Author: yasaboy (Voyager; Joined: 23 Jun 2014; Posts: 90)
Posted: Tue Sep 16, 2014 1:15 am
Post subject: MQOPEN reason code 2035 after adding security policy

Hi,

I am getting this error

Code:
    MQOPEN ended with reason code 2035

after I add the security policy on any particular queue. For bob I have given get authority and while I try to open TEST.INQUEUE2 it gives the error 2035. The TEST.INQUEUE3 which does not have a defined security policy I can open it using same code.

Code:
    Entity bob has the following authorizations for object TEST.INQUEUE2:
            get
            browse

channel details

Code:
    AMQ8414: Display Channel details.
       CHANNEL(TEST.CHANNEL)           CHLTYPE(SVRCONN)
       ALTDATE(2014-08-10)                     ALTTIME(05.08.40)
       COMPHDR(NONE)                           COMPMSG(NONE)
       DESCR( )                                DISCINT(0)
       HBINT(300)                              KAINT(AUTO)
       MAXINST(999999999)                      MAXINSTC(999999999)
       MAXMSGL(4194304)                        MCAUSER( )
       MONCHL(QMGR)                            RCVDATA( )
       RCVEXIT( )                              SCYDATA( )
       SCYEXIT( )                              SENDDATA( )
       SENDEXIT( )                             SHARECNV(10)
       SSLCAUTH(OPTIONAL)                      SSLCIPH( )
       SSLPEER( )                              TRPTYPE(TCP)

Listener details

Code:
    AMQ8630: Display listener information details.
       LISTENER(TEST.LISTNER)          CONTROL(QMGR)
       TRPTYPE(TCP)                            PORT(22501)
       IPADDR( )                               BACKLOG(0)
       DESCR( )                                ALTDATE(2014-08-10)
       ALTTIME(05.08.40)

Please help me on this; I tried various things without any success.
		
		
		
		
Author: exerk (Jedi Council; Joined: 02 Nov 2006; Posts: 6339)
Posted: Tue Sep 16, 2014 1:18 am

"...after I add the security policy on any particular queue..." and "...For bob I have given get authority..." implies you are testing AMS - is that the case?
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
		
		
		
		
Author: yasaboy
Posted: Tue Sep 16, 2014 1:28 am

@exerk:

Yes exactly I am trying to add AMS to my solution
		
		
		
		
Author: exerk
Posted: Tue Sep 16, 2014 2:02 am

yasaboy wrote:
> @exerk:
>
> Yes exactly I am trying to add AMS to my solution

Please post the security policy definitions, thank you.
		
		
		
		
Author: yasaboy
Posted: Tue Sep 16, 2014 2:13 am

Hi,

here it is

Code:
    Name: TEST.INQUEUE1
    Policy:Sign and encrypt
    Toleration: apply to all messages

    Signing algo:SHA1
    valid message originators
       CN=alice, O=IBM, C=GB

    Encryption algorithm : AES256
    Permitted messages recipients
       CN=bob , O=IBM, C=GB

This works for alice who puts messages. It doesn't work for bob who gets the messages, which is strange for me.
		
		
		
		
Author: exerk
Posted: Tue Sep 16, 2014 3:52 am

I'd much rather see the setmqspl command...
		
		
		
		
Author: yasaboy
Posted: Tue Sep 16, 2014 6:06 am

Hi,

Didn't use the setmqspl. Instead used the MQ Explorer to set the security policies.
		
		
		
		
Author: fjb_saper (Grand High Poobah; Joined: 18 Nov 2003; Posts: 20768; Location: LI,NY)
Posted: Tue Sep 16, 2014 7:19 am

yasaboy wrote:
> Hi,
>
> Didn't use the setmqspl. Instead used the MQ Explorer to set the security policies.

Well if you did set encrypt you must have set a few more attributes, like the DN of the allowed receiver(s), care to share them?

If Bob's (full) DN does not match this the MQOpen will return 2035. Working as designed?
_________________
MQ & Broker admin
		
		
		
		
Author: yasaboy
Posted: Mon Sep 22, 2014 2:13 am

Hi,

I have used MQCB and MQPUT commands to put and get messages from the Queue in my application.

For example queue TEST.OUTQUEUE1 has following authorities. We have used MQCB to get messages from this queue.

Code:
    bin>dspmqaut -m Q.AMS -n TEST.OUTQUEUE1 -t q -g alice
    Entity alice has the following authorizations for object TEST.OUTQUEUE1:
            get

Is this OK or do I need to provide some other privilege to the queue in order to get messages from the Queue?
		
		
		
		
Author: hughson (Padawan; Joined: 09 May 2013; Posts: 1967; Location: Bay of Plenty, New Zealand)
Posted: Mon Sep 22, 2014 2:53 am

+get covers the use of MQCB as well if that's your question?

However, we can't in all honesty know if your application needs any other authorities without knowing what else it does. Like does it use browse, or do an MQINQ - then you'd need other authorities.

Cheers
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
		
		
		
		
Author: yasaboy
Posted: Mon Sep 22, 2014 3:09 am

Hi,

I just checked the same solution by giving all mqaut to Queue. So 2035 is not coming from insufficient privileges.

It is happening in the queues where I have enabled security policies.

@fjb_saper:

Sharing policies of the Queues defined.

    bin>dspmqspl -m Q.MAN..AMS
    Policy Details:
    Policy name: TEST.INQUEUE1
    Quality of protection: PRIVACY
    Signature algorithm: SHA1
    Encryption algorithm: AES256
    Signer DNs:
      CN=alice,O=IBM,C=GB
    Recipient DNs:
      CN=bob,O=IBM,C=GB
    Toleration: 0
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Policy Details:
    Policy name: TEST.INQUEUE2
    Quality of protection: PRIVACY
    Signature algorithm: SHA1
    Encryption algorithm: AES256
    Signer DNs:
      CN=alice,O=IBM,C=GB
    Recipient DNs:
      CN=bob,O=IBM,C=GB
    Toleration: 0

I can access TEST.INQUEUE3 and above without any problem.
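The recipient-DN question fjb_saper raised earlier in the thread, checked against the dspmqspl listing in the post above, as an added example that is not part of the original thread. The function names, the result labels and the DN normalisation (spaces around "," and "=" trimmed, attribute types upper-cased, escaped commas not handled) are assumptions of this example, not MQ's own matching rules.

```python
# Constructed sample: one policy block as dspmqspl printed it in the thread,
# repeated for the two queue names that have a policy.
_BLOCK = """Policy Details:
Policy name: {name}
Quality of protection: PRIVACY
Signature algorithm: SHA1
Encryption algorithm: AES256
Signer DNs:
  CN=alice,O=IBM,C=GB
Recipient DNs:
  CN=bob,O=IBM,C=GB
Toleration: 0
"""
SAMPLE = "- - - - - - - -\n".join(_BLOCK.format(name=n) for n in ("TEST.INQUEUE1", "TEST.INQUEUE2"))

def parse_policies(text):
    """Return {policy name: {field: value, or list of DNs for the '... DNs' fields}}."""
    policies, current, dn_list = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("- -") or line == "Policy Details:":
            continue
        if raw[:1].isspace() and dn_list is not None:
            dn_list.append(line)  # indented line: a DN belonging to the open list
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Policy name":
            current, dn_list = policies.setdefault(value, {}), None
        elif current is not None and key.endswith("DNs"):
            dn_list = current.setdefault(key, [])
        elif current is not None:
            current[key], dn_list = value, None
    return policies

def normalize_dn(dn):
    """Hypothetical normalisation: tuple of (ATTRIBUTE TYPE, value) with spaces trimmed."""
    return tuple((a.strip().upper(), v.strip())
                 for a, _, v in (rdn.partition("=") for rdn in dn.split(",")))

def check_dn(policies, queue, role, cert_dn):
    """role is 'Signer DNs' or 'Recipient DNs'; returns a short verdict string."""
    policy = policies.get(queue)
    if policy is None:
        return "no-policy"
    listed = policy.get(role, [])
    if cert_dn in listed:
        return "exact"
    if normalize_dn(cert_dn) in {normalize_dn(d) for d in listed}:
        return "normalized-only"  # differs only in spacing or attribute-type case
    return "not-listed"
```

Run it with the DN taken from the certificate the getting application actually presents; a "normalized-only" verdict points at a spacing or case difference between that DN and the policy entry.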
		
		
		
		
Author: hughson
Posted: Mon Sep 22, 2014 3:34 am

What does your error log say is the reason for the 2035?

Cheers
Morag
		
		
		
		
Author: yasaboy
Posted: Mon Sep 22, 2014 3:49 am

    ----- amqzfubx.c : 624 --------------------------------------------------------
    09/15/2014 01:15:53 PM - Process(10920.947) User(dev51) Program(amqzlaa0)
                        Host(sgx-env-app-06) Installation(Installation1)
                        VRMF(7.5.0.2) QMgr(NC.Q.MAN)

    AMQ8077: Entity 'bob         ' has insufficient authority to access object
    'TEST.INQUEUE2'.

    EXPLANATION:
    The specified entity is not authorized to access the required object. The
    following requested permissions are unauthorized: get
    ACTION:
    Ensure that the correct level of authority has been set for this entity against
    the required object, or ensure that the entity is a member of a privileged
    group.
		
		
		
		
Author: exerk
Posted: Mon Sep 22, 2014 4:12 am

yasaboy wrote:
> EXPLANATION:
> The specified entity is not authorized to access the required object. The
> following requested permissions are unauthorized: get

Well, I think it's pretty obvious where your issue is
		
		
		
		
Author: fjb_saper
Posted: Mon Sep 22, 2014 5:51 am

yasaboy wrote:
> Code:
>     bin>dspmqaut -m Q.AMS -n TEST.OUTQUEUE1 -t q -g alice
>     Entity alice has the following authorizations for object TEST.OUTQUEUE1:
>             get
>
> Is this OK or do I need to provide some other privilege to the queue in order to get messages from the Queue?

Wondering why you would want to retrieve messages as alice if the policy clearly says that only bob can retrieve messages out of that queue....
		
		