MQ

 View Only
Expand all | Collapse all

cobol with the mqconnx api passing a user name and password..

  • 1.  cobol with the mqconnx api passing a user name and password..

    Posted Tue September 14, 2021 12:56 PM
    I am trying to connect to IBM MQ with the mqconnx api.  Before the user id and password needed to be validated by MQ, it was working perfectly.  I can see my pointers are being setup correctly but it still gives a 2035 error on connection..

    I am using acucobol.

    ------------------------------
    Christine Tod
    ------------------------------


  • 2.  RE: cobol with the mqconnx api passing a user name and password..

    IBM Champion
    Posted Tue September 14, 2021 06:24 PM
    Edited by Morag Hughson Wed September 15, 2021 12:11 AM

    You should probably show us a snippet of your code so we can help you find the problem. However, first guess, did you set the MQCSP_AUTH_USER_ID_AND_PWD flag in the MQCSP structure?

    Also, you should probably show us what your error log has to say on the matter, AMQERR01.LOG on distributed platforms or the MSTR joblog on z/OS.

    Cheers,
    Morag



    ------------------------------
    Morag Hughson
    MQ Technical Education Specialist
    MQGem Software Limited
    Website: https://www.mqgem.com
    ------------------------------



  • 3.  RE: cobol with the mqconnx api passing a user name and password..

    Posted Wed September 15, 2021 01:09 AM
    thank you for your response.  I am very new at forums so thank you for your assistance.
    Below is my copy element for connecting.  It works perfectly on a queue that does not expect a user name and password.
    If I display my pointers I do have valid 32 bit values.  

    MQCONNX.


    SET CONFIGURATION "DLL-CONVENTION" TO "1".

    $ GET MQS-RECORD NOLOCK .

    MOVE MQCSP-AUTH-USER-ID-AND-PWD TO
    MQCSP-AUTHENTICATIONTYPE.


    MOVE MQCNO-VERSION-5 TO MQCNO-VERSION.



    SET MQCSP-CSPUSERIDPTR TO ADDRESS OF MQS-USER.

    SET MQCSP-CSPPASSWORDPTR TO ADDRESS OF MQS-PWD.



    MOVE 0 TO W-CHARS.

    INSPECT MQS-USER TALLYING W-CHARS
    FOR CHARACTERS BEFORE INITIAL SPACE .

    MOVE W-CHARS TO MQCSP-CSPUSERIDLENGTH .


    MOVE 0 TO W-CHARS.

    INSPECT MQS-PWD TALLYING W-CHARS
    FOR CHARACTERS BEFORE INITIAL SPACE.

    MOVE W-CHARS TO MQCSP-CSPPASSWORDLENGTH.

    SET MQCNO-SECURITYPARMSPTR TO ADDRESS OF SECOPTIONS.

    MOVE MQCC-OK TO COMPLETION-CODE.
    MOVE MQRC-NONE TO CON-REASON.


    CALL "MQCONNX" USING
    MQS-QM,
    BY REFERENCE CONNECTOPTS
    BY REFERENCE HCONN ,
    COMPLETION-CODE, CON-REASON
    ON EXCEPTION MOVE "Z001" TO ERR--PARAM
    MOVE "CONNECTION ERROR" TO ERR--EXTRA
    PERFORM ERR--HANDLER.



    IF COMPLETION-CODE IS EQUAL TO MQCC-FAILED
    MOVE CON-REASON TO W-RETURN
    STRING "MQCONNX ended with reason code "
    W-RETURN INTO W-TEXT
    PERFORM ERR-MSG
    GOBACK
    END-IF.

    MQCONNX-EXIT.
    EXIT.

    ------------------------------
    Christine Tod
    ------------------------------



  • 4.  RE: cobol with the mqconnx api passing a user name and password..

    IBM Champion
    Posted Wed September 15, 2021 01:28 AM
    Edited by Morag Hughson Wed September 15, 2021 01:56 AM

    When you say "it works perfectly on a queue [manager] that does not expect a user name and password" do, you mean when nothing is checking the user ID and password at all? Or do you mean when the queue manager is configured to use CHCKCLNT(OPTIONAL) it works?

    Please can you show us what your <MQ_DATA_PATH>/qmgrs/<QM-name>/errors/AMQERR01.LOG says at the time of the failure please?

