MQ

Hello,
I have an incomprehensible (to me!) problem with an MQ installation, and I'd like your advice.

- I was given a freshly installed Linux VM (CentOS Stream release 9), which seems to have no special features.
- I installed an MQ 930.15 from IBM_MQ_9.3.0.15_LNX_X86-64.tar.gz, with the default options.
(Host Info :- Linux 5.14.0-412.el9.x86_64 (MQ Linux (x86-64 platform) 64-bit)
- I created a Queue Manager (DCBR01) with the default options
- I've created a "dcadmin" account, member of the mqm group, with a password.

vi /etc/passwd
mqm:x:993:1000::/var/mqm:/bin/bash
dcadmin:x:1001:1002::/var/mqm:/bin/bash

vi /etc/group
mqm:x:1000:dcadmin
dcadmin:x:1002:

From my putty session, I can do a su - dcadmin, provide the password, and administer the Queue Manager DCBR01.

So far, so good.

If I now use an MQ client from my Windows workstation (MQ 9.3.5.0) :

set MQCCDTURL=
set MQSERVER=
set MQCHLLIB=
set MQCHLTAB=
set MQSERVER=DCBR01/TCP/192.xxx.xxx.xxx(15101)
set MQSAMP_USER_ID=dcadmin
amqsputc TEST DCBR01

Sample AMQSPUT0 start
Enter password: **********
MQCONNX ended with reason code 2035

In /var/mqm/qmgrs/FRBRIR01/DCBR01/AMQERR01.LOG, I have :

--
03/11/2024 03:54:13 AM - Process(169619.17) User(mqm) Program(amqzlaa0)
                    Host(xxx) Installation(Installation1)
                    VRMF(9.3.0.15) QMgr(DCBR01)
                    Time(2024-03-11T08:54:13.748Z)
                    CommentInsert1(dcadmin)
                    CommentInsert2(J:\MQ935\bin64\amqsputc.exe)
                    CommentInsert3(N/A)

AMQ5534E: User ID 'dcadmin' authentication failed

EXPLANATION:
The user ID and password supplied by the 'J:\MQ935\bin64\amqsputc.exe' program could not be authenticated.
Additional information: 'N/A'.
ACTION:
Ensure that the correct user ID and password are provided by the application.
Ensure that the authentication repository is correctly configured. Look at previous error messages for any additional information.
--

If I run the same test from another Windows workstation (9.3.2.0), I get the same error.

In the Queue Manager, I have :
CONNAUTH(SYSTEM.DEFAULT.AUTHINFO.IDPWOS)
and
AUTHINFO(SYSTEM.DEFAULT.AUTHINFO.IDPWOS)
  AUTHTYPE(IDPWOS) ADOPTCTX(YES)
  DESCR( ) CHCKCLNT(REQDADM)
  CHCKLOCL(OPTIONAL) FAILDLAY(1)
  AUTHENMD(OS) ALTDATE(2024-03-11)
  ALTTIME(03.00.07)
 
Other points:
- If I use the dcadmin account and its password with MQ Console, there is no problem.
- I get the same error with an account that doesn't belong to the mqm group (but has MQ access rights).
- I get the same error with MQ Explorer

I've probably missed something, but what?

Thanks in advance.

Since my first message this morning (which took a while to arrive!), we've done a lot of cross-testing and, on the face of it, the mystery has been solved:
- CentOS Stream release 9 is a "RHEL 9 like".
- The minimum level of IBM MQ for RHEL 9 is MQ 9.3.5, but I have installed 9.3.0.15

So the error is "normal". It just lacks a bit of detail in the logs.

Sorry for the noise.

Hello,
I have an incomprehensible (to me!) problem with an MQ installation, and I'd like your advice.

