know, that's just, like, your opinion, man. - The Dude
mqjeff
PostPosted: Tue Sep 02, 2014 6:07 am    Post subject:

Grand Master

Joined: 25 Jun 2008
Posts: 17447

LouML wrote:
Spent the past week on vacation, not thinking about this at all.

Now, back to the office... where an email from my Unix Admin is asking me if MQ uses a specific PAM configuration file in /etc/pam.d? Or could he just create /etc/pam.d/mq?


Don't think so.

MQ doesn't know anything about PAM, afaik. MQ just uses standard os libraries to access "local" users and groups. You configure PAM to make LDAP the source of "local" users and groups. Again, it's not an MQ specific thing, it's an OS specific thing.
Page 1 of 2