MQ

MQ

Join this online group to communicate across IBM product users and experts by sharing advice and best practices with peers and staying up to date regarding product enhancements.

 View Only
Expand all | Collapse all

MCA password does not it allow more then 12 character

  • 1.  MCA password does not it allow more then 12 character

    Posted Thu May 01, 2025 01:44 PM
    Edited by K Priyanka Thu May 01, 2025 09:42 PM

    Hello All,

    I am getting an error when the MCA user id's password is more the 12 character, is it not possible to use MCA password more the 12 character.?

    'Pipe returned 2023[Failed]'

    Thanks

    KP



    ------------------------------
    K Priyanka
    ------------------------------



  • 2.  RE: MCA password does not it allow more then 12 character

    Posted Fri May 02, 2025 01:19 AM
    Edited by Francois Brandelik Fri May 02, 2025 01:19 AM

    There is not such thing as the MCA userid's password.

    There is however a userid used in the authentication context that can then be populated to the MCAUSER

    Did you force the use of the MQCSP structure for passing userid and password in the authentication call?

    Note that in some versions of MQ for Java/JMS the defaults about using the MQCSP structure for the authentication call have changed.(9.3.0.4 and above comes to mind)

    You could also review the entries in your application's mqclient.ini to force the use of the MQCSP structure if your MQ Java version is not too old!

    Hope it helps



    ------------------------------
    Francois Brandelik
    ------------------------------



  • 3.  RE: MCA password does not it allow more then 12 character

    Posted Fri May 02, 2025 03:48 PM
    Edited by K Priyanka Fri May 02, 2025 05:16 PM

    Hello Francois,

    Thank you for reply.

    the MQ client version is 7.0.1.10 and Queue manager version is 9.4, I am using MQCSP structure to connect to queue manager from its client.

    Below is on queue manager:

    I am using SYSTEM.DEFAULT.AUTHINFO.IDPWOS authentication on queue manager.

    the client check is CHCKCLNT(REQDADM) on the authinfo and ADOPTCTX(YES)

    the user id is 12 character and password is 30 character.

    As per Morag blog is 

    Application team updated below in JVM arguments.

    java -Dcom.ibm.mq.cfg.jmqi.useMQCSPauthentication=Y application_name

    ----- amqrmrsa.c : 628 --------------------------------------------------------
    05/02/2025 01:54:13 PM - Process(2931871.1525) User(mqm) Program(amqzlaa0)
                        Host(uc3600pmq01) Installation(Installation1)
                        VRMF(9.4.0.5) QMgr(RVCQPP1)
                        Time(2025-05-02T17:54:13.364Z)
                        CommentInsert1(LcrsvABCptxy)
                        CommentInsert2(WebSphere MQ Client for Java)
                        CommentInsert3(Pipe returned 2035 [FAILED])
     
    AMQ5534E: User ID 'LcrsvABCptxy' authentication failed
     
    EXPLANATION:
    The user ID and password supplied by the 'WebSphere MQ Client for Java' program
    could not be authenticated.
    Additional information: 'Pipe returned 2035 [FAILED]'.
    ACTION:
    Ensure that the correct user ID and password are provided by the application.
    Ensure that the authentication repository is correctly configured. Look at
    previous error messages for any additional information. If  MQ was installed
    using the unzip mechanism, you must not set the authentication method option

    for your configured CONNAUTH object to "OS"

    ----- amqzfuca.c : 4932 -------------------------------------------------------
    05/02/2025 01:54:13 PM - Process(2931871.1525) User(mqm) Program(amqzlaa0)
                        Host(uc3600pmq01) Installation(Installation1)
                        VRMF(9.4.0.5) QMgr(RVCQPP1)
                        Time(2025-05-02T17:54:13.364Z)
                        CommentInsert1(LcrsvABCptxy)
                        CommentInsert2(SYSTEM.DEFAULT.AUTHINFO.IDPWOS)
                        CommentInsert3(CHCKCLNT(REQDADM))
     
    AMQ5542I: The failed authentication check was caused by the queue manager
    CONNAUTH CHCKCLNT(REQDADM) configuration.
     
