MQ

 View Only
  • 1.  Authentication Compatibility Mode with .NET Client

    Posted Fri November 26, 2021 10:33 AM
    Hello,

    I'm pretty new to MQ, but I'm trying to connect to a queue manager that's using compatibility mode with the .NET client. Trying to set the USE_MQCSP_AUTHENTICATION_PROPERTY to false in the connection properties I'm passing to MQQueueManager, but it's not working. Looking at the .NET client docs for the MQQueueManager class, USE_MQCSP_AUTHENTICATION_PROPERTY is not one of the properties of MQEnvironment that MQQueueManager overrides. 

    Any Ideas on getting past the 2035 error on .net client with queue manager that requires authentication compatibility mode?

    Thanks for any assistance.

    ------------------------------
    Xing Liu
    ------------------------------


  • 2.  RE: Authentication Compatibility Mode with .NET Client

    Posted Fri November 26, 2021 10:13 PM

    The only reason I can think of that a queue manager would require you to use compatibility mode for authentication is if you have a security exit installed on the queue manager that is checking the user id and password. If this is your situation, then you will need to look at whatever output your security exit writes out to figure out what is is complaining about.

    Alternatively, if you do not have a security exit, then we might be able to assist you with understanding the 2035 error, if you can show us what is written in the queue manager's AMQERR01.LOG about the error.

    Cheers,
    Morag



    ------------------------------
    Morag Hughson
    MQ Technical Education Specialist
    MQGem Software Limited
    Website: https://www.mqgem.com
    ------------------------------



  • 3.  RE: Authentication Compatibility Mode with .NET Client

    Posted Sat December 04, 2021 01:11 AM

    Hi Morag,

    Thank you so much for responding. I've been attempting to get the logs from the vendor, and they are not being helpful. I am able to successfully connect via MQ Explorer with my AIX user ID and password by checking the "User Identification Compatibility Mode" checkbox. Are you familiar with how I would replicate that behavior? 

    As back story, I took over managing data transfer operations for a system that processes insurance claims and uses MQ for all it's inbound and outbound transactions. The process their implementation team left in place was to install MQ Visual Edit (basically MQ Explorer) on workstations, and manually copy and paste inbound and outbound files from their queues. Our analysts spend hours of their time every day searching for messages in a glorified version MQ Explorer, copying the message to a text file, then manually naming and saving files to folders where processes in our windows environment can pick them up. When I sent them the ticket requesting logs, their response was to try MQ Visual Edit, so not upbeat about getting any helpful response. 

    Any clue about what to try next would be infinitely appreciated.



    ------------------------------
    Xing Liu
    ------------------------------



  • 4.  RE: Authentication Compatibility Mode with .NET Client

    Posted Sat December 04, 2021 01:47 AM
    Both MQ Explorer and MQ Visual Efit are client connected applications and will not be able to let you view a file on the server where the queue manager is running. In your ticket, tell them you need some one with a server login to get onto the box and look in the qmgr errors directory for the file AMQERR01.LOG.

    In the mean time, the first thing I would be trying are these tests.

    1. If I put in a deliberately incorrect password does it fail. This tests whether there really is something checking the password queue manager side.
    2. If I turn off compatibility mode in MQ Explorer and use my correct password, does it still work. If the queue manager,  rather than a security exit, is doing the checking, compatibility mode should make no difference. 
    Let me know your results and we can try to go from there.

    Cheers,
    Morag

    ------------------------------
    Morag Hughson
    MQ Technical Education Specialist
    MQGem Software Limited
    Website: https://www.mqgem.com
    ------------------------------



  • 5.  RE: Authentication Compatibility Mode with .NET Client

    Posted Sat December 04, 2021 01:50 AM
    One other question. When you run the problematic application,  are the user you run under on the client box and the user you supply with the password the same? That is the other way Java compatibility mode differs.

    ------------------------------
    Morag Hughson
    MQ Technical Education Specialist
    MQGem Software Limited
    Website: https://www.mqgem.com
    ------------------------------



  • 6.  RE: Authentication Compatibility Mode with .NET Client

    Posted Mon December 06, 2021 06:07 PM
    Since you are new to the world of IBM MQ, I would suggest you read the IBM MQ Primer (RedBook).  I have posted the original IBM MQ Primer and the updated version on my web site at: https://capitalware.com/library_wmq.html#MQRedbooks  Secondly, you may want to take a course on IBM MQ.  There are several companies that offer IBM MQ education including MQGem (Note: Morag knows her shit inside and out!).

    A quick recap:
    • MQ Explorer is an IBM supplied tool for MQ administration
    • Capitalware's MQ Visual Edit is an MQ message editing tool (no administration ability)

    Note: Both MQ Explorer and MQ Visual Edit are Java applications.  Note: I will explain why this is important in a moment.

    IBM MQ has a few quirks that you will probably need to learn the hard way, so, I'll try to go over the security quirks here.

    • Java & Java/JMS applications allow you to set the UserId that the applications is running under (aka runtime UserId).  Note: This can be the same or different than the credentials (UserId & Password) that are used by the queue manager or security exit for authentication.
    • C/C++/COBOL and .NET uses the UserId that the application is running under (aka runtime UserId).  You cannot override this!!  Note: You can set the authentication credentials (UserId & Password) that are used by the queue manager or security exit for authentication but this has NO bearing on the setting of the runtime UserId.

    So, from what I can gather, your queue manager is not performing authentication or only performing authentication against administrative UserIds (i.e. UserIds in the mqm group).

    Now to your problem:  Your Windows UserId is NOT the same as your AIX UserId.  Correct?  Hence, when you run your .NET application, and disable authentication (setting USE_MQCSP_AUTHENTICATION_PROPERTY to false), the MQ client library will be using your Windows UserId (runtime) for authorization checks (permission checks).  But your Windows Userid is not known to the AIX server, hence, MQ will return not authorized (RC of 2035).

    So, how do you get around this issue?  You have several options.

    1. Have the MQAdmin turn on authentication for the channel you are using and set the queue manager's  AdoptCTX to Yes. In your program, you set USE_MQCSP_AUTHENTICATION_PROPERTY to true and set your credentials (UserId & Password).  Once, authentication is successful, because ADOPTCTX is set to Yes, the queue manager will use the credential UserId and not the runtime UserId for authorization checks.
    2. Get your Windows UserId added to the AIX server and have the appropriate MQ permissions added to your Windows UserId.
    3. Have the MQAdmin create a separate channel for you and then set your AIX UserId in the channel's MCAUSER field.
    4. On Windows, use the Windows runas command but this means adding your AIX UserId to your Windows PC.

    You said that the AIX queue manager is managed by a vendor, so they may not want to do options 2 & 3.  You may convince them to do option # 1. If not, that leaves option #4.  Option # 4 is not difficult, I do it all the time, but you need administrative privileges on your PC to create your AIX UserId.

    If you have never used the Windows runas command, you can use it from Windows Explorer or from the Command Line.  Here is a great article on how to use the Windows runas command in the various ways:  http://woshub.com/run-program-as-different-user-windows/

    ​​Hope that helps.

    later
    Roger
    ​​

    ------------------------------
    Roger Lacroix
    CTO
    Capitalware Inc.
    London ON Canada
    https://capitalware.com
    ------------------------------