ASG
IBM
Zystems
Cressida
Icon
Netflexity
 
  MQSeries.net
Search  Search       Tech Exchange      Education      Certifications      Library      Info Center      SupportPacs      LinkedIn  Search  Search                                                                   FAQ  FAQ   Usergroups  Usergroups
 
Register  ::  Log in Log in to check your private messages
 
RSS Feed - WebSphere MQ Support RSS Feed - Message Broker Support

MQSeries.net Forum Index » IBM MQ Security » Net Core managed authorization settings

Post new topic  Reply to topic
 Net Core managed authorization settings « View previous topic :: View next topic » 
Author Message
MatthewDCampbell
PostPosted: Fri Oct 16, 2020 12:05 am    Post subject: Net Core managed authorization settings Reply with quote

Novice

Joined: 29 Sep 2020
Posts: 21

morning,

Using 9.1.2 of Net Core MQ Series. MQ server is version 08000004. Documentation states that the only transport is manager (see https://www.ibm.com/support/knowledgecenter/en/SSFKSJ_9.1.0/com.ibm.mq.dev.doc/q132490_.htm#q132490_). Otherwise MQRC_FUNCTION_NOT_SUPPORTED is thrown with any other transport type (e.g. client, xaclient, binding). After reading:
https://blogs.perficient.com/2019/08/05/how-to-configure-ibm-mq-authentication-os-and-ldap/

which indicates that user | password over MQCSP is the default (from 9.1.1).

MQC.TRANSPORT_PROPERTY, MQC.TRANSPORT_MQSERIES_MANAGED,
USE_MQCSP_AUTHENTICATION_PROPERTY, true,
USER_ID_PROPERTY, "some user",
PASSWORD_PROPERTY, "some password"

Can't get around MQRC_NOT_AUTHORIZED despite valid user + password.

Log entries in AMQERR01.LOG that the user (has passed in USER_ID_PROPERTY) failed with CompCode 2 and Reason 2035. Not sure if the information in:
https://www.ibm.com/support/pages/2035-mqrcnotauthorized-connecting-websphere-mq-websphere-application-server-client-bindings

is applicable. Have tested other channels using the spec: https://www.ibm.com/support/knowledgecenter/SSFKSJ_8.0.0/com.ibm.mq.ref.con.doc/q081590_.htm
Back to top
View user's profile Send private message
gbaddeley
PostPosted: Sun Oct 18, 2020 2:24 pm    Post subject: Reply with quote

Jedi

Joined: 25 Mar 2003
Posts: 2492
Location: Melbourne, Australia

Quote:
Log entries in AMQERR01.LOG that the user (has passed in USER_ID_PROPERTY) failed with CompCode 2 and Reason 2035.

You missed a vital piece of information from the log. Why did the authorization fail? Please post the message.
_________________
Glenn
Back to top
View user's profile Send private message
hughson
PostPosted: Sun Oct 18, 2020 6:29 pm    Post subject: Reply with quote

Padawan

Joined: 09 May 2013
Posts: 1914
Location: Bay of Plenty, New Zealand



We need to see the full message from your AMQERR01.LOG. 2035 has many different causes. As a general rule, if you find something in the error log, you should provide the whole message, or at the very least, the message number and inserts.

Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
Back to top
View user's profile Send private message Visit poster's website
MatthewDCampbell
PostPosted: Mon Oct 19, 2020 6:25 am    Post subject: Reply with quote

Novice

Joined: 29 Sep 2020
Posts: 21

-------------------------------------------------------------------------------
10/19/20 12:40:42 - Process(11731138.3030) User(mqm) Program(amqrmppa)
Host(sdcutv20) Installation(Installation1)
VRMF(8.0.0.4) QMgr(WBK10TQM)
AMQ9557: Queue Manager User ID initialization failed for 'test1'.
EXPLANATION:
The call to initialize the User ID 'test1' failed with CompCode 2 and Reason
2035.
ACTION:
Correct the error and try again.
Back to top
View user's profile Send private message
gbaddeley
PostPosted: Mon Oct 19, 2020 1:58 pm    Post subject: Reply with quote

Jedi

Joined: 25 Mar 2003
Posts: 2492
Location: Melbourne, Australia

Does user 'test1' exist on host 'sdcutv20' ?
_________________
Glenn
Back to top
View user's profile Send private message
hughson
PostPosted: Mon Oct 19, 2020 3:03 pm    Post subject: Reply with quote

Padawan

Joined: 09 May 2013
Posts: 1914
Location: Bay of Plenty, New Zealand

MatthewDCampbell wrote:
-------------------------------------------------------------------------------
10/19/20 12:40:42 - Process(11731138.3030) User(mqm) Program(amqrmppa)
Host(sdcutv20) Installation(Installation1)
VRMF(8.0.0.4) QMgr(WBK10TQM)
AMQ9557: Queue Manager User ID initialization failed for 'test1'.
EXPLANATION:
The call to initialize the User ID 'test1' failed with CompCode 2 and Reason
2035.
ACTION:
Correct the error and try again.