    EXPLANATION:
    The user ID 'LcrsvABCptxy' and its password were checked because the queue
    manager connection authority (CONNAUTH) configuration refers to an
    authentication information (AUTHINFO) object named
    'SYSTEM.DEFAULT.AUTHINFO.IDPWOS' with CHCKCLNT(REQDADM).
     
    This message accompanies a previous error to clarify the reason for the user ID
    and password check.
    ACTION:
    Refer to the previous error for more information.
     
    Ensure that a password is specified by the client application and that the
    password is correct for the user ID. The authentication configuration of the
    queue manager connection determines the user ID repository. For example, the
    local operating system user database or an LDAP server.
     
    Note that if the authentication configuration specifies an LDAP user
    repository, a CHCKCLNT value of REQADM is treated as equivalent to a value of
    OPTIONAL.
     
    If the CHCKCLNT setting is OPTIONAL, the authentication check can be avoided by
    not passing a user ID across the channel. For example, by omitting the MQCSP
    structure from the client MQCONNX API call.
     
    To avoid the authentication check, you can amend the authentication
    configuration of the queue manager connection, but you should generally not
    allow unauthenticated remote access.



    ------------------------------
    K Priyanka
    ------------------------------



  • 4.  RE: MCA password does not it allow more then 12 character

    Posted Fri May 02, 2025 09:34 AM

    Hello Priyanka - 

    As explained in the knowledge center: "Developing Applications Reference > MQI Applications reference Constants"

    MQ_MCA_USER_ID_LENGTH (value differs by platform or version) (value differs by platform or version)

    The length of MCA_USER_ID depends on the platform where it is being used, as example windows versus non-windows.

    Also see - 

    IBM MQ Classes for JMS 2.0 (CMQC) shows the following:

    public static final int MQ_MAX_LDAP_MCA_USER_ID_LENGTH 1024
    public static final int MQ_MAX_MCA_USER_ID_LENGTH 64
    public static final int MQ_MAX_PROPERTY_NAME_LENGTH 4095
    public static final int MQ_MAX_USER_ID_LENGTH 64
    public static final int MQ_MCA_JOB_NAME_LENGTH 28
    public static final int MQ_MCA_NAME_LENGTH 20
    public static final int MQ_MCA_USER_DATA_LENGTH 32
    public static final int MQ_MCA_USER_ID_LENGTH_OTHER 12
    public static final int MQ_MCA_USER_ID_LENGTH_WINDOWS 64

    Also note this item

    User IDs

    Last Updated: 2025-01-30

    When you create user IDs for client applications, the user IDs must not be longer than the maximum permitted length. You must not use the reserved user IDs UNKNOWN and NOBODY. If the server that the client connects to is an IBM® MQ for Windows server, you must escape the use of the at sign, @. The permitted length of user IDs is dependent on the platform that is used for the server:

    • [AIX][z/OS][Linux]On z/OS®, AIX® and Linux®, the maximum length of a user ID is 12 characters.
    • [IBM i]On IBM i, the maximum length of a user ID is 10 characters.
    • [Windows]On Windows, if both the IBM MQ MQI client and the IBM MQ server are on Windows, and the server has access to the domain on which the client user ID is defined, the maximum length of a user ID is 20 characters. However, if the IBM MQ server is not a Windows server, the user ID is truncated to 12 characters.
    • If you use the MQCSP structure to pass credentials, the maximum length of a user ID is 1024 characters. The MQCSP structure user ID cannot be used to circumvent the maximum userid length used by IBM MQ for authorization. For more information about the MQCSP structure, see Identifying and authenticating users using the MQCSP structure.

    On AIX and Linux systems the default is that user IDs are used to authenticate, and groups are used for authorization. However, you can configure these systems to authorize against user Ids. For more information, see OAM user-based permissions on AIX and Linux. Windows systems can use both user IDs for both authentication and authorization and groups for authorization.

    If you create service accounts, without paying attention to groups, and authorize all the user IDs differently, every user can access the information of every other user.

    Restricted user IDs

    The user IDs UNKNOWN and group nobody have special meanings to IBM MQ. Creating a user ID in the operating system called UNKNOWN or a group called nobody could have unintended results.

    [Windows]

    User IDs when connecting to an IBM MQ for Windows server

    An IBM MQ for Windows server does not support the connection of an IBM MQ MQI client if the client is running under a user ID that contains the @ character, for example, abc@d. The return code to the MQCONN call at the client is MQRC_NOT_AUTHORIZED.

