What we're trying to achieve here is a sort of Zero Trust MQ environment, with, in particular:
- Queue Manager protected from the very first second (hence the use of AutoConfig)
- Authentication of all access, both via MQ Client and bindings, for all application users and administrators
- Lots of other fun little things about security (audit, ...)
Of course, with CHCKLOCL(OPTIONAL), sudo su - mqm makes it possible to track who is using mqm, but in this case authentication of local applications is no longer mandatory, which is not the target.
I'm afraid I have to choose between CHCKLOCL(REQUIRED) and AutoConfig ...
If anyone has any other ideas ...
Original Message:
Sent: Wed December 18, 2024 08:32 AM
From: Francois Brandelik
Subject: Security problem with MQSC automatic configuration
Hello Luc-Michel,
The fact that the mqm account has no password should not be a problem, if the only way to access it is via sudo call.
This should then clearly show in the logs, which accounts did that call.
It should also allow you to relax the security and use checklocl(optional). Remember that all members of the access to mqm is limited and the only time this is really needed is at qmgr startup.
Hope it helps.
------------------------------
Francois Brandelik
Original Message:
Sent: Tue December 17, 2024 11:31 AM
From: Luc-Michel Demey
Subject: Security problem with MQSC automatic configuration
Hello Francois,
You've confirmed what I understood and what I feared.
The aim here is to create Queue Managers by immediately following on with a minimum configuration (AUTHINFO, CHLAUTH, SSLKEYR, etc.) for security reasons.
The application configuration will be applied later.
In fact there are 3 problems:
- The limitation on the cohabitation of CHCKLOCL(REQUIRED) and AutoConfig is not documented
- I'm familiar with the principle of providing a password on line 1 of an MQSC file, which is a BIG security flaw (unless it's possible to encrypt this password, I haven't seen anything to that effect, but I'll look into it).
- The account used to run the AutoConfig scripts is (probably) mqm, but here, for security reasons, the mqm account has no password.
All this is a bit disappointing, and severely limits the interest of Queue Manager's AutoConfig.
AutoConfig scripts executed at crtmqm / strmqm should not be affected by CHCKLOCL(REQUIRED), or it should be possible to specify an account and password. Hello @Hursley ?
------------------------------
Luc-Michel Demey
DEMEY CONSULTING
lmd@demey-consulting.fr
#IBMChampion
Original Message:
Sent: Tue December 17, 2024 08:33 AM
From: Francois Brandelik
Subject: Security problem with MQSC automatic configuration
Hi Luc-Michel,
Alas, the way to provide the password is to have it be the first line of the mqsc script. Now you'd have to review the documentation to see if an obfuscated or encrypted password can be accepted. Otherwise it would be in clear. This is why the chcklocl is by default set to Optional: if you are on the box, it is assumed that you already had to do the login and have been authenticated. Setting it to required for a remote connection is fine, but for the local one optional should be good. I would suggest for your environment that you also set the authentication method authenmd(PAM) and adoptctx(yes).
Hope it helps
------------------------------
Francois Brandelik
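The split Francois describes (authentication required for remote client connections, optional for local bindings, with PAM and ADOPTCTX), written out as an added MQSC example that is not from the thread; the file name in the comment is hypothetical.

```mqsc
* Added example, not from the thread: a minimal AutoConfig MQSC file such as
* /var/mqm/scripts/QM01/10-connauth.mqsc (hypothetical name).
* Client (remote) connections must present credentials; local bindings are
* only checked when credentials are supplied, so the AutoConfig run executed
* under mqm at queue manager start is not blocked by its own security script.
ALTER AUTHINFO(SYSTEM.DEFAULT.AUTHINFO.IDPWOS) AUTHTYPE(IDPWOS) +
      CHCKCLNT(REQUIRED) CHCKLOCL(OPTIONAL) +
      AUTHENMD(PAM) ADOPTCTX(YES) FAILDLAY(5)
* Point the queue manager at this object and reload the CONNAUTH cache
ALTER QMGR CONNAUTH(SYSTEM.DEFAULT.AUTHINFO.IDPWOS)
REFRESH SECURITY TYPE(CONNAUTH)
* Check the effective settings; a client connecting without a user ID and
* password should now get MQRC 2035 (MQRC_NOT_AUTHORIZED)
DISPLAY AUTHINFO(SYSTEM.DEFAULT.AUTHINFO.IDPWOS) +
        CHCKCLNT CHCKLOCL AUTHENMD ADOPTCTX
```

With ADOPTCTX(YES), authorization and the MQ error log use the authenticated user rather than the OS identity of the connecting process, which is what makes the sudo audit trail mentioned in the thread meaningful.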
Original Message:
Sent: Mon December 16, 2024 06:42 AM
From: Luc-Michel Demey
Subject: Security problem with MQSC automatic configuration
Hello,
I have a problem with the AutoConfig function of a Queue Manager.
Context: IBM MQ 9.4 on Linux
When creating the Queue Manager, I use the -ic and -ii options:
crtmqm -lla -ic /var/mqm/scripts/QM01 -ii /var/mqm/scripts/QM01 QM01
A script in the folder /var/mqm/scripts/QM01 sets the AUTHINFO to CHCKLOCL(REQUIRED).
When I then run runmqsc -u QM01, I get a prompt to provide the password.
OK
On the next MQ start, the mqsc files are not executed. However, there's no problem with the .ini files.
In the log I find the message:
AMQ9508E: Program cannot connect to the queue manager.
I also have an FFDC with:
} uscRunScript rc=rrcE_MQCONN_FAILED
I have the impression that it's the CHCKLOCL(REQUIRED) that requires a password to run the mqsc commands at QM startup, a password that I can't see where to enter.
What's more, these commands are run by the mqm account, which doesn't have a password.
Does anyone have any ideas?
Thank you.
------------------------------
Luc-Michel Demey
DEMEY CONSULTING
lmd@demey-consulting.fr
#IBMChampion
------------------------------