4

I've installed WebSphere MQ 7.1 on Linux platform, after which I installed WebSphere Message Broker 8.0.0.1. Now when I try to create an execution group, I get an exception: Reason code 2035. This exception states that the user is unauthorised to connect to the queue manager. I have this user added in the mqm group. I did not face any such issue when I was working with MQ 7.0.x. I searched a lot and came to know that there is user ID blocking in MQ 7.1. But, I want this user to be able to create execution group, how can I do so? Please advise.

T.Rob
  • 31,522
  • 9
  • 59
  • 103
Tanu
  • 369
  • 5
  • 7
  • 18

2 Answers2

6

MQ security has been improved a lot in MQ v7.1 and is different from what it used to be in earlier MQ versions. In MQ v7.1, by default all SYSTEM.channels are blocked. If you are trying to use any of these SYSTEM. channels then you will get 2035 which is MQRC_NOT_AUTHORIZED. The recommended way is to create your own SVRCONN channel for broker and create channel authentication records to allow the user to access queue manager.

Please see this link for detailed answers from T.Rob on similar issue.

Update:

A SVRCONN channel defines the endpoint of a queue manager meaning the connection information required by the clients to connect to a queue manager. Client applications use this type of channel to send and receive messages to/from a queue or a topic.

Message Broker toolkit is GUI that you can use to administer message broker, for example creating execution groups, creating flow, deploying bar files etc. Toolkit is available on Windows and I guess it's available on Linux.

I got to know that MB toolkit requires SYSTEM.BRK.CONFIG channel which is a SVRCONN channel to connect to queue manager. I am thinking this is the channel you will need to authorize to allow Message Broker to connect to MQ. Can you check if this is the case and if so create channel authentication record for that channel?

Community
  • 1
  • 1
Shashi
  • 14,980
  • 2
  • 33
  • 52
  • Thanks for your reply. According to the given link... can u tell me on which all channels I should SET CHLAUTH? Since on this link it is given : SET CHLAUTH('JAVA.CHANNEL') TYPE(USERMAP) CLNTUSER('mqbrkrs') USERSRC(MAP) MCAUSER('mqbrkrs') ACTION(ADD).. But by this command i would be able to only authorize mqbrkrs on 'JAVA.CHANNEl' .. On what other channels do i need to set authorization, so that mqbrkrs (which is added in mqm group) be able to create execution group? Also, please tell me do i also need to delete mqbrkrs from mqm group? So that , mqbrkrs is no more an admin user? – Tanu Oct 15 '12 at 09:12
  • As of V7.1 you must provision access for *each* SVRCONN channel that you define. Defining a channel and authorizing groups will allow non-admin users to connect. For users with admin access you must also override the CHLAUTH rule that blocks admin users. Best advice is to do that **per channel** and not by deleting or disabling the rule. Do take mqbrkrs out of the mqm group if at all possible. Only keep actual MQ admins in the mqm group. Shashi - thanks for the link! – T.Rob Oct 15 '12 at 12:39
  • @T.Rob .. I have mqbrkrs added in the mqm group.. I'll tell you what I've done till now.. I disabled the CHLAUTH.. after which things worked fine.. but I did not want this.. Now.. I deleted the queue manages and created it afresh so that the authentication was enabled. Now i execute: SET CHLAUTH(*) TYPE (QMGRMAP) QMNAME(NSPZPAI1) USERSRC(MAP) MCAUSER('mqbrkrs') follwed by setmqaut -m NSPZPAI1 -n ** -t queue -g mqbrkrs +dsp +inq +put +get .but still I get "2035".Please advise as it is really crucial. – Tanu Oct 15 '12 at 13:31
  • What's the name of the QMgr where the broker toolkit is trying to connect? What is the SVRCONN channel name? (It is broker toolkit and not the broker itself giving problems, right?) – T.Rob Oct 15 '12 at 21:26
  • @T.Rob .. The queue manager name is NSPZPAI1, the mq admin group name is mqm and mq user is also mqm. The broker name is NSPZPAI1, broker admin user name is mqbrkrs which is also added in mqbrkrs group.The mqm user has mqm as its primary group and mqbrkrs as its secondary group. Likewise, the mqbrkrs user has mqbrkrs as its primary group and mqm as its secondary group.I make queue manager from mqm user and broker and execution group from mqbrkrs user.I am able to create broker and start it but when I attempt to create execution group, I face 2035 exception. – Tanu Oct 16 '12 at 08:03
  • @T.Rob.. I do not create any explicit channels by myself.So, I don't understand how to answer your question :"What is the SVRCONN channel name?". Besides, I apologise if this is annoying but I am new to MQ and just after installing MQ and Broker, I create a queue manager and a broker and then create an execution group , So I don't understand where does the toolkit come into play?To make things clear,this is a linux environment I am talking about and I have installed MQSeriesSDK-7.1.0-0,MQSeriesJava-7.1.0-0,MQSeriesRuntime-7.1.0-0 and MQSeriesServer-7.1.0-0 components. – Tanu Oct 16 '12 at 08:04
  • @Shashi ..Thanx for your reply.I understand I have to set channel authentication for SYSTEM.BRK.CONFIG. But when I do set the Channel authentication record.. and then try to create execution group.. I get an error like:BIP1046E: Unable to connect with the queue manager (Could not connect to queue manager 'NSPZPAI1' (MQ reason code 2538)). Why is this so? – Tanu Oct 16 '12 at 09:38
5

