| Author |
Message
|
| dhireng |
 Posted: Thu Feb 12, 2015 4:13 pm Post subject: MQv8 Authentication |
 |
|
Apprentice
Joined: 13 Jun 2011
Posts: 45
|
Hi,
I have a MQ 8.0.0.1 on Linux. The Q manager is set to CONNAUTH(SYSTEM.DEFAULT.AUTHINFO.IDPWOS) with CHCKCLNT(OPTIONAL)
I created a local user of 8 chars with a password of 9 chars.
The user is not a member of any group.
I use amqsputc without user ID and I'm able to connect to my queues. However, if I use a user id, amqsputc and provide the correct password, my connection fails with 2035.
MQ logs show that my password could not be authenticated.
AMQ5534: User ID 'dghelani' authentication failed
EXPLANATION:
The user ID and password supplied by 'amqsputc' could not be authenticated.
ACTION:
Ensure that the correct user ID and password are provided by the application.
Ensure that the authentication repository is correctly configured. Look at
previous error messages for any additional information.
Where is it going wrong for me? |
|
| Back to top |
|
 |
| fjb_saper |
| Posted: Fri Feb 13, 2015 6:51 am Post subject: |
|
|
Grand High Poobah
Joined: 18 Nov 2003
Posts: 20756
Location: LI,NY
|
What happens if your max length for the password is 8?
If the authentication fails because of password length you may need to open a PMR. If your password contains some "weird" characters, or spaces, you may need to pass it encased in quotes... 
_________________
MQ & Broker admin |
|
| Back to top |
|
|
| hughson |
| Posted: Fri Feb 13, 2015 7:01 am Post subject: |
|
|
Padawan
Joined: 09 May 2013
Posts: 1959
Location: Bay of Plenty, New Zealand
|
Password length shouldn't be an issue with the 'C' samples as they use MQCSP directly and don't have any of the complications that the Java client introduces.
The next thing I would try is to rule out the client side of things where there is the feature that ensures your password is not sent in the clear. I would try it again, just exactly as you did, but with the amqsput sample (i.e. the locally bound version). Does it succeed or fail?
P.S. We have to also ask, are you 100% sure you typed in the correct password?
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software |
|
| Back to top |
|
|
| dhireng |
| Posted: Fri Feb 13, 2015 8:39 am Post subject: |
|
|
Apprentice
Joined: 13 Jun 2011
Posts: 45
|
Thanks fjb_saper and hughson for replying.
In terms of special characters, my password has # in it. The rest of the string is comprised of standard ANSI chars.
I'm sure the password is correct. 
As is said, if I use amqsputc without the userid environment variable, it all works.
Do you think I should try amqsput (server binding) anyways ? |
|
| Back to top |
|
|
| tczielke |
| Posted: Fri Feb 13, 2015 9:35 am Post subject: |
|
|
Guardian
Joined: 08 Jul 2010
Posts: 941
Location: Illinois, USA
|
You could do the following, to validate what string amqsputc is reading in for your password.
strace -f amqsputc 2>strace.out
When your amqsputc ends, look inside the strace.out output for your entered password. There should be a read syscall that contains it. If you don't find it, look for the text "Enter password:" and then look for a following read syscall. It should have what was amqsputc read in for the password. |
|
| Back to top |
|
|
| dhireng |
| Posted: Fri Feb 13, 2015 10:14 am Post subject: |
|
|
Apprentice
Joined: 13 Jun 2011
Posts: 45
|
| Thanks tczielke. I ran the trace and found my password in the trace file. |
|
| Back to top |
|
|
| dhireng |
| Posted: Fri Feb 13, 2015 10:20 am Post subject: |
|
|
Apprentice
Joined: 13 Jun 2011
Posts: 45
|
| Hi hughson. I tried amqsput with the password and it works. I'll read up further to understand what other settings I have to make.. Thanks for pointing me towards the right direction. |
|
| Back to top |
|
|
| tczielke |
| Posted: Fri Feb 13, 2015 11:02 am Post subject: |
|
|
Guardian
Joined: 08 Jul 2010
Posts: 941
Location: Illinois, USA
|
| dhireng wrote: |
| Thanks tczielke. I ran the trace and found my password in the trace file. |
I figured you would get that behavior, but thought it might be worth checking (if for nothing but validating your password was entered correctly ).
