MQCONNX and 2035
Shytiy.Andrew
Posted: Tue Oct 20, 2015 4:58 am Post subject: MQCONNX and 2035

Novice

Joined: 19 Oct 2015
Posts: 13

Hello, everyone! Firstly, I must say: the MQ API is a black box for me. I have no experience with MQ.
My task is to learn how to use a queue for communication between one system and other banking systems.
I call MQ API functions (MQ 7.5) from Progress OpenEdge (running on Windows 7) and am trying to connect to the queue manager running on the other UNIX machine. Is it possible to pass the username and password for MQ authentication programmatically?
If I run the program under a local user which is a member of the mqm group, it works normally. If I run my program under my domain user, I get error 2035.
I looked at the description of MQCONNX and decided to pass the required username and password with the connection options programmatically.
I described all the necessary structures, initialized MCAUserId and MCAPassword, and called MQCONNX. I still get error 2035.
I read some similar topics and came to the conclusion that such authentication can be implemented by writing your own security exit handler.
I cannot write my own security exit code, because I am not an MQ administrator.
Can I log in using MQCONNX? The system that I support is used by about 50 users and there is no possibility of adding all of them to the MQ ACL. Thanks!
mqjeff
Posted: Tue Oct 20, 2015 5:01 am

Grand Master

Joined: 25 Jun 2008
Posts: 17386

How will you convince the Unix server to know about the ActiveDirectory?

NEVER run any applications as MQM.
_________________
Read, Think, Try, Repeat
Vitor
Posted: Tue Oct 20, 2015 5:08 am Post subject: Re: MQCONNX and 2035

Grand High Poobah

Joined: 11 Nov 2005
Posts: 24452
Location: Ohio, USA

Shytiy.Andrew wrote:
I call MQ API functions (MQ 7.5) from Progress OpenEdge (running on Windows 7) and am trying to connect to the queue manager running on the other UNIX machine. Is it possible to pass the username and password for MQ authentication programmatically?


In your version, only the username. The ability to pass username and password was added in version 8.

Shytiy.Andrew wrote:
If I run the program under a local user which is a member of the mqm group, it works normally. If I run my program under my domain user, I get error 2035.


Functioning as designed. The mqm group is implicitly authorized for all MQ actions. It sounds like your domain user (and none of the groups of which it is a member) are.

Shytiy.Andrew wrote:
I looked at the description of MQCONNX and decided to pass the required username and password with the connection options programmatically.
I described all the necessary structures, initialized MCAUserId and MCAPassword, and called MQCONNX. I still get error 2035.


Because even with the right password, that user id is still not authorized via the id or group membership.

Shytiy.Andrew wrote:
I read some similar topics and came to the conclusion that such authentication can be implemented by writing your own security exit handler.


Or by purchasing one, or by upgrading to MQv8 and getting it out of the box.

Shytiy.Andrew wrote:
I cannot write my own security exit code, because I am not an MQ administrator.


And you wouldn't want to anyway. Exits are an advanced topic.

Shytiy.Andrew wrote:
Can I log in using MQCONNX?


Of course.

Shytiy.Andrew wrote:
The system that I support is used by about 50 users and there is no possibility of adding all of them to the MQ ACL.


Why not? Put them in a group (or groups) and authorize that. Or connect via a channel that has an MCAUser set. Or have a channel authority rule map your user (users) onto a valid user.

The bottom line is that the UNIX queue manager doesn't know or care that you're connecting with a valid domain user on Windows. It checks against user ids that are valid on UNIX, and gets the allowed functions from the ACL it holds. However you connect, you need to end up with credentials that the queue manager will allow to perform the functions you need.
_________________
Honesty is the best policy.
Insanity is the best defence.
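
The three options in the reply above, written out as MQSC for the queue manager administrator. This is an added example, not part of the thread: the group name extmqgrp, the queue name APP.TEST.QUEUE and the client user id domainuser are hypothetical placeholders, while UNIQM, EXTMQUSER.SVRCONN.CH and extmqusr are the names used in the posts. It assumes channel authentication records are enabled on the queue manager.

```mqsc
* Added example. Run inside "runmqsc UNIQM" by an MQ administrator.
* extmqgrp, APP.TEST.QUEUE and domainuser are hypothetical placeholders.

* Option 1: authorize a dedicated UNIX group instead of using mqm.
* The group must exist on the queue manager's host and contain extmqusr.
* Connecting needs queue manager level authority as well as queue authority.
SET AUTHREC OBJTYPE(QMGR) GROUP('extmqgrp') AUTHADD(CONNECT, INQ)
SET AUTHREC PROFILE('APP.TEST.QUEUE') OBJTYPE(QUEUE) GROUP('extmqgrp') AUTHADD(PUT, GET, INQ)
* Re-read OS group membership after changing it.
REFRESH SECURITY TYPE(AUTHSERV)

* Option 2: fix the identity on the SVRCONN channel.
* Every client that reaches this channel then runs as extmqusr,
* so keep that id's authorities minimal.
ALTER CHANNEL('EXTMQUSER.SVRCONN.CH') CHLTYPE(SVRCONN) MCAUSER('extmqusr')

* Option 3: map the asserted client user id with channel authentication rules.
* The ADDRESSMAP rule is a back-stop that denies the channel by default;
* the more specific USERMAP rule takes precedence for the listed user.
SET CHLAUTH('EXTMQUSER.SVRCONN.CH') TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(NOACCESS)
SET CHLAUTH('EXTMQUSER.SVRCONN.CH') TYPE(USERMAP) CLNTUSER('domainuser') USERSRC(MAP) MCAUSER('extmqusr')

* Diagnosing a 2035: enable authority events so the failing user id and
* missing authority are recorded, then review what is currently granted.
ALTER QMGR AUTHOREV(ENABLED)
DISPLAY AUTHREC OBJTYPE(QMGR) GROUP('extmqgrp')
DISPLAY AUTHREC PROFILE('APP.TEST.QUEUE') OBJTYPE(QUEUE) GROUP('extmqgrp')
```

With authority events enabled, each failed check is written as an event message to SYSTEM.ADMIN.QMGR.EVENT, which is where the administrator can see which user id the queue manager actually checked.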
Shytiy.Andrew
Posted: Tue Oct 20, 2015 6:08 am Post subject: Re: MQCONNX and 2035

Novice

Joined: 19 Oct 2015
Posts: 13

Vitor wrote:

In your version, only the username. The ability to pass username and password was added in version 8.

To connect to a test queue, the administrator gave me, among other parameters, a user name. I pass it in the MCAUserIdentifier field of the channel data structure (MQCD), but I am stuck with the 2035 error.
Vitor wrote:

Functioning as designed. The mqm group is implicitly authorized for all MQ actions. It sounds like your domain user (and none of the groups of which it is a member) are.

Yes, I understand the reason for the error. My login does not have access to the MQ.
Vitor wrote:

Because even with the right password, that user id is still not authorized via the id or group membership.

How should I pass the login? In which field of MQCD must I write the user name that has rights to MQ?
Vitor wrote:

Of course.

How?
Code:

DEFINE VARIABLE ClientConnPtr AS MEMPTR NO-UNDO.
...
SET-SIZE(ClientConnPtr) = 1200.
ASSIGN QMgrName = "UNIQM"
                AlternateUserId = "extmqusr"
                ChannelName = "EXTMQUSER.SVRCONN.CH"
                ConnectionName = "vprwmq(1422)".
...
ASSIGN StrLength = StrLength + 32
                    CharString = "".
PUT-STRING(ClientConnPtr,StrLength + 1) = CharString. /*UserIdentifier (MQCHAR12), 12-byte*/

ASSIGN StrLength = StrLength + 12
                    CharString = "".
PUT-STRING(ClientConnPtr,StrLength + 1) = CharString. /*Password (MQCHAR12), 12-byte*/

ASSIGN StrLength = StrLength + 12
                    CharString = AlternateUserId.
PUT-STRING(ClientConnPtr,StrLength + 1) = CharString. /*MCAUserIdentifier (MQCHAR12), 12-byte*/

ASSIGN StrLength = StrLength + 12.
PUT-LONG(ClientConnPtr,StrLength + 1) = 1. /*MCAType (MQLONG), 4-byte: MQMCAT_PROCESS*/
...
/*initialize MQCNO structure - Connect options*/
ASSIGN CharString = "CNO "
                  StrLength = LENGTH(CharString). /*StrucId (MQCHAR4), 4-byte: MQCNO_STRUC_ID*/
PUT-STRING(ConnectOpts,1) = CharString.
PUT-LONG(ConnectOpts,StrLength + 1) = 1. /*Version (MQLONG), 4-byte: MQCNO_VERSION_1*/
ASSIGN StrLength = StrLength + 4.
PUT-LONG(ConnectOpts,StrLength + 1) = 1. /*Options (MQLONG), 4-byte: MQCNO_NONE*/
ASSIGN StrLength = StrLength + 4.
PUT-LONG(ConnectOpts,StrLength + 1) = 0. /*ClientConnOffset (MQLONG), 4-byte*/
ASSIGN StrLength = StrLength + 4.

IF getOSType() = 64
THEN PUT-INT64(ConnectOpts,StrLength + 1) = GET-POINTER-VALUE(ClientConnPtr).
ELSE PUT-LONG(ConnectOpts,StrLength + 1) = GET-POINTER-VALUE(ClientConnPtr). /*ClientConnPtr (MQPTR), 1200-byte*/
ASSIGN StrLength = StrLength + 1200
                    CharString = "".
PUT-STRING(ConnectOpts,StrLength + 1) = CharString. /*ConnTag (MQBYTE128), 128-byte: MQCT_NONE*/

/*Connect to certain queue manager with connect options*/
RUN MQCONNX (QMgrName,
                  INPUT-OUTPUT ConnectOpts,
                  OUTPUT Hconn,
                  OUTPUT CompCode,
                  OUTPUT Reason).

mqjeff
Posted: Tue Oct 20, 2015 6:09 am

Grand Master

Joined: 25 Jun 2008
Posts: 17386

http://www-01.ibm.com/support/knowledgecenter/SSFKSJ_7.5.0/com.ibm.mq.ref.dev.doc/q095610_.htm?lang=en

Note, this includes a password. MQ v75 will ignore it. Unless you have an exit.
_________________
Read, Think, Try, Repeat
Shytiy.Andrew
Posted: Tue Oct 20, 2015 6:21 am

Novice

Joined: 19 Oct 2015
Posts: 13

I do not pass the password. Only login.
Vitor
Posted: Tue Oct 20, 2015 6:26 am Post subject: Re: MQCONNX and 2035

Grand High Poobah

Joined: 11 Nov 2005
Posts: 24452
Location: Ohio, USA

Shytiy.Andrew wrote:
Vitor wrote:

In your version, only the username. The ability to pass username and password was added in version 8.

To connect to a test queue, the administrator gave me, among other parameters, a user name. I pass it in the MCAUserIdentifier field of the channel data structure (MQCD), but I am stuck with the 2035 error.


You don't connect to a test queue, you connect to a queue manager. Make sure that the administrator granted you the queue manager level authorities as well as the queue level ones.

Also be sure that the relevant permissions are in place to allow you to use an alternative user id.

At the last, ask the administrator exactly what permission is missing that results in the 2035 error, and what user id the queue manager is checking. They may need to enable security event messages to get all of those details.
_________________
Honesty is the best policy.
Insanity is the best defence.
mqjeff
Posted: Tue Oct 20, 2015 6:28 am

Grand Master

Joined: 25 Jun 2008
Posts: 17386

Shytiy.Andrew wrote:
I do not pass the password. Only login.


Notice the other fields in the MQCSP.
_________________
Read, Think, Try, Repeat
Shytiy.Andrew
Posted: Tue Oct 20, 2015 6:49 am

Novice

Joined: 19 Oct 2015
Posts: 13

Vitor, I'll check. At first sight, user extmqusr has all the necessary rights. I created a local user extmqusr on my Windows system and ran the program (with MQCONNX replaced by MQCONN) under it. It works!
In addition, I used amqsputc in a console which was run as extmqusr. I put the message in the queue.

mqjeff, I'll explore MQCSP again.
I'll let you know about the results later. Thanks.
Shytiy.Andrew
Posted: Wed Oct 21, 2015 4:37 am

Novice

Joined: 19 Oct 2015
Posts: 13

I found that I was using the wrong version value, equal to 1. I set the version value to 6. I connect to the queue manager on a remote server, so I set ChannelType equal to MQCHT_CLNTCONN. Then I read in the manual: "The MCA user identifier is not relevant for channels with a ChannelType of MQCHT_CLNTCONN". In which field should I write the username "extmqusr", if MCAUserIdentifier is not suitable? Maybe RemoteUserIdentifier?
mqjeff
Posted: Wed Oct 21, 2015 5:05 am

Grand Master

Joined: 25 Jun 2008
Posts: 17386

The MCAUser is not relevant on a CLNTCONN because it's used on the SVRCONN side.

Again, if you want to do this, you should populate the MQCSP (ignoring the password field).

Then attach the MQCSP to the MQCNO.
_________________
Read, Think, Try, Repeat
Shytiy.Andrew
Posted: Wed Oct 21, 2015 6:21 am

Novice

Joined: 19 Oct 2015
Posts: 13

Sorry, I don't understand. Which specific element of the MQCNO structure must I initialize as MQCSP?
mqjeff
Posted: Wed Oct 21, 2015 6:24 am

Grand Master

Joined: 25 Jun 2008
Posts: 17386

Shytiy.Andrew wrote:
Sorry, I don't understand. Which specific element of the MQCNO structure must I initialize as MQCSP?


The appropriate one.
http://www-01.ibm.com/support/knowledgecenter/SSFKSJ_7.5.0/com.ibm.mq.ref.dev.doc/q095410_.htm?lang=en

It's really really really much faster for you to read the KC directly rather than waiting for, possibly sarcastic or annoyed, responses here.
_________________
Read, Think, Try, Repeat
Shytiy.Andrew
Posted: Wed Oct 21, 2015 6:39 am

Novice

Joined: 19 Oct 2015
Posts: 13

I use this link in my work.
In addition, I used the PDF manual for the MQSeries API, version 5.2, and did not know that its description of the MQCNO and MQCD structures is outdated.
Now I conclude that I must set ClientConnPtr to a null pointer, and initialize SecurityParmsPtr and pass it as an MQCSP structure. Right?
Vitor
Posted: Wed Oct 21, 2015 7:34 am

Grand High Poobah

Joined: 11 Nov 2005
Posts: 24452
Location: Ohio, USA

I'm still not clear on why you're trying to use the MQCONNX rather than having the administrator set the MCAUser on the SVRCONN.

I'm also not clear on why the administrator hasn't insisted you do that.
_________________
Honesty is the best policy.
Insanity is the best defence.