  MQSeries.net
MQSeries.net Forum Index » IBM MQ Security » AMQ5530E: Error from LDAP authentication and authorization s
AMQ5530E: Error from LDAP authentication and authorization s
Andrii
PostPosted: Mon Jan 17, 2022 12:18 pm    Post subject: AMQ5530E: Error from LDAP authentication and authorization s
Hi All,
Our organization has installed and configured an IBM MQ Appliance with firmware version M2002A. It has IBM MQ software version 9.2.3.0 deployed.
In this environment, a queue manager is configured with authorization on an LDAP server. The connection to the LDAP server uses TLS on port 636. All connections to the queue manager that use authorization on the LDAP server are successful. But during the day the following situation is observed.
At regular intervals of 35 minutes, the following error occurs on the queue manager:

Code:
01/17/22 21:32:54 - Process(1509986.233) User(mqsystem) Program(amqrmppa)
                    Host(n7mq1) Installation(MQAppliance)
                    VRMF(9.2.3.0) QMgr(QM.SEP4.EXT)
                    Time(2022-01-17T19:32:54.134Z)
                    ArithInsert1(81)
                    CommentInsert1(ldap_simple_bind)
                    CommentInsert2(Can't contact LDAP server)
                    CommentInsert3(CN=xxxx,OU=MQ,DC=test_us,DC=test,DC=gov,DC=ua@172.xx.x.xx:636 )
AMQ5530E: Error from LDAP authentication and authorization service
EXPLANATION:
The LDAP authentication and authorization service has failed. The
'ldap_simple_bind' call returned error 81 : 'Can't contact LDAP server'.  The
context string is
'CN=xxxxx,OU=MQ,DC=test_us,DC=test,DC=gov,DC=ua@172.xx.x.xx:636 '. Additional
code is 0.
ACTION:
Correct the LDAP configuration. Look at the LDAP server logs for additional
error information.

Code:
----- amqzfula.c : 3126 -------------------------------------------------------
01/17/22 21:32:54 - Process(1509986.233) User(mqsystem) Program(amqrmppa)
                    Host(n7mq1) Installation(MQAppliance)
                    VRMF(9.2.3.0) QMgr(QM.SEP4.EXT)
                    Time(2022-01-17T19:32:54.135Z)
                    RemoteHost(172.22.XXX.XX)
                    CommentInsert1(xxxxxxxxx)
                    CommentInsert2(REQUIRED)
                    CommentInsert3(MCAUSER(xxxxxx) CLNTUSER(xxxxxxxx) SSLPEER(SERIALNUMBER=06:BD:FE:F3:8E:27:41:FC:04:00:00:00:4D:01:00:00:2F:02:00:00,CN=S0XXSEPXXXX,O=XXXXXXXX,L=XXXXXX,C=UA) SSLCERTI(CN=.))
AMQ9790I: The failed authentication check was caused by a CHLAUTH record with
CHCKCLNT(REQUIRED).
EXPLANATION:
The user ID 'xxxxxxxxx' and its password were checked because the inbound
connection matched a channel authentication record with CHCKCLNT(REQUIRED).
The active values of the channel were 'MCAUSER(xxxxxxxxx) CLNTUSER(xxxxxxxx)
SSLPEER(SERIALNUMBER=06:BD:FE:F3:8E:27:41:FC:04:00:00:00:4D:01:00:00:2F:02:00:00,CN=S0XXXSEPXXXX,O=XXXXX,L=XXXX,C=UA) SSLCERTI(CN=XXXXXX
XXXXX..)'. The MATCH(RUNCHECK) mode of the DISPLAY CHLAUTH MQSC command can
be used to identify the relevant CHLAUTH record.
This message accompanies a previous error to clarify the reason for the user ID
and password check.
ACTION:
Refer to the previous error for more information.
Ensure that a password is specified by the client application and that the
password is correct for the User ID. The queue manager's connection
authentication configuration determines the User ID repository, for example the
local operating system user database or an LDAP server.
Alternatively, to avoid the authentication check you can amend the CHLAUTH
record CHCKCLNT attribute. However, allowing unauthenticated remote access is
not recommended.


Why such an error occurs, while authorization otherwise works normally during the day, is not clear. No errors were found in the logs of the LDAP server itself.


hughson
PostPosted: Mon Jan 17, 2022 8:18 pm    Post subject:
So you have shown us that you have a remote (i.e. client attached) application attempting to connect to your queue manager. It is coming in on an undisclosed channel name, because CommentInsert3, which would contain the channel name, is filled with certificate details and truncated.

You are shown the client's digital certificate details in the SSLPEER and SSLCERTI attributes in CommentInsert3, and the user ID that it is presenting for password validation, S0HPSEP000. This should hopefully allow you to identify the application in question if you have not already done so?

We know that its password is being checked because the CHLAUTH record is set to CHCKCLNT(REQUIRED) - this may help you to determine the CHLAUTH record in question given you don't have a channel name in the error message.

You have shown us that at the time this LDAP authentication check is attempted, the queue manager reports that it "can't contact LDAP server" at IP address 172.22.0.10 and port number 636.

You have not shown us any of the configuration for your LDAP authentication setup. You mention that all other connections to the queue manager are successful.

Do all the successful connections you mention also do password validation? or are you only using the LDAP server for authorization and not authentication for these other applications?

I suspect for us to be able to help you further you will need to tell us a little more about your setup.

Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
Andrii
PostPosted: Tue Jan 18, 2022 12:18 pm    Post subject: AMQ5530E: Error from LDAP authentication and authorization
Thanks for your reply.
The WEB Application Server is connected remotely. In this case, the WEB Application Server is authorized as the user S0XXXSEPXXXX. In the following error message, the QMgr field contains the name of the queue manager QM.SEP4.EXT to which the connection is being made.
The error occurred while the WEB Application Server Liberty server was connecting. We have two WEB Application Server nodes, which are not connected at the physical level into a cluster among themselves. There are also connections from Data Power with a similar error. We have three physical Data Power nodes combined into a logical cluster for balancing.
Below are the parameters for connecting to the LDAP server:
Code:
DEFINE AUTHINFO('TEST_US') +
   AUTHTYPE(IDPWLDAP) +
   ADOPTCTX(YES) +
   DESCR('TEST_US') +
   CONNAME('172.xx.x.xx(636)') +
   CHCKCLNT(REQUIRED) +
   CHCKLOCL(OPTIONAL) +
   CLASSGRP('group') +
   CLASSUSR('user') +
   FAILDLAY(1) +
   FINDGRP('memberof') +
   BASEDNG('OU=MQ,DC=test_us,DC=tets,DC=gov,DC=ua') +
   BASEDNU('OU=MQ,DC=test_us,DC=test,DC=gov,DC=ua') +
   LDAPUSER('CN=xxxxxx,OU=MQ,DC=test_us,DC=test,DC=gov,DC=ua') +
*  LDAPPWD('           ') +
   SHORTUSR('cn') +
   GRPFIELD('sAMAccountName') +
   USRFIELD('sAMAccountName') +
   AUTHORMD(SEARCHUSR) +
   NESTGRP(NO) +
   SECCOMM(YES) +
   REPLACE

hughson
PostPosted: Thu Jan 20, 2022 9:38 pm    Post subject: Re: AMQ5530E: Error from LDAP authentication and authorizati
Andrii wrote:
Below are the parameters for connecting to the LDAP server:

Thank you for that. Did you have a chance to think about any of the other questions I asked?

Andrii wrote:
But also with a similar error there are connections from Data Power.

Do you mean that Data Power is also making use of the same LDAP Server and is seeing similar errors?

Have you checked with your network administrators that the error being reported isn't simply due to a network outage at that time?

Cheers,
Morag
fjb_saper
PostPosted: Fri Jan 21, 2022 5:54 am    Post subject:
Why are the user field and the group field the same in your LDAP definition?
_________________
MQ & Broker admin
Andrii
PostPosted: Sat Jan 29, 2022 10:12 am    Post subject: AMQ5530E: Error from LDAP authentication and authorization
Yes, all other successful connections also perform password verification and use authorization to obtain information about access to queue manager objects. According to my understanding of IBM MQ, it stores all authorization records in its memory cache for a certain period of time. Therefore, one of the assumptions was that the LDAP connection error is repeated every 35 minutes due to updating the autorotation records.
But the Appliance is running other queue managers whose users are also authorized and authenticated on the same LDAP server, and these queue managers do not generate such errors.
We also contacted our network specialists; they said that all connections are successful. We also found one feature of the gateway equipment: TCP connections that have been inactive for more than an hour are closed automatically. But a correlation between this parameter on the network equipment and the occurrence of the LDAP connection error has not yet been traced.
To answer the question why we use the same definition for groups and users in the connection settings: the main users and groups that are used for authorization are in the root of the LDAP container, and the rest of the users are in the subdirectories of this LDAP container.


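As an added example, not code from the thread or from IBM MQ: a small Python parser for records in the error-log layout quoted in the first post. It keeps only AMQ5530E records whose ldap_simple_bind failed with result 81 ("Can't contact LDAP server") and measures the spacing between them, which is the first check to make before attributing the 35-minute cadence to the gateway idle timeout or to an authorization cache refresh. The log lines are constructed, with invented timestamps.

```python
import re
from datetime import datetime
# Constructed sample in the error-log layout shown above (Time() is UTC);
# the values are invented, not real appliance output.
SAMPLE_LOG = """\
01/17/22 20:22:54 - Process(1509986.233) User(mqsystem) Program(amqrmppa)
                    Time(2022-01-17T18:22:54.120Z)
                    ArithInsert1(81)
                    CommentInsert2(Can't contact LDAP server)
AMQ5530E: Error from LDAP authentication and authorization service
01/17/22 20:57:54 - Process(1509986.233) User(mqsystem) Program(amqrmppa)
                    Time(2022-01-17T18:57:54.001Z)
                    ArithInsert1(81)
                    CommentInsert2(Can't contact LDAP server)
AMQ5530E: Error from LDAP authentication and authorization service
01/17/22 21:32:54 - Process(1509986.233) User(mqsystem) Program(amqrmppa)
                    Time(2022-01-17T19:32:54.134Z)
                    ArithInsert1(81)
                    CommentInsert2(Can't contact LDAP server)
AMQ5530E: Error from LDAP authentication and authorization service
"""

RECORD_START = re.compile(r"^\d\d/\d\d/\d\d \d\d:\d\d:\d\d - ", re.M)
INSERT = re.compile(r"(\w+)\(([^()]*)\)")        # Name(value), no nesting
MSG_ID = re.compile(r"^(AMQ\d{4}[EIW]):", re.M)

def parse_records(text):
    """Split an MQ error log into records keyed by their Name(value) inserts."""
    starts = [m.start() for m in RECORD_START.finditer(text)] + [len(text)]
    records = []
    for begin, end in zip(starts, starts[1:]):
        chunk = text[begin:end]
        rec = dict(INSERT.findall(chunk))
        rec["msgid"] = MSG_ID.search(chunk).group(1)
        rec["when"] = datetime.strptime(rec["Time"], "%Y-%m-%dT%H:%M:%S.%fZ")
        records.append(rec)
    return records

def ldap_contact_failures(records):
    """AMQ5530E records where the bind failed with LDAP result 81 (unreachable)."""
    return [r for r in records
            if r["msgid"] == "AMQ5530E" and r.get("ArithInsert1") == "81"]

def gaps_minutes(records):
    """Minutes between consecutive failures; a constant gap points at a timer."""
    times = sorted(r["when"] for r in records)
    return [round((b - a).total_seconds() / 60, 1) for a, b in zip(times, times[1:])]

def looks_periodic(gaps, tolerance=1.0):
    """True when every gap is within `tolerance` minutes of the first gap."""
    return len(gaps) >= 2 and all(abs(g - gaps[0]) <= tolerance for g in gaps)
```

Run it over a real AMQERR01.LOG from the affected queue manager and over one from a queue manager that does not show the error; a constant gap on only the affected one argues for something specific to that queue manager's connection to the LDAP server rather than a network outage.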
hughson
PostPosted: Sun Jan 30, 2022 10:00 pm    Post subject: Re: AMQ5530E: Error from LDAP authentication and authorizati
Andrii wrote:
According to my ideas on IBM MQ, it stores all autorotation data in its memory cache for a certain period of time. Therefore, one of the assumptions was that the LDAP connection error is repeated every 35 minutes due to updating the autorotation records.

I am not familiar with autorotation data in IBM MQ, can you elaborate?
Andrii
PostPosted: Mon Jan 31, 2022 3:55 am    Post subject: AMQ5530E: Error from LDAP authentication and authorization
Hi All.

I'm sorry, I made a spelling mistake. I meant something else about this.

According to my ideas on IBM MQ, it stores all authorization records in its memory cache for a certain period of time. Therefore, one of the assumptions was that the LDAP connection error is repeated every 35 minutes due to updating the authorization records.