Security disabled... Why I am getting 2035...what to do
Heba_MQ
Posted: Mon Jun 29, 2020 3:39 pm

Novice

Joined: 19 Apr 2020
Posts: 20

Dears,

Qmgr is running as a Windows service with the cdev\svc_MQM Active Directory account... it was running with MUSR_MQADMIN before

I have a client application that must use the MQSERVER env var to connect to the queue manager... It cannot supply a user name and password for now

Therefore I have disabled authorization as below:

ALTER QMGR CHLAUTH(DISABLED)
ALTER AUTHINFO(SYSTEM.DEFAULT.AUTHINFO.IDPWOS) +
AUTHTYPE(IDPWOS) CHCKCLNT(NONE)
ALTER AUTHINFO(SYSTEM.DEFAULT.AUTHINFO.IDPWLDAP) +
AUTHTYPE(IDPWOS) CHCKCLNT(NONE)
REFRESH SECURITY

The client is using the SVRCONN channel app.client to connect

Now the client application is not able to connect any more...it is giving the below error

----- cmqxrsrv.c : 2575 -------------------------------------------------------
6/30/2020 03:36:44 - Process(70540.403) User(svc_MQM) Program(amqzlaa0.exe)
Host(D1WVDESTMQS01) Installation(Installation1)
VRMF(9.1.5.0) QMgr(QMAMFD01)
Time(2020-06-29T23:36:44.514Z)
CommentInsert1(S-1-5-21-3143757116-208881770-900181659-2865)
CommentInsert2(cdev\svc_mqm)

AMQ8074W: Authorization failed as the SID
'S-1-5-21-3143757116-208881770-900181659-2865' does not match the entity
'cdev\svc_mqm'.

EXPLANATION:
The Object Authority Manager received inconsistent data - the supplied SID does
not match that of the supplied entity information.
ACTION:
Ensure that the application is supplying valid entity and SID information.
----- amqzfubn.c : 2293 -------------------------------------------------------
6/30/2020 03:36:44 - Process(13388.15988) User(svc_MQM) Program(amqrmppa.exe)
Host(D1WVDESTMQS01) Installation(Installation1)
VRMF(9.1.5.0) QMgr(QMAMFD01)
Time(2020-06-29T23:36:44.514Z)
ArithInsert1(2) ArithInsert2(2035)
CommentInsert1(cdev\svc_MQM)

AMQ9557E: Queue Manager User ID initialization failed for 'cdev\svc_MQM'.

EXPLANATION:
The call to initialize the User ID 'cdev\svc_MQM' failed with CompCode 2 and
Reason 2035. If an MQCSP block was used, the User ID in the MQCSP block was ''.
If a userID flow was used, the User ID in the UID header was '' and any CHLAUTH
rules applied prior to user adoption were evaluated case-sensitively against
this value.
ACTION:
Correct the error and try again.
----- cmqxrsrv.c : 2575 -------------------------------------------------------

Please help me

Thanks
Heba

hughson
Posted: Mon Jun 29, 2020 9:49 pm

Grand Master

Joined: 09 May 2013
Posts: 1433
Location: Bay of Plenty, New Zealand

Has the user ID cdev\svc_MQM been deleted and redefined recently?

Is the client application running on Windows? If yes, what is the user ID it is running with - as it will send that and the SID to the queue manager as part of the connection internal flows.

Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software

Heba_MQ
Posted: Tue Jun 30, 2020 4:34 am

Novice

Joined: 19 Apr 2020
Posts: 20

Dear Morag,

I am using my own userid to log in to a Windows server to run rfhutilc.exe to query the queues on the queue manager...

Everything was working fine with MUSR_MQADMIN until we ran the prepare wizard and used the AD account svc_MQM

Thanks
Heba

hughson
Posted: Wed Jul 01, 2020 1:11 am

Grand Master

Joined: 09 May 2013
Posts: 1433
Location: Bay of Plenty, New Zealand

hughson wrote:
Has the user ID cdev\svc_MQM been deleted and redefined recently?

And what about this question?

Heba_MQ
Posted: Wed Jul 01, 2020 1:57 am

Novice

Joined: 19 Apr 2020
Posts: 20

Dear Morag

cdev\svc_MQM was not deleted...

It is an Active Directory user and it should be the service account that we use to run MQ on Windows (same as mqm on Linux)

What happened is that the prepare wizard was giving me issues to complete "was giving that the user svc_MQM is not able to query group memberships of other users" and I had to keep the service running with MUSR_MQADMIN...

We checked with the AD team and svc_MQM has all the needed authorizations/permissions required by IBM.

After some time, the AD team allowed this policy "remote RPC access to SAM for the CDEV\svc_MQM" and asked me to try.

When I tried, the prepare wizard worked fine... and the service started with svc_MQM and the Queue Manager started fine
- I was happy.... But after that, remote connections from the client did not work...

Thanks
Heba

hughson
Posted: Wed Jul 01, 2020 2:11 am

Grand Master

Joined: 09 May 2013
Posts: 1433
Location: Bay of Plenty, New Zealand

Heba_MQ wrote:
AMQ8074W: Authorization failed as the SID
'S-1-5-21-3143757116-208881770-900181659-2865' does not match the entity
'cdev\svc_mqm'.


OK - so is this error telling the truth or not? What is the SID for user id 'cdev\svc_mqm' on the queue manager machine, and just for interest's sake, check the same thing on the client machine; perhaps the SID is from there.

I found this command lists all the SIDs on a machine, but perhaps there are other ways too.

Code:
wmic useraccount get name,sid


Cheers,
Morag
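
The SID comparison asked for in the post above, as an added example that is not part of any post in this thread: it takes the AMQ8074W text from the error log, resolves the named entity to a SID on the machine where it runs, and also looks up which account owns the SID that MQ logged. It uses .NET account translation instead of `wmic`; the function name `Test-Amq8074Sid` is hypothetical and the sample text is the message quoted in the thread.

```powershell
# Added example, not from the thread. Test-Amq8074Sid is a hypothetical name.
function Test-Amq8074Sid {
    param([Parameter(Mandatory)][string]$LogText)

    # The message wraps across lines in AMQERR01.LOG, so flatten whitespace first.
    $flat = $LogText -replace '\s+', ' '
    $pattern = "SID '(?<sid>S-[\d-]+)' does not match the entity '(?<entity>[^']+)'"
    if ($flat -notmatch $pattern) {
        throw 'No AMQ8074W SID/entity pair found in the supplied text.'
    }
    $loggedSid = $Matches['sid']
    $entity    = $Matches['entity']

    # Forward lookup: which SID does this machine resolve the entity to?
    try {
        $resolvedSid = ([System.Security.Principal.NTAccount]$entity).Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
    } catch { $resolvedSid = $null }   # account not known from this machine

    # Reverse lookup: which account, if any, owns the SID that MQ logged?
    try {
        $sidOwner = ([System.Security.Principal.SecurityIdentifier]$loggedSid).Translate(
            [System.Security.Principal.NTAccount]).Value
    } catch { $sidOwner = $null }      # SID not known from this machine

    [pscustomobject]@{
        Entity         = $entity
        LoggedSid      = $loggedSid
        ResolvedSid    = $resolvedSid
        LoggedSidOwner = $sidOwner
        Match          = ($null -ne $resolvedSid -and $resolvedSid -eq $loggedSid)
    }
}

# Sample input: the AMQ8074W message exactly as quoted in the thread.
$sample = @'
AMQ8074W: Authorization failed as the SID
'S-1-5-21-3143757116-208881770-900181659-2865' does not match the entity
'cdev\svc_mqm'.
'@

Test-Amq8074Sid -LogText $sample | Format-List
```

Run it on the queue manager machine and again on the client machine. `Match : False` together with a `LoggedSidOwner` that names a different account means the log is telling the truth and shows whose SID was actually sent.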
fjb_saper
Posted: Wed Jul 01, 2020 4:28 am

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20305
Location: LI,NY

Also, you need to do a refresh security type(connauth).
The refresh security you did will not do.

run
Code:
amqmdain reg qmname -c display -s security -v *

and let us know the results...

_________________
MQ & Broker admin