If I understood Morag's post, it sounds like you may have uncovered a bug with how the MQ Client/Server is masking/unmasking your password when it is sent from the MQ Client -> MQ Server, if the amqsput sample worked. But I could be inferring too much on my end. |
|
| Back to top |
|
|
| dhireng |
| Posted: Fri Feb 13, 2015 11:40 am Post subject: |
|
|
Apprentice
Joined: 13 Jun 2011
Posts: 45
|
|
| Back to top |
|
|
| hughson |
| Posted: Mon Feb 16, 2015 2:28 am Post subject: |
|
|
Padawan
Joined: 09 May 2013
Posts: 1959
Location: Bay of Plenty, New Zealand
|
| dhireng wrote: |
| In terms of special characters, my password has # in it. The rest of the string is comprised of standard ANSI chars. |
I am suspicious that the # character may be your issue. Regardless of the password protection feature in the client, which we could turn off to rule it out, there is also of course data conversion between client and server. The # character is variant, so that may well be part of the issue. The password (which would be converted into the queue manager's code page by the SVRCONN) needs to be in the code page that the OS understands. Are these two things the same?
Suggest you first rule out any other issues, by trying a password without # in it. Then disable password protection, to rule that out (or run with a pre-V8 client and an App like MA01 which can supply password at earlier releases), then check what codepage the OS wants passwords to be in and make your queue manager CCSID match that.
Or, stick to invariant ASCII characters 
Curious to know how you get on as I'm sure this won't be the only time, such questions come up.
Cheers
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software |
|
| Back to top |
|
|
| dhireng |
| Posted: Mon Feb 16, 2015 7:18 am Post subject: |
|
|
Apprentice
Joined: 13 Jun 2011
Posts: 45
|
| replaced my password with a 10 char ANSI password and I still get a failure. |
|
| Back to top |
|
|
| hughson |
| Posted: Mon Feb 16, 2015 7:59 am Post subject: |
|
|
Padawan
Joined: 09 May 2013
Posts: 1959
Location: Bay of Plenty, New Zealand
|
| dhireng wrote: |
| replaced my password with a 10 char ANSI password and I still get a failure. |
Still fails with amqsputc?
Did you try using a pre-V8 client to avoid Password Protection? What was the result there?
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software |
|
| Back to top |
|
|
| dhireng |
| Posted: Mon Feb 16, 2015 9:55 am Post subject: |
|
|
Apprentice
Joined: 13 Jun 2011
Posts: 45
|
I did not. Here's what I tested:
1. amqsputc without user id -> PASS
2. amqsput without user id -> PASS
3. amqsput with userid -> PASS
4. amqsputc with userid -> FAIL
If there is still any benefit testing with pre-V8 amqsputc? |
|
| Back to top |
|
|
| hughson |
| Posted: Tue Feb 17, 2015 2:00 am Post subject: |
|
|
Padawan
Joined: 09 May 2013
Posts: 1959
Location: Bay of Plenty, New Zealand
|
| dhireng wrote: |
| If there is still any benefit testing with pre-V8 amqsputc? |
The request to test with a pre-V8 client and an application which can supply a user ID and password was simply a way to test without the password protection algorithm being there - i.e. in order to rule it out. N.B. It wouldn't be using amqsputc though as it only takes user ID and password in the V8 version. Try MA01 if you want to do this, or use V8 and turn off password protection to do the equivalent test.
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software |
|
| Back to top |
|
|
| fjb_saper |
| Posted: Tue Feb 17, 2015 8:05 am Post subject: |
|
|
Grand High Poobah
Joined: 18 Nov 2003
Posts: 20756
Location: LI,NY
|
I tested in a windows 8.1 locally.
Both amqsput and amqsputc, with and without user_id. Both configurations ran fine... and showed no problems.
_________________
MQ & Broker admin |
|
| Back to top |
|
|
|
|
