Unable to configure user for testing only
derrickatdecdev
Posted: Wed Mar 11, 2020 10:27 am Post subject: Unable to configure user for testing only

Newbie

Joined: 11 Mar 2020
Posts: 3

Hello all! I am new to this, and while I've read a lot of text about IBM MQ, I have yet to figure out a working configuration for testing.

Let me stress that this is for testing only, not production. I just want to be able to show that the client can connect.

I'm using 'IBM MQ Explorer' and creating a client in C# using amqmdnet.dll. When I leave the MCA User ID blank, I am able to connect, put, & get messages, while running the client code as my normal Windows user.

But, when I try to call the client code from a Windows service using the same configuration, I always get MQRC_NOT_AUTHORIZED. I've tried username, with and without AD domain, both in the MCA user ID and sent from the client. Nothing works.

I would love a bit of guidance so that I can:
- run the client code from a Windows service account
- WITHOUT connecting IBM MQ to my active directory in ANY way

Any suggestions? Thank you.
hughson
Posted: Wed Mar 11, 2020 1:30 pm

Grand Master

Joined: 09 May 2013
Posts: 1429
Location: Bay of Plenty, New Zealand

Could you show an example of the error message that is in your AMQERR01.LOG when you get the failure? Also, to help us, when user ids are mentioned in said error message, tell us what they are.

Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
derrickatdecdev
Posted: Wed Mar 11, 2020 1:54 pm

Newbie

Joined: 11 Mar 2020
Posts: 3

Sure - this is everything that gets logged for a single try. Windows user id is 'derrick' (it sometimes appears with an AD domain prefix that doesn't appear here)...machine name is probably 'DERRICK'.

Code:
----- cmqxrsrv.c : 2406 -------------------------------------------------------
3/11/2020 17:44:05 - Process(39408.43309) User(derrick) Program(amqrmppa.exe)
                      Host(DERRICK) Installation(Installation2)
                      VRMF(9.1.0.0) QMgr(qm2)
                      Time(2020-03-11T21:44:05.618Z)
                      RemoteHost(127.0.0.1)
                      CommentInsert1(channel2)
                      CommentInsert2(127.0.0.1)
                      CommentInsert3(MCAUSER(SYSTEM) CLNTUSER(SYSTEM) ADDRESS(Derrick))
                     
AMQ9776E: Channel was blocked by userid

EXPLANATION:
The inbound channel 'channel2' was blocked from address '127.0.0.1' because the
active values of the channel were mapped to a userid which should be blocked.
The active values of the channel were 'MCAUSER(SYSTEM) CLNTUSER(SYSTEM)
ADDRESS(Derrick)'.
ACTION:
Contact the systems administrator, who should examine the channel
authentication records to ensure that the correct settings have been
configured. The ALTER QMGR CHLAUTH switch is used to control whether channel
authentication records are used. The command DISPLAY CHLAUTH can be used to
query the channel authentication records.
----- cmqxrmsa.c : 1363 -------------------------------------------------------
3/11/2020 17:44:05 - Process(39408.43309) User(derrick) Program(amqrmppa.exe)
                      Host(DERRICK) Installation(Installation2)
                      VRMF(9.1.0.0) QMgr(qm2)
                      Time(2020-03-11T21:44:05.619Z)
                      CommentInsert1(channel2)
                      CommentInsert2(39408(51840))
                      CommentInsert3(127.0.0.1)
                     
AMQ9999E: Channel 'channel2' to host '127.0.0.1' ended abnormally.

EXPLANATION:
The channel program running under process ID 39408(51840) for channel
'channel2' ended abnormally. The host name is '127.0.0.1'; in some cases the
host name cannot be determined and so is shown as '????'.
ACTION:
Look at previous error messages for the channel program in the error logs to
determine the cause of the failure. Note that this message can be excluded
completely or suppressed by tuning the "ExcludeMessage" or "SuppressMessage"
attributes under the "QMErrorLog" stanza in qm.ini. Further information can be
found in the System Administration Guide.
----- amqrmrsa.c : 945 --------------------------------------------------------
hughson
Posted: Wed Mar 11, 2020 8:00 pm

Grand Master

Joined: 09 May 2013
Posts: 1429
Location: Bay of Plenty, New Zealand

So when you run the client application from your Windows user ID 'derrick', either 'derrick' isn't a privileged user ID, or you have added a CHLAUTH rule to allow that particular privileged user ID to connect to your queue manager.

What the error message you have provided in your reply shows is that when you run the application as a Windows service, it runs as the user id 'SERVICE'. This user ID is considered to be privileged (just like an mqm group member would be) and so is being blocked by the CHLAUTH rule that is in place by default:-

Code:
CHLAUTH(*) TYPE(BLOCKUSER) DESCR(Default rule to disallow privileged users) USERLIST(*MQADMIN)


So, since you only want this for testing, here is how you could configure your queue manager to bypass this protection from privileged users.

Code:
SET CHLAUTH('channel2') TYPE(BLOCKUSER) USERLIST('nobody')


This removes the ban on privileged user ids on channel 'channel2' only.

This means that anyone who can connect in remotely to this machine need only know the channel to use and they can do ANYTHING to your queue manager. Since it is only for testing, then this is OK. But remember that this is no way to run a production queue manager.

If you want further information about what the above command did, read CHLAUTH - Allow some privileged admins

Alternatively you could map this connection to use a non-privileged user ID, and grant it only the permissions it needed. Read A non-privileged MQ administrator for more information about how to do that.

Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
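
Added example, not part of the original thread and not IBM's tooling: a Python sketch that pulls the AMQ9776E entries out of AMQERR01.LOG text and reports the channel, address, MCAUSER and CLNTUSER each blocked connection resolved to, which is the detail asked for earlier in the thread. The sample log is constructed from the entry posted above; the function and key names are this example's own.

```python
import re

# Constructed sample: two AMQERR01.LOG entries shaped like the ones posted in
# this thread (some header fields and the EXPLANATION/ACTION text omitted).
SAMPLE_LOG = """\
----- cmqxrsrv.c : 2406 -------------------------------------------------------
3/11/2020 17:44:05 - Process(39408.43309) User(derrick) Program(amqrmppa.exe)
                      VRMF(9.1.0.0) QMgr(qm2)
                      Time(2020-03-11T21:44:05.618Z)
                      RemoteHost(127.0.0.1)
                      CommentInsert1(channel2)
                      CommentInsert3(MCAUSER(SYSTEM) CLNTUSER(SYSTEM) ADDRESS(Derrick))

AMQ9776E: Channel was blocked by userid
----- cmqxrmsa.c : 1363 -------------------------------------------------------
3/11/2020 17:44:05 - Process(39408.43309) User(derrick) Program(amqrmppa.exe)
                      VRMF(9.1.0.0) QMgr(qm2)
                      Time(2020-03-11T21:44:05.619Z)
                      CommentInsert1(channel2)

AMQ9999E: Channel 'channel2' to host '127.0.0.1' ended abnormally.
"""

# Entries are delimited by "----- <source file> : <line> -----" rules.
ENTRY_SEP = re.compile(r"^-{5} \S+ : \d+ -+$", re.MULTILINE)
MSG_ID = re.compile(r"^(AMQ\d{4}[A-Z]?):", re.MULTILINE)
# Name(value) pairs of interest; MCAUSER/CLNTUSER/ADDRESS sit inside CommentInsert3.
FIELD = re.compile(
    r"\b(QMgr|Time|RemoteHost|CommentInsert1|MCAUSER|CLNTUSER|ADDRESS)\(([^()]*)\)")
WANTED = {"QMgr": "qmgr", "Time": "time", "RemoteHost": "remote_host",
          "CommentInsert1": "channel", "MCAUSER": "mcauser",
          "CLNTUSER": "clntuser", "ADDRESS": "address"}

def blocked_by_userid(log_text):
    """Return one dict per AMQ9776E entry: which channel was blocked, and as whom."""
    events = []
    for entry in ENTRY_SEP.split(log_text):
        msg = MSG_ID.search(entry)
        if msg is None or not msg.group(1).startswith("AMQ9776"):
            continue
        found = dict(FIELD.findall(entry))
        events.append({key: found.get(name) for name, key in WANTED.items()})
    return events

if __name__ == "__main__":
    for ev in blocked_by_userid(SAMPLE_LOG):
        print(ev)
```

Run against a real log by passing the file's text to `blocked_by_userid`; fields missing from an entry come back as `None`.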
fjb_saper
Posted: Wed Mar 11, 2020 8:07 pm

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20298
Location: LI,NY

Two things to prepare for production:
  1. Make sure the MQ Service runs under an AD account.
    It will need special privileges at the domain level and on the server.
    Those privileges are described in the documentation. (Infocenter)
  2. Make sure you authorize the correct group. Make sure the user running the application service is not SYSTEM but an AD user that is a member of the authorized group.
    And as you change group membership remember to refresh the queue manager's security service.

Have fun
_________________
MQ & Broker admin
derrickatdecdev
Posted: Thu Mar 12, 2020 8:55 am

Newbie

Joined: 11 Mar 2020
Posts: 3

You won't be surprised to hear that that fixed it immediately! Thanks so much!