    Also could you share with us the output of the following two MQSC commands on your queue manager:

    DISPLAY QMGR CONNAUTH

    DISPLAY AUTHINFO(name-output-on-above-command) ALL

    Cheers,
    Morag



    ------------------------------
    Morag Hughson
    MQ Technical Education Specialist
    MQGem Software Limited
    Website: https://www.mqgem.com
    ------------------------------



  • 5.  RE: cobol with the mqconnx api passing a user name and password..

    Posted Wed September 15, 2021 01:54 AM

    Please can you show us what your <MQ_DATA_PATH>/qmgrs/<QM-name>/errors/AMQERR01.LOG says at the time of the failure please?   Would this be on the server or the client?  I only have limited access to the client side and nothing on the server - I would need to request this then..

    Also could you share with us the output of the following two MQSC commands on your queue manager:

    DISPLAY QMGR CONNAUTH

    DISPLAY AUTHINFO(name-output-on-above-command) ALL

    Where would I do this from or should I request from IT..




    ------------------------------
    Christine Tod
    ------------------------------



  • 6.  RE: cobol with the mqconnx api passing a user name and password..

    IBM Champion
    Posted Wed September 15, 2021 02:00 AM

    Looks like you found the error log since you posted us an example (albeit a rather old example).

    If you don't have administrative access to the queue manager in question, then yes, you would need to ask someone who does, to run those commands. They can type them into the runmqsc tool, or other equivalent MQ admin tool.

    Cheers,
    Morag



    ------------------------------
    Morag Hughson
    MQ Technical Education Specialist
    MQGem Software Limited
    Website: https://www.mqgem.com
    ------------------------------



  • 7.  RE: cobol with the mqconnx api passing a user name and password..

    Posted Wed September 15, 2021 01:45 AM
    This is the error detail supplied by IBM admin user..


    ------------------------------
    Christine Tod
    ------------------------------



  • 8.  RE: cobol with the mqconnx api passing a user name and password..

    IBM Champion
    Posted Wed September 15, 2021 01:56 AM

    One thing that error message immediately shows is that the queue manager does not believe that it has received a user id in the MQCSP block.

    Is 'flexapp' the user ID under which you are running the application? Can we assume this is a client connected application since we can see it is Program(amqrmppa) in your error message?

    Is this the most recent error you have for this problem? I ask because the date on the error message is over two weeks ago?

    While I am by no means a COBOL expert, the code you have shown looks correct from an MQ perspective, although I did wonder about this line:-

    SET MQCNO-SECURITYPARMSPTR TO ADDRESS OF SECOPTIONS.

    since I couldn't see in the snippet you have supplied, what SECOPTIONS was? It is named plausibly to be the MQCSP block.

    You've said that you have displayed your pointers and they appear to be valid 32bit values. Is that also true of the MQCNO-SECURITYPARMSPTR. Have you also checked that the lengths look valid?

    Cheers,
    Morag



    ------------------------------
    Morag Hughson
    MQ Technical Education Specialist
    MQGem Software Limited
    Website: https://www.mqgem.com
    ------------------------------



  • 9.  RE: cobol with the mqconnx api passing a user name and password..

    Posted Wed September 15, 2021 02:55 AM

    One thing that error message immediately shows is that the queue manager does not believe that it has received a user id in the MQCSP block.  – this seems be be the issue

    Is 'flexapp' the user ID under which you are running the application? Can we assume this is a client connected application since we can see it is Program(amqrmppa) in your error message?

    I am connecting from a client on a Linux machine.  Flexapp is the user name provided by IT(all lowercase).

    Is this the most recent error you have for this problem? I ask because the date on the error message is over two weeks ago?  I have been trying so many options with the same result..

    While I am by no means a COBOL expert, the code you have shown looks correct from an MQ perspective, although I did wonder about this line:-

    SET MQCNO-SECURITYPARMSPTR TO ADDRESS OF SECOPTIONS.
    SECOPTIONS is the 01 level for the MSCP record layout..
     
          * Connection options
           01 CONNECTOPTS.
               COPY CMQCNOV.CPY.
    *************MQCNO
     
     
          *  Security Options
           01 SECOPTIONS.
               COPY CMQCSPV.CPY.
    **********MQSP
     

    since I couldn't see in the snippet you have supplied, what SECOPTIONS was? It is named plausibly to be the MQCSP block.   These are displays of my pointers.  They do change each time I recompile my programs.

     
     
     
     
     

    You've said that you have displayed your pointers and they appear to be valid 32bit values. Is that also true of the MQCNO-SECURITYPARMSPTR. Have you also checked that the lengths look valid?

