  • 1.  Fetching queues using rfhutilc

    Posted Mon May 23, 2022 11:03 AM
    Hi All, 

    I am facing an issue (Error Getting queues) while loading queues with rfhutilc. I am passing a valid connection string, and with the same connection string I can connect to MQ Explorer but can't load queues in rfhutilc.

    Can someone please help me.


    Regards,





  • 2.  RE: Fetching queues using rfhutilc

    Posted Mon May 23, 2022 11:29 AM
    Is there any security enabled? Have you configured TLS? Are you using MQCHLTAB?
    Are there any errors in the queue manager log or in rfhutil?
    Regards,
    Rab.

    ------------------------------
    Rab McGill
    ------------------------------



  • 3.  RE: Fetching queues using rfhutilc

    Posted Tue May 24, 2022 06:56 AM
    MQ configuration is done by some other team and what is MQCHLTAB?
    How to check security?





  • 4.  RE: Fetching queues using rfhutilc

    Posted Tue May 24, 2022 07:26 AM
    If you connect OK with MQ Explorer you can check if you are using SSL/TLS. In MQ Explorer look at the channel definition of the channel you are using to connect to the queue manager. Double click it for the properties and look at the SSL section. Is there a cipher defined? Is there a certificate defined?
    Do you need to enter a userid/password when you connect to the queue manager?

    MQCHLIB is a table that holds connection info that you can point to, to save you typing it in.

    Can you reach out to your MQ admin for assistance?

    There is a user document - 
    https://github.com/ibm-messaging/mq-rfhutil/blob/master/ih03.pdf

    Regards,
    Rab.

    ------------------------------
    Rab McGill
    ------------------------------



  • 5.  RE: Fetching queues using rfhutilc

    Posted Tue May 24, 2022 09:13 AM
    Thank you Rab for reverting,

    Yes we connect to MQ using mqm username and password.

    MQCHLIB info is not shared with us.

    How to use MQCHLIB for connectivity to rfhutilc?


    I don't see SSL property set up at channel level but I could see SSL property set up at QM level; they have mentioned SSL repository location and certificate label at QM level.


    MQ setup is done by another team and I am an IIB developer, and not getting enough support from MQ Admin team.


    Regards,





  • 6.  RE: Fetching queues using rfhutilc

    Posted Tue May 24, 2022 09:24 AM
    Hi Rab,

    There is no SSL setup at channel level but I could see the same at QM level.


    No info was shared for MQCHLTAB and due to restrictions, we can't access QM logs.

    All I could see is the error msg in rfhutilc:


    Error getting queue names.

    We are connected via Citrix from my machine to the client desktop and I am using rfhutilc from Windows to connect to the remote QM.

    One more person tried to connect to the same QM using rfhutilc; for him the error msg is

    2035 Not Authorized(connect)


    But he is sitting directly in the client environment and accessing rfhutilc from some jump server.


    Regards








  • 7.  RE: Fetching queues using rfhutilc

    InnerCircle
    Posted Tue May 24, 2022 06:35 AM
    Try entering a specific queue and connect; is that working?

    ------------------------------
    om prakash
    WI
    ------------------------------



  • 8.  RE: Fetching queues using rfhutilc

    Posted Tue May 24, 2022 06:55 AM
    Even after entering a specific queue it wasn't working.







  • 9.  RE: Fetching queues using rfhutilc

    IBM Champion
    Posted Tue May 24, 2022 03:04 PM
    > Yes we connect to Mq using mqm username and password.

    Not to be harsh, but that is a bad, bad idea.  Nobody should be connecting to a remote queue manager with mqm credentials, not even MQAdmins!!!  If you want "mqm" privileges then have your UserId put into the mqm group.

    Now to your problem.

    - MQ Explorer is a Java application which has different security privileges related to the UserId.
    - RfhUtilc is a C++ (i.e. native) application.  All native applications have restricted security privileges as it relates to the UserId.

    Yes, I know that sounds weird but it is true.

    So, it sounds like you have CONNAUTH enabled which is good. 

    (1) When you send your credentials to MQ, it is done using the MQCSP structure for all types of applications.
    (2) Your local UserId is also sent to the queue manager in a field called RemoteUserId.

    So, let's say your local UserId that you are logged into Windows with is "surbhi".

    - When you use MQ Explorer to connect to the remote queue manager using the mqm credentials, MQ Explorer sets those values in the MQCSP structure and sets the RemoteUserId to be "mqm" when making the connection.

    - When you use RfhUtilc (client version) to connect to the remote queue manager using the mqm credentials, RfhUtilc sets those values in the MQCSP structure and the MQ Client library (not RfhUtilc) sets the RemoteUserId to be "surbhi" when making the connection.

    Therefore, while "mqm" will have permission to everything, I'm going to guess that UserId "surbhi" does not have permission, hence, that is why you are getting 2035 (not authorized) reason code.

    You could ask your MQAdmin to use the "AdoptCTX" option to force the queue manager to use the UserId from the MQCSP structure for future permission checks.  You can read more about it here:
    - https://www.ibm.com/docs/en/ibm-mq/latest?topic=users-identifying-authenticating-using-mqcsp-structure
    - https://www.ibm.com/docs/en/ibm-mq/latest?topic=authentication-connection-configuration

    Hope that helps.

    later
    Roger

    ------------------------------
    Roger Lacroix
    CTO
    Capitalware Inc.
    London ON Canada
    https://capitalware.com
    ------------------------------
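
The queue manager settings behind the CONNAUTH and AdoptCTX behaviour described in the last reply, as an added MQSC sketch for the MQ administrator; it is not from the original thread. The AUTHINFO object name is the default one and is an assumption, and `appuser` and `APP.REQUEST.QUEUE` are hypothetical names.

```mqsc
* Added example. Run in runmqsc on the queue manager as an MQ administrator.

* 1. Find the AUTHINFO object used for connection authentication.
*    An empty CONNAUTH value means connection authentication is switched off.
DISPLAY QMGR CONNAUTH

* 2. Inspect it. The object name below is the default one (assumption);
*    substitute the name returned by step 1.
DISPLAY AUTHINFO(SYSTEM.DEFAULT.AUTHINFO.IDPWOS) AUTHTYPE ADOPTCTX CHCKCLNT

* 3. ADOPTCTX(NO):  the user ID and password in MQCSP are only authenticated;
*                   authorization checks run against the channel's user ID,
*                   which for a native client is the locally logged-on user
*                   unless the channel definition or a CHLAUTH rule overrides it.
*    ADOPTCTX(YES): the authenticated MQCSP user ID is adopted as the
*                   connection's identity for all later authorization checks.
ALTER AUTHINFO(SYSTEM.DEFAULT.AUTHINFO.IDPWOS) AUTHTYPE(IDPWOS) ADOPTCTX(YES)

* 4. The change takes effect only after the security cache is refreshed.
REFRESH SECURITY TYPE(CONNAUTH)

* 5. Rather than sharing mqm credentials, give a dedicated ID only the
*    authorities it needs. 'appuser' and APP.REQUEST.QUEUE are hypothetical.
*    These grants cover connecting and using one queue, nothing more.
SET AUTHREC OBJTYPE(QMGR) PRINCIPAL('appuser') AUTHADD(CONNECT, INQ)
SET AUTHREC PROFILE('APP.REQUEST.QUEUE') OBJTYPE(QUEUE) +
    PRINCIPAL('appuser') AUTHADD(PUT, GET, BROWSE, INQ)

* 6. Confirm what the ID has been granted.
DISPLAY AUTHREC PRINCIPAL('appuser')
```

With ADOPTCTX(YES) in place, a 2035 on connect points at the authorities of the MQCSP user ID or at a CHLAUTH rule, not at the Windows logon ID of the person running the client.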