
MQSeries.net Forum Index » IBM MQ Java / JMS » JNDI equivalent of mqcf.createConnection(user, pass);

JNDI equivalent of mqcf.createConnection(user, pass);

JBrew
Posted: Tue Jan 20, 2015 12:00 pm    Post subject: JNDI equivalent of mqcf.createConnection(user, pass);

Newbie

Joined: 20 Jan 2015
Posts: 9

When I hard code the username password in code it appears to work. The message is sent as serverbob.

connection = mqcf.createConnection("serverbob", null);

But for the life of me I can't seem to abstract that client connection information out of my code into the JNDI configuration in WAS. I've tried everything.

*Tried setting the Client ID
*Tried various forms of setting the DefaultPrincipalMapping using an authentication alias.

Furthermore since I was getting tired of banging my head on the wall with WAS I tried doing it in BizTalk with their MQSC adapter. msdn.microsoft com/en-us/library/aa770469%28v=bts.10%29.aspx
It has a User ID property which I would assume would do what I want. "MCA user identifier that is used by MQSeries MCA for authorization to access MQSeries resources.

The initial value is null. This is an optional property. When this attribute is blank, the MCA uses its default user identifier."

But setting that has no effect. The messages try to run as the service id of either WAS or BizTalk respectively.

Help! What am I missing here?
Vitor
Posted: Tue Jan 20, 2015 12:02 pm

Grand High Poobah

Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA

Which version of WMQ?

Which OS?
_________________
Honesty is the best policy.
Insanity is the best defence.
fjb_saper
Posted: Tue Jan 20, 2015 12:03 pm

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20696
Location: LI,NY

Nice try...
What you are missing is that user password information should be stored In JAAS (Java application authentication services iirc). You then apply the JAAS alias to the CF in JNDI...

Hope these aren't too many acronyms for you...
Have fun

[edit replaced correct acronym JAAS]
_________________
MQ & Broker admin


Last edited by fjb_saper on Tue Jan 20, 2015 12:11 pm; edited 2 times in total
JBrew
Posted: Tue Jan 20, 2015 12:05 pm

Newbie

Joined: 20 Jan 2015
Posts: 9

Vitor wrote:
Which version of WMQ?

Which OS?

WMQ 7.5 on CentOS 6.5,

And client connections from various platforms. WAS 8.5 and BizTalk 2010.
JBrew
Posted: Tue Jan 20, 2015 12:06 pm

Newbie

Joined: 20 Jan 2015
Posts: 9

fjb_saper wrote:
Nice try...
What you are missing is that user password information should be stored In JASS (Java application security services iirc). You then apply the JASS alias to the CF in JNDI...

Hope these aren't too many acronyms for you...
Have fun

I tried that, see "Tried various forms of setting the DefaultPrincipalMapping using an authentication alias." Which was using the "JAAS - J2C authentication data"
fjb_saper
Posted: Tue Jan 20, 2015 12:10 pm

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20696
Location: LI,NY

JBrew wrote:
fjb_saper wrote:
Nice try...
What you are missing is that user password information should be stored In JAAS (Java application authentication services iirc). You then apply the JAAS alias to the CF in JNDI...

Hope these aren't too many acronyms for you...
Have fun

I tried that, see "Tried various forms of setting the DefaultPrincipalMapping using an authentication alias." Which was using the "JAAS - J2C authentication data"

So what went wrong when using JAAS alias?
_________________
MQ & Broker admin
JBrew
Posted: Tue Jan 20, 2015 12:13 pm

Newbie

Joined: 20 Jan 2015
Posts: 9

fjb_saper wrote:
JBrew wrote:
fjb_saper wrote:
Nice try...
What you are missing is that user password information should be stored In JAAS (Java application authentication services iirc). You then apply the JAAS alias to the CF in JNDI...

Hope these aren't too many acronyms for you...
Have fun

I tried that, see "Tried various forms of setting the DefaultPrincipalMapping using an authentication alias." Which was using the "JAAS - J2C authentication data"

So what went wrong when using JAAS alias?

The message still came in as the user id my WAS is running under. Which seems very similar to the issue I am facing in BizTalk (the message comes in as the BizTalk service id). Which fails because I don't have the WAS ID or BizTalk ID defined in MQ. Which I don't want to do. I want to be able to set what ID to run as. Which is weird that it works when I do it explicitly with: connection = mqcf.createConnection("serverbob", null);

More Info: I get this error in the logs.
AMQ5653: The user '{my was id}' is not defined.


Last edited by JBrew on Tue Jan 20, 2015 12:18 pm; edited 1 time in total
fjb_saper
Posted: Tue Jan 20, 2015 12:17 pm

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20696
Location: LI,NY

Which userid did you have in the JAAS alias? Was the JAAS password valid? (I know below V8 MQ does not care about the password. JAAS however does...)
As for biztalk you need to specify the userid/password on the setup of the connection in biztalk...
_________________
MQ & Broker admin
JBrew
Posted: Tue Jan 20, 2015 12:22 pm

Newbie

Joined: 20 Jan 2015
Posts: 9

fjb_saper wrote:
Which userid did you have in the JAAS alias?
As for biztalk you need to specify the userid/password on the setup of the connection in biztalk...

Connection factories > jmsTest > JAAS - J2C authentication data > PP71CXDM12Node02/alice
Specifies a list of user identities and passwords for Java(TM) 2 connector security to use.

General Properties
Select Alias
PP71CXDM12Node02/alice

User ID : serveralice

Password : "nothing" (wmq should ignore the password)

Description

As for BizTalk==============================
Channel Name: BOBCONN
Connection Name: 10.204.177.57(1414)
Heart Beat: 300
Maximum Message Length: 4
Password:
SSL Cipher Selection:
SSL Key REpository Location:
SSL Peer Name:
Transport Type: TCP
User Id: serveralice
fjb_saper
Posted: Tue Jan 20, 2015 12:33 pm

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20696
Location: LI,NY

I see your setup. I do not see the error you received...
Did you check with moragh's test for channel authorities?
https://www.ibm.com/developerworks/mydeveloperworks/blogs/aimsupport/entry/blocked_by_chlauth_why?lang=en

What setup for AMS did you use?
_________________
MQ & Broker admin
JBrew
Posted: Tue Jan 20, 2015 12:38 pm

Newbie

Joined: 20 Jan 2015
Posts: 9

fjb_saper wrote:
I see your setup. I do not see the error you received...
Did you check with moragh's test for channel authorities?
https://www.ibm.com/developerworks/mydeveloperworks/blogs/aimsupport/entry/blocked_by_chlauth_why?lang=en

What setup for AMS did you use?

01/20/2015 03:32:28 PM - Process(2592.134) User(mqm) Program(amqzlaa0)
Host(server.localdomain) Installation(Installation1)
VRMF(7.5.0.0) QMgr(CENTOSQM)

AMQ5653: The user 'localbiztalk' is not defined.

EXPLANATION:
The system call getpwnam("localbiztalk") failed with errno -1.
ACTION:
Create the user 'localbiztalk' and retry the operation.
----- amqzfubx.c : 4021 -------------------------------------------------------
01/20/2015 03:32:28 PM - Process(2810.127) User(mqm) Program(amqrmppa)
Host(server.localdomain) Installation(Installation1)
VRMF(7.5.0.0) QMgr(CENTOSQM)

AMQ9557: Queue Manager User ID initialization failed.

EXPLANATION:
The call to initialize the User ID failed with CompCode 2 and Reason 2035.
ACTION:
Correct the error and try again.
----- cmqxrsrv.c : 1972 -------------------------------------------------------
01/20/2015 03:32:28 PM - Process(2810.127) User(mqm) Program(amqrmppa)
Host(server.localdomain) Installation(Installation1)
VRMF(7.5.0.0) QMgr(CENTOSQM)

AMQ9999: Channel 'BOBCONN' to host 'WDESI000A (10.42.97.251)' ended abnormally.

EXPLANATION:
The channel program running under process ID 2810 for channel 'BOBCONN' ended
abnormally. The host name is 'WDESI000A (10.42.97.251)'; in some cases the host
name cannot be determined and so is shown as '????'.
ACTION:
Look at previous error messages for the channel program in the error logs to
determine the cause of the failure. Note that this message can be excluded
completely or suppressed by tuning the "ExcludeMessage" or "SuppressMessage"
attributes under the "QMErrorLog" stanza in qm.ini. Further information can be
found in the System Administration Guide.
----- amqrmrsa.c : 898 --------------------------------------------------------

Same error for WAS just replace localbiztalk with 'wasaccount'.
And I'm not using AMS.
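
Added example, not part of the original thread: the three log entries JBrew posted above describe one rejected connection, in which the queue manager could not resolve the user ID presented on channel BOBCONN. The Python code below pairs each AMQ5653 with the AMQ9999 logged at the same timestamp to list which channel and client host presented which unknown ID; the sample log is constructed from the quoted entries (trimmed), and the 03:40:02 PM entry and the function name are assumptions made for the example.

```python
import re

# Constructed sample in the error-log layout quoted in the post above, trimmed
# to the lines the parser reads. The 03:40:02 PM entry is invented to show a
# channel failure that has no preceding AMQ5653.
SAMPLE_LOG = """\
01/20/2015 03:32:28 PM - Process(2592.134) User(mqm) Program(amqzlaa0)
AMQ5653: The user 'localbiztalk' is not defined.
----- amqzfubx.c : 4021 -----
01/20/2015 03:32:28 PM - Process(2810.127) User(mqm) Program(amqrmppa)
AMQ9557: Queue Manager User ID initialization failed.
----- cmqxrsrv.c : 1972 -----
01/20/2015 03:32:28 PM - Process(2810.127) User(mqm) Program(amqrmppa)
AMQ9999: Channel 'BOBCONN' to host 'WDESI000A (10.42.97.251)' ended abnormally.
----- amqrmrsa.c : 898 -----
01/20/2015 03:40:02 PM - Process(2810.131) User(mqm) Program(amqrmppa)
AMQ9999: Channel 'BOBCONN' to host 'WDESI000A (10.42.97.251)' ended abnormally.
----- amqrmrsa.c : 898 -----
"""

STAMP = re.compile(r"^(\d\d/\d\d/\d{4} \d\d:\d\d:\d\d [AP]M) - Process\(")
NO_USER = re.compile(r"^AMQ5653: The user '([^']*)' is not defined")
CHL_END = re.compile(r"^AMQ9999: Channel '([^']*)' to host '([^']*)' ended abnormally")

def asserted_id_failures(log_text):
    """Pair each AMQ5653 with the AMQ9999 logged at the same timestamp.

    Returns (timestamp, channel, host, user) tuples: connections where the
    queue manager was handed a user ID it could not resolve. Matching on the
    one-second timestamp is a heuristic, not something MQ guarantees.
    """
    findings, stamp, pending = [], None, None  # pending = (stamp, user)
    for line in log_text.splitlines():
        line = line.strip()
        if m := STAMP.match(line):
            stamp = m.group(1)            # header line of a new log entry
        elif m := NO_USER.match(line):
            pending = (stamp, m.group(1))  # remember the unknown user ID
        elif m := CHL_END.match(line):
            if pending and pending[0] == stamp:
                findings.append((stamp, m.group(1), m.group(2), pending[1]))
            pending = None                 # one AMQ5653 explains one failure
    return findings

if __name__ == "__main__":
    for ts, channel, host, user in asserted_id_failures(SAMPLE_LOG):
        print(f"{ts} channel={channel} host={host} asserted_user={user}")
```
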
fjb_saper
Posted: Tue Jan 20, 2015 1:15 pm

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20696
Location: LI,NY

As you are using SSL for the svrconn channel you could have set an mcauser... This would force the user to the one on the MCAuser...

Quote:
I am not using AMS
With those references to Bob and Alice you could have fooled me...
_________________
MQ & Broker admin
JBrew
Posted: Tue Jan 20, 2015 1:26 pm

Newbie

Joined: 20 Jan 2015
Posts: 9

fjb_saper wrote:
As you are using SSL for the svrconn channel you could have set an mcauser... This would force the user to the one on the MCAuser...

Quote:
I am not using AMS
With those references to Bob and Alice you could have fooled me...

I'm not using SSL either. And the svrconn channel does not have an mcauser set. Proof again that it is working with connection = mqcf.createConnection("serverbob", null);

You posted this in regards to RFHUtil back in 2006 "MO71,IH03(rfhutil) will only allow you to set the alternate user Id on the message. For connection purposes the id you run the tool under is passed." Could it be a similar case or have you seen my use case work before with jms?
Back to top
View user's profile Send private message
fjb_saper
PostPosted: Tue Jan 20, 2015 1:33 pm    Post subject: Reply with quote

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20696
Location: LI,NY

JBrew wrote:
I'm not using SSL either. And the svrconn channel does not have an mcauser set. Proof again that it is working with connection = mqcf.createConnection("serverbob", null);

It should work with JAAS. Open a PMR. You do realize that a serverconn channel without SSL, or authentication exit is a security problem waiting to happen? You can narrow it down some with CHLAUTH records...

JBrew wrote:
You posted this in regards to RFHUtil back in 2006 "MO71,IH03(rfhutil) will only allow you to set the alternate user Id on the message. For connection purposes the id you run the tool under is passed." Could it be a similar case or have you seen my use case work before with jms?

JMS is supposed to work with JAAS. Open a PMR...
_________________
MQ & Broker admin
JBrew
Posted: Tue Jan 20, 2015 1:35 pm

Newbie

Joined: 20 Jan 2015
Posts: 9

JBrew wrote:
"MO71,IH03(rfhutil) will only allow you to set the alternate user Id on the message. For connection purposes the id you run the tool under is passed." Could it be a similar case or have you seen my use case work before with jms?

OK, So I tried again playing with RFHUtil and using the Set Conn Id option to set a user and password. No matter what I put there it is still trying to connect AND GET from the queue as my windows id. What am I doing wrong?