IBM Support

MQ errors AMQ5540, AMQ5541 and AMQ5542, application did not supply a user ID and password, 2035 MQRC_NOT_AUTHORIZED [MQCSP, CONNAUTH CHCKCLNT(REQDADM)]

Troubleshooting


Problem

As an MQ administrator you create a new queue manager in MQ.
You can access the queue manager by using MQ Explorer or MQ client applications in bindings mode.
You are aware of the default behavior for the channel authentication records in which an MQ administrator cannot remotely access the queue manager.
To gain access an administrator can either set the queue manager attribute CHLAUTH to DISABLED, or add the appropriate records to allow remote access.
This behavior is documented in the following technote:
MQ RC 2035 MQRC_NOT_AUTHORIZED or AMQ4036 or JMSWMQ2013 when using client connection as an MQ Administrator (CHLAUTH, channel authentication records)
.
You try to remotely access the queue manager as an MQ administrator and you get the return code 2035 MQRC_NOT_AUTHORIZED.
You expected that the issue with the channel authentication records had been addressed.

Symptom

To find out more details, view the error log for the queue manager.
There are 3 errors:

6/6/2014 06:33:10 - Process(7512.22) User(rivera) Program(amqzlaa0.exe) Host(HOST_A) Installation(Installation3) VRMF(8.0.0.0) QMgr(QM_ANG8)
AMQ5540: Application 'Sphere MQ\bin64\amqsputc.exe' did not supply a user ID and password
EXPLANATION:The queue manager is configured to require a user ID and password, but none was supplied.
ACTION: Ensure that the application provides a valid user ID and password, or change the queue manager configuration to OPTIONAL to allow applications to connect which have not supplied a user ID and password.

-----

6/6/2014 06:33:10 - Process(7512.22) User(rivera) Program(amqzlaa0.exe) Host(HOST_A) Installation(Installation3) VRMF(8.0.0.0) QMgr(QM_ANG8)
AMQ5541: The failed authentication check was caused by the queue manager
CONNAUTH CHCKCLNT(REQDADM) configuration.
EXPLANATION: The user ID 'rivera' and its password were checked because the user ID is privileged and the queue manager connection authority (CONNAUTH) configuration refers to an authentication information (AUTHINFO) object named 'SYSTEM.DEFAULT.AUTHINFO.IDPWOS' with CHCKCLNT(REQDADM). This message accompanies a previous error to clarify the reason for the user ID and password check.
ACTION: Refer to the previous error for more information. Ensure that a password is specified by the client application and that the password is correct for the user ID. The authentication configuration of the queue manager connection determines the user ID repository. For example, the
local operating system user database or an LDAP server. To avoid the authentication check, you can either use an unprivileged user ID or amend the authentication configuration of the queue manager. You can amend the CHCKCLNT attribute in the CHLAUTH record, but you should generally not allow unauthenticated remote access.

------------------

6/6/2014 06:33:10 - Process(16728.4) User(rivera) Program(amqrmppa.exe) Host(HOST_A) Installation(Installation3) VRMF(8.0.0.0) QMgr(QM_ANG8)
AMQ9557: Queue Manager User ID initialization failed for 'rivera'.
EXPLANATION: The call to initialize the User ID 'rivera' failed with CompCode 2 and Reason 2035.
ACTION: Correct the error and try again.

Cause

In MQ 8.0 a new function is introduced that requires MQ administrators using remote access to supply the userid and password. When the userid and password are not supplied or the password is incorrect, then the following error is displayed (the error AMQ5542 is very similar):

AMQ5541: The failed authentication check was caused by the queue manager
CONNAUTH CHCKCLNT(REQDADM) configuration.
EXPLANATION: The user ID 'rivera' and its password were checked because the user ID is privileged and the queue manager connection authority (CONNAUTH) configuration refers to an authentication information (AUTHINFO) object named 'SYSTEM.DEFAULT.AUTHINFO.IDPWOS' with CHCKCLNT(REQDADM). This message accompanies a previous error to clarify the reason for the user ID and password check.

