mqccred uid SCYEXIT('mqccred(ChlExit)')
scravr
Posted: Fri Dec 02, 2022 8:35 am

HI Guys,

Created mqccred.ini with uid for AllQMs and generated TAB file with SCYEXIT('mqccred(ChlExit)')

Pointed variables to directory location of files MQSERVER, MQCHLIB, MQCHTAB, MQCCRED.

Channel has: SCYEXIT(mqccred(ChlExit))

When running this we get 2035 showing old/original unix id.
/opt/mqm/samp/bin/amqsput Q1 QM1


Any ideas what I am missing?

Thanks,
Mo

scravr
Posted: Fri Dec 02, 2022 12:55 pm

when using export MQSAMP_USER_ID=xyz before
/opt/mqm/samp/bin/amqsput Q1 QM1
then manually entering non-encrypted password, I am able to connect and put messages.

That means channel cannot validate uid/pwd via SCYEXIT(mqccred(ChlExit))
or encrypt/decrypt schemas are different, or something else...?


mqccred.ini has comments on top then
#
#

AllQueueManagers:
Password=abcde12345 <<<---- encrypted PWD by runmqccred -f mqccred.ini -p
User=s.abcxyz
#
#
#

fjb_saper
Posted: Mon Dec 05, 2022 5:38 am

scravr wrote:
when using export MQSAMP_USER_ID=xyz before
/opt/mqm/samp/bin/amqsput Q1 QM1
then manually entering non-encrypted password, I am able to connect and put messages.

That means channel cannot validate uid/pwd via SCYEXIT(mqccred(ChlExit))
or encrypt/decrypt schemas are different, or something else...?


mqccred.ini has comments on top then
#
#

AllQueueManagers:
Password=abcde12345 <<<---- encrypted PWD by runmqccred -f mqccred.ini -p
User=s.abcxyz
#
#
#

set the MQCCDTURL environment variable and use amqsputc instead of amqsput
Make sure in your channel tab to set the SCYDATA to ERROR.
And why is the user you set in the environment variable different from the user in the mqccred.ini file?

enjoy
_________________
MQ & Broker admin

exerk
Posted: Mon Dec 05, 2022 7:45 am

fjb_saper wrote:
scravr wrote:
when using export MQSAMP_USER_ID=xyz before
/opt/mqm/samp/bin/amqsput Q1 QM1
then manually entering non-encrypted password, I am able to connect and put messages.

That means channel cannot validate uid/pwd via SCYEXIT(mqccred(ChlExit))
or encrypt/decrypt schemas are different, or something else...?


mqccred.ini has comments on top then
#
#

AllQueueManagers:
Password=abcde12345 <<<---- encrypted PWD by runmqccred -f mqccred.ini -p
User=s.abcxyz
#
#
#

set the MQCCDTURL environment variable and use amqsputc instead of amqsput
Make sure in your channel tab to set the SCYDATA to ERROR.
And why is the user you set in the environment variable different from the user in the mqccred.ini file?

enjoy

Also bear in mind you need to unset MQSERVER as that takes precedence...
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.

scravr
Posted: Mon Dec 05, 2022 8:13 am

exerk wrote:
fjb_saper wrote:
scravr wrote:
when using export MQSAMP_USER_ID=xyz before
/opt/mqm/samp/bin/amqsput Q1 QM1
then manually entering non-encrypted password, I am able to connect and put messages.

That means channel cannot validate uid/pwd via SCYEXIT(mqccred(ChlExit))
or encrypt/decrypt schemas are different, or something else...?


mqccred.ini has comments on top then
#
#

AllQueueManagers:
Password=abcde12345 <<<---- encrypted PWD by runmqccred -f mqccred.ini -p
User=s.abcxyz
#
#
#

set the MQCCDTURL environment variable and use amqsputc instead of amqsput
Make sure in your channel tab to set the SCYDATA to ERROR.
And why is the user you set in the environment variable different from the user in the mqccred.ini file?

enjoy

Also bear in mind you need to unset MQSERVER as that takes precedence...


None of the comments are relevant.

hughson
Posted: Mon Dec 05, 2022 9:43 pm

scravr wrote:
None of the comments are relevant.


While you may think that none of the comments you have been given are relevant, I believe exerk has likely pointed out your problem exactly.

exerk wrote:
Also bear in mind you need to unset MQSERVER as that takes precedence...


In your problem description you tell us that, essentially, your exit is not doing what you expected it to do. This is most likely because it is not being run. If you are using the MQSERVER environment variable then the details in there are used INSTEAD of the MQCHLLIB and MQCHLTAB environment variables. MQSERVER cannot specify a channel exit, so a channel exit is not being used.

scravr wrote:
HI Guys,

Created mqccred.ini with uid for AllQMs and generated TAB file with SCYEXIT('mqccred(ChlExit)')

Pointed variables to directory location of files MQSERVER, MQCHLIB, MQCHTAB, MQCCRED.

Channel has: SCYEXIT(mqccred(ChlExit))

When running this we get 2035 showing old/original unix id.
/opt/mqm/samp/bin/amqsput Q1 QM1


Any ideas what I am missing?

Thanks,
Mo


As exerk said, unset the MQSERVER environment variable, and make sure you correctly spell the MQCHLLIB and MQCHLTAB environment variables - in case you have spelled them the way you did in your question, in which case they won't work either.

Also, please note that you are probably not running a client application either. amqsput without the letter 'c' on the end is a locally bound application (unless you have set the MQ_CONNECT_TYPE environment variable which you haven't mentioned). Please try running amqsputc instead after you have unset MQSERVER and correctly spelled the two CCDT environment variables.

If it still doesn't work, perhaps you can show us *all* the MQ environment variables you have set and we can check for any typos in there to get you going.

Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software

scravr
Posted: Tue Dec 06, 2022 5:24 am

Morag,
Thanks for detailed review.
Unfortunately, I can't paste code here since it's on my client system. Here I post via my private laptop.
I do not have MQSERVER and all env. var. are set correctly. I followed IBM recommendation.
Wonder if mqccred password encrypt/decrypt schema is same as on channel exit?
In what stage channel decrypt PWD and how it passed to LDAP server?

Also when I set MQSAMP_USER_ID and run amqsputc and enter non-crypted PWD all works fine.
But with TAB file it's not working. Getting 2058.


TY
MO

exerk
Posted: Tue Dec 06, 2022 6:12 am

scravr wrote:
...But with TAB file it's not working. Getting 2058.

Queue manager name error, so it appears the name you are passing on the command line does not match that, or any, within the CCDT file.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.

fjb_saper
Posted: Tue Dec 06, 2022 7:46 am

Setting the SCYDATA to ERROR helps finding out what the error is when running the mqccred security exit. It could be as easy as having the wrong access permissions to the mqccred.ini file...
_________________
MQ & Broker admin
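
The checks suggested so far in this thread (MQSERVER precedence, the exact spelling of MQCHLLIB and MQCHLTAB, amqsput versus amqsputc, access to mqccred.ini) collected into one shell function. This is an added example, not part of any post and not IBM tooling; the function name check_mq_client_env, the owner-only (chmod 600) expectation for the file named by MQCCRED, and the constructed environment at the end are assumptions.

```shell
#!/bin/sh
# Pre-flight check for a client meant to connect through a CCDT entry that
# carries SCYEXIT('mqccred(ChlExit)'). Usage: check_mq_client_env [program]
# Prints one finding per line and returns the number of findings (0 = clean).
check_mq_client_env() {
    _prog=${1:-}
    _n=0
    _note() { printf '%s\n' "$1"; _n=$((_n + 1)); }

    # MQSERVER is used instead of MQCHLLIB/MQCHLTAB and cannot name an exit.
    [ -z "${MQSERVER:-}" ] || _note "MQSERVER is set: CCDT and channel exit are not used"

    # Without MQCCDTURL, the CCDT is located through these two exact names.
    if [ -z "${MQCCDTURL:-}" ]; then
        [ -n "${MQCHLLIB:-}" ] || _note "MQCHLLIB is not set"
        [ -n "${MQCHLTAB:-}" ] || _note "MQCHLTAB is not set"
    fi

    # Near-miss names such as MQCHLIB or MQCHTAB have no effect.
    for _v in $(env | sed -n 's/^\(MQCH[A-Z_]*\)=.*/\1/p'); do
        case $_v in
            MQCHLLIB|MQCHLTAB) ;;
            *) _note "$_v is set but is not MQCHLLIB or MQCHLTAB" ;;
        esac
    done

    # amqsput (no trailing c) is locally bound unless MQ_CONNECT_TYPE is set.
    if [ "${_prog##*/}" = amqsput ] && [ -z "${MQ_CONNECT_TYPE:-}" ]; then
        _note "amqsput is locally bound: run amqsputc"
    fi

    # Assumption: the file named by MQCCRED should be owner-only (chmod 600).
    if [ -n "${MQCCRED:-}" ]; then
        if [ ! -r "$MQCCRED" ]; then
            _note "MQCCRED file is not readable: $MQCCRED"
        elif [ "$(ls -ld "$MQCCRED" | cut -c5-10)" != "------" ]; then
            _note "MQCCRED file is open to group/other: $MQCCRED"
        fi
    fi
    return "$_n"
}

# Constructed environment mirroring the first post; reports six findings.
( MQSERVER='CH1/TCP/host(1414)' MQCHLIB=/tmp MQCHTAB=AMQCLCHL.TAB
  export MQSERVER MQCHLIB MQCHTAB
  unset MQCHLLIB MQCHLTAB MQCCDTURL MQ_CONNECT_TYPE MQCCRED
  check_mq_client_env /opt/mqm/samp/bin/amqsput ) || true
```

Run it in the same shell session that launches the client, so it sees the environment the application will inherit.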

hughson
Posted: Tue Dec 06, 2022 10:52 pm

scravr wrote:
But with TAB file it's not working. Getting 2058.


This suggests that QM1 is not in the QMNAME field of any of the CCDT entries. Either your CCDT was not created with the correct details, or you are not pointing to the CCDT file you think you are, e.g. not spelling the environment variables correctly as earlier noted.

Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software

scravr
Posted: Fri Dec 16, 2022 9:51 am

Run all kind of tests, still cannot connect.

1. setting: export MQSAMP_USER_ID=<LDAP-ID>
and running amqsput <Q> <QM>
then enter <LDAP-NON-ENCRYPTED-PASSWORD>
I can put then get messages. ALL WORKS FINE !!!

2. When starting my app after encrypting mqccred and chmod to 600
(without setting export MQSAMP_USER_ID=<LDAP-ID>)
I am getting MQRC_NOT_AUTHORIZED 2035 X-000007F3
and userID on LDAP locked since too many failed testing.


Any ideas?

bruce2359
Posted: Fri Dec 16, 2022 10:20 am

scravr wrote:

2. ... after encrypting mqccred and chmod to 600 ...

chmod for what file? Where? Please be precise.
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.

scravr
Posted: Fri Dec 16, 2022 11:38 am

mqccred

scravr
Posted: Fri Dec 16, 2022 11:39 am

ב''ה

Really need help !!!

bruce2359
Posted: Fri Dec 16, 2022 1:25 pm

Precisely where in file system? Rwx permission bits generally do not result in 2035 rc.
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.