ASG
IBM
Zystems
Cressida
Icon
Netflexity
 
  MQSeries.net
Search  Search       Tech Exchange      Education      Certifications      Library      Info Center      SupportPacs      LinkedIn  Search  Search                                                                   FAQ  FAQ   Usergroups  Usergroups
 
Register  ::  Log in Log in to check your private messages
 
RSS Feed - WebSphere MQ Support RSS Feed - Message Broker Support

MQSeries.net Forum IndexGeneral IBM MQ SupportMQ71 Login Id not Correctly Shown Up on MQ Server

Post new topicReply to topic Goto page 1, 2  Next
MQ71 Login Id not Correctly Shown Up on MQ Server View previous topic :: View next topic
Author Message
EricL
PostPosted: Wed Sep 13, 2017 11:04 am Post subject: MQ71 Login Id not Correctly Shown Up on MQ Server Reply with quote

Apprentice

Joined: 10 Oct 2014
Posts: 46

Hi,

Got confused about Login Id from MO71.
When login in MO71, I used id name "mqm", as mqm is granted all access to all objects, but strangely I can not browse objects, with below message:

====
AMQ8077: Entity 'user1' has insufficient authority to access object
'ABCDEF'.

EXPLANATION:
The specified entity is not authorized to access the required object. The
following requested permissions are unauthorized: browse
ACTION:
Ensure that the correct level of authority has been set for this entity against
the required object, or ensure that the entity is a member of a privileged
group.
=====

As said when login MO71, user "mqm" was actually used, why 'user1' was shown in the error log, led to object not able to show?

Thanks...
Back to top
View user's profile Send private message
Vitor
PostPosted: Wed Sep 13, 2017 11:16 am Post subject: Re: MQ71 Login Id not Correctly Shown Up on MQ Server Reply with quote

Grand High Poobah

Joined: 11 Nov 2005
Posts: 24534
Location: Ohio, USA

EricL wrote:
As said when login MO71, user "mqm" was actually used, why 'user1' was shown in the error log, led to object not able to show?


MCAUser set on the channel?

Channel authority record with a mapping?
_________________
Honesty is the best policy.
Insanity is the best defence.
Back to top
View user's profile Send private message
EricL
PostPosted: Wed Sep 13, 2017 1:39 pm Post subject: Reply with quote

Apprentice

Joined: 10 Oct 2014
Posts: 46

Channel's MCA User ID is empty.

Strangely, I just tried login through a different channel, MCA is empty as well, I got same thing, e.g. login as 'mqm' to MO71, but MO71 UI showed "User1 is not authorized" to access objects....Qmgr errors showed I logged in as 'user1', no idea when user id got converted.....
Back to top
View user's profile Send private message
PaulClarke
PostPosted: Wed Sep 13, 2017 2:14 pm Post subject: Reply with quote

Sentinel

Joined: 17 Nov 2005
Posts: 860
Location: New Zealand

What do you mean by 'login as 'mqm' to MO71' ? You don't login to MO71. You just run the program and MQ will pick up the 'normal' authorities based on the running user. Are you actually logged on to your Windows/Linux box under user 'mqm' ?

Cheers,
Paul.

ps. I believe you have a typo in the title of this post.
_________________
Paul Clarke
MQGem Software
www.mqgem.com
Back to top
View user's profile Send private message Visit poster's website
Vitor
PostPosted: Thu Sep 14, 2017 5:08 am Post subject: Reply with quote

Grand High Poobah

Joined: 11 Nov 2005
Posts: 24534
Location: Ohio, USA

EricL wrote:
Channel's MCA User ID is empty.

Strangely, I just tried login through a different channel, MCA is empty as well, I got same thing, e.g. login as 'mqm' to MO71, but MO71 UI showed "User1 is not authorized" to access objects....Qmgr errors showed I logged in as 'user1', no idea when user id got converted.....