    However, you can specify the user ID using two @ characters, for example, abc@@d. Using the id@domain format is the preferred practice, to ensure that the user ID is resolved in the correct domain consistently; thus abc@@d@domain.

    For MVS - 

    User IDs for security checking on z/OS

    Last Updated: 2025-01-30

    IBM® MQ initiates security checks based on user IDs associated with users, terminals, applications, and other resources. This collection of topics lists which user IDs are used for each type of security check.

    Hope this helps...



    ------------------------------
    JAMES Nadziejko
    ------------------------------



  • 5.  RE: MCA password does not it allow more then 12 character

    Posted Fri May 02, 2025 03:52 PM

    Hello James,

    thank you for reply, I read the documentation.

    I change the JVM arguments as it is mentioned in documentation.

    I am using SYSTEM.DEFAULT.AUTHINFO.IDPWOS authentication on queue manager.

    the client check is CHCKCLNT(REQDADM) on the authinfo and ADOPTCTX(YES)

    Please check not sure what I am missing.

    Please help me if I am missing anything.



    ------------------------------
    K Priyanka
    ------------------------------



  • 6.  RE: MCA password does not it allow more then 12 character

    Posted Fri May 02, 2025 04:10 PM

    Hi Priyanka,

    You have to read the error message carefully. It is not the password that is wrong, it is the combination userid/password.

    If you checkout the userid as shown in the error log you may see that the userid has been truncated at 12 chars. However you are telling us that the userid is 13 chars.

    Change to a userid of 12 chars or less and this should work.

    Hope it helps



    ------------------------------
    Francois Brandelik
    ------------------------------



  • 7.  RE: MCA password does not it allow more then 12 character

    Posted Fri May 02, 2025 05:04 PM
    Edited by K Priyanka Fri May 02, 2025 05:17 PM

    hello Francois,

    My bad the userid is 12 character, user id: LcrsvABCptxy

    the password I tried with 12 character it worked however when I updated 30 character it dint worked.

    the error message is same as above.



    ------------------------------
    K Priyanka
    ------------------------------



  • 8.  RE: MCA password does not it allow more then 12 character

    Posted Fri May 02, 2025 05:36 PM
    Edited by Francois Brandelik Fri May 02, 2025 05:53 PM

    Hi Priyanka,

    The problem with a password longer than 16 chars is that in order to be able to use the MQCSP structure, I believe your MQ Client needs to be at MQ Version 8.0.0.4 or greater. Maybe using  the MQCCRED client side security exit might work for your level of MQ Client. But you'd have to copy the DLLs or so libraries from a more recent MQ Client installation...

    Don't hold me to it, as this is from memory. But I believe that you cannot do it if MQ is at level 7.5 or below. There should be no problems for an MQ Client at level MQ 9.4

    Hope it helps



    ------------------------------
    Francois Brandelik
    ------------------------------



  • 9.  RE: MCA password does not it allow more then 12 character

    Posted Mon May 05, 2025 09:33 AM

    The maximum length of a user ID depends on the platform:
    On Windows, if both the client and server are on Windows and the server has access to the domain, it's 20 characters. 
    Otherwise, it's truncated to 12 characters.

    https://www.ibm.com/docs/en/ibm-mq/9.4.x?topic=application-user-ids



    ------------------------------
    Prasad beathpudi
    ------------------------------



  • 10.  RE: MCA password does not it allow more then 12 character

    Posted Tue May 06, 2025 08:17 AM
    Edited by Francois Brandelik Tue May 06, 2025 08:19 AM

    This appears for the first time in MQ8. MQ 7.5 doc for that page says nothing about user length. So it might well not apply to MQ 7.0,1 (I know... I know... out of support for a very long time now...) which is the version the customer is using...



    ------------------------------
    Francois Brandelik
    ------------------------------



  • 11.  RE: MCA password does not it allow more then 12 character

    Posted Tue May 06, 2025 10:43 PM

    Hello Francois,

    thanks for follow up.

    after upgrading MQ client version to IBM MQv9.4.0.0 password of 30 character it worked!!

    KP



    ------------------------------
    K Priyanka
    ------------------------------