MQ


rfhutilc userid

  • 1.  rfhutilc userid

    Posted Tue January 03, 2017 07:06 AM

    Hi,
    I am trying to connect to a v9 queue manager that has ldap enabled and CHCKCLNT(REQUIRED) using rfhutilc.
    In rfhutil I have configured the Set Conn Id with userid (id1) and password and ticked used CSP.
    I have used a MQCHLTAB to configure the connection (TLS).
    I can connect fine using amqsputc

    set MQSSLKEYR=F:\keys\key
    set MQCHLLIB=F:\
    set MQCHLTAB=AMQCLCHL.TAB
    set MQSAMP_USER_ID=id1

    amqsputc Q1 QM1
    Sample AMQSPUT0 start
    Enter password: passwd
    target queue is Q1

    Sample AMQSPUT0 end


    But when I try and connect with rfhutilc it fails -

    ----- cmqxrsrv.c : 2363 -------------------------------------------------------
    03/01/2017 11:10:45 - Process(4196.19) User(y) Program(amqzlaa0.exe)
    Host(x) Installation(Installation1)
    VRMF(9.0.0.0) QMgr(QM1)

    AMQ5540: Application 'rfhutilc.exe' did not supply a user ID
    and password

    EXPLANATION:
    The queue manager is configured to require a user ID and password, but none was
    supplied.
    ACTION:
    Ensure that the application provides a valid user ID and password, or change
    the queue manager configuration to OPTIONAL to allow applications to connect
    which have not supplied a user ID and password.
    ----- amqzfuca.c : 4751 -------------------------------------------------------
    03/01/2017 11:10:45 - Process(5828.6) User(y) Program(amqrmppa.exe)
    Host(x) Installation(Installation1)
    VRMF(9.0.0.0) QMgr(QM1)

    AMQ9557: Queue Manager User ID initialization failed for 'id2'.

    EXPLANATION:
    The call to initialize the User ID 'id2' failed with CompCode 2 and Reason
    2035.
    ACTION:
    Correct the error and try again.
    ----- cmqxrsrv.c : 2363 -------------------------------------------------------


    The id2 is the id I am running the rfhutil client as, not the id I am trying to connect with. (id2 has got access so not sure why the 2035).


    Additional info -
    dis AUTHINFO(USE.LDAP) AUTHTYPE(IDPWLDAP)

    AUTHINFO(USE.LDAP) AUTHTYPE(IDPWLDAP)
    ADOPTCTX(YES) DESCR( )
    CONNAME(ldap1(50072),ldap2(50072))
    CHCKCLNT(REQUIRED) CHCKLOCL(OPTIONAL)
    CLASSGRP(group) CLASSUSR(user)
    FAILDLAY(10) FINDGRP(member)
    BASEDNG(OU=GROUPS)
    BASEDNU(ou=ldap)
    LDAPUSER(cn=BIND)
    LDAPPWD(********************************)
    SHORTUSR(cn) GRPFIELD(cn)
    USRFIELD( ) AUTHORMD(SEARCHGRP)
    NESTGRP(NO) SECCOMM(YES)
    ALTDATE(2016-12-22) ALTTIME(16.00.00)


    AMQ8414: Display Channel details.
    CHANNEL(CLIENT.TO.QM1) CHLTYPE(CLNTCONN)
    AFFINITY(PREFERRED) ALTDATE(2016-12-22)
    ALTTIME(15.03.51) CERTLABL(cert1)
    CLNTWGHT(0) COMPHDR(NONE)
    COMPMSG(NONE) CONNAME(QM1(1414))
    DEFRECON(NO) DESCR( )
    HBINT(300) KAINT(AUTO)
    LOCLADDR( ) MAXMSGL(4194304)
    MODENAME( ) PASSWORD( )
    QMNAME(QM1) RCVDATA( )
    RCVEXIT( ) SCYDATA( )
    SCYEXIT( ) SENDDATA( )
    SENDEXIT( ) SHARECNV(10)
    SSLCIPH(TLS_RSA_WITH_AES_256_CBC_SHA256)
    SSLPEER(CN=client) TPNAME( )
    TRPTYPE(TCP) USERID( )


    dis CHLAUTH('*')
    6 : dis CHLAUTH('*')
    AMQ8878: Display channel authentication record details.
    CHLAUTH(CLIENT.TO.QM1) TYPE(ADDRESSMAP)
    ADDRESS(*) USERSRC(CHANNEL)
    AMQ8878: Display channel authentication record details.
    CHLAUTH(CLIENT.TO.QM1) TYPE(BLOCKUSER)
    USERLIST(nobody)
    AMQ8878: Display channel authentication record details.
    CHLAUTH(*) TYPE(ADDRESSMAP)
    ADDRESS(*) USERSRC(NOACCESS)
    AMQ8878: Display channel authentication record details.
    CHLAUTH(*) TYPE(BLOCKUSER)
    USERLIST(nobody,*MQADMIN)



    rfhutil v7.5.0 Build 220



    Any ideas on how I can get rfhutilc to connect?



  • 2.  RE: rfhutilc userid

    Posted Wed January 04, 2017 09:17 AM

    I can connect to an LDAP protected V9 queue manager using RFHUTILC version 8.0.0 build 221.  Since your RFHUTILC version is slightly older you may want to try using a newer version.



  • 3.  RE: rfhutilc userid

    Posted Wed January 04, 2017 09:42 AM

    From where can we download 8.0? I can see only 7.5.



  • 4.  RE: rfhutilc userid

    Posted Wed January 04, 2017 10:01 AM

    Where can this version 221 be found?

    Do you have a link?



  • 5.  RE: rfhutilc userid

    Posted Wed January 04, 2017 10:16 AM

    That's a good question.  I got a copy from the author a while ago.  I'll attach the version that I'm using for you to try.  Since I'm not the author I cannot provide any support for this tool.



  • 6.  RE: rfhutilc userid

    Posted Wed January 04, 2017 11:40 AM

    Thank you
     
    In Reply to Timothy Bryant:

    That's a good question.  I got a copy from the author a while ago.  I'll attach the version that I'm using for you to try.  Since I'm not the author I cannot provide any support for this tool.



  • 7.  RE: rfhutilc userid

    Posted Wed January 04, 2017 10:27 AM

    display qmgr CONNAUTH
         1 : display qmgr CONNAUTH
    AMQ8408: Display Queue Manager details.
           QMNAME(QM_NMAE)
           CONNAUTH(SYSTEM.DEFAULT.AUTHINFO.IDPWOS)
    display authinfo(SYSTEM.DEFAULT.AUTHINFO.IDPWOS)
         2 : display authinfo(SYSTEM.DEFAULT.AUTHINFO.IDPWOS)
    AMQ8566: Display authentication information details.
           AUTHINFO(SYSTEM.DEFAULT.AUTHINFO.IDPWOS)
           AUTHTYPE(IDPWOS)                        ADOPTCTX(NO)
           DESCR( )                                CHCKCLNT(REQDADM)
           CHCKLOCL(OPTIONAL)                      FAILDLAY(1)
           AUTHENMD(OS)                            ALTDATE(2016-07-20)
           ALTTIME(11.58.14)
    ALTER AUTHINFO(SYSTEM.DEFAULT.AUTHINFO.IDPWOS) AUTHTYPE(IDPWOS) CHCKCLNT(OPTIONAL)
         3 : ALTER AUTHINFO(SYSTEM.DEFAULT.AUTHINFO.IDPWOS) AUTHTYPE(IDPWOS) CHCKCLNT(OPTIONAL)
    AMQ8567: IBM MQ authentication information changed.
    display authinfo(SYSTEM.DEFAULT.AUTHINFO.IDPWOS)
         4 : display authinfo(SYSTEM.DEFAULT.AUTHINFO.IDPWOS)
    AMQ8566: Display authentication information details.
           AUTHINFO(SYSTEM.DEFAULT.AUTHINFO.IDPWOS)
           AUTHTYPE(IDPWOS)                        ADOPTCTX(NO)
           DESCR( )                                CHCKCLNT(OPTIONAL)
           CHCKLOCL(OPTIONAL)                      FAILDLAY(1)
           AUTHENMD(OS)                            ALTDATE(2016-07-21)
           ALTTIME(11.08.32)
    REFRESH SECURITY TYPE(CONNAUTH)
         5 : REFRESH SECURITY TYPE(CONNAUTH)
    AMQ8560: IBM MQ security cache refreshed.
    end
         6 : end
    5 MQSC commands read.
    No commands have a syntax error.
    All valid MQSC commands were processed.



  • 8.  RE: rfhutilc userid

    Posted Wed January 04, 2017 10:56 AM

    Hi,

    Thanks for your help so far, I have tried using RFHUTILC version 8.0.0 build 221 but I am still getting the same error.

    The main thing is I have CHCKCLNT(REQUIRED). If I set this to OPTIONAL it works, but this is obviously not what I want as it bypasses id and password.


    Can you supply your mq settings -

    dis qmgr CONNAUTH

    dis AUTHINFO(from above command) AUTHTYPE(IDPWLDAP)

    dis CHANNEL(client channel)

    dis CHLAUTH('*')

    Also can you screen print your rfhutilc screens, mine are in attached doc.

    Thanks,

    Rab.




  • 9.  RE: rfhutilc userid

    Posted Wed January 04, 2017 11:52 AM

    I've included the requested information below.  I'm curious though, are you seeing the "AMQ5540: Application 'rfhutilc.exe' did not supply a user ID and password" error even when using version 8 of rfhutilc?

    One challenge that you will have comparing my configuration with yours is the difference in LDAP schema.  Here's a bit of background on the schema for the LDAP that I'm connecting to:

    The fully qualified name of my userid is: cn=wmbuser1, ou=users, ou=wmbv8, o=ibm, c=us

    The userid that I'm using is a member of an LDAP group named authorized

    This is the command string that I used to create the AUTHINFO object:

    DEFINE AUTHINFO(USE.LDAP) AUTHTYPE(IDPWLDAP) ADOPTCTX(YES) CONNAME(10.0.0.5) CHCKCLNT(REQUIRED) CLASSGRP('groupOfNames') CLASSUSR('inetOrgPerson') FINDGRP('member') BASEDNG('ou=users, ou=wmbv8, o=ibm, c=us') BASEDNU('ou=users, ou=wmbv8, o=ibm, c=us') LDAPUSER('cn=root') LDAPPWD('db2admin') SHORTUSR('sn') GRPFIELD('cn') USRFIELD('cn') AUTHORMD(SEARCHGRP) NESTGRP(YES)

     The command that I used to create the SVRCONN channel is: DEFINE CHANNEL(USER.SVRCONN) CHLTYPE(SVRCONN)

    For my purposes, the userid that I was using had the equivalent of "mqm" authority.  To enable this userid to use a client connection I had to delete the default channel authentication record that prevents administrators from using client connections.  Refer to the ChlAuth.jpg screen shot for an illustration.

    Lastly, I've attached a screen shot of the rfhutilc parameters that I used in the file attachment named rfhutilc.jpg



  • 10.  RE: rfhutilc userid

    Posted Wed January 04, 2017 12:39 PM

    Hi Timothy,

    Thanks for the information. I have had some success: if I connect to an unencrypted channel I can get rfhutilc to work. But on a channel with SSLCIPH(TLS_RSA_WITH_AES_256_CBC_SHA256) it is failing. I think my MQCHLTAB/TLS configuration is correct because if I disable CHCKCLNT I can connect, and I can use amqsputc over the secured channel OK. I will investigate more tomorrow.

    Regards,

    Rab.



  • 11.  RE: rfhutilc userid

    Posted Thu January 05, 2017 10:16 AM

    OK, I have done some more investigation and I think the issue is using rfhutilc with a Client Channel Definition Table (AMQCLCHL.TAB) and LDAP authentication. If I connect using CHANNEL/TCP/host(port) it works. I don't think it is a TLS issue as I previously thought; both encrypted and non-encrypted channels fail for me when using a channel table.

    Timothy, can you try connecting using a channel table and confirm if you see this behaviour too?

    Thanks,

    Rab.



  • 12.  RE: rfhutilc userid

    Posted Mon January 09, 2017 10:36 AM

    Was finally able to take time to test this out.

    The rfhutilc program does not use the userid/password set in the "Set Conn Id" button when relying on a client channel definition table.  Instead, it uses the userid that was used to launch the program.  

    It appears that I'm seeing the same behavior as you.
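    Added example (not code from the thread or from rfhutil): a small parser for the AMQERR-style records shown in the first post, with a classifier that maps the AMQ5540 / AMQ9557 pair to what the thread concluded, that the client sent no MQCSP credentials and the queue manager fell back to the launching user's id. The sample log is constructed from the first post's extract, trimmed to the lines the parser needs.

```python
import re

# Constructed sample, trimmed from the AMQERR01.LOG extract in the first post of this thread.
SAMPLE_LOG = """\
----- cmqxrsrv.c : 2363 -------------------------------------------------------
03/01/2017 11:10:45 - Process(4196.19) User(y) Program(amqzlaa0.exe)
VRMF(9.0.0.0) QMgr(QM1)

AMQ5540: Application 'rfhutilc.exe' did not supply a user ID
and password

----- amqzfuca.c : 4751 -------------------------------------------------------
03/01/2017 11:10:45 - Process(5828.6) User(y) Program(amqrmppa.exe)
VRMF(9.0.0.0) QMgr(QM1)

AMQ9557: Queue Manager User ID initialization failed for 'id2'.

EXPLANATION:
The call to initialize the User ID 'id2' failed with CompCode 2 and Reason
2035.
----- cmqxrsrv.c : 2363 -------------------------------------------------------
"""

RECORD_SEP = re.compile(r"^----- \S+ : \d+ -+$", re.M)
HEADER = re.compile(r"^(\S+ \S+) - Process\([\d.]+\) User\(\S+\) Program\((\S+)\)", re.M)
MESSAGE = re.compile(r"^(AMQ\d{4}): (.*?)\n\n", re.M | re.S)
REASON = re.compile(r"Reason\s+(\d+)")
QUOTED = re.compile(r"'([^']+)'")

def parse_records(text):
    """Split an AMQERR-style log into records and keep the fields needed for CONNAUTH triage."""
    records = []
    for chunk in RECORD_SEP.split(text):
        head, msg = HEADER.search(chunk), MESSAGE.search(chunk)
        if not head or not msg:
            continue  # separator residue or a record without a message line
        body = " ".join(msg.group(2).split())  # rejoin the wrapped message text
        reason, subject = REASON.search(chunk), QUOTED.search(body)
        records.append({"time": head.group(1), "program": head.group(2),
                        "msgid": msg.group(1), "text": body,
                        "subject": subject.group(1) if subject else None,
                        "reason": int(reason.group(1)) if reason else None})
    return records

def classify(rec):
    if rec["msgid"] == "AMQ5540":
        return "NO_CREDENTIALS_SENT"  # client never passed an MQCSP user ID/password on MQCONNX
    if rec["msgid"] == "AMQ9557" and rec["reason"] == 2035:
        return "FALLBACK_ID_NOT_AUTHORIZED"  # id the client was launched as was tried; 2035 = MQRC_NOT_AUTHORIZED
    return "OTHER"
```

Running `parse_records(SAMPLE_LOG)` yields two records whose `subject` fields are the application name (rfhutilc.exe) and the fallback user (id2), which is the quickest way to confirm that the Set Conn Id credentials never reached the queue manager.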



  • 13.  RE: rfhutilc userid

    Posted Tue January 10, 2017 05:52 AM

    Timothy, thanks for taking the time and confirming this.

    Regards,

    Rab.