- I was given a freshly installed Linux VM (CentOS Stream release 9), which seems to have no special features.
- I installed an MQ 930.15 from IBM_MQ_9.3.0.15_LNX_X86-64.tar.gz, with the default options.
(Host Info :- Linux 5.14.0-412.el9.x86_64 (MQ Linux (x86-64 platform) 64-bit)
- I created a Queue Manager (DCBR01) with the default options
- I've created a "dcadmin" account, member of the mqm group, with a password.

vi /etc/passwd
mqm:x:993:1000::/var/mqm:/bin/bash
dcadmin:x:1001:1002::/var/mqm:/bin/bash

vi /etc/group
mqm:x:1000:dcadmin
dcadmin:x:1002:

From my putty session, I can do a su - dcadmin, provide the password, and administer the Queue Manager DCBR01.

So far, so good.

If I now use an MQ client from my Windows workstation (MQ 9.3.5.0) :

set MQCCDTURL=
set MQSERVER=
set MQCHLLIB=
set MQCHLTAB=
set MQSERVER=DCBR01/TCP/192.xxx.xxx.xxx(15101)
set MQSAMP_USER_ID=dcadmin
amqsputc TEST DCBR01

Sample AMQSPUT0 start
Enter password: **********
MQCONNX ended with reason code 2035

In /var/mqm/qmgrs/FRBRIR01/DCBR01/AMQERR01.LOG, I have :

--
03/11/2024 03:54:13 AM - Process(169619.17) User(mqm) Program(amqzlaa0)
                    Host(xxx) Installation(Installation1)
                    VRMF(9.3.0.15) QMgr(DCBR01)
                    Time(2024-03-11T08:54:13.748Z)
                    CommentInsert1(dcadmin)
                    CommentInsert2(J:\MQ935\bin64\amqsputc.exe)
                    CommentInsert3(N/A)

AMQ5534E: User ID 'dcadmin' authentication failed

EXPLANATION:
The user ID and password supplied by the 'J:\MQ935\bin64\amqsputc.exe' program could not be authenticated.
Additional information: 'N/A'.
ACTION:
Ensure that the correct user ID and password are provided by the application.
Ensure that the authentication repository is correctly configured. Look at previous error messages for any additional information.
--

If I run the same test from another Windows workstation (9.3.2.0), I get the same error.

In the Queue Manager, I have :
CONNAUTH(SYSTEM.DEFAULT.AUTHINFO.IDPWOS)
and
AUTHINFO(SYSTEM.DEFAULT.AUTHINFO.IDPWOS)
  AUTHTYPE(IDPWOS) ADOPTCTX(YES)
  DESCR( ) CHCKCLNT(REQDADM)
  CHCKLOCL(OPTIONAL) FAILDLAY(1)
  AUTHENMD(OS) ALTDATE(2024-03-11)
  ALTTIME(03.00.07)
 
Other points:
- If I use the dcadmin account and its password with MQ Console, there is no problem.
- I get the same error with an account that doesn't belong to the mqm group (but has MQ access rights).
- I get the same error with MQ Explorer

I've probably missed something, but what?

Thanks in advance.

Since my first message this morning (which took a while to arrive!), we've done a lot of cross-testing and, on the face of it, the mystery has been solved:
- CentOS Stream release 9 is a "RHEL 9 like".
- The minimum level of IBM MQ for RHEL 9 is MQ 9.3.5, but I have installed 9.3.0.15

So the error is "normal". It just lacks a bit of detail in the logs.

Sorry for the noise.

Hello,
I have an incomprehensible (to me!) problem with an MQ installation, and I'd like your advice.

- I was given a freshly installed Linux VM (CentOS Stream release 9), which seems to have no special features.
- I installed an MQ 930.15 from IBM_MQ_9.3.0.15_LNX_X86-64.tar.gz, with the default options.
(Host Info :- Linux 5.14.0-412.el9.x86_64 (MQ Linux (x86-64 platform) 64-bit)
- I created a Queue Manager (DCBR01) with the default options
- I've created a "dcadmin" account, member of the mqm group, with a password.

vi /etc/passwd
mqm:x:993:1000::/var/mqm:/bin/bash
dcadmin:x:1001:1002::/var/mqm:/bin/bash

vi /etc/group
mqm:x:1000:dcadmin
dcadmin:x:1002:

From my putty session, I can do a su - dcadmin, provide the password, and administer the Queue Manager DCBR01.

