| |
|
RSS Feed - WebSphere MQ Support
|
RSS Feed - Message Broker Support
|
  |
|
| MQ Connection User |
« View previous topic :: View next topic » |
| Author |
Message
|
| nisharg |
 Posted: Mon Jun 19, 2017 8:34 pm Post subject: MQ Connection User |
 |
|
Novice
Joined: 18 Mar 2015
Posts: 11
|
Hi
We have authentication based on users running the client applications. However for some applications user id is defaulted to mqm. I have checked MCA and it is not set. So not sure why user is default to mqm.
Any points will help. Thanks,
JDP |
|
| Back to top |
|
 |
| exerk |
| Posted: Tue Jun 20, 2017 1:45 am Post subject: |
|
|
Jedi Council
Joined: 02 Nov 2006
Posts: 6339
|
How do you know it's 'defaulted' to mqm ? Just because no MCAUSER value is set does not mean an exit, CHLAUTH record, is setting that user; or simply that the userid being flowed is mqm.
What method of authentication are you using? What version of MQ are you using?
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
|
| Back to top |
|
|
| hughson |
| Posted: Tue Jun 20, 2017 3:15 am Post subject: Re: MQ Connection User |
|
|
Padawan
Joined: 09 May 2013
Posts: 1959
Location: Bay of Plenty, New Zealand
|
| nisharg wrote: |
Hi
We have authentication based on users running the client applications. However for some applications user id is defaulted to mqm. I have checked MCA and it is not set. So not sure why user is default to mqm.
Any points will help. Thanks,
JDP |
If you have a blank MCAUSER, and the client either flows no user ID or flows mqm, and nothing else sets a user ID for the connection to use, then it will default to mqm.
You can see the user ID in use for a SVRCONN in the DISPLAY CHSTATUS command.
If you don't want the user ID you see to be used, put something in place to set the MCAUSER to something. For example some CHLAUTH rules. Lots of material to read up about that.
Cheers
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software |
|
| Back to top |
|
|
| nisharg |
| Posted: Tue Jun 20, 2017 4:01 pm Post subject: |
|
|
Novice
Joined: 18 Mar 2015
Posts: 11
|
I am using MQ 9.0.0.1
Here is output from conn
| Code: |
dis CONN(5940C13E20EFAE38)
2 : dis CONN(5940C13E20EFAE38)
AMQ8276: Display Connection details.
CONN(5940C13E20EFAE38)
EXTCONN(414D5143494D4B4D4D4D435031202020)
TYPE(CONN)
PID(22151370) TID(3204383)
APPLDESC(IBM MQ Channel)
APPLTAG(WebSphere MQ Client for Java)
APPLTYPE(USER) ASTATE(STARTED)
CHANNEL(SYSTEM.DEF.SVRCONN) CLIENTID( )
CONNAME(10.101.65.217)
CONNOPTS(MQCNO_HANDLE_SHARE_BLOCK,MQCNO_SHARED_BINDING,MQCNO_RECONNECT)
USERID(mqm) UOWLOG( )
UOWSTDA(2017-06-19) UOWSTTI(16.13.41)
UOWLOGDA( ) UOWLOGTI( )
URTYPE(QMGR)
EXTURID(XA_FORMATID[] XA_GTRID[] XA_BQUAL[])
QMURID(0.3174017) UOWSTATE(ACTIVE)
|
But initiating application is run by tomcatsoe user. So am expecting tomcatsoe to initiate the connection and fail because there is no user on MQ server with this id.
| exerk wrote: |
How do you know it's 'defaulted' to mqm ? Just because no MCAUSER value is set does not mean an exit, CHLAUTH record, is setting that user; or simply that the userid being flowed is mqm.
What method of authentication are you using? What version of MQ are you using? |
|
|
| Back to top |
|
|
| nisharg |
| Posted: Tue Jun 20, 2017 4:03 pm Post subject: Re: MQ Connection User |
|
|
Novice
Joined: 18 Mar 2015
Posts: 11
|
My understanding is if no userid is specified for connecting to MQ then user running the client application will be used as connection user. We are using java client jar provided by IBM.
Do you think my understanding is wrong?
| hughson wrote: |
| nisharg wrote: |
Hi
We have authentication based on users running the client applications. However for some applications user id is defaulted to mqm. I have checked MCA and it is not set. So not sure why user is default to mqm.
Any points will help. Thanks,
JDP |
If you have a blank MCAUSER, and the client either flows no user ID or flows mqm, and nothing else sets a user ID for the connection to use, then it will default to mqm.
You can see the user ID in use for a SVRCONN in the DISPLAY CHSTATUS command.
If you don't want the user ID you see to be used, put something in place to set the MCAUSER to something. For example some CHLAUTH rules. Lots of material to read up about that.
Cheers
Morag |
|
|
| Back to top |
|
|
| hughson |
| Posted: Tue Jun 20, 2017 11:23 pm Post subject: |
|
|
Padawan
Joined: 09 May 2013
Posts: 1959
Location: Bay of Plenty, New Zealand
|
The Java client is the one client where it used to not flow a user ID, but I thought modern versions of it always did.
It is easy to determine what the client flowed as it's user ID with the following trick.
Create a CHLAUTH rule (temporarily if you are not intending to go the CHLAUTH route) and then review the error message when it is blocked.
Since you are using the SVRCONN channel SYSTEM.DEF.SVRCONN there is in fact already a rule on the queue manager which would block it. Therefore I assume you have disabled CHLAUTH. Re-enable CHLAUTH briefly while you run your application once more. It should fail to connect with a 2035 return code.
| Code: |
| ALTER QMGR CHLAUTH(ENABLED) |
Review the queue manager error log for message number AMQ9777
| Code: |
AMQ9777: Channel was blocked
EXPLANATION:
The inbound channel 'SYSTEM.DEF.SVRCONN' was blocked from address 'localhost (127.0.0.1)' because the active values of the channel matched a record configured with USERSRC(NOACCESS). The active values of the channel were 'CLNTUSER(mqgemusr) ADDRESS(localhost)'. |
The message shows you the flowed client side user ID in the CLNTUSER attribute in the error message, 'mqgemusr' in my above example.
Perhaps you can post the results here for us to comment further.
Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software |
|
| Back to top |
|
|
|
|
|
| |
|
Page 1 of 1 |
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
|
|
|
