MQCONNX and 2035

Shytiy.Andrew
Posted: Fri Oct 23, 2015 2:39 am

Vitor wrote:
I'm still not clear on why you're trying to use the MQCONNX rather than having the administrator set the MCAUser on the SVRCONN.

I connect to the MQ server from a workstation. I understand that I must use MQCHT_CLNTCONN in the MQCD.
I initialized ClientConnPtr (MQCD) and SecurityParmsPtr (MQCSP). I corrected the 2077 errors and still received error 2035,
although I pass in the MQCSP a login that is allowed access to MQ.
Code:

ASSIGN QMgrName = "UNIQM"
                AlternateUserId = "extmqusr"
                ChannelName = "EXTMQUSER.SVRCONN.CH"
                ConnectionName = "vprwmq(1422)".
..
/*initialize MQCSP structure - Security parameters*/
SET-SIZE(CSPUserIdPtr) = 20.
SET-SIZE(CSPPasswordPtr) = 20.

PUT-STRING(CSPUserIdPtr,1) = AlternateUserId.
ASSIGN CharString = "".
PUT-STRING(CSPPasswordPtr,1) = CharString.
..
ASSIGN CharString = "CSP "
                  StrLength = LENGTH(CharString). /*StrucId (MQCHAR4), 4-byte: MQCSP_STRUC_ID*/
PUT-STRING(SecurityParmsPtr,1) = CharString.
PUT-LONG(SecurityParmsPtr,StrLength + 1) = 1. /*Version (MQLONG), 4-byte: MQCSP_VERSION_1*/
ASSIGN StrLength = StrLength + 4.
PUT-LONG(SecurityParmsPtr,StrLength + 1) = 1. /*AuthenticationType (MQLONG), 4-byte: MQCSP_AUTH_USER_ID_AND_PWD*/
ASSIGN StrLength = StrLength + 4
                  CharString = "".
PUT-STRING(SecurityParmsPtr,StrLength + 1) = CharString. /*Reserved1 (MQBYTE4), 4-byte*/
ASSIGN StrLength = StrLength + 4.
PUT-LONG(SecurityParmsPtr,StrLength + 1) = GET-POINTER-VALUE(CSPUserIdPtr). /*CSPUserIdPtr (MQPTR), 4-byte*/
ASSIGN StrLength = StrLength + 4.
PUT-LONG(SecurityParmsPtr,StrLength + 1) = 0. /*CSPUserIdOffset (MQLONG), 4-byte*/
ASSIGN StrLength = StrLength + 4.
PUT-LONG(SecurityParmsPtr,StrLength + 1) = 20. /*CSPUserIdLength (MQLONG), 4-byte*/
ASSIGN StrLength = StrLength + 4
                  CharString = "".
PUT-STRING(SecurityParmsPtr,StrLength + 1) = CharString. /*Reserved2 (MQBYTE8), 8-byte*/
ASSIGN StrLength = StrLength + 8.
PUT-LONG(SecurityParmsPtr,StrLength + 1) = GET-POINTER-VALUE(CSPPasswordPtr). /*CSPPasswordPtr (MQPTR), 4-byte*/
ASSIGN StrLength = StrLength + 4.
PUT-LONG(SecurityParmsPtr,StrLength + 1) = 0. /*CSPPasswordOffset (MQLONG), 4-byte*/
ASSIGN StrLength = StrLength + 4.
PUT-LONG(SecurityParmsPtr,StrLength + 1) = 20. /*CSPPasswordLength (MQLONG), 4-byte*/
..
/*initialize MQCNO structure - Connect options*/
ASSIGN CharString = "CNO "
                  StrLength = LENGTH(CharString). /*StrucId (MQCHAR4), 4-byte: MQCNO_STRUC_ID*/
PUT-STRING(ConnectOpts,1) = CharString.
PUT-LONG(ConnectOpts,StrLength + 1) = 5. /*Version (MQLONG), 4-byte: MQCNO_VERSION_5; SecurityParmsPtr is ignored if Version is less than 5*/
ASSIGN StrLength = StrLength + 4.
PUT-LONG(ConnectOpts,StrLength + 1) = 0. /*Options (MQLONG), 4-byte: MQCNO_NONE*/
ASSIGN StrLength = StrLength + 4.
PUT-LONG(ConnectOpts,StrLength + 1) = 0. /*ClientConnOffset (MQLONG), 4-byte*/
ASSIGN StrLength = StrLength + 4.

PUT-LONG(ConnectOpts,StrLength + 1) = GET-POINTER-VALUE(ClientConnPtr). /*ClientConnPtr (MQPTR), 1200-byte*/
ASSIGN StrLength = StrLength + 4
                    CharString = "".
PUT-STRING(ConnectOpts,StrLength + 1) = CharString. /*ConnTag (MQBYTE128), 128-byte: MQCT_NONE*/

ASSIGN StrLength = StrLength + 128.

PUT-LONG(ConnectOpts,StrLength + 1) = GET-POINTER-VALUE(SSLConfigPtr). /*SSLConfigPtr (MQPTR), 4-byte*/

ASSIGN StrLength = StrLength + 4.
PUT-LONG(ConnectOpts,StrLength + 1) = 0. /*SSLConfigOffset (MQLONG), 4-byte*/

ASSIGN StrLength = StrLength + 4
                 ConnectionId = GET-STRING(ConnectOpts,StrLength + 1, 24).

ASSIGN StrLength = StrLength + 24. /*output field ConnectionId (MQBYTE24)*/

PUT-LONG(ConnectOpts,StrLength + 1) = 0. /*SecurityParmsOffset (MQLONG), 4-byte*/

ASSIGN StrLength = StrLength + 4.

PUT-LONG(ConnectOpts,StrLength + 1) = GET-POINTER-VALUE(SecurityParmsPtr). /*SecurityParmsPtr (MQPTR), 4-byte*/

/*Connect to certain queue manager with connect options*/
RUN MQCONNX (QMgrName,
                  INPUT-OUTPUT ConnectOpts,
                  OUTPUT Hconn,
                  OUTPUT CompCode,
                  OUTPUT Reason).


Shytiy.Andrew
Posted: Fri Oct 23, 2015 3:50 am

And again, I asked the administrator whether altusr is allowed. He said that it is not allowed. Can I get 2035 error because of this?

Vitor
Posted: Fri Oct 23, 2015 4:13 am

Shytiy.Andrew wrote:
Can I get 2035 error because of this?


Yes. You're trying to perform an operation which the administrator has not given you permission to do. Most administrators (including me) do not grant altuser because:

Vitor wrote:


I'm still not clear on why you're trying to use the MQCONNX rather than having the administrator set the MCAUser on the SVRCONN.

I'm also not clear on why the administrator hasn't insisted you do that.



This is a much more common (and from the administrator's view, much better) way of controlling access.
_________________
Honesty is the best policy.
Insanity is the best defence.

Shytiy.Andrew
Posted: Fri Oct 23, 2015 4:28 am

Vitor, I am a newbie to MQ and I apologize in advance for my persistence. Could you explain in simple words what you mean by "having the administrator set the MCAUser on the SVRCONN"?
Do I understand correctly that the administrator must create a group in which to add list of users (logins) that connected to MQ manager?
If so, the administrator said that the staff of information security will not allow to do so. I'm confused. The Administrator proposes to me to write the MQ adapter. I do not really imagine what I must do.

Vitor
Posted: Fri Oct 23, 2015 4:44 am

Shytiy.Andrew wrote:
Do I understand correctly that the administrator must create a group in which to add list of users (logins) that connected to MQ manager?


No. I'm proposing that the administrator set the id for the application to use via the attribute of the channel I mentioned, rather than have you set it via the application in the header.

Shytiy.Andrew wrote:
If so, the administrator said that the staff of information security will not allow to do so.


There's no need for further IS changes. You already seem to have a valid id in place - the one you're trying to set.

Shytiy.Andrew wrote:
The Administrator proposes to me to write the MQ adapter.


Perhaps he intends you to write a common adapter to package the MQI for other users. I certainly don't think I (or anyone here) can comment with authority on what your MQ administrator has in mind.

Shytiy.Andrew wrote:
I do not really imagine what I must do.


Well I'd go back to your administrator and tell him you're getting 2035 errors because you don't have all the permissions you need. When he tells you that you can't have altusr (because it's a serious security risk) ask him how you are expected to achieve the required ends. And why he doesn't want to use MCAUser (or a channel authority record).
_________________
Honesty is the best policy.
Insanity is the best defence.

fjb_saper
Posted: Fri Oct 23, 2015 4:51 am

Vitor wrote:
Well I'd go back to your administrator and tell him you're getting 2035 errors because you don't have all the permissions you need. When he tells you that you can't have altusr (because it's a serious security risk) ask him how you are expected to achieve the required ends. And why he doesn't want to use MCAUser (or a channel authority record).

And if the queue manager is at MQ8 level there is a way to set the MCAuser to the user presented in the MQCSP structure but it is set at the qmgr level.

_________________
MQ & Broker admin

mqjeff
Posted: Fri Oct 23, 2015 5:08 am

fjb_saper wrote:
Vitor wrote:
Well I'd go back to your administrator and tell him you're getting 2035 errors because you don't have all the permissions you need. When he tells you that you can't have altusr (because it's a serious security risk) ask him how you are expected to achieve the required ends. And why he doesn't want to use MCAUser (or a channel authority record).

And if the queue manager is at MQ8 level there is a way to set the MCAuser to the user presented in the MQCSP structure but it is set at the qmgr level.


There's a way to simply authorize the user and password in the MQCSP. But op has stated the qmgr is at 7.5.
_________________
Read, Think, Try, Repeat
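
The administrator-side alternatives named in the replies above (MCAUser on the SVRCONN, a channel authority record, and the v8 setting at qmgr level), written out as MQSC. This is an added example, not part of any post; the channel and user names come from the first post, while the queue name, IP address and AUTHINFO name are constructed placeholders.

```mqsc
* Added example, not from the thread. 'APP.EXAMPLE.QUEUE', 192.0.2.10 and
* 'EXAMPLE.IDPWOS' are constructed placeholders.

* --- MQ 7.5: the channel, not the application, decides the identity ---
* Option A: fixed MCAUSER on the SVRCONN. Every connection over this
* channel runs as 'extmqusr', whatever user id the client asserts.
ALTER CHANNEL('EXTMQUSER.SVRCONN.CH') CHLTYPE(SVRCONN) MCAUSER('extmqusr')

* Option B: channel authentication records. Refuse the channel by
* default, then map the one known workstation address to 'extmqusr'.
SET CHLAUTH('EXTMQUSER.SVRCONN.CH') TYPE(ADDRESSMAP) ADDRESS('*') +
    USERSRC(NOACCESS)
SET CHLAUTH('EXTMQUSER.SVRCONN.CH') TYPE(ADDRESSMAP) +
    ADDRESS('192.0.2.10') USERSRC(MAP) MCAUSER('extmqusr')

* Grant that id only what the application needs; ALTUSR is not granted.
SET AUTHREC OBJTYPE(QMGR) PRINCIPAL('extmqusr') AUTHADD(CONNECT, INQ)
SET AUTHREC PROFILE('APP.EXAMPLE.QUEUE') OBJTYPE(QUEUE) +
    PRINCIPAL('extmqusr') AUTHADD(PUT, GET, INQ)

* Check what is actually in force before retesting the client.
DISPLAY CHANNEL('EXTMQUSER.SVRCONN.CH') MCAUSER
DISPLAY CHLAUTH('EXTMQUSER.SVRCONN.CH') ALL
DISPLAY AUTHREC OBJTYPE(QMGR) PRINCIPAL('extmqusr')

* --- MQ 8 and later: connection authentication at qmgr level ---
* The user id and password in the MQCSP are checked against the OS, and
* ADOPTCTX(YES) makes the authenticated MQCSP user the connection's
* identity for authorization checks.
DEFINE AUTHINFO('EXAMPLE.IDPWOS') AUTHTYPE(IDPWOS) +
       CHCKCLNT(REQUIRED) ADOPTCTX(YES)
ALTER QMGR CONNAUTH('EXAMPLE.IDPWOS')
REFRESH SECURITY TYPE(CONNAUTH)
```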

Shytiy.Andrew
Posted: Fri Oct 23, 2015 5:29 am

Vitor, thank you. I got it.

Shytiy.Andrew
Posted: Fri Oct 23, 2015 5:43 am

mqjeff wrote:

There's a way to simply authorize the user and password in the MQCSP. But op has stated the qmgr is at 7.5.

I pass UserId (CSPUserIdPtr) in the SecurityParmsPtr (MQCSP). I assign empty string values to the fields: UserIdentifier, MCAUserIdentifier, RemoteUserIdentifier in the ClientConnPtr (MQCD structure). Maybe I have something misunderstood?

mqjeff
Posted: Fri Oct 23, 2015 5:51 am

You can only do user authentication in v8.

It seems that setting the UserIdPtr in the csp may be trying to use an altuser instead of the regular user. That might be normal behavior in v7.5.

Try the other user fields. I doubt the mcauser will work, since you're setting the clntconn side. But it might.
_________________
Read, Think, Try, Repeat

Vitor
Posted: Fri Oct 23, 2015 5:55 am

mqjeff wrote:
You can only do user authentication in v8.

It seems that setting the UserIdPtr in the csp may be trying to use an altuser instead of the regular user. That might be normal behavior in v7.5.




_________________
Honesty is the best policy.
Insanity is the best defence.

Vitor
Posted: Fri Oct 23, 2015 5:57 am

Shytiy.Andrew wrote:
mqjeff wrote:

There's a way to simply authorize the user and password in the MQCSP. But op has stated the qmgr is at 7.5.

I pass UserId (CSPUserIdPtr) in the SecurityParmsPtr (MQCSP). I assign empty string values to the fields: UserIdentifier, MCAUserIdentifier, RemoteUserIdentifier in the ClientConnPtr (MQCD structure). Maybe I have something misunderstood?


I think the key issue with your code is that you're one version too early for it to work.

While you're speaking to your administrator, see what the plan is for upgrading to v8, which will solve many of your issues.
_________________
Honesty is the best policy.
Insanity is the best defence.

Shytiy.Andrew
Posted: Tue Oct 27, 2015 1:31 am

I tried to use the fields UserIdentifier, MCAUserIdentifier, RemoteUserIdentifier, but unsuccessfully: error 2035.
Despite the fact that I could not connect to the queue manager programmatically (mqconnx), I can do this by running the program as the required user (mqconn + system environment variable MQSERVER). Launching the program under the desired user, I can put a message in a queue, get a message from the queue, close the queue and disconnect from the queue manager.
Thanks for your help!