MQ

MQ

Join this online group to communicate across IBM product users and experts by sharing advice and best practices with peers and staying up to date regarding product enhancements.

 View Only

  • 1.  MQ Client connection problem

    Posted Mon January 18, 2021 09:13 AM
    Hello!

    I am running IBM MQ Server (v9.1.4) on one node using Linux CentOS, which sits behind load balancer. I have one queue manager installed with couple of queues and channels. Also have SVRCONN channel for our Java client, what consumes messages from different queues.

    For our Java client, I created local user and password. Qmgr is using CONNAUTH, what i configured and everything seems to be working.

    Now I am trying to set up node number two with IBM MQ Server (v9.2.0).  But the same configuration doesnt seem to work. I added the same user and password. Altered qmgr to use the same CONNAUTH with same parameters that older version has.

    If I send traffic from load balancer to IBM MQ server (v9.2.0), I am getting errors that authentication failed.

    From logs: 
    AMQ5534E: User ID 'xxxx' authentication failed

EXPLANATION:
The user ID and password supplied by the 'xxxx' program could not be
authenticated.
Additional information: 'Pipe returned 2035 [FAILED]'.

AMQ5542I: The failed authentication check was caused by the queue manager
CONNAUTH CHCKCLNT(REQUIRED) configuration.

EXPLANATION:
The user ID 'xxxx' and its password were checked because the queue
manager connection authority (CONNAUTH) configuration refers to an
authentication information (AUTHINFO) object named 'USE.PW' with
CHCKCLNT(REQUIRED)


    Meanwhile, the Java client gets the error, which is ofcourse:

    JMSCMQ0001: IBM MQ call failed with compcode '2' ('MQCC_FAILED') reason '2035' ('MQRC_NOT_AUTHORIZED')


    Here is my queue manager CONNAUTH and AUTHINFO:

    CONNAUTH:

    AMQ8408I: Display Queue Manager details.
   QMNAME(xxx_xxx)                  CONNAUTH(USE.PW)


    AUTHINFO:

    AMQ8566I: Display authentication information details.
   AUTHINFO(USE.PW)                        AUTHTYPE(IDPWOS)
   ADOPTCTX(YES)                           DESCR( )
   CHCKCLNT(REQUIRED)                      CHCKLOCL(OPTIONAL)
   FAILDLAY(10)                            AUTHENMD(OS)
   ALTDATE(2021-01-18)                     ALTTIME(15.01.21)


    If I set CHCKCLNT to NONE,  Java client is able to connect and get the messages.


    I have also tried with sample programs (amqsputc, amqsgetc). With the default AUTHINFO (SYSTEM.DEFAULT.AUTHINFO.IDPWOS) I am able to connect/consume but with my own (USE.PW), which has the same parameters, I am not.

    Am I missing something here? What am I doing right on node number one and wrong on node number two?

    Thanks!




    ------------------------------
    Kristjan Voolaid
    ------------------------------



  • 2.  RE: MQ Client connection problem

    Posted Mon January 18, 2021 05:10 PM

    The most likely issue from what you have described is that while you believe you have created exactly the same user id and password on both nodes, in fact you haven't. Please double and triple check the user ID and password that you have created for your application to use, and that your application is supplying it correctly when connecting to both nodes.

    Cheers,
    Morag



    ------------------------------
    Morag Hughson
    MQ Technical Education Specialist
    MQGem Software Limited
    Website: https://www.mqgem.com
    ------------------------------

    Original Message


  • 3.  RE: MQ Client connection problem

    Posted Tue January 19, 2021 02:14 AM
    Edited by FJ Brandelik Tue January 19, 2021 02:17 AM
    How did you create the authorizations for MQ 9.2.0 ?

    How did you create the users in CentOs? They need to have the same uid and gid for a copy of the qmgr objects to work from one server to the other.

    ------------------------------
    FJ
    ------------------------------

    Original Message


  • 4.  RE: MQ Client connection problem

    Posted Tue January 19, 2021 04:06 AM
    Do you work with qm.ini

    ------------------------------
    Matthias Jungbauer
    ------------------------------

    Original Message


  • 5.  RE: MQ Client connection problem

    Posted Tue January 19, 2021 10:14 AM

    Thanks for the answers.

    All the configuration comes from chef cookbook. Mabye that is the reason? (user ID & password). Actually, I have also tried manually to add users, groups and passwords that match node 1 user and password. (changed uIDs and gIDs)

    Actions what I did:

    Add connauth to qmgr

    alter qmgr connauth (USE.PW)

    Define authinfo

    DEFINE AUTHINFO(USE.PW) AUTHTYPE(IDPWOS) FAILDLAY(10) CHCKLOCL(OPTIONAL) CHCKCLNT(REQUIRED)

REFRESH SECURITY TYPE(CONNAUTH)

    Add permissions to Java client user

    ./setmqaut -m QMGR -t qmgr -p john_doe +all
./setmqaut -m QMGR -n QUEUE -t channel -p john_doe +all
./setmqaut -m QMGR -n CHANNEL -p -t channel john_doe +all


    Is that enough for Java client to connect and consume messages? Note: Java client is inside container. Do I have to add users to container also?

    I've also set up IBM in docker. Same configuration, same users and everything works..

    What about the qm.ini file?



    ------------------------------
    Kristjan Voolaid
    ------------------------------

    Original Message


  • 6.  RE: MQ Client connection problem

    Posted Tue January 19, 2021 02:03 PM
    Edited by FJ Brandelik Tue January 19, 2021 02:05 PM
    You got your permissions a bit tangled
    ./setmqaut -m QMGR -t qmgr -p john_doe +connect +allmqi +dsp
./setmqaut -m QMGR -n QUEUE -t queue -p john_doe +allmqi + dsp
​

    This should be all you need. And remember as you are on Linux/Unix you should be setting the permissions for the group. If you did no specify user permissions in the qm.ini you are in fact authorizing the primary group for john_doe...



    ------------------------------
    FJ Brandelik

    ------------------------------

    Original Message