If you create a new QMgr at V7.1 or above, it comes with the following default CHLAUTH rules:

SET CHLAUTH(SYSTEM.ADMIN.SVRCONN)           TYPE(ADDRESSMAP)
    DESCR(Default rule to allow MQ Explorer access)
    ADDRESS(*) 
    MCAUSER( )                              USERSRC(CHANNEL)

SET CHLAUTH(SYSTEM.*)                       TYPE(ADDRESSMAP)
    DESCR(Default rule to disable all SYSTEM channels)
    ADDRESS(*)
    MCAUSER( )                              USERSRC(NOACCESS)

SET CHLAUTH(*)                              TYPE(BLOCKUSER)
    DESCR(Default rule to disallow privileged users)
    USERLIST(*MQADMIN)

The one on the bottom tells the QMgr "if someone tries to connect over a SVRCONN using an administrative user ID, block the connection in all cases."

To allow a connection from Broker Toolkit you have two choices as follows:

  1. Remove mqbrkrs from the mqm group. This allows it to connect without firing the CHLAUTH rule that blocks admin users. You will of course be required to grant authorization for the mqbrkrs group to all the broker and application queues to which it needs access since it is no longer an MQ admin.
  2. Override the CHLAUTH rule to allow the broker toolkit to connect as an admin on the SYSTEM.BROKER.CONFIG channel.

As a security specialist, I favor the first option. It is unavoidable that the MQ admin can administer the broker. However it is possible to avoid allowing the broker (and by extension all the broker flows) to administer the QMgr.

If, however, you wish to take the second route you'll need to override the CHLAUTH rule that blocks admin access. There are several ways to do this. You could delete the rule but that opens all your channels to admin connections. A more precise approach is to provide a rule just for the channel on which the administrator is to connect. For example:

SET CHLAUTH(SYSTEM.BKR.CONFIG) TYPE(BLOCKUSER) +
    USERLIST('*NOACCESS')

Since WMQ applies the most specific rule, the default rule is overridden by the new one but only for the SYSTEM.BKR.CONFIG channel. The BLOCKUSER rule syntax allows us to specify who to deny but not who to allow and it takes user IDs rather than group IDs. In order to allow admin access it is necessary to specify some ID that is not *MQADMIN. I picked *NOACCESS because it cannot be an actual user ID and is a reserved word used by WMQ elsewhere. You could as easily used any user ID such as nobody or even mqm. (Blocking mqm would allow mqbrkrs but not mqm however since mqbrkrs is in the mqm group it would not restrict mqbrkrs from administering the QMgr.)

Finally, note that any channel which allows admin access should be strongly authenticated. If the only CHLAUTH rule you set is the one above, then anybody with a network route to the QMgr can connect on that channel by asserting the mqbrkrs user ID on the connection. Once connected, they would have full control over the QMgr and the ability to remotely, anonymously execute commands using the mqm or mqbrkrs user IDs. At the very least add a CHLAUTH rule to filter conenctions on this channel by IP address. Or, even better, use SSL and filter connections by the certificate distinguished name.

T.Rob
  • 31,522
  • 9
  • 59
  • 103
  • ..Thanx alot for your answers, they were really useful ..and I came to know alot about MQ 7.1 and its security features. I was also able to create execution group successfully. thanx.. – Tanu Oct 17 '12 at 08:17