So far, so good.

If I now use an MQ client from my Windows workstation (MQ 9.3.5.0) :

set MQCCDTURL=
set MQSERVER=
set MQCHLLIB=
set MQCHLTAB=
set MQSERVER=DCBR01/TCP/192.xxx.xxx.xxx(15101)
set MQSAMP_USER_ID=dcadmin
amqsputc TEST DCBR01

Sample AMQSPUT0 start
Enter password: **********
MQCONNX ended with reason code 2035

In /var/mqm/qmgrs/FRBRIR01/DCBR01/AMQERR01.LOG, I have :

--
03/11/2024 03:54:13 AM - Process(169619.17) User(mqm) Program(amqzlaa0)
                    Host(xxx) Installation(Installation1)
                    VRMF(9.3.0.15) QMgr(DCBR01)
                    Time(2024-03-11T08:54:13.748Z)
                    CommentInsert1(dcadmin)
                    CommentInsert2(J:\MQ935\bin64\amqsputc.exe)
                    CommentInsert3(N/A)

AMQ5534E: User ID 'dcadmin' authentication failed

EXPLANATION:
The user ID and password supplied by the 'J:\MQ935\bin64\amqsputc.exe' program could not be authenticated.
Additional information: 'N/A'.
ACTION:
Ensure that the correct user ID and password are provided by the application.
Ensure that the authentication repository is correctly configured. Look at previous error messages for any additional information.
--

If I run the same test from another Windows workstation (9.3.2.0), I get the same error.

In the Queue Manager, I have :
CONNAUTH(SYSTEM.DEFAULT.AUTHINFO.IDPWOS)
and
AUTHINFO(SYSTEM.DEFAULT.AUTHINFO.IDPWOS)
  AUTHTYPE(IDPWOS) ADOPTCTX(YES)
  DESCR( ) CHCKCLNT(REQDADM)
  CHCKLOCL(OPTIONAL) FAILDLAY(1)
  AUTHENMD(OS) ALTDATE(2024-03-11)
  ALTTIME(03.00.07)
 
Other points:
- If I use the dcadmin account and its password with MQ Console, there is no problem.
- I get the same error with an account that doesn't belong to the mqm group (but has MQ access rights).
- I get the same error with MQ Explorer

I've probably missed something, but what?

Thanks in advance.

Hi Luc-Michel, not sure this one is noise: RHEL 9 is supported with 9.3 LTS from 9.3.0.2 onwards, so 9.3.0.15 should be fine (and it certainly is in the IBM RHEL 9 test environments!).

The user ID validation is performed by the amqoamax process (or amqoampx if you're using a PAM configuration) - those processes will generate an FDC file for most errors, so worth checking if any were created in the errors directory.

One common reason for the process to fail to resolve a valid user ID and password is if it cannot run with appropriate authority - it must run as setuid root in order to perform the password check, so one thing to consider is whether the ownership was changed from root, or whether the setuid bit was suppressed. In this case, it would explain why a fresh install of 9.3.5 addressed the issue, as that would reset the ownership and permissions.

Since my first message this morning (which took a while to arrive!), we've done a lot of cross-testing and, on the face of it, the mystery has been solved:
- CentOS Stream release 9 is a "RHEL 9 like".
- The minimum level of IBM MQ for RHEL 9 is MQ 9.3.5, but I have installed 9.3.0.15

So the error is "normal". It just lacks a bit of detail in the logs.

Sorry for the noise.

Hello,
I have an incomprehensible (to me!) problem with an MQ installation, and I'd like your advice.

- I was given a freshly installed Linux VM (CentOS Stream release 9), which seems to have no special features.
- I installed an MQ 930.15 from IBM_MQ_9.3.0.15_LNX_X86-64.tar.gz, with the default options.
(Host Info :- Linux 5.14.0-412.el9.x86_64 (MQ Linux (x86-64 platform) 64-bit)
- I created a Queue Manager (DCBR01) with the default options
- I've created a "dcadmin" account, member of the mqm group, with a password.

vi /etc/passwd
mqm:x:993:1000::/var/mqm:/bin/bash
dcadmin:x:1001:1002::/var/mqm:/bin/bash

vi /etc/group
mqm:x:1000:dcadmin
dcadmin:x:1002:

From my putty session, I can do a su - dcadmin, provide the password, and administer the Queue Manager DCBR01.

