sachinramesh |
Posted: Sat Aug 24, 2024 10:56 pm Post subject: MQRC 2058 with MQCCRED configuration |
|
|
 Disciple
Joined: 20 Feb 2007 Posts: 170
|
Hi, I am trying to configure the MQCCRED exit for one of my queue managers.
My client and server are both Windows machines.
On the queue manager, I have created the SVRCONN and client conn channels with the same names.
The client conn channel has the SCYEXIT(mqccred(ChlExit)) and SCYDATA(DEBUG) and the QMNAME.
Copied the TAB file to the client machine.
On the client machine, I have copied the mqccred.dll file to the exits folder.
Configured the .ini file with queue manager name, user and pwd details.
Ran the runmqccred.exe file against the ini file.
All the env variables MQCHLLIB, MQCHLTAB, MQCCRED are set.
MQSERVER is unset.
When I try to do an amqsputc, I am getting the 2058 error.
Am I missing anything here? |
|
bruce2359 |
Posted: Sun Aug 25, 2024 9:09 am Post subject: |
|
|
 Poobah
Joined: 05 Jan 2008 Posts: 9469 Location: US: west coast, almost. Otherwise, enroute.
|
Please post your channel definitions and environment variable values in the shell where you executed the sample program. _________________ I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live. |
|
gbaddeley |
Posted: Sun Aug 25, 2024 3:54 pm Post subject: |
|
|
 Jedi Knight
Joined: 25 Mar 2003 Posts: 2538 Location: Melbourne, Australia
|
Is there anything in the MQ error logs on the client side and the queue manager side?
2058 is usually an issue with queue manager name validation.
Does it work without SCYEXIT specified on the SVRCONN and CLNTCONN channels? _________________ Glenn |
|
sachinramesh |
Posted: Mon Aug 26, 2024 1:13 am Post subject: |
|
|
 Disciple
Joined: 20 Feb 2007 Posts: 170
|
Unfortunately I cannot open mqseries on my client machine. I cannot copy the chl definitions here.
The env variables are set as below.
SET MQCCRED=E:\MQCCRED\mqccred.ini
SET MQCHLLIB=E:\MQCCRED
SET MQCHLTAB=E:\MQCCRED\AMQCLCHL.TAB
SET MQSERVER=
The client conn channel looks like this.
CHANNEL(TEST.CHL) CHLTYPE(CLNTCONN)
CONNAME(HOSTNAME(9999))
QMNAME(TEST1)
SCYEXIT(mqccred(ChlExit)) SCYdata(DEBUG)
However I see the below error in the logs on the client machine.
AMQ9516E:FIle error occurred for file 'E:\MQCCRED\E:\MQCCRED\AMQCLCHL.TAB'
EXPLANATION:
The file system Returned error 1001 for file
'E:\MQCCRED\E:\MQCCRED\AMQCLCHL.TAB'
The file is present and has read/write access for the user. |
|
bruce2359 |
Posted: Mon Aug 26, 2024 7:24 am Post subject: |
|
|
 Poobah
Joined: 05 Jan 2008 Posts: 9469 Location: US: west coast, almost. Otherwise, enroute.
|
|
markt |
Posted: Mon Aug 26, 2024 9:06 am Post subject: |
|
|
 Knight
Joined: 14 May 2002 Posts: 508
|
Quote: |
SET MQCHLLIB=E:\MQCCRED
SET MQCHLTAB=E:\MQCCRED\AMQCLCHL.TAB
|
The MQCHLTAB should just be the filename - it is added onto the directory in MQCHLLIB. As you ought to be able to deduce from the error message. |
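The path composition described in the reply above, as a pre-flight check for the client environment (an added example, not part of any post and not IBM MQ code). The function names are hypothetical; the sample values are the ones posted in the thread.

```python
import ntpath
import re

DEFAULT_TAB = "AMQCLCHL.TAB"  # default CCDT file name, as in the thread


def effective_ccdt_path(env):
    """Directory from MQCHLLIB plus file name from MQCHLTAB, as AMQ9516E shows."""
    lib = env.get("MQCHLLIB", "").rstrip("\\/")
    tab = env.get("MQCHLTAB") or DEFAULT_TAB
    return lib + "\\" + tab


def preflight(env):
    """Return findings for a dict of client environment variables."""
    findings = []
    tab = env.get("MQCHLTAB", "")
    drive, _ = ntpath.splitdrive(tab)
    if drive or "\\" in tab or "/" in tab:
        findings.append("MQCHLTAB must be a file name only; client would open "
                        + effective_ccdt_path(env))
    if env.get("MQSERVER"):
        # MQSERVER takes precedence over the channel table, so the CLNTCONN
        # definition carrying SCYEXIT would not be used.
        findings.append("MQSERVER is set; the channel table is bypassed")
    return findings


def doubled_path_in_log(line):
    """Return the quoted path if a drive specifier appears mid-path, else None."""
    m = re.search(r"'([^']+)'", line)
    if m and re.search(r".[A-Za-z]:\\", m.group(1)):
        return m.group(1)
    return None


# Values as posted in the thread (the misconfigured state).
POSTED_ENV = {"MQCHLLIB": r"E:\MQCCRED",
              "MQCHLTAB": r"E:\MQCCRED\AMQCLCHL.TAB", "MQSERVER": ""}
POSTED_LOG = r"AMQ9516E:FIle error occurred for file 'E:\MQCCRED\E:\MQCCRED\AMQCLCHL.TAB'"

if __name__ == "__main__":
    for finding in preflight(POSTED_ENV):
        print(finding)
    print(doubled_path_in_log(POSTED_LOG))
```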
|
sachinramesh |
Posted: Tue Aug 27, 2024 4:32 am Post subject: |
|
|
 Disciple
Joined: 20 Feb 2007 Posts: 170
|
Hi,
Thanks for the reply.
I have modified my MQCHLTAB env variables and am able to connect now.
But when I do amqsputc it does not refer to the mqccred.ini file.
amqsputc TEST.Q TEST
Sample AMQSPUT0 start
Target queue is TEST.Q
this is a test msg
Sample AMQSPUT0 end
It does not show anything related to the mqccred.ini file, neither is it asking for any password. How can I know if it's referring to the security exit?
Note: my chlauth and connauth properties on the qmgr are disabled. |
|
gbaddeley |
Posted: Tue Aug 27, 2024 4:11 pm Post subject: |
|
|
 Jedi Knight
Joined: 25 Mar 2003 Posts: 2538 Location: Melbourne, Australia
|
Browse the message on TEST.Q. The MQMD UserIdentifier should be the user that you specified.
You can also test connection via the default MQ Client config using
amqscnxc TEST
Try setting the password to an incorrect value. This should cause the connection to fail. _________________ Glenn |
|
hughson |
Posted: Wed Aug 28, 2024 2:32 am Post subject: |
|
|
 Padawan
Joined: 09 May 2013 Posts: 1959 Location: Bay of Plenty, New Zealand
|
sachinramesh wrote: |
Note: my chlauth and connauth properties on the qmgr are disabled. |
If this is true then nothing will be checking the password that the mqccred client side exit is filling in for you.
Suggest you enable CONNAUTH and then, as suggested, supply a bad password via mqccred and you will then be able to tell that it is sending what you put in there.
Cheers,
Morag _________________ Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software |
|
sachinramesh |
Posted: Tue Sep 03, 2024 3:07 am Post subject: |
|
|
 Disciple
Joined: 20 Feb 2007 Posts: 170
|
Hi, sorry for the delayed response.
I have tried to browse the message on TEST.Q; the user is not the one specified in the .ini file. It's taking the user with which the MQ service is running.
Also, when I tried to enable connauth on the qmgr to the default (SYSTEM.DEFAULT.AUTHINFO.IDPWOS) and modified the chckclnt parameter to OPTIONAL, I am getting a 2035 error.
It also says that there is no client connection information specified, while I see all the env variables are set to correct values.
amqscnxc TEST
Sample AMQSPUT0 start
Connecting to queue manager TEST
with no client connection information specified
MQCONNX ended with reason code 2035
In the qmgr logs I see that it failed to authenticate as the chckclnt used is optional.
AMQ5534E: User Id 'uid in the .ini file' authentication failed.
AMQ55421: The failed authentication check was caused by the queue manager connauth chckclnt(OPTIONAL) |
|
hughson |
Posted: Tue Sep 03, 2024 2:27 pm Post subject: |
|
|
 Padawan
Joined: 09 May 2013 Posts: 1959 Location: Bay of Plenty, New Zealand
|
sachinramesh wrote: |
I have tried to browse the message on TEST.Q; the user is not the one specified in the .ini file. It's taking the user with which the MQ service is running. |
I suspect this is because you have not yet set up user ID and password authentication, and so the connection does not adopt the user id because it has not been password validated.
sachinramesh wrote: |
Also, when I tried to enable connauth on the qmgr to the default (SYSTEM.DEFAULT.AUTHINFO.IDPWOS) and modified the chckclnt parameter to OPTIONAL, I am getting a 2035 error. |
OK now we're getting somewhere. This reason code (2035) accompanied by the error message AMQ5534E strongly suggests that the password you supplied is not the correct one.
sachinramesh wrote: |
In the qmgr logs I see that it failed to authenticate as the chckclnt used is optional.
AMQ5534E: User Id 'uid in the .ini file' authentication failed.
AMQ55421: The failed authentication check was caused by the queue manager connauth chckclnt(OPTIONAL) |
sachinramesh wrote: |
It also says that there is no client connection information specified, while I see all the env variables are set to correct values.
amqscnxc TEST
Sample AMQSPUT0 start
Connecting to queue manager TEST
with no client connection information specified
MQCONNX ended with reason code 2035 |
Don't worry about this, it is just reporting that you did not provide the client connection information as parameters. If you're curious you can view the sample code for amqscnxc.c in the samples directory. It will be making use of the environment variables.
So please can you check that you are using the correct password. Remember that this needs to be the password on the machine where the queue manager is running. If this is a different machine to where the client application is running, then it might be a different password for the same user ID.
Earlier you said:
sachinramesh wrote: |
My client and server are both windows machines. |
So I assume they are different machines.
Cheers,
Morag _________________ Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software |
|
sachinramesh |
Posted: Wed Sep 04, 2024 1:52 am Post subject: |
|
|
 Disciple
Joined: 20 Feb 2007 Posts: 170
|
hughson wrote: |
I suspect this is because you have not yet set up user ID and password authentication, and so the connection does not adopt the user id because it has not been password validated. |
Can I know what is missed from my end? I have set the uid and pwd in the mqccred.ini file.
The ini file is set in the env variables.
The uid set in the ini file is the one which is used to log in to the server, both client and server machines.
The password for this is unknown as we connect to the servers using CyberArk.
I have given a generic password in the ini file like 'Passw0rd'.
My ini file looks like below.
QueueManager:
OPW=fjfoeiofhrwefo328f
Name=TEST
user=m12345
Quote: |
So please can you check that you are using the correct password. Remember that this needs to be the password on the machine where the queue manager is running. If this is a different machine to where the client application is running, then it might be a different password for the same user ID. |
The client and server are different machines. The user is the same and I log in using CyberArk where the pwd is unknown.
When I do an amqsputc it's not asking me for any password.
Quote: |
So I assume they are different machines. |
Yes, they are on different machines. |
|
fjb_saper |
Posted: Wed Sep 04, 2024 6:11 am Post subject: |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
sachinramesh wrote: |
The password for this is unknown as we connect to the servers using CyberArk.
The client and server are different machines. The user is the same and I log in using CyberArk where the pwd is unknown.
|
So you need to have a security exit running that has access to CyberArk and can retrieve the password for user xyz on machine (mqserver).
I assume you are using user xyz to access MQ.
Note that you also will need to register your security exit with CyberArk so that it is allowed to retrieve the password. CyberArk has some nice APIs for you to achieve your task.
Have fun  _________________ MQ & Broker admin |
|
sachinramesh |
Posted: Thu Sep 05, 2024 7:51 am Post subject: |
|
|
 Disciple
Joined: 20 Feb 2007 Posts: 170
|
fjb_saper wrote: |
So you need to have a security exit running that has access to CyberArk and can retrieve the password for user xyz on machine (mqserver).
I assume you are using user xyz to access MQ.
Note that you also will need to register your security exit with CyberArk so that it is allowed to retrieve the password. CyberArk has some nice APIs for you to achieve your task.
|
This is not possible as per our client's policies; the password should be unknown.
I was assuming that the qmgr will authenticate the uid/pwd specified in the mqccred.ini and the uid should be present on the qmgr server and the pwd can be any random pwd.
I tried to modify the ini file with my service account id and pwd and it connects normally. There is no reference to mqccred, so I am confused why it's not referring to the mqccred.ini and what configurations are missing from my side.
If it refers to the ini file it should display like below as per the document.
$ /opt/mqm80/samp/bin/amqsputc Q1 QM80A
Sample AMQSPUT0 start
mqccred exit: Configuration file is at ./mqccred.ini.
Accessible: Yes
mqccred exit: Searching for queue manager 'QM80A'
mqccred exit: Returning info for user 'mqm', forceOverride=1
mqccred exit: ReadConfigFile rc = 0 target queue is Q1 test123
Sample AMQSPUT0 end
But it says like below.
amqsputc TEST.Q TEST
Sample AMQSPUT0 start
Target queue is TEST.Q
this is a test msg
Sample AMQSPUT0 end
. |
|
fjb_saper |
Posted: Thu Sep 05, 2024 6:24 pm Post subject: |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
sachinramesh wrote: |
fjb_saper wrote: |
So you need to have a security exit running that has access to CyberArk and can retrieve the password for user xyz on machine (mqserver).
I assume you are using user xyz to access MQ.
Note that you also will need to register your security exit with CyberArk so that it is allowed to retrieve the password. CyberArk has some nice APIs for you to achieve your task.
|
This is not possible as per our client's policies; the password should be unknown. |
The password will remain unknown as only the security exit will have access to it to supply it to the mq connection.
You cannot connect to MQ with an unknown password.
What you can do, is make sure the user is not part of the mqm group, run the application with the user and not supply any user or password. If the user matches and client check is set to required admin with adopt context in the MQ authentication settings, you have a good chance that it will work.
If it fails you can always add a chlauth record to proxy the user shown in the logs.
Hope it helps  _________________ MQ & Broker admin |
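The CHCKCLNT and ADOPTCTX outcomes discussed in hughson's and fjb_saper's replies, as a small Python model (an added example, not part of any post and not IBM MQ code). The function and parameter names are hypothetical, a disabled CONNAUTH is modelled as `NONE`, and `svc_mq` is a constructed stand-in for the service account.

```python
MQRC_NONE = 0
MQRC_NOT_AUTHORIZED = 2035


def check_client(chckclnt, adoptctx, asserted_user, supplied_user=None,
                 password_ok=False, privileged=False):
    """Return (reason_code, effective_user) for one client connection.

    chckclnt      -- "NONE", "OPTIONAL", "REQUIRED" or "REQDADM"
    adoptctx      -- True for ADOPTCTX(YES)
    asserted_user -- user the connection would run as without authentication
    supplied_user -- user ID sent with a password (for example by mqccred), or None
    password_ok   -- whether that password is valid on the queue manager host
    privileged    -- whether the connecting user is an MQ administrator
    """
    mode = chckclnt
    if mode == "REQDADM":
        # Administrators must authenticate; everyone else is treated as OPTIONAL.
        mode = "REQUIRED" if privileged else "OPTIONAL"
    if mode == "NONE":
        # Nothing validates the password, so a supplied user is never adopted.
        return MQRC_NONE, asserted_user
    if supplied_user is None:
        if mode == "REQUIRED":
            return MQRC_NOT_AUTHORIZED, None
        return MQRC_NONE, asserted_user
    if not password_ok:
        # Under OPTIONAL a supplied password is still checked (AMQ5534E in the thread).
        return MQRC_NOT_AUTHORIZED, None
    return MQRC_NONE, (supplied_user if adoptctx else asserted_user)


def thread_scenarios():
    """Replay the situations described in the thread; 'svc_mq' is constructed."""
    return {
        "connauth disabled, placeholder password":
            check_client("NONE", True, "svc_mq", "m12345", password_ok=False),
        "OPTIONAL, placeholder password":
            check_client("OPTIONAL", True, "svc_mq", "m12345", password_ok=False),
        "OPTIONAL, correct password":
            check_client("OPTIONAL", True, "svc_mq", "m12345", password_ok=True),
        "REQDADM, non-admin user, no credentials":
            check_client("REQDADM", True, "m12345"),
    }


if __name__ == "__main__":
    for name, outcome in thread_scenarios().items():
        print(name, "->", outcome)
```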
|