2

I would like to pull IBM MQ from dockerhub but there are versions starting from 9, I need 8. On dockerhub page https://hub.docker.com/r/ibmcom/mq/ is link to the information how to build your own image if version 8 is necessary, but the resource is deprecated and dockerfile attached doesn't work. Could you please indicate any hint?

Using version 9 I get an error "Entity 'app' has insufficient authority to access object MYNAME [queue]. The specified entity is not authorized to access the required object. The following requested permissions are unauthorized: get/browse/inq". There were no such problems wirh version 8.

JJ36
  • 139
  • 1
  • 13
  • Any reason why you can't use 9? – JoshMc Jun 29 '20 at 13:43
  • application is built based on 8 and can not connect with newest image on docker – JJ36 Jun 29 '20 at 14:52
  • Versions are backward and forward compatible. There should be no reason a app compiled against MQ v8.0 would not work against a MQ v9.0 or MQ v9.1 docer image. What errors do you get when you try this combination. – JoshMc Jun 29 '20 at 15:13
  • – JJ36 Jun 29 '20 at 17:10
  • I've tried alter qmgr chlauth(disabled) but still connection doesn't work – JJ36 Jun 29 '20 at 17:13
  • and with pulled version 8 from dockerhub everything was working – JJ36 Jun 29 '20 at 17:30
  • 2035 will require you look at the queue manager's AMQERR01.LOG to check why it failed. 2035 on the client side is very general and looking at the Qmgr error logs will narrow it down to the specific cause. Likely a setting difference between your v8 config and your v9 config, but nothing that can't be fixed by altering the config. – JoshMc Jun 29 '20 at 18:49
  • I've found the message: "Entity 'app' has insufficient authority to access object MYNAME [queue] " this user has privileges to connect and inquire, it's not enough I see. – JJ36 Jun 29 '20 at 19:30
  • That same message will usually tell the specific authority that is lacking. You can edit your quest and paste the log entry into the question surrounded by ``` on the line above and below to show what you are getting. – JoshMc Jun 29 '20 at 22:21
  • What is the full error? The same message should state what is missing. Something like `The following requested permissions are unauthorized: put` – JoshMc Jun 30 '20 at 07:03
  • "The specified entity is not authorized to access the required object. The following requested permissions are unauthorized: get/browse/inq" But in config file i have "DEFINE QLOCAL (MYNAME) SET AUTHREC PROFILE('MYNAME') OBJTYPE(QUEUE) GROUP('mqclient') AUTHADD(BROWSE, GET, PUT, INQ)" – JJ36 Jun 30 '20 at 09:52
  • Is the `app` user a part of the `mqclient` group? If not that would account for the difference. You could try setting a principal `AUTHREC` instead of a group entry. – JoshMc Jun 30 '20 at 17:49
  • I have SRVCONN settled in that way, what I'm misisng? DEFINE CHANNEL(MINE.TCP.SVRCONN) CHLTYPE(SVRCONN) MCAUSER('app') REPLACE SET CHLAUTH(MINE.TCP.SVRCONN) TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(CHANNEL) CHCKCLNT(ASQMGR) ACTION(REPLACE) – JJ36 Jul 01 '20 at 13:52
  • I'm asking if at the unix level is the `app` user part of the `mqclient` group. On Linux you could run `id -a app` to see what groups it is a member of. – JoshMc Jul 01 '20 at 14:32
  • if ibm mq is in docker how can I check this? – JJ36 Jul 01 '20 at 15:24
  • There is a command let lets you run commands in the docker container, you can usually just start a bash and do it from there. But as I mentioned, alternatively set your AUTHREC against the principal instead of the group. – JoshMc Jul 01 '20 at 21:19
  • I see you opened a new question if setting permission on the principal worked, I will right it up as a answer with more details. Let me know please. – JoshMc Jul 02 '20 at 15:50
  • command 'id - a app' shows : user app not exists. – JJ36 Jul 02 '20 at 20:14
  • Ok. Then there is no app user on that. – JoshMc Jul 02 '20 at 20:38
  • You said v9 is it v9.0 or v9.1? I understand that the newest 9.1.5 docker images per openshift best practices have no user defined in the container. I had also heard that there is a htpassword way to setup a user. See: https://github.com/ibm-messaging/mq-container/issues/400 – JoshMc Jul 02 '20 at 20:40
  • See this answer for some details on how to create the user at 9.1.5: https://stackoverflow.com/questions/61373195/ibmcom-mq-docker-image-backward-compatibility-issue/62192274#62192274 – JoshMc Jul 02 '20 at 20:45
  • How did you resolve this? – JoshMc Jul 09 '20 at 05:03
  • I've added user app to queue. But app it is default user I'm not adding any special user. – JJ36 Jul 13 '20 at 11:26
  • Can you confirm that when you say "added user app to the queue" that you mean you "set your AUTHREC against the principal instead of the group." meaning that you did the authorization against the user (principal) "app" not the group "mqclient"? – JoshMc Jul 13 '20 at 19:45
  • @JJ36 The default developer config includes auth records for the app user to connect to the DEV.* queue resources. Assuming you have not extended the default MQSC setup, it could be worth checking you can put to DEV.QUEUE.1 This tutorial might also be helpful as it explains the dev config for Ubuntu users https://developer.ibm.com/components/ibm-mq/tutorials/mq-connect-app-queue-manager-ubuntu – richc Jul 30 '20 at 18:00

0 Answers0