mgrx |
Posted: Sun Feb 07, 2016 2:51 am Post subject: Biztalk MQSC authentication |
|
|
 Novice
Joined: 01 Oct 2015 Posts: 20
|
I am migrating our MQ Gateway QM from version 7.0 to version 8 and in the process I would like to add some much needed security in terms of authentication.
One test case I'm having problems with is BizTalk 2013 with MQSC-Adapter.
When I configure the MQSC adapter to use userid and password, for some reason it doesn't use the settings I configure and falls back to the service account used by the BizTalk installation. It's displayed clearly in the log on the QM.
Client is BizTalk 2013 R2 with MQSC Adapter (MQ Client 7.5)
Server is on Linux with MQ 8.0.0.2 installed
Does anyone have any experience with similar BizTalk/Windows problems? |
bruce2359 |
Posted: Sun Feb 07, 2016 5:13 am Post subject: |
|
|
 Poobah
Joined: 05 Jan 2008 Posts: 9469 Location: US: west coast, almost. Otherwise, enroute.
|
What is displayed clearly in the MQ error log? _________________ I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live. |
mgrx |
Posted: Sun Feb 07, 2016 6:30 am Post subject: |
|
|
 Novice
Joined: 01 Oct 2015 Posts: 20
|
bruce2359 wrote: |
What is displayed clearly in the MQ error log? |
Sorry, that the CHCKCLNT user is the Windows service user, and not the user id configured in the MQSC adapter in BizTalk. |
bruce2359 |
Posted: Sun Feb 07, 2016 7:25 am Post subject: |
|
|
 Poobah
Joined: 05 Jan 2008 Posts: 9469 Location: US: west coast, almost. Otherwise, enroute.
|
Please post the complete error message.
Also, please post your CHLAUTH rules. |
mgrx |
Posted: Sun Feb 07, 2016 1:55 pm Post subject: |
|
|
 Novice
Joined: 01 Oct 2015 Posts: 20
|
Quote: |
AMQ9777: Channel was blocked
.
EXPLANATION:
The inbound channel QM.CUSTOMER.CONN' was blocked from address
'hostname1 (10.0.0.5)' because the active values of the channel matched a record configured with USERSRC(NOACCESS). The active values of
the channel were 'CLNTUSER(biztalkadmin) ADDRESS(hostname1)'.
|
In my BizTalk MQSC adapter the userid is set to a userid that exists on the QM, but it seems like the client does not send that userid and sends biztalkadmin instead. I don't have that much experience with BizTalk, and maybe it's not even possible? |
bruce2359 |
Posted: Sun Feb 07, 2016 2:10 pm Post subject: |
|
|
 Poobah
Joined: 05 Jan 2008 Posts: 9469 Location: US: west coast, almost. Otherwise, enroute.
|
Read the error carefully. Notice the NOACCESS.
Create a CHLAUTH rule that grants USERSRC(CHANNEL). |
mgrx |
Posted: Sun Feb 07, 2016 2:19 pm Post subject: |
|
|
 Novice
Joined: 01 Oct 2015 Posts: 20
|
bruce2359 wrote: |
Read the error carefully. Notice the NOACCESS.
Create a CHLAUTH rule that grants USERSRC(CHANNEL). |
Yes of course it works when I do that, but the problem still applies. The client does not send the correct userid. I have CHCKCLNT(OPTIONAL) on QMGR and as I recall the client gets through because it actually sends a blank username and password.
I want the client to send the userid and password that I specify |
mqjeff |
Posted: Mon Feb 08, 2016 6:07 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008 Posts: 17447
|
The biztalk adapter code would have had to be modified to supply the right userid/password in the right part of the MQ connection objects.
It's normal for a C-based client that doesn't do that to only authenticate as the user the client is running under.
So the adapter doesn't do what the configuration suggests it should. Perhaps a newer version of the adapter.
Or an MQV8 client. _________________ chmod -R ugo-wx / |
mgrx |
Posted: Mon Feb 08, 2016 6:13 am Post subject: |
|
|
 Novice
Joined: 01 Oct 2015 Posts: 20
|
mqjeff wrote: |
The biztalk adapter code would have had to be modified to supply the right userid/password in the right part of the MQ connection objects.
It's normal for a C-based client that doesn't do that to only authenticate as the user the client is running under.
So the adapter doesn't do what the configuration suggests it should. Perhaps a newer version of the adapter.
Or an MQV8 client. |
Yeah, I'll make a service request about this. I'll share the solution here as well when I get the response. Last time I checked MQ8 client was not supported by the latest BizTalk =/ |
smdavies99 |
Posted: Mon Feb 08, 2016 6:29 am Post subject: |
|
|
 Jedi Council
Joined: 10 Feb 2003 Posts: 6076 Location: Somewhere over the Rainbow this side of Never-never land.
|
mgrx wrote: |
. Last time I checked MQ8 client was not supported by the latest BizTalk =/ |
MS are always rather laggard about supporting anything but MSMQ which is really a toy when it comes to proper Queuing Systems (IMHO) _________________ WMQ User since 1999
MQSI/WBI/WMB/'Thingy' User since 2002
Linux user since 1995
Every time you reinvent the wheel the more square it gets (anon). If in doubt think and investigate before you ask silly questions. |
Vitor |
Posted: Mon Feb 08, 2016 6:31 am Post subject: |
|
|
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
|
mgrx wrote: |
I want the client to send the userid and password that I specify |
You might (if you've not already) try cross-posting in a BizTalk forum.
This sounds more like a problem with BizTalk than MQ. _________________ Honesty is the best policy.
Insanity is the best defence. |
exerk |
Posted: Mon Feb 08, 2016 6:37 am Post subject: |
|
|
 Jedi Council
Joined: 02 Nov 2006 Posts: 6339
|
Vitor wrote: |
This sounds more like a problem with BizTalk than MQ. |
Heaven forfend that Mightysoft are behind the drag curve...  _________________ It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
fjb_saper |
Posted: Mon Feb 08, 2016 7:42 am Post subject: |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
Has anybody thought about implementing the standard MQ8 security exit (mqccred) for this scenario?  _________________ MQ & Broker admin |
hughson |
Posted: Tue Feb 09, 2016 6:23 pm Post subject: Re: Biztalk MQSC authentication |
|
|
 Padawan
Joined: 09 May 2013 Posts: 1959 Location: Bay of Plenty, New Zealand
|
mgrx wrote: |
I am migrating our MQ Gateway QM from version 7.0 to version 8 and in the process I would like to add some much needed security in terms of authentication.
One test case I'm having problems with is BizTalk 2013 with MQSC-Adapter.
When I configure the MQSC adapter to use userid and password, for some reason it doesn't use the settings I configure and falls back to the service account used by the BizTalk installation. It's displayed clearly in the log on the QM. |
I am reading your question to mean that you are trying to use the new MQ V8 feature of user ID and password checking. You have upgraded your queue manager from V7.0 to V8.0 so this setup will not be enabled by default. Please check what is in your QMGR CONNAUTH field. If it is blank you need to enable the feature.
Secondly, you report being caught out by the CHLAUTH rule that reports the client side user ID as being the one that isn't the user ID and password provided one you hoped for.
Please ensure that your CONNAUTH settings are changed to ADOPTCTX(YES) to ensure that the user ID flowed with the password is adopted as the client's user ID. ADOPTCTX(NO) means that it would continue to use the client user ID and not the one sent with the password.
Since I don't know anything about BizSpark, all this assumes that BizSpark MQSC adapter is using the MQCSP as its method to send the user ID and password.
Cheers
Morag _________________ Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software |
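The settings described in the post above, written out as MQSC (an added example, not part of the post or of IBM's samples). The AUTHINFO name BIZTALK.IDPW and the choice of AUTHTYPE(IDPWOS) are assumptions; QM.CUSTOMER.CONN, 10.0.0.5 and biztalkadmin are the channel, address and client user from the AMQ9777 message earlier in the thread.

```mqsc
* 1. Check whether connection authentication is switched on.
*    A blank CONNAUTH means no user ID/password checking takes place.
DISPLAY QMGR CONNAUTH

* 2. Define the user ID/password check (BIZTALK.IDPW is a hypothetical name;
*    IDPWOS assumes the user exists as an OS user on the Linux server).
*    ADOPTCTX(YES): the user ID sent with the password becomes the
*    connection's identity. With ADOPTCTX(NO) the password is checked but
*    the client-side user ID keeps being used afterwards.
DEFINE AUTHINFO('BIZTALK.IDPW') AUTHTYPE(IDPWOS) +
       CHCKCLNT(OPTIONAL) +
       ADOPTCTX(YES) +
       REPLACE

* 3. Point the queue manager at it and make the change take effect.
ALTER QMGR CONNAUTH('BIZTALK.IDPW')
REFRESH SECURITY TYPE(CONNAUTH)

* 4. CHCKCLNT(OPTIONAL) still lets a client that sends no credentials
*    connect. Requiring them on this one channel turns a silent fallback
*    to the service account into a rejected connection.
SET CHLAUTH('QM.CUSTOMER.CONN') TYPE(ADDRESSMAP) +
    ADDRESS('10.0.0.5') +
    USERSRC(CHANNEL) +
    CHCKCLNT(REQUIRED)

* 5. Ask the queue manager which CHLAUTH rule would match the connection
*    reported in the AMQ9777 message.
DISPLAY CHLAUTH('QM.CUSTOMER.CONN') MATCH(RUNCHECK) +
        ADDRESS('10.0.0.5') CLNTUSER('biztalkadmin')
```

None of this changes what the client sends: if the adapter never fills in an MQCSP, step 4 makes the connection fail rather than run as the service account.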
mqjeff |
Posted: Wed Feb 10, 2016 6:20 am Post subject: Re: Biztalk MQSC authentication |
|
|
Grand Master
Joined: 25 Jun 2008 Posts: 17447
|
hughson wrote: |
Since I don't know anything about BizSpark, all this assumes that BizSpark MQSC adapter is using the MQCSP as its method to send the user ID and password. |
We were told that the userid being presented was the userid running the Windows process.
This strongly suggests to me that the adapter is not using the MQCSP structure.
Since, as you very well know, the default behavior of a C client is to do exactly that. |