MQ

  • 1.  IBM MQ does not authenticate Linux accounts

    IBM Champion
    Posted Mon March 11, 2024 12:17 PM

    Hello,
    I have an incomprehensible (to me!) problem with an MQ installation, and I'd like your advice.

    - I was given a freshly installed Linux VM (CentOS Stream release 9), which seems to have no special features.
    - I installed an MQ 930.15 from IBM_MQ_9.3.0.15_LNX_X86-64.tar.gz, with the default options.
    (Host Info :- Linux 5.14.0-412.el9.x86_64 (MQ Linux (x86-64 platform) 64-bit)
    - I created a Queue Manager (DCBR01) with the default options
    - I've created a "dcadmin" account, member of the mqm group, with a password.

    vi /etc/passwd
    mqm:x:993:1000::/var/mqm:/bin/bash
    dcadmin:x:1001:1002::/var/mqm:/bin/bash

    vi /etc/group
    mqm:x:1000:dcadmin
    dcadmin:x:1002:

    From my putty session, I can do a su - dcadmin, provide the password, and administer the Queue Manager DCBR01.

    So far, so good.

    If I now use an MQ client from my Windows workstation (MQ 9.3.5.0) :

    set MQCCDTURL=
    set MQSERVER=
    set MQCHLLIB=
    set MQCHLTAB=
    set MQSERVER=DCBR01/TCP/192.xxx.xxx.xxx(15101)
    set MQSAMP_USER_ID=dcadmin
    amqsputc TEST DCBR01

    Sample AMQSPUT0 start
    Enter password: **********
    MQCONNX ended with reason code 2035

    In /var/mqm/qmgrs/FRBRIR01/DCBR01/AMQERR01.LOG, I have :

    --
    03/11/2024 03:54:13 AM - Process(169619.17) User(mqm) Program(amqzlaa0)
                        Host(xxx) Installation(Installation1)
                        VRMF(9.3.0.15) QMgr(DCBR01)
                        Time(2024-03-11T08:54:13.748Z)
                        CommentInsert1(dcadmin)
                        CommentInsert2(J:\MQ935\bin64\amqsputc.exe)
                        CommentInsert3(N/A)

    AMQ5534E: User ID 'dcadmin' authentication failed

    EXPLANATION:
    The user ID and password supplied by the 'J:\MQ935\bin64\amqsputc.exe' program could not be authenticated.
    Additional information: 'N/A'.
    ACTION:
    Ensure that the correct user ID and password are provided by the application.
    Ensure that the authentication repository is correctly configured. Look at previous error messages for any additional information.
    --

    If I run the same test from another Windows workstation (9.3.2.0), I get the same error.

    In the Queue Manager, I have :
    CONNAUTH(SYSTEM.DEFAULT.AUTHINFO.IDPWOS)
    and
    AUTHINFO(SYSTEM.DEFAULT.AUTHINFO.IDPWOS)
      AUTHTYPE(IDPWOS) ADOPTCTX(YES)
      DESCR( ) CHCKCLNT(REQDADM)
      CHCKLOCL(OPTIONAL) FAILDLAY(1)
      AUTHENMD(OS) ALTDATE(2024-03-11)
      ALTTIME(03.00.07)
     
    Other points:
    - If I use the dcadmin account and its password with MQ Console, there is no problem.
    - I get the same error with an account that doesn't belong to the mqm group (but has MQ access rights).
    - I get the same error with MQ Explorer

    I've probably missed something, but what?

    Thanks in advance.



    ------------------------------
    Luc-Michel Demey
    DEMEY CONSULTING
    lmd@demey-consulting.fr
    #IBMChampion
    ------------------------------


  • 2.  RE: IBM MQ does not authenticate Linux accounts

    IBM Champion
    Posted Mon March 11, 2024 12:31 PM

    Since my first message this morning (which took a while to arrive!), we've done a lot of cross-testing and, on the face of it, the mystery has been solved:
    - CentOS Stream release 9 is a "RHEL 9 like".
    - The minimum level of IBM MQ for RHEL 9 is MQ 9.3.5, but I have installed 9.3.0.15

    So the error is "normal". It just lacks a bit of detail in the logs.

    Sorry for the noise.



    ------------------------------
    Luc-Michel Demey
    DEMEY CONSULTING
    lmd@demey-consulting.fr
    #IBMChampion
    ------------------------------



  • 3.  RE: IBM MQ does not authenticate Linux accounts

    Posted Tue March 12, 2024 07:04 PM

    IBM MQ doesn't directly authenticate Linux accounts. Use OS authentication or integrate with LDAP/AD. Verify permissions, check MQ config, review error logs, and test connections. Consider security exits and update to the latest MQ version. Check IBM MQ documentation for details and contact support if needed.



    ------------------------------
    hamd 23
    ------------------------------



  • 4.  RE: IBM MQ does not authenticate Linux accounts

    Posted Wed March 13, 2024 04:58 AM

    Hi Luc-Michel, not sure this one is noise: RHEL 9 is supported with 9.3 LTS from 9.3.0.2 onwards, so 9.3.0.15 should be fine (and it certainly is in the IBM RHEL 9 test environments!).

    The user ID validation is performed by the amqoamax process (or amqoampx if you're using a PAM configuration) - those processes will generate an FDC file for most errors, so worth checking if any were created in the errors directory.

    One common reason for the process to fail to resolve a valid user ID and password is if it cannot run with appropriate authority - it must run as setuid root in order to perform the password check, so one thing to consider is whether the ownership was changed from root, or whether the setuid bit was suppressed. In this case, it would explain why a fresh install of 9.3.5 addressed the issue, as that would reset the ownership and permissions.



    ------------------------------
    Chris Leonard
    ------------------------------
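
Added example (not part of the thread, and not IBM's own tooling): a shell check for the conditions described in the post above, namely that the password-checking helper is owned by root, still carries the setuid bit, and does not sit on a `nosuid` mount, followed by a listing of recent FDC files. The directories `/opt/mqm/bin/security` and `/var/mqm/errors` are assumed defaults for a standard Linux install; the function name `audit_authcheck` and the `MQ_SEC_DIR`/`MQ_ERR_DIR` variables are hypothetical.

```shell
#!/bin/sh
# Added example. Paths are ASSUMED defaults for a Linux install under
# /opt/mqm with data in /var/mqm; override via the environment if needed.
MQ_SEC_DIR="${MQ_SEC_DIR:-/opt/mqm/bin/security}"
MQ_ERR_DIR="${MQ_ERR_DIR:-/var/mqm/errors}"

# Print one line per condition that would stop a password-checking helper
# from running with root authority.
# Returns 0 if nothing was found, 1 on a problem, 2 if the file is missing.
audit_authcheck() {
    f=$1
    problems=0
    if [ ! -f "$f" ]; then
        echo "$f: not found"
        return 2
    fi
    owner=$(stat -c '%U' "$f")
    if [ "$owner" != "root" ]; then
        echo "$f: owner is $owner, expected root"
        problems=1
    fi
    if [ ! -u "$f" ]; then
        echo "$f: setuid bit not set"
        problems=1
    fi
    # A nosuid mount makes the kernel ignore the setuid bit even when set.
    if command -v findmnt >/dev/null 2>&1; then
        opts=$(findmnt -no OPTIONS -T "$f" 2>/dev/null)
        case ",$opts," in
            *,nosuid,*) echo "$f: filesystem is mounted nosuid"; problems=1 ;;
        esac
    fi
    return $problems
}

# amqoamax is the OS check, amqoampx the PAM variant (both named in the thread).
for name in amqoamax amqoampx; do
    audit_authcheck "$MQ_SEC_DIR/$name" || true
done

# Most recent FDC files, if the failing check produced any.
ls -lt "$MQ_ERR_DIR"/*.FDC 2>/dev/null | head -n 5
```

No output from the loop means both helpers passed all three checks.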



  • 5.  RE: IBM MQ does not authenticate Linux accounts

    IBM Champion
    Posted Wed March 13, 2024 07:08 AM

    Hi Chris,

    Here is a summary of the operations carried out on CentOS Stream release 9:
    - Installation of MQ 9.3.0.0 (IBM_MQ_9.3_LINUX_X86-64.tar.gz)
    - Installation of FixPack 11 (9.3.0-IBM-MQ-LinuxX64-FP0011.tar.gz)
    - Creation of the Queue Manager
    - Injection of MQSC configuration scripts

    At this stage, I noticed the Linux account authentication issues. 

    Next : 
    - Installation of FixPack 16 (9.3.0-IBM-MQ-LinuxX64-FP0016.tar.gz)
    - The problems are still present

    Next:
    - Remove the MQ binaries
    - Remove /var/mqm
    - Delete the mqm account and group
    - Reboot the VM
    - Install MQ 9.3.0.15 (IBM_MQ_9.3.0.15_LNX_X86-64.tar.gz)
    - Creation of the Queue Manager
    - Injection of MQSC configuration scripts

    The problems are still present.

    Then :
    - Re-installation of VMs with Red Hat Enterprise Linux release 8.9
    - Installation of MQ 9.3.0.15 (IBM_MQ_9.3.0.15_LNX_X86-64.tar.gz)
    - Creation of the Queue Manager
    - Injection of MQSC configuration scripts

    Problem solved.

    I've seen that CentOS versions are now a little ahead of RHEL versions.
    It is possible that in CentOS Stream release 9 there is a particular feature that causes problems with MQ 9.3.0.x.
    In any case, CentOS is not one of the officially supported distributions (even if it's the first one I've had a problem with).



    ------------------------------
    Luc-Michel Demey
    DEMEY CONSULTING
    lmd@demey-consulting.fr
    #IBMChampion
    ------------------------------



  • 6.  RE: IBM MQ does not authenticate Linux accounts

    Posted Thu March 14, 2024 08:57 AM

    Hi Luc-Michel, thanks for sharing the background.

    I'm not sure how much it helps, but I tried your steps on a CentOS 9 machine here, and I was able to successfully authenticate a local user. For reference, my machine's config is:

    []$ cat /etc/os-release
    NAME="CentOS Stream"
    VERSION="9"
    ID="centos"
    ID_LIKE="rhel fedora"
    VERSION_ID="9"
    PLATFORM_ID="platform:el9"
    PRETTY_NAME="CentOS Stream 9"
    ANSI_COLOR="0;31"
    LOGO="fedora-logo-icon"
    CPE_NAME="cpe:/o:centos:centos:9"
    HOME_URL="https://centos.org/"
    BUG_REPORT_URL="https://bugzilla.redhat.com/"
    REDHAT_SUPPORT_PRODUCT="Red Hat Enterprise Linux 9"
    REDHAT_SUPPORT_PRODUCT_VERSION="CentOS Stream"


    []$ uname -a
    Linux [host] 5.14.0-419.el9.x86_64 #1 SMP PREEMPT_DYNAMIC Wed Feb 7 23:01:41 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux



    ------------------------------
    Chris Leonard
    ------------------------------



  • 7.  RE: IBM MQ does not authenticate Linux accounts

    IBM Champion
    Posted Wed March 13, 2024 05:53 AM

    Hi Luc-Michel,

    If you are using the PAM module in Linux (Pluggable Authentication Module), don't forget to change the queue manager's authentication record to AUTHENMD(PAM) and then run REFRESH SECURITY TYPE(CONNAUTH).

    Hope this helps



    ------------------------------
    Francois Brandelik
    ------------------------------