Blank user ID
samsam007
Posted: Wed Nov 26, 2008 2:59 pm    Post subject: Blank user ID

Centurion

Joined: 30 Oct 2008
Posts: 107

Dear MQ Development Gurus,

I have WMQ v6.0 installed on Windows. I created a Qmgr, a channel and an input/output queue. I downloaded a MQWrite.java file and compiled it on another Windows machine with the MQ client installed.

When I executed the Java client to connect to the Qmgr, the Java client program showed that the Qmgr closed the connection. Then I looked through the log file produced by the channel exit code for this Qmgr; it said that the user ID is blank and it therefore refused the connection from the Java client.

Here is the Java client code I referred to:

import com.ibm.mq.*;
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.util.Hashtable;

public class MQWrite {
    private MQQueueManager _queueManager = null;
    private Hashtable<String, String> params = null;
    public int port = 1414;
    public String hostname = "127.0.0.1";
    public String channel = "CLIENT.TO.MQA1";
    public String qManager = "MQA1";
    public String outputQName = "SYSTEM.DEFAULT.LOCAL.QUEUE";

    public MQWrite()
    {
        super();
    }

    // Check that every command-line switch was supplied and copy the values into the fields.
    private boolean allParamsPresent()
    {
        boolean b = params.containsKey("-h") &&
                    params.containsKey("-p") &&
                    params.containsKey("-c") &&
                    params.containsKey("-m") &&
                    params.containsKey("-q");
        if (b)
        {
            try
            {
                port = Integer.parseInt(params.get("-p"));
            }
            catch (NumberFormatException e)
            {
                b = false;
            }
            // Set up MQ environment
            hostname = params.get("-h");
            channel = params.get("-c");
            qManager = params.get("-m");
            outputQName = params.get("-q");
        }
        return b;
    }

    // Parse "-switch value" pairs from the command line and configure MQEnvironment.
    private void init(String[] args) throws IllegalArgumentException
    {
        params = new Hashtable<String, String>(5);
        if (args.length > 0 && (args.length % 2) == 0)
        {
            for (int i = 0; i < args.length; i += 2)
            {
                params.put(args[i], args[i + 1]);
            }
        }
        else
        {
            throw new IllegalArgumentException();
        }

        if (allParamsPresent())
        {
            // Set up MQ environment
            // MQEnvironment.userID is not set here, so the channel exit sees a blank user ID.
            MQEnvironment.hostname = hostname;
            MQEnvironment.channel = channel;
            MQEnvironment.port = port;
        }
        else
        {
            throw new IllegalArgumentException();
        }
    }

    public static void main(String[] args)
    {
        MQWrite write = new MQWrite();

        try
        {
            write.init(args);
            write.selectQMgr();
            write.write();
        }
        catch (IllegalArgumentException e)
        {
            System.out.println("Usage: java MQWrite <-h host> <-p port> <-c channel> <-m QueueManagerName> <-q QueueName>");
            System.exit(1);
        }
        catch (MQException e)
        {
            System.out.println(e);
            System.exit(1);
        }
    }

    // Connect to the queue manager using the MQEnvironment settings.
    private void selectQMgr() throws MQException
    {
        _queueManager = new MQQueueManager(qManager);
    }

    // Read lines from standard input and put each one on the output queue as a message.
    private void write() throws MQException
    {
        String line;
        int lineNum = 0;
        int openOptions = MQC.MQOO_OUTPUT + MQC.MQOO_FAIL_IF_QUIESCING;
        try
        {
            MQQueue queue = _queueManager.accessQueue(outputQName,
                                                      openOptions,
                                                      null,   // default q manager
                                                      null,   // no dynamic q name
                                                      null);  // no alternate user id

            // BufferedReader replaces the deprecated DataInputStream.readLine()
            BufferedReader input = new BufferedReader(new InputStreamReader(System.in));

            System.out.println("MQWrite v1.0 connected");
            System.out.println("and ready for input, terminate with ^Z\n\n");

            // Define a simple MQ message, and write some text in UTF format..
            MQMessage sendmsg = new MQMessage();
            sendmsg.format = MQC.MQFMT_STRING;
            sendmsg.feedback = MQC.MQFB_NONE;
            sendmsg.messageType = MQC.MQMT_DATAGRAM;
            sendmsg.replyToQueueName = "ROGER.QUEUE";
            sendmsg.replyToQueueManagerName = qManager;

            // accept the defaults, same as MQPMO_DEFAULT constant
            MQPutMessageOptions pmo = new MQPutMessageOptions();
            while ((line = input.readLine()) != null)
            {
                sendmsg.clearMessage();
                sendmsg.messageId = MQC.MQMI_NONE;
                sendmsg.correlationId = MQC.MQCI_NONE;
                sendmsg.writeString(line);

                // put the message on the queue
                queue.put(sendmsg, pmo);
                System.out.println(++lineNum + ": " + line);
            }

            queue.close();
            _queueManager.disconnect();
        }
        catch (com.ibm.mq.MQException mqex)
        {
            System.out.println(mqex);
        }
        catch (java.io.IOException ioex)
        {
            System.out.println("An MQ IO error occurred : " + ioex);
        }
    }
}

The log messages produced by the exit code at the Qmgr are shown below:
2008-11-27|09:33:55|ConName is now [149.1.2.3]
2008-11-27|09:33:55|Starting on BlockIP2.ini processing
2008-11-27|09:33:55|BlockIP2.ini [\BlockIP2.ini] to look for.
2008-11-27|09:33:55|Info: BlockIP2.ini [\BlockIP2.ini] was not found.
2008-11-27|09:33:55|BlockIP2.ini processing ended with rc 0.
2008-11-27|09:33:55|Finished BlockIP2.ini processing
2008-11-27|09:33:55|Check for cycle files started.
2008-11-27|09:33:55|File size of C:\\BlockIP2001.log is 2692 (limit 204800)
2008-11-27|09:33:55|======= INIT ======
2008-11-27|09:33:55|lMaxChannelActive is now -1 (before channel check)
2008-11-27|09:33:55|Return status Exitresponse=0
2008-11-27|09:33:55|LoadRegistry RegOpenKeyEx failed
2008-11-27|09:33:55|Check for cycle files started.
2008-11-27|09:33:55|File size of C:\\BlockIP2001.log is 3039 (limit 204800)
2008-11-27|09:33:55|======= Start INIT_SEC ======
2008-11-27|09:33:55|ver=2.64 env=non-MVS ExitId=MQXT_CHANNEL_SEC_EXIT ExitReason=MQXR_INIT_SEC ChannelType=MQCHT_SVRCONN
2008-11-27|09:33:55|BlockExit QMgr=[QM.MQT2] ChannelName=[TQM2.TCP.MQT1] ConnName=[149.1.2.3] Uid=[] pDataLength=0
2008-11-27|09:33:55|CheckConnectionPattern()
2008-11-27|09:33:55|Pattern [149.1.*;] ip[149.1.*] j 9
2008-11-27|09:33:55|pattern [149.1.*], ConName [149.1.2.3] passed test..
2008-11-27|09:33:55|Users: [] len [0] 0
2008-11-27|09:33:55|CheckCONList()
2008-11-27|09:33:55|CheckSSLList()
2008-11-27|09:33:55|CheckBlankUser()
2008-11-27|09:33:55|Connection refused for blank user identifier
2008-11-27|09:33:55|Connection refused, Channel [TQM2.TCP.MQT1] ConName [149.1.2.3] User []
2008-11-27|09:33:55|LoadRegistry RegOpenKeyEx failed
2008-11-27|09:33:55|======= TERM ======
2008-11-27|09:33:55|Channel closed [TQM2.TCP.MQT1] Connection Name [149.1.2.3]
2008-11-27|09:33:55|Before Free
2008-11-27|09:33:55|Free success

Thanks
fjb_saper
Posted: Wed Nov 26, 2008 3:17 pm

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20696
Location: LI,NY

If you really want some kind of authentication go with SSL and mcauser on the channel.

Otherwise as a client connection if you do not supply the userid (and java does not), it (qmgr) will assume the user id of the process running the channel agent (mqm). This may not be authorized by BlockIp2.

As such working as designed.

Have fun
_________________
MQ & Broker admin
samsam007
Posted: Wed Nov 26, 2008 3:42 pm

Centurion

Joined: 30 Oct 2008
Posts: 107

fjb_saper wrote:
If you really want some kind of authentication go with SSL and mcauser on the channel.

Otherwise as a client connection if you do not supply the userid (and java does not), it (qmgr) will assume the user id of the process running the channel agent (mqm). This may not be authorized by BlockIp2.

As such working as designed.

Have fun


How do I modify this Java code so that it sends an *alternative* user ID?
I've tried the following change in this Java code:

    MQQueue queue = _queueManager.accessQueue(outputQName,
                                              openOptions,
                                              null,          // default q manager
                                              null,          // no dynamic q name
                                              "fakeduser");  // null = no alternate user id

But the BlockIP exit program is still unable to get the user ID; it still shows a blank ID.

Thanks
samsam007
Posted: Wed Nov 26, 2008 4:08 pm

Centurion

Joined: 30 Oct 2008
Posts: 107

samsam007 wrote:
fjb_saper wrote:
If you really want some kind of authentication go with SSL and mcauser on the channel.

Otherwise as a client connection if you do not supply the userid (and java does not), it (qmgr) will assume the user id of the process running the channel agent (mqm). This may not be authorized by BlockIp2.

As such working as designed.

Have fun


How do I modify this Java code so that it sends an *alternative* user ID?
I've tried the following change in this Java code:

    MQQueue queue = _queueManager.accessQueue(outputQName,
                                              openOptions,
                                              null,          // default q manager
                                              null,          // no dynamic q name
                                              "fakeduser");  // null = no alternate user id

But the BlockIP exit program is still unable to get the user ID; it still shows a blank ID.

Thanks


I added MQEnvironment.userID = "mqm" to the Java code, and now it passes the user ID over to the MQ server.

But the BlockIP exit still closes the connection; here is its log:

2008-11-27|10:53:00|LoadRegistry RegOpenKeyEx failed
2008-11-27|10:53:00|ConName is now [149.1.2.3]
2008-11-27|10:53:00|Starting on BlockIP2.ini processing
2008-11-27|10:53:00|BlockIP2.ini [\BlockIP2.ini] to look for.
2008-11-27|10:53:00|Info: BlockIP2.ini [\BlockIP2.ini] was not found.
2008-11-27|10:53:00|BlockIP2.ini processing ended with rc 0.
2008-11-27|10:53:00|Finished BlockIP2.ini processing
2008-11-27|10:53:00|Check for cycle files started.
2008-11-27|10:53:00|File size of C:\\BlockIP2001.log is 8512 (limit 204800)
2008-11-27|10:53:00|======= INIT ======
2008-11-27|10:53:00|lMaxChannelActive is now -1 (before channel check)
2008-11-27|10:53:00|Return status Exitresponse=0
2008-11-27|10:53:00|LoadRegistry RegOpenKeyEx failed
2008-11-27|10:53:00|Check for cycle files started.
2008-11-27|10:53:00|File size of C:\\BlockIP2001.log is 8859 (limit 204800)
2008-11-27|10:53:00|======= Start INIT_SEC ======
2008-11-27|10:53:00|ver=2.64 env=non-MVS ExitId=MQXT_CHANNEL_SEC_EXIT ExitReason=MQXR_INIT_SEC ChannelType=MQCHT_SVRCONN
2008-11-27|10:53:00|BlockExit QMgr=[QM.MQT2] ChannelName=[TQM2.TCP.MQT1] ConnName=[149.1.2.3] Uid=[mqm] pDataLength=0
2008-11-27|10:53:00|CheckConnectionPattern()
2008-11-27|10:53:00|Pattern [149.1.*;] ip[149.1.*] j 9
2008-11-27|10:53:00|pattern [149.1.*], ConName [149.1.2.3] passed test..
2008-11-27|10:53:00|Users: [] len [0] 0
2008-11-27|10:53:00|CheckCONList()
2008-11-27|10:53:00|CheckSSLList()
2008-11-27|10:53:00|CheckBlankUser()
2008-11-27|10:53:00|Connection accepted, Channel [TQM2.TCP.MQT1] ConName [149.1.2.3] Flags [ASC=Y ] User [mqm]
2008-11-27|10:53:00|Return status Exitresponse=0
2008-11-27|10:53:00|LoadRegistry RegOpenKeyEx failed
2008-11-27|10:53:00|Check for cycle files started.
2008-11-27|10:53:00|File size of C:\\BlockIP2001.log is 9849 (limit 204800)
2008-11-27|10:53:00|======= SEC_PARMS ======
2008-11-27|10:53:00|Return status Exitresponse=0
2008-11-27|10:53:00|LoadRegistry RegOpenKeyEx failed
2008-11-27|10:53:00|======= TERM ======
2008-11-27|10:53:00|Channel closed [TQM2.TCP.MQT1] Connection Name [149.1.2.3]
2008-11-27|10:53:00|Before Free
2008-11-27|10:53:00|Free success

From the Java client side, I expect the MQWrite program to connect to the queue and then start allowing me to type in some messages in MQWrite.

What's wrong with this?

Thanks
samsam007
Posted: Wed Nov 26, 2008 4:32 pm

Centurion

Joined: 30 Oct 2008
Posts: 107

Hi,

It is actually an idea that our MQ server will maintain a list of the *authorized* users in a text file. When an external client requests an MQ connection to a channel/Qmgr, I expect an exit to perform the following tasks:
1. Verify that the incoming user ID matches a user ID in the text file maintained by the MQ server.
or
2. Verify that the incoming IP address matches an IP address in the text file maintained by the MQ server.

3. Change the incoming user ID to the default MQ authorized name.
or
4. Insert an authorized user ID before passing it on...

Does this sound logical, or is there a better alternative way to do that? We have over 100 clients running all over the place. We don't want to use MQ commands to create users for these user IDs in the MQ system.

Thanks
samsam007
Posted: Wed Nov 26, 2008 7:52 pm

Centurion

Joined: 30 Oct 2008
Posts: 107

I have just created a user ID called masterMQ.
User masterMQ has the following rights:
C:\MqExits>dspmqaut -m QM.MQT2 -t queue -n YORK.TD.INPUT -p masterMQ
Entity masterMQ has the following authorizations for object YORK.TD.INPUT:
get
browse
put
inq
set
crt
dlt
chg
dsp
passid
passall
setid
setall
clr

I created the relevant Qmgr/channel/queue as follows:
ALTER CHANNEL(TQM2.TCP.MQT1) CHLTYPE(SVRCONN) SCYDATA('FN=c:\MqExits\BlockIP2.ini;-d8') SCYEXIT('BlockIP2(BlockExit)')

The content of BlockIP2.ini is shown below:
C:\MqExits>type BlockIP2.ini
### Patterns=149.1.*;

####################### Start maping MCAUSERs to masterMQ user #################
###

#Allow "fakeuser" when comming from 149.1.*, and set MCAUSER to masterMQ user
CON=149.1.*;fakeuser;MCA=masterMQ;
#Allow blank user id when comming from 149.1.*, and set MCAUSER to masterMQ us
er
CON=149.1.*;;MCA=masterMQ;

####################### End of user mapping ####################################
###
#
# 5. Block all other attempts.
CON=*;*;MCA=NoBody;

But BlockIP2 on the MQSeries server is still getting the following messages:

2008-11-27|14:38:36|LoadRegistry RegOpenKeyEx failed
2008-11-27|14:38:36|ConName is now [149.1.2.3]
2008-11-27|14:38:36|Check for cycle files started.
2008-11-27|14:38:36|File size of C:\\BlockIP2001.log is 10430 (limit 204800)
2008-11-27|14:38:36|======= INIT ======
2008-11-27|14:38:36|lMaxChannelActive is now -1 (before channel check)
2008-11-27|14:38:36|Return status Exitresponse=0
2008-11-27|14:38:36|LoadRegistry RegOpenKeyEx failed
2008-11-27|14:38:36|Check for cycle files started.
2008-11-27|14:38:36|File size of C:\\BlockIP2001.log is 10778 (limit 204800)
2008-11-27|14:38:36|======= Start INIT_SEC ======
2008-11-27|14:38:36|ver=2.64 env=non-MVS ExitId=MQXT_CHANNEL_SEC_EXIT ExitReason=MQXR_INIT_SEC ChannelType=MQCHT_SVRCONN
2008-11-27|14:38:36|BlockExit QMgr=[QM.MQT2] ChannelName=[TQM2.TCP.MQT1] ConnName=[149.1.2.3] Uid=[fakeuser] pDataLength=0
2008-11-27|14:38:36|CheckConnectionPattern()
2008-11-27|14:38:36|Pattern [*;] ip[*] j 1
2008-11-27|14:38:36|pattern [*], ConName [149.1.2.3] passed test..
2008-11-27|14:38:36|Users: [] len [0] 0
2008-11-27|14:38:36|CheckCONList()
2008-11-27|14:38:36|CONList[i] = [149.176.*;fakeuser;MCA=masterMQ;]
2008-11-27|14:38:36|CON Pattern: [149.1.*]
2008-11-27|14:38:36|CON Pattern matched [149.1.*] CON name [149.1.2.3]
2008-11-27|14:38:36|CON Userid: [fakeuser]
2008-11-27|14:38:36|CON/RemUid Pattern matched [fakeuser] RemUID [fakeuser]
2008-11-27|14:38:36|CON MCA specified
2008-11-27|14:38:36|RespectMCA was not specified...
2008-11-27|14:38:36|CON Set MCA userid to [masterMQ] from [fakeuser] [i3 e16]
2008-11-27|14:38:36|CheckCONList leave return 0 (OK)
2008-11-27|14:38:36|CheckSSLList()
2008-11-27|14:38:36|CheckBlankUser()
2008-11-27|14:38:36|Connection accepted, Channel [TQM2.TCP.MQT1] ConName [149.1.2.3] Flags [ASC=Y ] User [fakeuser]
2008-11-27|14:38:36|Return status Exitresponse=0
2008-11-27|14:38:36|LoadRegistry RegOpenKeyEx failed
2008-11-27|14:38:36|Check for cycle files started.
2008-11-27|14:38:36|File size of C:\\BlockIP2001.log is 12296 (limit 204800)
2008-11-27|14:38:36|======= SEC_PARMS ======
2008-11-27|14:38:36|Return status Exitresponse=0
2008-11-27|14:38:36|LoadRegistry RegOpenKeyEx failed
2008-11-27|14:38:36|======= TERM ======
2008-11-27|14:38:36|Channel closed [TQM2.TCP.MQT1] Connection Name [149.1.2.3]
2008-11-27|14:38:36|Before Free
2008-11-27|14:38:36|Free success

I really appreciate the help.
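The three exit logs posted so far, as an added triage example (not part of any post and not BlockIP2's own code): it groups the log lines per connection attempt and flags accepted connections that kept a client-asserted administrative ID with no MCAUSER remap, as happened with `mqm` at 10:53:00. The `PRIVILEGED_IDS` set and the function names are assumptions; the sample lines are abridged from the logs above.

```python
import re

# Lines abridged from the three BlockIP2 exit logs posted in this thread.
SAMPLE_LOG = """\
2008-11-27|09:33:55|======= Start INIT_SEC ======
2008-11-27|09:33:55|BlockExit QMgr=[QM.MQT2] ChannelName=[TQM2.TCP.MQT1] ConnName=[149.1.2.3] Uid=[] pDataLength=0
2008-11-27|09:33:55|Connection refused for blank user identifier
2008-11-27|09:33:55|Connection refused, Channel [TQM2.TCP.MQT1] ConName [149.1.2.3] User []
2008-11-27|10:53:00|======= Start INIT_SEC ======
2008-11-27|10:53:00|BlockExit QMgr=[QM.MQT2] ChannelName=[TQM2.TCP.MQT1] ConnName=[149.1.2.3] Uid=[mqm] pDataLength=0
2008-11-27|10:53:00|Connection accepted, Channel [TQM2.TCP.MQT1] ConName [149.1.2.3] Flags [ASC=Y ] User [mqm]
2008-11-27|14:38:36|======= Start INIT_SEC ======
2008-11-27|14:38:36|BlockExit QMgr=[QM.MQT2] ChannelName=[TQM2.TCP.MQT1] ConnName=[149.1.2.3] Uid=[fakeuser] pDataLength=0
2008-11-27|14:38:36|CON Set MCA userid to [masterMQ] from [fakeuser] [i3 e16]
2008-11-27|14:38:36|Connection accepted, Channel [TQM2.TCP.MQT1] ConName [149.1.2.3] Flags [ASC=Y ] User [fakeuser]
"""
# Assumption: user IDs treated as administrative on this queue manager.
PRIVILEGED_IDS = {"mqm"}

BLOCKEXIT = re.compile(r"BlockExit QMgr=\[(?P<qmgr>[^\]]*)\] ChannelName=\[(?P<channel>[^\]]*)\]"
                       r" ConnName=\[(?P<ip>[^\]]*)\] Uid=\[(?P<uid>[^\]]*)\]")
SET_MCA = re.compile(r"CON Set MCA userid to \[(?P<mca>[^\]]*)\]")
OUTCOME = re.compile(r"Connection (?P<result>accepted|refused),")

def parse_attempts(text):
    """Return one record per connection attempt seen by the security exit."""
    attempts, cur = [], None
    for line in text.splitlines():
        parts = line.split("|", 2)              # date|time|message
        if len(parts) != 3:
            continue                            # not an exit log record
        msg = parts[2]
        if m := BLOCKEXIT.search(msg):          # first line of a new attempt
            cur = dict(m.groupdict(), time=f"{parts[0]} {parts[1]}", mca=None, result=None)
            attempts.append(cur)
        elif cur is not None and (m := SET_MCA.search(msg)):
            cur["mca"] = m["mca"]               # exit replaced the asserted ID
        elif cur is not None and (m := OUTCOME.search(msg)):
            cur["result"] = m["result"]
    return attempts

def risky_accepts(attempts, privileged=PRIVILEGED_IDS):
    """Accepted attempts that kept a client-asserted privileged ID (no MCAUSER remap)."""
    return [a for a in attempts
            if a["result"] == "accepted" and a["mca"] is None
            and a["uid"].lower() in privileged]

if __name__ == "__main__":
    for a in parse_attempts(SAMPLE_LOG):
        print(a["time"], a["ip"], repr(a["uid"]), "->", a["mca"] or "(no remap)", a["result"])
    for a in risky_accepts(parse_attempts(SAMPLE_LOG)):
        print("REVIEW:", a["time"], a["channel"], a["ip"], "accepted as asserted", a["uid"])
```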
fjb_saper
Posted: Wed Nov 26, 2008 8:55 pm

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20696
Location: LI,NY

Maybe the author of BlockIp2 (joergen?) can help you further. I've taken you as far as I can.
_________________
MQ & Broker admin
samsam007
Posted: Wed Nov 26, 2008 10:13 pm

Centurion

Joined: 30 Oct 2008
Posts: 107

Hi, I just figured this out...
What a shame...
I spelled the Qmgr name incorrectly on the client command line; that's why the client program returned reason code 2058.

Thanks
Vitor
Posted: Thu Nov 27, 2008 1:03 am

Grand High Poobah

Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA

samsam007 wrote:
It is actually an idea that our MQ server will maintain a list of the *authorized* users in a text file.


It seems to me you're reinventing a wheel, and not a particularly secure one. Even the most inept unauthorised person can edit a text file, especially when all they need is a user id and no credentials.

Stick with SSL for this sort of thing.
_________________
Honesty is the best policy.
Insanity is the best defence.
RogerLacroix
Posted: Thu Nov 27, 2008 3:52 pm

Jedi Knight

Joined: 15 May 2001
Posts: 3253
Location: London, ON Canada

fjb_saper wrote:
If you really want some kind of authentication go with SSL and mcauser on the channel.

Or use an authenticating security solution implemented with MQ security exits. Faster implementation, easier maintenance and uses your existing infrastructure.

Regards,
Roger Lacroix
Capitalware Inc.
_________________
Capitalware: Transforming tomorrow into today.
Connected to MQ!