Introduction
From MQ v9.2.1, to set up OAM on MQ objects for a user who is not known to the operating system, there is an option that can be set in qm.ini under the Service stanza: SecurityPolicy=UserExternal. This functions similarly to the "User" option, with the distinction that the operating system does not require knowledge of the username. Consequently, it allows you to assign permissions to users that are specified in an external repository of your choosing (or even not defined anywhere at all). These users are not considered to be in any operating system groups.
In that case qm.ini will have an additional entry that looks like the one below:
Service:
   Name=AuthorizationService
   EntryPoints=14
   SecurityPolicy=UserExternal
Problem Statement
The above-mentioned setting works seamlessly when added to a queue manager's qm.ini in an on-premises setup.
When the same is tried for a queue manager deployed on OCP/CP4I using the IBM MQ Operator, the pod crashes with a CrashLoopBackOff error, and the FFDC logs lead to an MQRC_NOT_AUTHORIZED error. On CP4I, the UserExternal option is most often used with incoming mTLS connections, to configure the queue manager to define authority records for a user name that is not known to the system.
Reason & Solution
The main reason behind this issue is an additional wrapper: the MQ container's environment variable MQSNOAUT. In the OpenShift web console it is set by default during queue manager creation. This variable decides whether security access checks are enabled or disabled. The setting can be seen in a sample queue manager yaml used during creation, as below:
apiVersion: mq.ibm.com/v1beta1
kind: QueueManager
metadata:
  name: quickstart-cp4i
  annotations:
    com.ibm.mq/write-defaults-spec: 'false'
  namespace: mq-test
spec:
  license:
    accept: true
    license: L-RJON-CD3JKX
    use: NonProduction
  web:
    enabled: true
  template:
    pod:
      containers:
        - env:
            - name: MQSNOAUT
              value: 'yes'
          name: qmgr
  queueManager:
    ini:
      - configMap:
          items:
            - service.ini
          name: service-stanza-configmap
    resources:
      limits:
        cpu: 500m
      requests:
        cpu: 500m
    storage:
      queueManager:
        type: ephemeral
    name: QUICKSTART
  version: 9.3.0.1-r1
If we want to add the Service stanza (SecurityPolicy=UserExternal) to qm.ini, then MQSNOAUT must be removed from the queue manager yaml. More explanation can be found in this link. The altered yaml would look something like the one below:
apiVersion: mq.ibm.com/v1beta1
kind: QueueManager
metadata:
  name: quickstart-cp4i
  annotations:
    com.ibm.mq/write-defaults-spec: 'false'
  namespace: mq-test
spec:
  license:
    accept: true
    license: L-RJON-CD3JKX
    use: NonProduction
  web:
    enabled: true
  queueManager:
    ini:
      - configMap:
          items:
            - service.ini
          name: service-stanza-configmap
    resources:
      limits:
        cpu: 500m
      requests:
        cpu: 500m
    storage:
      queueManager:
        type: ephemeral
    name: QUICKSTART
  version: 9.3.0.1-r1
When the queue manager is created using a yaml similar to the second one above (without MQSNOAUT), it comes up successfully without any pod errors. Please note this is a sample yaml; it must be customized to the environment's needs by adding or removing other sections, entries and storage.
Important points to be kept in mind while achieving this
1) To avoid the error discussed above, do not use the environment variable MQSNOAUT at queue manager creation: remove it from queue_manager.yaml before creating the queue manager.
2) If MQSNOAUT was already set when a queue manager was created, it cannot be disabled afterwards.
3) For testing purposes, it is good to create a queue manager with a different name, following point no. 1.
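Because point 2 makes the mistake irreversible for that queue manager, it is worth catching before `oc apply`. The following is an added example (not code from the original post or from the IBM MQ Operator) of a small pre-deployment lint: it parses the Service stanza from the service.ini text and refuses a QueueManager CR that still carries MQSNOAUT on the qmgr container while SecurityPolicy=UserExternal is configured. It assumes the CR has already been loaded into a Python dict (for example with yaml.safe_load); the sample CR and INI text are constructed for the demonstration.

```python
# Added example: pre-deployment lint for the UserExternal / MQSNOAUT conflict.
# Assumes the QueueManager CR is already loaded into a dict (e.g. yaml.safe_load).

def parse_qmini_stanzas(text):
    """Parse qm.ini style text ('Stanza:' lines followed by Key=Value lines)
    into {stanza: {key: value}}. Blank lines and comments are ignored."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.endswith(":") and "=" not in line:      # stanza header
            current = line[:-1].strip()
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:        # Key=Value inside a stanza
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def qmgr_env(cr):
    """Env list of the 'qmgr' container under spec.template.pod.containers, or []."""
    pod = cr.get("spec", {}).get("template", {}).get("pod", {})
    for container in pod.get("containers") or []:
        if container.get("name") == "qmgr":
            return container.get("env") or []
    return []


def check_userexternal_conflict(cr, service_ini):
    """Return a list of findings; an empty list means the CR is safe to apply."""
    policy = parse_qmini_stanzas(service_ini).get("Service", {}).get("SecurityPolicy")
    mqsnoaut = [e for e in qmgr_env(cr) if e.get("name") == "MQSNOAUT"]
    if policy == "UserExternal" and mqsnoaut:
        return ["SecurityPolicy=UserExternal needs authorization checks, but "
                "MQSNOAUT=%s is set on the qmgr container; remove the env entry "
                "before creating the queue manager (it cannot be disabled later)."
                % mqsnoaut[0].get("value")]
    return []


# Constructed sample inputs (not real cluster data).
SERVICE_INI = "Service:\n   Name=AuthorizationService\n   EntryPoints=14\n   SecurityPolicy=UserExternal\n"
CR_WITH_MQSNOAUT = {"apiVersion": "mq.ibm.com/v1beta1", "kind": "QueueManager",
                    "spec": {"template": {"pod": {"containers": [
                        {"name": "qmgr", "env": [{"name": "MQSNOAUT", "value": "yes"}]}]}}}}
CR_FIXED = {"apiVersion": "mq.ibm.com/v1beta1", "kind": "QueueManager", "spec": {}}

if __name__ == "__main__":
    for label, cr in (("original", CR_WITH_MQSNOAUT), ("fixed", CR_FIXED)):
        print(label, check_userexternal_conflict(cr, SERVICE_INI) or ["OK"])
```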
Note:
In OCP, additional stanzas for qm.ini can be supplied using ConfigMaps. The steps to follow are in the following link: Example for supplying INI to MQ Operator
#IBMMQ