Shytiy.Andrew
Posted: Tue Oct 20, 2015 4:58 am    Post subject: MQCONNX and 2035
Novice, Joined: 19 Oct 2015, Posts: 13
Hello, everyone! First I must say: the MQ API is a black box for me. I have no experience with MQ.
My task is to learn how to use a queue for communication between one system and other banking systems.
I call MQ API functions (MQ 7.5) from Progress OpenEdge (running on Windows 7) and am trying to connect to the queue manager running on another UNIX machine. Is it possible to pass the username and password for MQ authentication programmatically?
If I run a program under a local user which is a member of the mqm group, it works normally. If I run my program under my domain user, I get error 2035.
I looked at the description of MQCONNX and decided to pass the required username and password programmatically with the connection options.
I described all the necessary structures, initialized MCAUserId and MCAPassword and called MQCONNX. I still get error 2035.
I read some similar topics and came to the conclusion that such authentication can be implemented by writing your own security exit handler.
I cannot write my own security exit code, because I am not an MQ administrator.
Can I log in using MQCONNX? The system that I support is used by about 50 users and there is no possibility of adding all of them to the MQ ACL. Thanks!

mqjeff
Posted: Tue Oct 20, 2015 5:01 am
Grand Master, Joined: 25 Jun 2008, Posts: 17447
How will you convince the Unix server to know about the ActiveDirectory?
NEVER run any applications as MQM.
_________________
chmod -R ugo-wx /

Vitor
Posted: Tue Oct 20, 2015 5:08 am    Post subject: Re: MQCONNX and 2035
Grand High Poobah, Joined: 11 Nov 2005, Posts: 26093, Location: Texas, USA
Shytiy.Andrew wrote:
> I call MQ API functions (MQ 7.5) from Progress OpenEdge (running on Windows 7) and am trying to connect to the queue manager running on another UNIX machine. Is it possible to pass the username and password for MQ authentication programmatically?

In your version, only the username. The ability to pass username and password was added in version 8.

Shytiy.Andrew wrote:
> If I run a program under a local user which is a member of the mqm group, it works normally. If I run my program under my domain user, I get error 2035.

Functioning as designed. The mqm group is implicitly authorized for all MQ actions. It sounds like neither your domain user nor any of the groups of which it is a member is.

Shytiy.Andrew wrote:
> I looked at the description of MQCONNX and decided to pass the required username and password programmatically with the connection options.
> I described all the necessary structures, initialized MCAUserId and MCAPassword and called MQCONNX. I still get error 2035.

Because even with the right password, that user id is still not authorized via the id or group membership.

Shytiy.Andrew wrote:
> I read some similar topics and came to the conclusion that such authentication can be implemented by writing your own security exit handler.

Or by purchasing one, or by upgrading to MQ v8 and getting it out of the box.

Shytiy.Andrew wrote:
> I cannot write my own security exit code, because I am not an MQ administrator.

And you wouldn't want to anyway. Exits are an advanced topic.

Shytiy.Andrew wrote:
> Can I log in using MQCONNX?

Of course.

Shytiy.Andrew wrote:
> The system that I support is used by about 50 users and there is no possibility of adding all of them to the MQ ACL.

Why not? Put them in a group (or groups) and authorize that. Or connect via a channel that has an MCAUser set. Or have a channel authority rule map your user (or users) onto a valid user.
The bottom line is that the UNIX queue manager doesn't know or care that you're connecting with a valid domain user on Windows. It checks against user ids that are valid on UNIX, and gets the allowed functions from the ACL it holds. However you connect, you need to end up with credentials that the queue manager will allow to perform the functions you need.
_________________
Honesty is the best policy.
Insanity is the best defence.

Shytiy.Andrew
Posted: Tue Oct 20, 2015 6:08 am    Post subject: Re: MQCONNX and 2035
Novice, Joined: 19 Oct 2015, Posts: 13
Vitor wrote:
> In your version, only the username. The ability to pass username and password was added in version 8.

The administrator gave me, among other parameters for connecting to a test queue, a user name. I pass it to the MCAUserIdentifier field in the channel data structure (MQCD). But I am stuck with error 2035.

Vitor wrote:
> Functioning as designed. The mqm group is implicitly authorized for all MQ actions. It sounds like neither your domain user nor any of the groups of which it is a member is.

Yes, I understand the reason for the error. My login does not have access to MQ.

Vitor wrote:
> Because even with the right password, that user id is still not authorized via the id or group membership.

How should I pass the login? In which field of the MQCD must I write the user name that has rights to MQ?
How?
Code:
DEFINE VARIABLE ClientConnPtr AS MEMPTR NO-UNDO.
...
SET-SIZE(ClientConnPtr) = 1200.
ASSIGN QMgrName        = "UNIQM"
       AlternateUserId = "extmqusr"
       ChannelName     = "EXTMQUSER.SVRCONN.CH"
       ConnectionName  = "vprwmq(1422)".
...
ASSIGN StrLength  = StrLength + 32
       CharString = "".
PUT-STRING(ClientConnPtr,StrLength + 1) = CharString. /*UserIdentifier (MQCHAR12), 12-byte*/
ASSIGN StrLength  = StrLength + 12
       CharString = "".
PUT-STRING(ClientConnPtr,StrLength + 1) = CharString. /*Password (MQCHAR12), 12-byte*/
ASSIGN StrLength  = StrLength + 12
       CharString = AlternateUserId.
PUT-STRING(ClientConnPtr,StrLength + 1) = CharString. /*MCAUserIdentifier (MQCHAR12), 12-byte*/
ASSIGN StrLength = StrLength + 12.
PUT-LONG(ClientConnPtr,StrLength + 1) = 1. /*MCAType (MQLONG), 4-byte: MQMCAT_PROCESS*/
...
/*initialize MQCNO structure - Connect options*/
ASSIGN CharString = "CNO "
       StrLength  = LENGTH(CharString). /*StrucId (MQCHAR4), 4-byte: MQCNO_STRUC_ID*/
PUT-STRING(ConnectOpts,1) = CharString.
PUT-LONG(ConnectOpts,StrLength + 1) = 1. /*Version (MQLONG), 4-byte: MQCNO_VERSION_1*/
ASSIGN StrLength = StrLength + 4.
PUT-LONG(ConnectOpts,StrLength + 1) = 0. /*Options (MQLONG), 4-byte: MQCNO_NONE is 0 (1 would be MQCNO_FASTPATH_BINDING)*/
ASSIGN StrLength = StrLength + 4.
PUT-LONG(ConnectOpts,StrLength + 1) = 0. /*ClientConnOffset (MQLONG), 4-byte*/
ASSIGN StrLength = StrLength + 4.
IF getOSType() = 64
THEN PUT-INT64(ConnectOpts,StrLength + 1) = GET-POINTER-VALUE(ClientConnPtr).
ELSE PUT-LONG(ConnectOpts,StrLength + 1) = GET-POINTER-VALUE(ClientConnPtr). /*ClientConnPtr (MQPTR): address of the 1200-byte MQCD buffer; the pointer itself is 8 bytes in a 64-bit process, 4 in a 32-bit one*/
ASSIGN StrLength  = StrLength + (IF getOSType() = 64 THEN 8 ELSE 4) /*advance by the pointer size, not the MQCD size*/
       CharString = "".
PUT-STRING(ConnectOpts,StrLength + 1) = CharString. /*ConnTag (MQBYTE128), 128-byte: MQCT_NONE*/
/*Connect to the named queue manager with the connect options*/
RUN MQCONNX (QMgrName,
             INPUT-OUTPUT ConnectOpts,
             OUTPUT Hconn,
             OUTPUT CompCode,
             OUTPUT Reason).

mqjeff
Posted: Tue Oct 20, 2015 6:09 am
Grand Master, Joined: 25 Jun 2008, Posts: 17447

Shytiy.Andrew
Posted: Tue Oct 20, 2015 6:21 am
Novice, Joined: 19 Oct 2015, Posts: 13
I do not pass the password. Only the login.

Vitor
Posted: Tue Oct 20, 2015 6:26 am    Post subject: Re: MQCONNX and 2035
Grand High Poobah, Joined: 11 Nov 2005, Posts: 26093, Location: Texas, USA
Shytiy.Andrew wrote:
> Vitor wrote:
> > In your version, only the username. The ability to pass username and password was added in version 8.
>
> The administrator gave me, among other parameters for connecting to a test queue, a user name. I pass it to the MCAUserIdentifier field in the channel data structure (MQCD). But I am stuck with error 2035.

You don't connect to a test queue, you connect to a queue manager. Make sure that the administrator granted you the queue manager level authorities as well as the queue level ones.
Also be sure that the relevant permissions are in place to allow you to use an alternative user id.
Lastly, ask the administrator exactly what permission is missing that results in the 2035 error, and what user id the queue manager is checking. They may need to enable security event messages to get all of those details.
_________________
Honesty is the best policy.
Insanity is the best defence.

mqjeff
Posted: Tue Oct 20, 2015 6:28 am
Grand Master, Joined: 25 Jun 2008, Posts: 17447
Shytiy.Andrew wrote:
> I do not pass the password. Only the login.

Notice the other fields in the MQCSP.
_________________
chmod -R ugo-wx /

Shytiy.Andrew
Posted: Tue Oct 20, 2015 6:49 am
Novice, Joined: 19 Oct 2015, Posts: 13
Vitor, I'll check. At first sight user extmqusr has all the necessary rights. I created a local user extmqusr in my Windows system and ran the program (with MQCONNX changed to MQCONN) under it. It works!
In addition, I use amqsputc in a console which is run as extmqusr. I put the message in the queue.
mqjeff, I'll explore MQCSP again.
I'll let you know about the results later. Thanks.

Shytiy.Andrew
Posted: Wed Oct 21, 2015 4:37 am
Novice, Joined: 19 Oct 2015, Posts: 13
I found that I was using the wrong version value, equal to 1. I set the version value to 6. I connect to the queue manager on a remote server, so I set ChannelType equal to MQCHT_CLNTCONN. Then I read in the manual: "The MCA user identifier is not relevant for channels with a ChannelType of MQCHT_CLNTCONN". In which field should I write the username "extmqusr", if MCAUserIdentifier is not suitable? Maybe RemoteUserIdentifier?

mqjeff
Posted: Wed Oct 21, 2015 5:05 am
Grand Master, Joined: 25 Jun 2008, Posts: 17447
The MCAUser is not relevant on a CLNTCONN because it's used on the SVRCONN side.
Again, if you want to do this, you should populate the MQCSP (ignoring the password field).
Then attach the MQCSP to the MQCNO.
_________________
chmod -R ugo-wx /
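As an added illustration (not the poster's Progress code and not IBM's), here is the structure mqjeff is pointing at, laid out in Python in the cmqc.h field order: an MQCNO at version 5 whose SecurityParmsOffset leads to an MQCSP carrying only a user id, with no password. A reader function walks the buffer the way MQCONNX does, so it shows why a Version of 1 leaves everything past Options unread (the problem in the code above) and how the MQPTR size moves every later offset between 32-bit and 64-bit processes. The field order and sizes are assumed to match cmqc.h for MQ 7.5; verify them against the installed header, and note that on 7.5 what the queue manager authorizes is still the UNIX-side user id or MCAUser, as Vitor says.

```python
import struct

# Constants from cmqc.h; only the ones this layout needs.
MQCNO_STRUC_ID, MQCSP_STRUC_ID = b"CNO ", b"CSP "
MQCNO_NONE, MQCSP_AUTH_NONE = 0, 0   # no connect options; no password (MQCSP_AUTH_USER_ID_AND_PWD = 1 is for MQ 8)
PTR_FMT = {4: "I", 8: "Q"}           # MQPTR is 4 bytes in a 32-bit process, 8 in a 64-bit one

def _formats(pointer_size):
    """Little-endian (x86) layouts; no padding needed because every field is naturally aligned."""
    p = PTR_FMT[pointer_size]
    # MQCNO v5: StrucId, Version, Options, ClientConnOffset, ClientConnPtr, ConnTag,
    #           SSLConfigPtr, SSLConfigOffset, ConnectionId, SecurityParmsOffset, SecurityParmsPtr
    cno = "<4slll" + p + "128s" + p + "l24sl" + p
    # MQCSP v1: StrucId, Version, AuthenticationType, Reserved1, CSPUserIdPtr, CSPUserIdOffset,
    #           CSPUserIdLength, Reserved2, CSPPasswordPtr, CSPPasswordOffset, CSPPasswordLength
    csp = "<4sll4s" + p + "ll8s" + p + "ll"
    return cno, csp

def build_connect_block(user_id, version=5, pointer_size=8, client_conn_offset=0):
    """Pack MQCNO + MQCSP + user id into one buffer, linked by offsets instead of raw pointers.

    The MQCD is not built here (assumed supplied via client_conn_offset, MQSERVER or a CCDT);
    the password fields stay empty, as they are ignored on MQ 7.5."""
    cno_fmt, csp_fmt = _formats(pointer_size)
    cno_len, csp_len = struct.calcsize(cno_fmt), struct.calcsize(csp_fmt)  # 200/56 on 64-bit, 188/48 on 32-bit
    uid = user_id.encode("ascii")
    # The MQCSP follows the MQCNO and the user id follows the MQCSP; CSPUserIdOffset is relative to the MQCSP.
    csp = struct.pack(csp_fmt, MQCSP_STRUC_ID, 1, MQCSP_AUTH_NONE, bytes(4),
                      0, csp_len, len(uid), bytes(8), 0, 0, 0)
    cno = struct.pack(cno_fmt, MQCNO_STRUC_ID, version, MQCNO_NONE, client_conn_offset, 0,
                      bytes(128), 0, 0, bytes(24), cno_len, 0)   # ConnTag = MQCT_NONE, ConnectionId = MQCONNID_NONE
    return cno + csp + uid

def user_id_seen_by_mqconnx(buf, pointer_size=8):
    """Walk the buffer as the API does: fields beyond the declared Version are never read."""
    cno_fmt, csp_fmt = _formats(pointer_size)
    cno = struct.unpack_from(cno_fmt, buf, 0)
    if cno[0] != MQCNO_STRUC_ID:
        raise ValueError("bad MQCNO StrucId")
    if cno[1] < 5:
        return None   # SecurityParmsOffset/Ptr exist only from MQCNO_VERSION_5 (ClientConnOffset/Ptr from 2)
    sp_off = cno[9]
    csp = struct.unpack_from(csp_fmt, buf, sp_off)
    if csp[0] != MQCSP_STRUC_ID:
        raise ValueError("bad MQCSP StrucId")
    uid_off, uid_len = csp[5], csp[6]
    return buf[sp_off + uid_off: sp_off + uid_off + uid_len].decode("ascii")
```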

Shytiy.Andrew
Posted: Wed Oct 21, 2015 6:21 am
Novice, Joined: 19 Oct 2015, Posts: 13
Sorry, I don't understand. Which specific element of the MQCNO structure must I initialize as the MQCSP?

mqjeff
Posted: Wed Oct 21, 2015 6:24 am
Grand Master, Joined: 25 Jun 2008, Posts: 17447

Shytiy.Andrew
Posted: Wed Oct 21, 2015 6:39 am
Novice, Joined: 19 Oct 2015, Posts: 13
I use this link in my work.
In addition, I used the MQSeries API manual PDF for version 5.2, and did not know that its description of the MQCNO and MQCD structures is outdated.
Now I conclude that I must set ClientConnPtr to a null pointer, and initialize SecurityParmsPtr and pass it as an MQCSP structure. Right?

Vitor
Posted: Wed Oct 21, 2015 7:34 am
Grand High Poobah, Joined: 11 Nov 2005, Posts: 26093, Location: Texas, USA
I'm still not clear on why you're trying to use MQCONNX rather than having the administrator set the MCAUser on the SVRCONN.
I'm also not clear on why the administrator hasn't insisted you do that.
_________________
Honesty is the best policy.
Insanity is the best defence.