Then I stand by my second suggestion, as channel authority records can be applied to multiple or indeed all channels.
_________________
Honesty is the best policy.
Insanity is the best defence.
Back to top
View user's profile Send private message
EricL
PostPosted: Thu Sep 14, 2017 5:29 am Post subject: Reply with quote

Apprentice

Joined: 10 Oct 2014
Posts: 46

1. MO71 login id:

When right click any Qmgr/Location in MO71, choose "Open Location", you see "Location Settings" window, you'll find "Userid" check box which is not checked by default, if you checked that box, it will prompt username/password when you open location next time....

2. Channel's definition and authorization setting:

Channel authority records


AMQ8878: Display channel authentication record details.
CHLAUTH(AAAAA.SVRCONN) TYPE(BLOCKUSER)
DESCR( ) CUSTOM( )
USERLIST(nobody) WARN(NO)

AMQ8414: Display Channel details.
CHANNEL(AAAAA.SVRCONN) CHLTYPE(SVRCONN)
CERTLABL( ) COMPHDR(NONE)
COMPMSG(NONE) DESCR( )
DISCINT(0) HBINT(300)
KAINT(AUTO) MAXINST(999999999)
MAXINSTC(999999999) MAXMSGL(4194304)
MCAUSER( ) MONCHL(QMGR)
RCVDATA( ) RCVEXIT( )
SCYDATA( ) SCYEXIT( )
SENDDATA( ) SENDEXIT( )
SHARECNV(10) SSLCAUTH(REQUIRED)
SSLCIPH( ) SSLPEER( )
TRPTYPE(TCP)
Back to top
View user's profile Send private message
Vitor
PostPosted: Thu Sep 14, 2017 5:42 am Post subject: Reply with quote

Grand High Poobah

Joined: 11 Nov 2005
Posts: 24534
Location: Ohio, USA

EricL wrote:
2. Channel's definition and authorization setting:

Channel authority records


AMQ8878: Display channel authentication record details.
CHLAUTH(AAAAA.SVRCONN) TYPE(BLOCKUSER)
DESCR( ) CUSTOM( )
USERLIST(nobody) WARN(NO)

AMQ8414: Display Channel details.
CHANNEL(AAAAA.SVRCONN) CHLTYPE(SVRCONN)
CERTLABL( ) COMPHDR(NONE)
COMPMSG(NONE) DESCR( )
DISCINT(0) HBINT(300)
KAINT(AUTO) MAXINST(999999999)
MAXINSTC(999999999) MAXMSGL(4194304)
MCAUSER( ) MONCHL(QMGR)
RCVDATA( ) RCVEXIT( )
SCYDATA( ) SCYEXIT( )
SENDDATA( ) SENDEXIT( )
SHARECNV(10) SSLCAUTH(REQUIRED)
SSLCIPH( ) SSLPEER( )
TRPTYPE(TCP)


And that's the only channel authority record which could possibly be applied to that channel?
_________________
Honesty is the best policy.
Insanity is the best defence.
Back to top
View user's profile Send private message
EricL
PostPosted: Thu Sep 14, 2017 7:22 am Post subject: Reply with quote

Apprentice

Joined: 10 Oct 2014
Posts: 46

More info here:

1. MCA user id is empty
2. Default Security Settings:

AMQ8878: Display channel authentication record details.
CHLAUTH(SYSTEM.ADMIN.SVRCONN) TYPE(ADDRESSMAP)
DESCR(Default rule to allow MQ Explorer access)
CUSTOM( ) ADDRESS(*)
USERSRC(CHANNEL) CHCKCLNT(ASQMGR)
AMQ8878: Display channel authentication record details.
CHLAUTH(SYSTEM.*) TYPE(ADDRESSMAP)
DESCR(Default rule to disable all SYSTEM channels)
CUSTOM( ) ADDRESS(*)
USERSRC(NOACCESS) WARN(NO)
AMQ8878: Display channel authentication record details.
CHLAUTH(*) TYPE(BLOCKUSER)
DESCR( ) CUSTOM( )
USERLIST(*MQADMIN) WARN(NO)
Back to top
View user's profile Send private message
PaulClarke
PostPosted: Thu Sep 14, 2017 9:22 am Post subject: Reply with quote

Sentinel

Joined: 17 Nov 2005
Posts: 860
Location: New Zealand

Ok, so by "login to MO71" what you really mean in "login to your Queue Manager". You are passing in a Userid and Password to your Queue Manager.