The errors indicate the following:

1) The queue manager has a connection authority attribute called: CONNAUTH
and the value for this attribute is: SYSTEM.DEFAULT.AUTHINFO.IDPWOS

display qmgr CONNAUTH
     9 : display qmgr CONNAUTH
AMQ8408: Display Queue Manager details.
   QMNAME(QM_80)
   CONNAUTH(SYSTEM.DEFAULT.AUTHINFO.IDPWOS)

2) The authoinfo object has a value of REQDADM for the attribute CHCKCLNT.
MQ administrators are required to provide a userid and password in this instance.

display authinfo(SYSTEM.DEFAULT.AUTHINFO.IDPWOS)
    10 : display authinfo(SYSTEM.DEFAULT.AUTHINFO.IDPWOS)
AMQ8566: Display authentication information details.
   AUTHINFO(SYSTEM.DEFAULT.AUTHINFO.IDPWOS)
   AUTHTYPE(IDPWOS)                        ADOPTCTX(NO)
   DESCR( )                                CHCKCLNT(REQDADM)
   CHCKLOCL(OPTIONAL)                      FAILDLAY(1)
   ALTDATE(2014-07-24)                     ALTTIME(10.49.19)

Resolving The Problem


There are several ways to address the situation and the following 5 scenarios addressed:

Scenario A) MQ samples: Provide the user and password to the MQ client application
Scenario B) Modify queue manager to avoid requiring password from MQ administrators
Scenario C) MQ Explorer - when connecting to remote queue managers
Scenario D) How to specify the userid/password when using the rfhutilc utility from the SupportPac IH03
Scenario E) Application programming for authentication and password (C, Java, JMS)

The rest of this note provides more details on each of the scenarios.

+++ Scenario A) MQ samples: Provide the user and password to the MQ client application

Starting with MQ 8.0 the sample programs have been modified to use the environment variable MQSAMP_USER_ID, which if set, prompts the user for a password. The password is entered in plaintext and not obscured by asterisks).

Browse: amqsbcgc, amqsbcg
Put: amqsputc, amqsput
Get: amqsgetc, amqsget

See the MQ product documentation:
https://www.ibm.com/support/knowledgecenter/en/SSFKSJ_9.2.0/com.ibm.mq.dev.doc/q024270_.htm
IBM MQ 9.2.x / IBM MQ / Developing applications / Developing MQI applications with IBM MQ / Using the IBM MQ sample procedural programs / Using the sample programs on Multiplatforms / The Put sample programs / 
Running the Put sample programs
These programs also use an environment variable named MQSAMP_USER_ID which should be set to the user ID to be used for connection authentication. When this is set, the program will prompt for a password to accompany that user ID.

Example run:

$ export MQSAMP_USER_ID=rivera
$ amqsputc Q1 QM_80
Sample AMQSPUT0 start
Enter password: mypassword
target queue is Q1
test
Sample AMQSPUT0 end


+++ Scenario B) Modify queue manager to avoid requiring password from MQ administrators

Modify the queue manager to alter the new function of the attribute CHCKCLNT for the CONNAUTH from REQDADM to OPTIONAL or to NONE.

As explained in the "Cause" section, in WebSphere MQ 8.0 a new function is introduced, which requires MQ administrators to supply the userid and password for remote access, or an error message is generated.

It is possible for the MQ administrator to use the runmqsc command to change the AUTHINFO "SYSTEM.DEFAULT.AUTHINFO.IDPWOS", for the value of the attribute CHCKCLNT from REQDADM to OPTIONAL (or to NONE). This change will allow users access without providing a userid/password.

ALTER AUTHINFO(SYSTEM.DEFAULT.AUTHINFO.IDPWOS) AUTHTYPE(IDPWOS) CHCKCLNT(OPTIONAL)

REFRESH SECURITY TYPE(CONNAUTH)

If you do not issue the above REFRESH command, then you will need to restart the queue manager.


+++ Scenario C) MQ Explorer - when connecting to remote queue managers
C.1) The following technote includes information on the MQCSP structure that can be used to specify userids and passwords that are longer than 12 characters.
(See Chapter 3).
https://www.ibm.com/support/pages/node/617461
How to specify a userid and a password in MQ Explorer 8
Chapter 1: Setup of a connection for a remote queue manager
Chapter 2: Specifying userid and password using the default compatibility mode
Chapter 3: Specifying userid and password using MQCSP Authentication mode
 
C.2) When adding a remote queue manager to the MQ Explorer, one of the setup dialog windows is called:
Specify user identification details

By default, the userid and the password are not stored for this connection to the remote queue manager.
Notice that the following checkbox has not been activated:
Enable user identification



Activate the checkbox for "Enable user identification".
You will see that the Userid field becomes active:



You cannot enter a password because the field is not available.
You will need to enable the feature to save passwords in the Preference page, by clicking the "Passwords Preferences Page" link.