So far, so good.

If I now use an MQ client from my Windows workstation (MQ 9.3.5.0) :

set MQCCDTURL=
set MQSERVER=
set MQCHLLIB=
set MQCHLTAB=
set MQSERVER=DCBR01/TCP/192.xxx.xxx.xxx(15101)
set MQSAMP_USER_ID=dcadmin
amqsputc TEST DCBR01

Sample AMQSPUT0 start
Enter password: **********
MQCONNX ended with reason code 2035

In /var/mqm/qmgrs/FRBRIR01/DCBR01/AMQERR01.LOG, I have :

--
03/11/2024 03:54:13 AM - Process(169619.17) User(mqm) Program(amqzlaa0)
                    Host(xxx) Installation(Installation1)
                    VRMF(9.3.0.15) QMgr(DCBR01)
                    Time(2024-03-11T08:54:13.748Z)
                    CommentInsert1(dcadmin)
                    CommentInsert2(J:\MQ935\bin64\amqsputc.exe)
                    CommentInsert3(N/A)

AMQ5534E: User ID 'dcadmin' authentication failed

EXPLANATION:
The user ID and password supplied by the 'J:\MQ935\bin64\amqsputc.exe' program could not be authenticated.
Additional information: 'N/A'.
ACTION:
Ensure that the correct user ID and password are provided by the application.
Ensure that the authentication repository is correctly configured. Look at previous error messages for any additional information.
--

If I run the same test from another Windows workstation (9.3.2.0), I get the same error.

In the Queue Manager, I have :
CONNAUTH(SYSTEM.DEFAULT.AUTHINFO.IDPWOS)
and
AUTHINFO(SYSTEM.DEFAULT.AUTHINFO.IDPWOS)
  AUTHTYPE(IDPWOS) ADOPTCTX(YES)
  DESCR( ) CHCKCLNT(REQDADM)
  CHCKLOCL(OPTIONAL) FAILDLAY(1)
  AUTHENMD(OS) ALTDATE(2024-03-11)
  ALTTIME(03.00.07)
 
Other points:
- If I use the dcadmin account and its password with MQ Console, there is no problem.
- I get the same error with an account that doesn't belong to the mqm group (but has MQ access rights).
- I get the same error with MQ Explorer

I've probably missed something, but what?

Thanks in advance.

Hi Chris,

Here is a summary of the operations carried out on CentOS Stream release 9:
- Installation of MQ 9.3.0.0 (IBM_MQ_9.3_LINUX_X86-64.tar.gz)
- Installation of FixPaxk 11 (9.3.0-IBM-MQ-LinuxX64-FP0011.tar.gz=
- Creation of the Queue Manager
- Injection of MQSC configuration scripts

At this stage, I noticed the Linux account authentication issues. 

Next : 
- Installation of FixPaxk 16 (9.3.0-IBM-MQ-LinuxX64-FP0016.tar.gz)
- The problems are still present

Next:
- Remove the MQ binaries
- Remove /var/mqm
- Delete the mqm account and group
- Reboot the VM
- Install MQ 9.3.0.15 (IBM_MQ_9.3.0.15_LNX_X86-64.tar.gz)
- Creation of the Queue Manager
- Injection of MQSC configuration scripts

The problems are still present.

Then :
- Re-installation of VMs with Red Hat Enterprise Linux release 8.9
- Installation of MQ 9.3.0.15 (IBM_MQ_9.3.0.15_LNX_X86-64.tar.gz)
- Creation of the Queue Manager
- Injection of MQSC configuration scripts

Problem solved.

I've seen that Centos versions are now a little ahead of RHEL versions.
It is possible that in CentOS Stream release 9 there is a particular feature that causes problems with MQ 9.3.0.x. 
In any case, Centos is not one of the officially supported distributions (even if it's the first one I've had a problem with). 