I think my first question would be what are your CONNAUTH settings? What are the results of.....

DIS QMGR CONNAUTH

and

DIS AUTHINFO(<what ever you got back from previous command>)

Cheers,

Paul.
_________________
Paul Clarke
MQGem Software
www.mqgem.com
Back to top
View user's profile Send private message Visit poster's website
EricL
PostPosted: Fri Sep 15, 2017 12:28 pm Post subject: Reply with quote

Apprentice

Joined: 10 Oct 2014
Posts: 46

Now I understood you.

I login my laptop - windows with my domain user id - 'user1', then try to connect to Qmgr through MO71 with id 'mqm'.

1. DIS QMGR CONNAUTH:

CONNAUTH(SYSTEM.DEFAULT.AUTHINFO.IDPWOS)

2. DIS AUTHINFO(SYSTEM.DEFAULT.AUTHINFO.IDPWOS)


AMQ8566: Display authentication information details.
AUTHINFO(SYSTEM.DEFAULT.AUTHINFO.IDPWOS)
AUTHTYPE(IDPWOS) ADOPTCTX(YES)
DESCR( ) CHCKCLNT(OPTIONAL)
CHCKLOCL(OPTIONAL) FAILDLAY(1)


Thanks....
Back to top
View user's profile Send private message
fjb_saper
PostPosted: Fri Sep 15, 2017 12:51 pm Post subject: Reply with quote

Grand Poobah

Joined: 18 Nov 2003
Posts: 19305
Location: LI,NY

EricL wrote:
Now I understood you.

I login my laptop - windows with my domain user id - 'user1', then try to connect to Qmgr through MO71 with id 'mqm'.

Code:
1. DIS QMGR CONNAUTH:

CONNAUTH(SYSTEM.DEFAULT.AUTHINFO.IDPWOS)

2. DIS AUTHINFO(SYSTEM.DEFAULT.AUTHINFO.IDPWOS)


AMQ8566: Display authentication information details.
   AUTHINFO(SYSTEM.DEFAULT.AUTHINFO.IDPWOS)
   AUTHTYPE(IDPWOS)                        ADOPTCTX(YES)
   DESCR( )                                CHCKCLNT(OPTIONAL)
   CHCKLOCL(OPTIONAL)                      FAILDLAY(1)



Thanks....

So you have ADOPTCTX(YES).
If you are not on 9.0.0.1 and above and have not set the relevant channel stanza, your userid will be that under which your program is running hence user1.
Working as designed.
As user1 is probably not in the mqm group you would need to map it to a user in the mqm group. However then you would most probably run afoul a user rule that would say chckclnt(reqadmin) or something like it (best practice).

My advice, authorize a specific group with the same permissions as mqm, map user1 to a user in that group and see if it will work for you....

Have fun
_________________
MQ & Broker admin
Back to top
View user's profile Send private message Send e-mail
hughson
PostPosted: Fri Sep 15, 2017 2:51 pm Post subject: Reply with quote

Shaman

Joined: 09 May 2013
Posts: 728
Location: Bay of Plenty, New Zealand

In order to use a user and password in a 'C' application (like MO71) to assert as privileged user as your MCA User on a SVRCONN you must do the following.
  • Define a SVRCONN with a blank MCAUSER - DONE
  • Override CHLAUTH's ban on privileged users on your SVRCONN - DONE
  • Have CONNAUTH set up with ADOPTCTX(YES) - DONE
  • Remember to REFRESH SECURITY TYPE(CONNAUTH) if you made a change since the last queue manager restart.
  • Supply the user id and password using an MQCSP structure - in MO71 this means providing it in the location dialog and ensuring the check box "Security exit only" is NOT checked
Can you confirm you did the refresh command, and also confirm you don't have that check box checked please?

I have tested the above om Windows on V8 GA FP2/3/4 and V9.0.0 GA and V9.0.1 - works on all. You don't say what version/platform you are using, might help to know.