     

     

    Sent from Mail for Windows

     






  • 10.  RE: cobol with the mqconnx api passing a user name and password..

    IBM Champion
    Posted Wed September 15, 2021 03:10 AM

    You say, "Flexapp is the user name provided by IT(all lowercase)". Do you mean that it is the user ID you are putting into the MQCSP block, or do you mean that it is the user ID on your Linux box that is the MQ client in this situation, and under which you are running your MQ program, i.e. your Linux logon?

    I would expect your pointer values might change every time you run your program even without recompiling it. The fact that they change is not a cause for concern.

    Have you also checked the lengths are valid too?

    You say, "I have been trying so many options with the same result," as a reason for showing us a 2 week old error message. Be aware that the reason code 2035 that the queue manager can return you, would happen for many different possibilities from the MQ application. It is possibly, and deliberately, the least helpful MQ Reason code there is, because the queue manager does not want to give a hacker any assistance in working out how he might manage to break in. It would be very useful to see an example of an error message from your most recent failure, since that would align with the code we are also looking at. Also, be aware, that there could be 3 or 4 related error messages one after the other for failures from user ID and password checking, so make sure your queue manager administrator gives you all of the pertinent information.

    Cheers,
    Morag



    ------------------------------
    Morag Hughson
    MQ Technical Education Specialist
    MQGem Software Limited
    Website: https://www.mqgem.com
    ------------------------------



  • 11.  RE: cobol with the mqconnx api passing a user name and password..

    Posted Wed September 15, 2021 03:17 AM

    I was given the user id of flexapp to use for MQ specifically.  I have a different Linux user name.

    I am moving this andt the password via the pointer to MQCSP..

    Glad to know my pointers are correct as I have not used these before.

     

    I will setup a new test with the MQ administrators and do displays of all data as I run.

     

     

    Sent from Mail for Windows

     






  • 12.  RE: cobol with the mqconnx api passing a user name and password..

    IBM Champion
    Posted Wed September 15, 2021 03:24 AM

    Ok - I'll look forward to hearing the results and seeing more recent error messages.

    It is very odd to hear that the user id 'flexapp' is the one that you are moving into the MQCSP block, since the error message you have shown us says:-

    The call to initialize the User ID 'flexapp' failed with CompCode 2 and Reason 2035. If an MQCSP block was used, the User ID in the MQCSP block was ''. If a userID flow was used, the User ID in the UID header was '' ......

    It is weird that the queue manager knows about the user id 'flexapp' and yet it did not learn about it through the MQCSP block. Is it possible that this user ID is also used somewhere else, for example in a CHLAUTH rule or hard-coded in an MCAUSER on the SVRCONN? You may need to ask your queue manager administrator this question.

    Cheers,
    Morag



    ------------------------------
    Morag Hughson
    MQ Technical Education Specialist
    MQGem Software Limited
    Website: https://www.mqgem.com
    ------------------------------



  • 13.  RE: cobol with the mqconnx api passing a user name and password..

    Posted Wed September 15, 2021 11:35 AM

     

    I thought the same thing but this is my first project with MQ and the answer I got was that it was expecting flexapp for that queue manger and I was passing spaces.

     

    Will try to get a response to the second question..

     

    Sent from Mail for Windows

     






  • 14.  RE: cobol with the mqconnx api passing a user name and password..

    Posted Thu September 16, 2021 02:28 PM

     

    Hi

     

    Our MQ administrator changed the implementation to use a .TAB with all the parameters in but encrypted and the mqqcred.ini file and this has worked.  Thank you all for your assistance with this.  I was going crazy and needed some other thoughts to go forward.

    Sent from Mail for Windows

     






  • 15.  RE: cobol with the mqconnx api passing a user name and password..

    Posted Wed September 15, 2021 01:58 AM

    When you say "it works perfectly on a queue [manager] that does not expect a user name and password" do, you mean when nothing is checking the user ID and password at all? Or do you mean when the queue manager is configured to use CHCKCLNT/LOCL(OPTIONAL) it works?

    There are 3 servers involved.
    The test one is setup to work without user id and password - so my programs worked perfectly.

    The second server and third servers are for QA and PROD.  These both require user ids and passwords.
    I have not tried PROD yet as I do not queue details.  QA - gives 2035 error as per previous post.




    ------------------------------
    Christine Tod
    ------------------------------