If there are no prior error messages in the log saying anything to suggest another failure (like you got the password wrong for example), then this would suggest that the user ID 'test1' doesn't exist on this machine. Can you confirm whether it exists?

If you are unsure of your application's correctness, you could use a supplied IBM sample to test that your user ID and password configuration is correct, thus:-

set MQSAMP_USER_ID=test1
set MQSERVER=channel-name/TCP/conname

then run the sample program:

amqsputc queue-name WBK10TQM

Try both a valid and invalid password to ensure you are happy that your user ID and password setup on the queue manager is correct. Then you can turn your attention back to why your application behaves differently, or fix the config on the queue manager machine if the IBM supplied sample shows the same error.

Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
Back to top
View user's profile Send private message Visit poster's website
fjb_saper
PostPosted: Mon Oct 19, 2020 11:06 pm    Post subject: Reply with quote

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20696
Location: LI,NY

If you are using windows, it could be that you trying to access MQ with a domain id when the user running the MQ service is a local user.

This means that you can only access the box with local users...
_________________
MQ & Broker admin
Back to top
View user's profile Send private message Send e-mail
MatthewDCampbell
PostPosted: Tue Oct 20, 2020 12:09 am    Post subject: Reply with quote

Novice

Joined: 29 Sep 2020
Posts: 21

test1 exists. A similar program written in Python works fine:

Code:

import pymqi

queue_manager = '....'
channel = 'SYSTEM.DEF.SVRCONN'
host = '....'
port = '1421'
queue_name = 'SLASK.SDCANNY'
message = 'Hello from Python!'

conn_info = '%s(%s)' % (host, port)
user = 'test1'
password = '....'

bytes_encoding = 'iso-8859-1'
default_ccsid = 819

qmgr = pymqi.connect(queue_manager, channel, conn_info, user, password, bytes_encoding=bytes_encoding, default_ccsid=default_ccsid)

queue = pymqi.Queue(qmgr, queue_name)
queue.put(message)
queue.close()
qmgr.disconnect()
Back to top
View user's profile Send private message
hughson
PostPosted: Tue Oct 20, 2020 3:09 am    Post subject: Reply with quote

Padawan

Joined: 09 May 2013
Posts: 1914
Location: Bay of Plenty, New Zealand

MatthewDCampbell wrote:
test1 exists. A similar program written in Python works fine

Everything else the same? Channel name, user id and password?

And can you just confirm, were there any messages in the error log prior to the one you showed us?

Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
Back to top
View user's profile Send private message Visit poster's website
exerk
PostPosted: Tue Oct 20, 2020 6:54 am    Post subject: Reply with quote

Jedi Council

Joined: 02 Nov 2006
Posts: 6339

Moved from General Forums Information...
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
Back to top
View user's profile Send private message
MatthewDCampbell
PostPosted: Tue Oct 20, 2020 7:37 am    Post subject: Reply with quote

Novice

Joined: 29 Sep 2020
Posts: 21

Nope. Nothing else in the log prior to the C# call.

Not limited to C#. Assuming the most stabil client is Java. So we can shift over to Java (docker-like environment). Wondering if Python is also stabil? Or maybe another twist could be to use the MQ REST API från C#?
Back to top
View user's profile Send private message
RogerLacroix
PostPosted: Tue Oct 20, 2020 1:50 pm    Post subject: Reply with quote

Jedi Knight

Joined: 15 May 2001
Posts: 3252
Location: London, ON Canada

Why don't you turn on queue manager 'Authority Events', then run your program. Next use a tool like SupportPac MS0P or MO71 or even MQ Visual Edit to look at the event messages in the 'SYSTEM.ADMIN.QMGR.EVENT' queue.

Regards,
Roger Lacroix
Capitalware Inc.
_________________
Capitalware: Transforming tomorrow into today.
Connected to MQ!
Twitter
Back to top
View user's profile Send private message Visit poster's website
gbaddeley
PostPosted: Tue Oct 20, 2020 3:54 pm    Post subject: Reply with quote

Jedi

Joined: 25 Mar 2003
Posts: 2492
Location: Melbourne, Australia

Code:
channel = 'SYSTEM.DEF.SVRCONN'

Do not use this channel. You should disable it in your qmgr by setting MCAUSER('nobody').
_________________
Glenn
Back to top
View user's profile Send private message
Display posts from previous:   
Post new topic  Reply to topic Page 1 of 1

MQSeries.net Forum Index » IBM MQ Security » Net Core managed authorization settings
Jump to:  



You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
Protected by Anti-Spam ACP
 
 


Theme by Dustin Baccetti
Powered by phpBB © 2001, 2002 phpBB Group

Copyright © MQSeries.net. All rights reserved.