I see in your defintions that CHCKCLNT is set to OPTIONAL. This means we can't tell whether the password is definitely being checked, because it is allowed not to be sent. Two ways you could test this:-
  • Change to CHCKCLNT(REQUIRED) - and remember REFRESH, OR
  • Send a bad password, should be rejected
Can you try one of these and report back the result?

Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
MQGem Software
Back to top
View user's profile Send private message Visit poster's website
EricL
PostPosted: Wed Oct 04, 2017 4:11 pm Post subject: Reply with quote

Apprentice

Joined: 10 Oct 2014
Posts: 46

Sorry for the late reply....

I did some tests with conditions:

Define a SVRCONN with a blank MCAUSER
Override CHLAUTH's ban on privileged users on your SVRCONN
Have CONNAUTH set up with ADOPTCTX(YES)
REFRESH SECURITY TYPE(CONNAUTH)
Supply the user id and password using an MQCSP structure - in MO71 this means providing it in the location dialog and ensuring the check box "Security exit only" is NOT checked

I did not have luck with MO71, the error messages is always:

"AMQ5540: Application 'C:\IBM\MO71\mqmonntp.exe' did not supply a user ID and password", I now suspect my MO version might be too old to support MQCSP, as looks like client's id/passwd not able to be passed from MO71 to MQ server....

Good news is I don't have issue when I made test with "amqsputc\amqsgetc", I can send/receive messages with intended userid.....
Back to top
View user's profile Send private message
PaulClarke
PostPosted: Wed Oct 04, 2017 6:08 pm Post subject: Reply with quote

Sentinel

Joined: 17 Nov 2005
Posts: 860
Location: New Zealand

If you can get amqsputc and amqsgetc to work, then MO71 will work as well.

In order to use MQCSP to pass user id and password, your client installation need only be MQ V6 or above (yes MQCSP has been around that long). Your queue manager of course, needs to be V8 in order to do anything with said password, but we know your queue manager to be at such a version due to you setting CONNAUTH etc.

However, if you are successfully passing a user id and password with amqsputc/amqsgetc then you must be on MQ V8 in order for the samples to pass it.

Please can you describe exactly the settings you have in the MO71 location dialog, security tab. MO71 can supply a user ID and password successfully so long as you configure it correctly. The one thing that catches most people out is the check-box "Security exit only" that was already mentioned. If you have made sure that is NOT checked, then perhaps you are not requesting the user ID and password correctly on that tab. If you described what you have set on that tab, we can help further.

Also, please tell us the version of MO71 you are using.

Cheers,
Paul
_________________
Paul Clarke
MQGem Software
www.mqgem.com
Back to top
View user's profile Send private message Visit poster's website
EricL
PostPosted: Wed Oct 11, 2017 4:45 pm Post subject: Reply with quote

Apprentice

Joined: 10 Oct 2014
Posts: 46

Thanks Paul.

Yes, my MQ server is MQ V8, and I think my MO version is: 7.5.1, I get it from menu File -> Help...

From "Location Settings" window, I have:

Connection tab, Options tab, Monitoring tab, Export tab, Pub/Sub tab, Network Icon tab.

Strangely I don't see "security tab" you all mentioned, but I do see "Security Exit" label with empty value in "Client/Channel Definition" window, which I get when I press "Configured" button from Connection tab (with Client box checked)

BTW, when I open MO71 each time, I got a prompt saying:
"The command level is 800 which is larger than the command level supported by this version which is 750", I'm not sure if this is the root cause of the issue.

Thanks again
EL
Back to top
View user's profile Send private message
Display posts from previous:
Post new topicReply to topic Goto page 1, 2  Next Page 1 of 2

MQSeries.net Forum IndexGeneral IBM MQ SupportMQ71 Login Id not Correctly Shown Up on MQ Server
Jump to:



You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
Protected by Anti-Spam ACP


Theme by Dustin Baccetti
Powered by phpBB 2001, 2002 phpBB Group

Copyright MQSeries.net. All rights reserved.