Same CHLAUTH Settings Got Diff Response from 2 Qmgrs
EricL
Posted: Tue Feb 14, 2017 1:29 pm

Centurion

Joined: 10 Oct 2014
Posts: 100

Hi there,

I've been stuck with an issue for several days. I have 2 Qmgrs set up with exactly the same CHLAUTH settings. When I make a connection test from a client application, it connects to the 1st Qmgr perfectly but can't connect to the 2nd one, and I get these error messages:

AMQ9557: Queue Manager User ID initialization failed for 'system'.

EXPLANATION:
The call to initialize the User ID 'system' failed with CompCode 2 and Reason
2035.
ACTION: Correct the error and try again.

After double-checking, it is confirmed that the CHLAUTH settings are the same on both Qmgrs. I'm really not sure what happened; any suggestion is welcome!

Thanks...

bruce2359
Posted: Tue Feb 14, 2017 6:46 pm

Poobah

Joined: 05 Jan 2008
Posts: 9392
Location: US: west coast, almost. Otherwise, enroute.

EricL wrote:
I have 2 Qmgrs setup with exactly same CHLAUTH settings ...

Are the two o/s's the same? Are the versions of MQ the same? Same fixpack level? Same security domain?

Any additional information you care to provide?
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.

exerk
Posted: Wed Feb 15, 2017 12:09 am

Jedi Council

Joined: 02 Nov 2006
Posts: 6339

EricL wrote:
AMQ9557: Queue Manager User ID initialization failed for 'system'.

And the userid 'system' is definitely defined on the server with the failing connection?
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.

EricL
Posted: Wed Feb 15, 2017 3:45 pm

Centurion

Joined: 10 Oct 2014
Posts: 100

Thanks for your quick response.

Yes, both qmgrs are set up on same-version AIX boxes with same-version MQ installations...

The connection channel is "ONLINE.SECURE.MQADMIN", and the relevant rule records are:

AMQ8878: Display channel authentication record details.
CHLAUTH(ONLINE.SECURE.MQADMIN) TYPE(ADDRESSMAP)
DESCR( ) CUSTOM( )
ADDRESS(110.221.170.165) MCAUSER(mqm)
USERSRC(MAP) CHCKCLNT(ASQMGR)

AMQ8878: Display channel authentication record details.
CHLAUTH(ONLINE.SECURE.MQADMIN) TYPE(BLOCKUSER)
DESCR( ) CUSTOM( )
USERLIST(SYSTEM) WARN(NO)

AMQ8878: Display channel authentication record details.
CHLAUTH(SYSTEM.*) TYPE(ADDRESSMAP)
DESCR(Default rule to disable all SYSTEM channels)
CUSTOM( ) ADDRESS(*)
USERSRC(NOACCESS) WARN(NO)

AMQ8878: Display channel authentication record details.
CHLAUTH(*) TYPE(BLOCKUSER)
DESCR(Default rule to disallow privileged users)
CUSTOM( ) USERLIST(*MQADMIN)
WARN(NO)

The settings of the rule records are exactly the same on both Qmgrs....

The way the client application works is: each user logs in to the client application with his/her id, and the client application connects to the qmgr with id 'system', because the client application is installed and set up with 'system'.....

The trickiest part of the story is that the user can ONLY connect to one qmgr but NOT the other, though the settings are the same and the OS and MQ versions are the same.....
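
An added example, not part of any post in this thread: a short Python script that parses the DISPLAY CHLAUTH output format shown in the post above and reports attribute-level differences between two queue managers, so that "the settings are the same" can be checked mechanically. The QM2 text and the function names parse_chlauth and diff_chlauth are constructed for illustration.

```python
import re

# QM1: two records copied from the post above.
QM1 = """\
AMQ8878: Display channel authentication record details.
CHLAUTH(ONLINE.SECURE.MQADMIN) TYPE(ADDRESSMAP)
DESCR( ) CUSTOM( )
ADDRESS(110.221.170.165) MCAUSER(mqm)
USERSRC(MAP) CHCKCLNT(ASQMGR)

AMQ8878: Display channel authentication record details.
CHLAUTH(ONLINE.SECURE.MQADMIN) TYPE(BLOCKUSER)
DESCR( ) CUSTOM( )
USERLIST(SYSTEM) WARN(NO)
"""
# QM2: constructed for this example (one line rewrapped, USERLIST lower case).
QM2 = (QM1.replace("CUSTOM( )\nADDRESS(", "CUSTOM( ) ADDRESS(")
          .replace("USERLIST(SYSTEM)", "USERLIST(system)"))

ATTR = re.compile(r"(\w+)\(([^)]*)\)")  # KEY(value); assumes no ')' in values

def parse_chlauth(text):
    """Map (profile, type, address) -> {attribute: value} for each record."""
    records = {}
    for chunk in re.split(r"^AMQ8878.*$", text, flags=re.M):
        attrs = {k: v.strip() for k, v in ATTR.findall(chunk)}
        if "CHLAUTH" in attrs:
            key = (attrs["CHLAUTH"], attrs.get("TYPE", ""), attrs.get("ADDRESS", ""))
            records[key] = attrs
    return records

def diff_chlauth(a, b, ignore=("DESCR",)):
    """Return (rule key, attribute, value in a, value in b) per mismatch."""
    ra, rb = parse_chlauth(a), parse_chlauth(b)
    diffs = []
    for key in sorted(ra.keys() | rb.keys()):
        xa, xb = ra.get(key, {}), rb.get(key, {})
        for attr in sorted((xa.keys() | xb.keys()) - set(ignore)):
            if xa.get(attr) != xb.get(attr):  # case-sensitive on purpose
                diffs.append((key, attr, xa.get(attr), xb.get(attr)))
    return diffs

if __name__ == "__main__":
    for row in diff_chlauth(QM1, QM2):
        print(row)
```

This compares CHLAUTH records only; object authorities granted with setmqaut are held separately and need their own comparison.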
fjb_saper
Posted: Wed Feb 15, 2017 11:58 pm

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20695
Location: LI,NY

Is the user 'system' (different from SYSTEM) defined on both servers, and do they have the same uid?
_________________
MQ & Broker admin

smdavies99
Posted: Thu Feb 16, 2017 12:24 am

Jedi Council

Joined: 10 Feb 2003
Posts: 6076
Location: Somewhere over the Rainbow this side of Never-never land.

fjb_saper wrote:
is the user 'system' (different from SYSTEM) defined on both servers and do they have the same uid?


On Unix/Linux you can make that happen. On Windows? Fat chance.

If you are using the user 'system' and your OS is Windows then stop right now. This username has special meanings that are reserved for MS use only.
It can (and we are seeing that here perhaps) lead to all sorts of problems.

Why use a username like System? Do you not think that anyone trying to hack your system will not try the Windows internal accounts first?

IMHO, this ranks up there with using usernames for bog standard users that contain MQ, MQSI, WMB, IIB, WAS, DB2 etc.
Don't do it.

And many places won't let you use those names in a domain for very good security reasons.
_________________
WMQ User since 1999
MQSI/WBI/WMB/'Thingy' User since 2002
Linux user since 1995

Every time you reinvent the wheel the more square it gets (anon). If in doubt think and investigate before you ask silly questions.

mqjeff
Posted: Thu Feb 16, 2017 4:57 am

Grand Master

Joined: 25 Jun 2008
Posts: 17447

You can get the same user on two Windows boxes to have the same UUID...

If you're using Active Directory.
_________________
chmod -R ugo-wx /

smdavies99
Posted: Thu Feb 16, 2017 5:27 am

Jedi Council

Joined: 10 Feb 2003
Posts: 6076
Location: Somewhere over the Rainbow this side of Never-never land.

mqjeff wrote:
You can get the same user on two Windows boxes to have the same UUID...

If you're using active directory.


Should have mentioned that. It was early in the day, well that's my excuse.
_________________
WMQ User since 1999
MQSI/WBI/WMB/'Thingy' User since 2002
Linux user since 1995

Every time you reinvent the wheel the more square it gets (anon). If in doubt think and investigate before you ask silly questions.

EricL
Posted: Tue Feb 21, 2017 5:36 pm

Centurion

Joined: 10 Oct 2014
Posts: 100

Thanks everyone.

As said, 'system' is a client id from the Windows box to the qmgr (on the AIX box); 'system' is NOT created on both AIX boxes.

A lot of info pointed out that 'system' is a special account on Windows. I'm not sure why the client application was set up using this special id, and the app has been running there for several years....

Going to scratch my head again.....

exerk
Posted: Wed Feb 22, 2017 12:18 am

Jedi Council

Joined: 02 Nov 2006
Posts: 6339

EricL wrote:
...not sure why the client application was setup using this special id, and the app has been running there for several years...

Been there, got that t-shirt. Generally it's because the applications people either don't know, or find/say it's too complicated to set up under an identifiable user, or that to do so would give that user too much privilege.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.

EricL
Posted: Tue Mar 14, 2017 11:29 am

Centurion

Joined: 10 Oct 2014
Posts: 100

Hi there,

Just FYI, the issue has been solved by granting permissions to queue 'SYSTEM.MQEXPLORER.REPLY.MODEL' for a specific user:

setmqaut -m QM-Name -t q -n SYSTEM.MQEXPLORER.REPLY.MODEL -p whateverId +all

After this, everything is fine, though I don't understand it 100%.....