ASG
IBM
Zystems
Cressida
Icon
Netflexity
 
  MQSeries.net
Search  Search       Tech Exchange      Education      Certifications      Library      Info Center      SupportPacs      LinkedIn  Search  Search                                                                   FAQ  FAQ   Usergroups  Usergroups
 
Register  ::  Log in Log in to check your private messages
 
RSS Feed - WebSphere MQ Support RSS Feed - Message Broker Support

MQSeries.net Forum IndexGeneral IBM MQ SupportMQ Connection User

Post new topicReply to topic
MQ Connection User View previous topic :: View next topic
Author Message
nisharg
PostPosted: Mon Jun 19, 2017 8:34 pm Post subject: MQ Connection User Reply with quote

Novice

Joined: 18 Mar 2015
Posts: 11

Hi

We have authentication based on users running the client applications. However for some applications user id is defaulted to mqm. I have checked MCA and it is not set. So not sure why user is default to mqm.

Any points will help. Thanks,

JDP
Back to top
View user's profile Send private message
exerk
PostPosted: Tue Jun 20, 2017 1:45 am Post subject: Reply with quote

Jedi Council

Joined: 02 Nov 2006
Posts: 5717

How do you know it's 'defaulted' to mqm ? Just because no MCAUSER value is set does not mean an exit, CHLAUTH record, is setting that user; or simply that the userid being flowed is mqm.

What method of authentication are you using? What version of MQ are you using?
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.

Back to top
View user's profile Send private message
hughson
PostPosted: Tue Jun 20, 2017 3:15 am Post subject: Re: MQ Connection User Reply with quote

Shaman

Joined: 09 May 2013
Posts: 726
Location: Bay of Plenty, New Zealand

nisharg wrote:
Hi

We have authentication based on users running the client applications. However for some applications user id is defaulted to mqm. I have checked MCA and it is not set. So not sure why user is default to mqm.

Any points will help. Thanks,

JDP
If you have a blank MCAUSER, and the client either flows no user ID or flows mqm, and nothing else sets a user ID for the connection to use, then it will default to mqm.

You can see the user ID in use for a SVRCONN in the DISPLAY CHSTATUS command.

If you don't want the user ID you see to be used, put something in place to set the MCAUSER to something. For example some CHLAUTH rules. Lots of material to read up about that.

Cheers
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
MQGem Software
Back to top
View user's profile Send private message Visit poster's website
nisharg
PostPosted: Tue Jun 20, 2017 4:01 pm Post subject: Reply with quote

Novice

Joined: 18 Mar 2015
Posts: 11

I am using MQ 9.0.0.1

Here is output from conn

Code:

dis CONN(5940C13E20EFAE38)
     2 : dis CONN(5940C13E20EFAE38)
AMQ8276: Display Connection details.
   CONN(5940C13E20EFAE38)
   EXTCONN(414D5143494D4B4D4D4D435031202020)
   TYPE(CONN)
   PID(22151370)                           TID(3204383)
   APPLDESC(IBM MQ Channel)
   APPLTAG(WebSphere MQ Client for Java)
   APPLTYPE(USER)                          ASTATE(STARTED)
   CHANNEL(SYSTEM.DEF.SVRCONN)             CLIENTID( )
   CONNAME(10.101.65.217)
   CONNOPTS(MQCNO_HANDLE_SHARE_BLOCK,MQCNO_SHARED_BINDING,MQCNO_RECONNECT)
   USERID(mqm)                             UOWLOG( )
   UOWSTDA(2017-06-19)                     UOWSTTI(16.13.41)
   UOWLOGDA( )                             UOWLOGTI( )
   URTYPE(QMGR)
   EXTURID(XA_FORMATID[] XA_GTRID[] XA_BQUAL[])
   QMURID(0.3174017)                       UOWSTATE(ACTIVE)


But initiating application is run by tomcatsoe user. So am expecting tomcatsoe to initiate the connection and fail because there is no user on MQ server with this id.


exerk wrote:
How do you know it's 'defaulted' to mqm ? Just because no MCAUSER value is set does not mean an exit, CHLAUTH record, is setting that user; or simply that the userid being flowed is mqm.

What method of authentication are you using? What version of MQ are you using?
Code:
Back to top
View user's profile Send private message
nisharg
PostPosted: Tue Jun 20, 2017 4:03 pm Post subject: Re: MQ Connection User Reply with quote

Novice

Joined: 18 Mar 2015
Posts: 11

My understanding is if no userid is specified for connecting to MQ then user running the client application will be used as connection user. We are using java client jar provided by IBM.

Do you think my understanding is wrong?

hughson wrote:
nisharg wrote:
Hi

We have authentication based on users running the client applications. However for some applications user id is defaulted to mqm. I have checked MCA and it is not set. So not sure why user is default to mqm.

Any points will help. Thanks,

JDP
If you have a blank MCAUSER, and the client either flows no user ID or flows mqm, and nothing else sets a user ID for the connection to use, then it will default to mqm.

You can see the user ID in use for a SVRCONN in the DISPLAY CHSTATUS command.

If you don't want the user ID you see to be used, put something in place to set the MCAUSER to something. For example some CHLAUTH rules. Lots of material to read up about that.

Cheers
Morag
Back to top
View user's profile Send private message
hughson
PostPosted: Tue Jun 20, 2017 11:23 pm Post subject: Reply with quote

Shaman

Joined: 09 May 2013
Posts: 726
Location: Bay of Plenty, New Zealand

The Java client is the one client where it used to not flow a user ID, but I thought modern versions of it always did.

It is easy to determine what the client flowed as it's user ID with the following trick.

Create a CHLAUTH rule (temporarily if you are not intending to go the CHLAUTH route) and then review the error message when it is blocked.

Since you are using the SVRCONN channel SYSTEM.DEF.SVRCONN there is in fact already a rule on the queue manager which would block it. Therefore I assume you have disabled CHLAUTH. Re-enable CHLAUTH briefly while you run your application once more. It should fail to connect with a 2035 return code.

Code:
ALTER QMGR CHLAUTH(ENABLED)

Review the queue manager error log for message number AMQ9777

Code:
AMQ9777: Channel was blocked

EXPLANATION:
The inbound channel 'SYSTEM.DEF.SVRCONN' was blocked from address 'localhost (127.0.0.1)' because the active values of the channel matched a record configured with USERSRC(NOACCESS). The active values of the channel were 'CLNTUSER(mqgemusr) ADDRESS(localhost)'.

The message shows you the flowed client side user ID in the CLNTUSER attribute in the error message, 'mqgemusr' in my above example.

Perhaps you can post the results here for us to comment further.

Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
MQGem Software
Back to top
View user's profile Send private message Visit poster's website
Display posts from previous:
Post new topicReply to topic Page 1 of 1

MQSeries.net Forum IndexGeneral IBM MQ SupportMQ Connection User
Jump to:



You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
Protected by Anti-Spam ACP


Theme by Dustin Baccetti
Powered by phpBB 2001, 2002 phpBB Group

Copyright MQSeries.net. All rights reserved.