Hi Luc-Michel, not sure this one is noise: RHEL 9 is supported with 9.3 LTS from 9.3.0.2 onwards, so 9.3.0.15 should be fine (and it certainly is in the IBM RHEL 9 test environments!).

The user ID validation is performed by the amqoamax process (or amqoampx if you're using a PAM configuration) - those processes will generate an FDC file for most errors, so worth checking if any were created in the errors directory.

One common reason for the process to fail to resolve a valid user ID and password is if it cannot run with appropriate authority - it must run as setuid root in order to perform the password check, so one thing to consider is whether the ownership was changed from root, or whether the setuid bit was suppressed. In this case, it would explain why a fresh install of 9.3.5 addressed the issue, as that would reset the ownership and permissions.

Since my first message this morning (which took a while to arrive!), we've done a lot of cross-testing and, on the face of it, the mystery has been solved:
- CentOS Stream release 9 is a "RHEL 9 like".
- The minimum level of IBM MQ for RHEL 9 is MQ 9.3.5, but I have installed 9.3.0.15

So the error is "normal". It just lacks a bit of detail in the logs.

Sorry for the noise.

Hello,
I have an incomprehensible (to me!) problem with an MQ installation, and I'd like your advice.

- I was given a freshly installed Linux VM (CentOS Stream release 9), which seems to have no special features.
- I installed an MQ 930.15 from IBM_MQ_9.3.0.15_LNX_X86-64.tar.gz, with the default options.
(Host Info :- Linux 5.14.0-412.el9.x86_64 (MQ Linux (x86-64 platform) 64-bit)
- I created a Queue Manager (DCBR01) with the default options
- I've created a "dcadmin" account, member of the mqm group, with a password.

vi /etc/passwd
mqm:x:993:1000::/var/mqm:/bin/bash
dcadmin:x:1001:1002::/var/mqm:/bin/bash

vi /etc/group
mqm:x:1000:dcadmin
dcadmin:x:1002:

From my putty session, I can do a su - dcadmin, provide the password, and administer the Queue Manager DCBR01.

So far, so good.

If I now use an MQ client from my Windows workstation (MQ 9.3.5.0) :

set MQCCDTURL=
set MQSERVER=
set MQCHLLIB=
set MQCHLTAB=
set MQSERVER=DCBR01/TCP/192.xxx.xxx.xxx(15101)
set MQSAMP_USER_ID=dcadmin
amqsputc TEST DCBR01

Sample AMQSPUT0 start
Enter password: **********
MQCONNX ended with reason code 2035

In /var/mqm/qmgrs/FRBRIR01/DCBR01/AMQERR01.LOG, I have :

--
03/11/2024 03:54:13 AM - Process(169619.17) User(mqm) Program(amqzlaa0)
                    Host(xxx) Installation(Installation1)
                    VRMF(9.3.0.15) QMgr(DCBR01)
                    Time(2024-03-11T08:54:13.748Z)
                    CommentInsert1(dcadmin)
                    CommentInsert2(J:\MQ935\bin64\amqsputc.exe)
                    CommentInsert3(N/A)

AMQ5534E: User ID 'dcadmin' authentication failed

EXPLANATION:
The user ID and password supplied by the 'J:\MQ935\bin64\amqsputc.exe' program could not be authenticated.
Additional information: 'N/A'.
ACTION:
Ensure that the correct user ID and password are provided by the application.
Ensure that the authentication repository is correctly configured. Look at previous error messages for any additional information.
--

If I run the same test from another Windows workstation (9.3.2.0), I get the same error.

