
I am getting the below error while WAS QCF tries to connect to MQ. After hours of investigation, I found out that QCF is ignoring the JAAS auth given to it and instead using its own method to get the WAS user.name and passing that to MQ to get a connection, and failing. Does anyone know why WAS QCF is ignoring JAAS auth here? I see a post about it but don't see a concrete answer on it.

ERROR :

JMSWMQ2013: The security authentication was not valid that was supplied for QueueManager 'QMGR' with connection mode 'Client' and host name 'qmgrhost(1431)'. Please check if the supplied username and password are correct on the QueueManager you are connecting to...JMSCMQ0001: WebSphere MQ call failed with compcode '2' ('MQCC_FAILED') reason '2035' ('MQRC_NOT_AUTHORIZED'). "
JoshMc
Zack
  • Can you provide some information on how your QCF is configured, how your application is getting the QCF and how the resource reference is defined. – Alasdair Jun 26 '18 at 22:23
  • 2
    Check out this Technote from IBM. Basically J2C Authentication Aliases are not flowed to the queue manager if you are using direct lookup of the JNDI resource; only if you use an indirect lookup will the Authentication Alias be used. [IBM Technote: Enterprise applications, the WebSphere Application Server WebSphere MQ messaging provider connection factories and Authentication Aliases explained](http://www-01.ibm.com/support/docview.wss?uid=swg21580097). – JoshMc Jun 26 '18 at 22:23
  • With direct lookup the only option is to pass the userID and password to the createQueueConnection method as suggested by @Roger, but the Technote describes how to set up the indirect references to allow indirect lookup to be used and Authentication Aliases to be flowed. – JoshMc Jun 26 '18 at 22:24
  • If this is what you are looking for I'll write up a quick answer highlighting some of the specific sections of the Technote. – JoshMc Jun 26 '18 at 22:25
  • @Alasdair 1. QCF is created at cluster scope in client mode and configured to use a J2C auth alias when connecting to MQ. 2. Application uses indirect JNDI lookup to locate the QCF at WAS to start a connection with MQ. – Zack Jun 26 '18 at 23:23
  • @JoshMc Yes, that's exactly what I am looking for, but this did not resolve my issue... So my application uses indirect JNDI lookup to locate QCF resources in WAS. is set to container in my web.xml but still the QCF does not flow down the J2C auth alias that is set on WAS to MQ; instead it presents the user with which WAS was installed for authentication and fails because of the MQ CHLAUTH restriction which allows only the user mentioned in the J2C auth alias. – Zack Jun 26 '18 at 23:31
  • What is MQ RA version and queue manager MQ version? – JoshMc Jun 27 '18 at 00:16
  • @JoshMc both on 7.1 version – Zack Jun 27 '18 at 06:27
  • are you using bindings or client connection modes? – Alasdair Jun 27 '18 at 12:56
  • @Alasdair in the error it indicates it is a client connection mode `QueueManager 'QMGR' with connection mode 'Client' and host name 'qmgrhost(1431)'.` – JoshMc Jun 27 '18 at 15:10
  • @JoshMc yup, client mode not binding. – Zack Jun 27 '18 at 16:43
  • Can you check your `resources.xml` to see if `authDataAlias` is pointing to the correct authentication alias? – JoshMc Jun 27 '18 at 16:56
  • **Root Cause Found:** One of my dear developer friends found out that this particular application was developed differently, instead of following the standard that we use; it was not using the WAS QCF to get a connection to MQ, and instead was developed to use some Spring JMS container which was creating its own MQ connection factory and passing the JVM's user ID for authentication. Generally, applications use the QCF in WAS to make connections to MQ, and for authentication the J2C auth data is used by the QCF to connect to the server conn channel. Thank you, appreciate you all for your comments. – Zack Jun 28 '18 at 09:58

1 Answer

0

You need to pass the user credentials to the QueueConnection as follows:

```java
QueueConnection conn = cf.createQueueConnection(userID, password);
conn.start();
```

where cf is the QueueConnectionFactory.

i.e.

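```java
import java.util.Hashtable;
import javax.jms.QueueConnectionFactory;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;

try
{
   // File-system JNDI context that holds the MQ administered objects
   Hashtable<String, String> env = new Hashtable<>();
   env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.fscontext.RefFSContextFactory");
   env.put(Context.PROVIDER_URL, "file:/" + "some_path_to_mq_jndi");

   Context ctx = new InitialContext(env);

   // Look up the connection factory by its JNDI name
   cf = (QueueConnectionFactory) ctx.lookup("myQCF");
}
catch (NamingException e)
{
   System.err.println(e.getLocalizedMessage());
   e.printStackTrace();
   throw e;
}
```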
Roger
  • 1
    I would not recommend doing this in an application server. Credentials should be sourced from the container environment and you should pick up the connection factories from the app server managed resources. – Alasdair Jun 26 '18 at 22:22
  • You can get the connection factory from ANY where you want. The point is that the user credentials need to be passed into the createQueueConnection method. – Roger Jun 26 '18 at 22:24
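
The two lookup styles contrasted in the comments above, side by side, as an added example that is not part of the original thread. The reference name `jms/MyQCF`, the global name `jms/GlobalQCF`, the class name and the descriptor fragment in the comment are assumptions for illustration.

```java
import javax.jms.JMSException;
import javax.jms.QueueConnection;
import javax.jms.QueueConnectionFactory;
import javax.naming.InitialContext;
import javax.naming.NamingException;

/*
 * Assumed resource reference in web.xml (names are illustrative):
 *
 *   <resource-ref>
 *     <res-ref-name>jms/MyQCF</res-ref-name>
 *     <res-type>javax.jms.QueueConnectionFactory</res-type>
 *     <res-auth>Container</res-auth>
 *     <res-sharing-scope>Shareable</res-sharing-scope>
 *   </resource-ref>
 *
 * At deployment the reference is mapped to the WAS-defined QCF and to
 * the J2C authentication alias.
 */
public class MqConnector {

    // Indirect lookup: resolves through the java:comp/env resource
    // reference, so the container supplies the alias credentials.
    public QueueConnection connectWithContainerAuth()
            throws NamingException, JMSException {
        InitialContext ctx = new InitialContext();
        QueueConnectionFactory cf =
                (QueueConnectionFactory) ctx.lookup("java:comp/env/jms/MyQCF");
        QueueConnection conn = cf.createQueueConnection(); // no credentials in code
        conn.start();
        return conn;
    }

    // Direct lookup: the global JNDI name bypasses the resource reference.
    // Per the Technote cited above, the alias is not flowed on this path,
    // so the caller has to pass the user ID and password explicitly.
    public QueueConnection connectDirect(String userID, String password)
            throws NamingException, JMSException {
        InitialContext ctx = new InitialContext();
        QueueConnectionFactory cf =
                (QueueConnectionFactory) ctx.lookup("jms/GlobalQCF");
        QueueConnection conn = cf.createQueueConnection(userID, password);
        conn.start();
        return conn;
    }
}
```

An application that builds its own MQ connection factory, as in the root cause reported in the question's comments, uses neither path, so the alias configured on the WAS QCF never applies to its connections.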