2

This is a follow-up to: Can create Websphere Queue Manager but not connect

I'm trying to set up MQ on a development machine, but if I try to connect to it using my domain account it's unable to authenticate (AMQ4999). Digging a little further I find this in the error logs:

AMQ8079: Access was denied when attempting to retrieve group membership information for user 'xxx@domain'.

Now I'm well aware of the known issue with MQ where it fails to authenticate domain accounts since it's unable to access their member information, and have confirmed from the logs that this is definitely what's happening here, so I tried overriding this using the following script gleaned from the previous post:

DEFINE CHL('DOTNET.SVRCONN') CHLTYPE(SVRCONN) MCAUSER('MUSR_MQADMIN@hostname')
SET CHLAUTH('DOTNET.SVRCONN') TYPE(BLOCKUSER) USERLIST('nobody')
SET CHLAUTH('DOTNET.SVRCONN') TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(CHANNEL) ACTION(ADD)

However, even with this channel in place I still cannot connect to the queue manager while logged into my domain account. I'm still plagued with the exact same error I was getting previously. One thing I did notice was that MQ Explorer reports the channel as inactive even though I started it (although judging by my reading from IBM's website this is normal).

I'm still very new to MQ so I think I'm either missing something or did something wrong, but ideally I would like to be able to set up a dev environment where I can hit the service without having to rely on the 'runas' command. I should also emphasize that this is strictly for dev/learning so obviously I'm not concerned about security.

Update:

I found out what I was doing wrong -- sure enough I was missing a step. A little more background. Upon creating the QM I was trying to connect to it using a simple C# client. Originally I wrote code that looked like this:

var queueManager = new MQQueueManager("MyQueueManager", MQC.MQCNO_STANDARD_BINDING);

Also, when trying to connect via MQExplorer both appears to be using my domain credentials to authenticate. However when I explicitly created a properties object and specified the channel like such:

var props = new Hashtable() {
    [MQC.HOST_NAME_PROPERTY] = "localhost",
    [MQC.PORT_PROPERTY] = 1414,
    [MQC.CHANNEL_PROPERTY] = "DOTNET.SVRCONN",
    [MQC.USER_ID_PROPERTY] = "DevMQUser",
    [MQC.PASSWORD_PROPERTY] = "p@$$w0rd"
};

var queueManager = new MQQueueManager("MyQueueManager", props);

Then everything worked correctly. I still need to run MQExplorer.exe as a local user (even explicitly setting credentials in Connection Details > Properties doesn't seem to work), but this isn't a big deal.

Thanks for the suggestions.

Community
  • 1
  • 1
mvastarelli
  • 51
  • 5
  • Does setting the MCAUSER. to a local user ID rather than a domain qualified user id change the behaviour? – Morag Hughson Jan 14 '16 at 17:06
  • the MCAUSER is a local user id. I've tried both with the hostname appended and without. The behavior is the same. I also tried removing the DOTNET.SVRCONN channel and replaced it with * -- no effect. – mvastarelli Jan 14 '16 at 19:33
  • So even when using a locally defined, not domain qualified user ID you still get exactly the same error message as you show at the start of your question, with what user ID shown in it? May I also check that you definitely do have CHLAUTH(ENABLED)? – Morag Hughson Jan 16 '16 at 20:26

1 Answers1

1

Try changing...
SET CHLAUTH('DOTNET.SVRCONN') TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(CHANNEL)

To...
SET CHLAUTH('DOTNET.SVRCONN') TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(MAP) MCAUSER(MUSR_MQADMIN)

The USERSRC(CHANNEL) says to take the ID that is presented to the channel, in this case the local process ID of your logged-in account, to override MCAUSER.

MQ Security diagnostics
For connectivity issues over channels, grab SupportPac MS0P and install into MQ Explorer. Then turn on Authorization Events and Channel Events and recreate the problem. If the connection is blocked by a CHLAUTH record, this shows up in the Channel Event queue. If it is blocked by OAM it shows up in the QMgr Event queue. From Explorer with MS0P installed, right-clicking on the queue name from the Queues panel opens a context dialog that includes "Format event messages" as an option. Select is and MS0P will parse the PCF message into human-readable values that show all the parameters that were presented to MQ and why it blocked the connection.

IBM MQ v8
If this is v8 of MQ, you also have ID and password checking to configure. If the QMgr points to an AUTHINFO record that specifies ID and password checking (IDPWOS) the password can't be blank if the ID is set. Even if the password authentication is set to OPTIONAL the check will be made if an ID is present on the channel, which the client code will ensure is true unless specifically overridden.

T.Rob
  • 31,522
  • 9
  • 59
  • 103