In the Queue Manager, I have :
CONNAUTH(SYSTEM.DEFAULT.AUTHINFO.IDPWOS)
and
AUTHINFO(SYSTEM.DEFAULT.AUTHINFO.IDPWOS)
  AUTHTYPE(IDPWOS) ADOPTCTX(YES)
  DESCR( ) CHCKCLNT(REQDADM)
  CHCKLOCL(OPTIONAL) FAILDLAY(1)
  AUTHENMD(OS) ALTDATE(2024-03-11)
  ALTTIME(03.00.07)
 
Other points:
- If I use the dcadmin account and its password with MQ Console, there is no problem.
- I get the same error with an account that doesn't belong to the mqm group (but has MQ access rights).
- I get the same error with MQ Explorer

I've probably missed something, but what?

Thanks in advance.

Since my first message this morning (which took a while to arrive!), we've done a lot of cross-testing and, on the face of it, the mystery has been solved:
- CentOS Stream release 9 is a "RHEL 9 like".
- The minimum level of IBM MQ for RHEL 9 is MQ 9.3.5, but I have installed 9.3.0.15

So the error is "normal". It just lacks a bit of detail in the logs.

Sorry for the noise.

Hello,
I have an incomprehensible (to me!) problem with an MQ installation, and I'd like your advice.

- I was given a freshly installed Linux VM (CentOS Stream release 9), which seems to have no special features.
- I installed an MQ 930.15 from IBM_MQ_9.3.0.15_LNX_X86-64.tar.gz, with the default options.
(Host Info :- Linux 5.14.0-412.el9.x86_64 (MQ Linux (x86-64 platform) 64-bit)
- I created a Queue Manager (DCBR01) with the default options
- I've created a "dcadmin" account, member of the mqm group, with a password.

vi /etc/passwd
mqm:x:993:1000::/var/mqm:/bin/bash
dcadmin:x:1001:1002::/var/mqm:/bin/bash

vi /etc/group
mqm:x:1000:dcadmin
dcadmin:x:1002:

From my putty session, I can do a su - dcadmin, provide the password, and administer the Queue Manager DCBR01.

So far, so good.

If I now use an MQ client from my Windows workstation (MQ 9.3.5.0) :

set MQCCDTURL=
set MQSERVER=
set MQCHLLIB=
set MQCHLTAB=
set MQSERVER=DCBR01/TCP/192.xxx.xxx.xxx(15101)
set MQSAMP_USER_ID=dcadmin
amqsputc TEST DCBR01

Sample AMQSPUT0 start
Enter password: **********
MQCONNX ended with reason code 2035

In /var/mqm/qmgrs/FRBRIR01/DCBR01/AMQERR01.LOG, I have :

--
03/11/2024 03:54:13 AM - Process(169619.17) User(mqm) Program(amqzlaa0)
                    Host(xxx) Installation(Installation1)
                    VRMF(9.3.0.15) QMgr(DCBR01)
                    Time(2024-03-11T08:54:13.748Z)
                    CommentInsert1(dcadmin)
                    CommentInsert2(J:\MQ935\bin64\amqsputc.exe)
                    CommentInsert3(N/A)

AMQ5534E: User ID 'dcadmin' authentication failed

EXPLANATION:
The user ID and password supplied by the 'J:\MQ935\bin64\amqsputc.exe' program could not be authenticated.
Additional information: 'N/A'.
ACTION:
Ensure that the correct user ID and password are provided by the application.
Ensure that the authentication repository is correctly configured. Look at previous error messages for any additional information.
--

If I run the same test from another Windows workstation (9.3.2.0), I get the same error.

In the Queue Manager, I have :
CONNAUTH(SYSTEM.DEFAULT.AUTHINFO.IDPWOS)
and
AUTHINFO(SYSTEM.DEFAULT.AUTHINFO.IDPWOS)
  AUTHTYPE(IDPWOS) ADOPTCTX(YES)
  DESCR( ) CHCKCLNT(REQDADM)
  CHCKLOCL(OPTIONAL) FAILDLAY(1)
  AUTHENMD(OS) ALTDATE(2024-03-11)
  ALTTIME(03.00.07)
 
Other points:
- If I use the dcadmin account and its password with MQ Console, there is no problem.
- I get the same error with an account that doesn't belong to the mqm group (but has MQ access rights).
- I get the same error with MQ Explorer

I've probably missed something, but what?

Thanks in advance.