Click on "Save passwords to file"
By the way, this is the default file name.
C:\Users\IBM_ADMIN\IBM\WebSphereMQ\workspace-Installation1\.metadata\.plugins\com.ibm.mq.explorer.ui\WMQ_Passwords.xml



Click OK to close the Preferences page.
In the Specify user identification details window, click on the button "Enter password" and enter your password.
You will see a pop up dialog where you can enter the password.




Click Finish.
MQ Explorer will send the userid and password when connecting to the remote queue manager.

+++ Scenario D) How to specify the userid/password when using the rfhutilc utility from the SupportPac IH03

IH03: WebSphere Message Broker - Message display, test & performance utilities (RFHutil, RFHutilc)
Please note:  This SupportPac is now in withdrawn status and will remain available for back-up purposes only.  The code for IH03 now available from GitHub
https://github.com/ibm-messaging/mq-rfhutil 
mq-rfhutil
This repository contains the rfhutil program, originally released in SupportPac IH03. Both source code and binaries are included.
.
Contents of repository
This repository contains source code for the rfhutil program, managed as a Microsoft Visual Studio 2017 Solution. If you have VS 2017, then opening the RFHUtil.sln file will allow you to rebuild the program.
Pre-built copies of the programs (rfhutil for connections to a local queue manager, rfhutilc for MQ client connections) are under the bin\Release directory. They can be run directly but you may first need to run the setmqenv program to set the environment variables that allow you to locate the MQ runtime libraries.
Download note: You need to visit the following web page to download individual components:
https://github.com/ibm-messaging/mq-rfhutil/tree/master/bin/Release
 
Set the MQSERVER variable:
set MQSERVER=SYSTEM.DEF.SVRCONN/TCP/hostname(1414)

Run the GUI in client mode:
C:\MQ-SupportPac\IH03 rfhutil>
rfhutilc

You can specify the userid/password to be used by this GUI by clicking the Set Conn Id button.



You will see the Set Connection Parameters window.

You can enter your "User id" and "Password".
ATTENTION!!! You MUST activate the checkbox: "Use CSP"




Click OK.

Then you can proceed to access the queue manager and perform tasks, such as getting messages from a queue.

+++ Scenario E) Application programming for authentication and password (C, Java, JMS)
.
See Chapter 3 from the following free redbook:
https://www.redbooks.ibm.com/abstracts/sg248218.html?Open
IBM MQ V8 Features and Enhancements (published 02-Oct-2014) 
 

+ begin excerpt

Chapter 3. User authentication (page 39)

3.5 Application programming for authentication

The programming interfaces for setting the user ID and password information to applications depend on which API the application is using.

3.5.1 MQI (C code)

For an application developer using MQI, the only change that is needed is to use the correct parameters when connecting to the queue manager. In the procedural languages such as C, this means using the MQCONNX verb instead of MQCONN, and filling in the MQCSP structure.
Example 3-2 on page 40 shows a fragment of C code used to connect to a queue manager.

Example 3-2 Authenticating a connection using C

char *QMName = “QM1”;
char *Userid = “rbmqid1”;
char *Password = “passw0rd”;
MQCNO cno = {MQCNO_DEFAULT};
MQCSP csp = {MQCSP_DEFAULT};
...
cno.SecurityParmsPtr = &csp;
cno.Version = MQCNO_VERSION_5;
csp.AuthenticationType = MQCSP_AUTH_USER_ID_AND_PWD;
csp.CSPuser IDPtr = Userid;
csp.CSPuser IDLength = strlen(Userid);
csp.CSPPasswordPtr = Password;
csp.CSPPasswordLength = strlen(csp.CSPPasswordPtr);
MQCONNX(QMName, &cno, &Hcon, &CompCode, &CReason);

For the object-oriented languages, such as the Java classes, properties are set before connecting to the queue manager.
Example 3-3 shows a fragment of Java code used to connect to a queue manager.
The MQEnvironment class can also be used instead of the hash table.

Example 3-3 Authenticating a connection using Java

String QMNAme = “QM1”;
String Userid = “rbmqid1”;
String Password = “passw0rd”;
Hashtable h = new Hashtable();
h.put(MQConstants.USER_ID_PROPERTY, Userid);
h.put(MQConstants.PASSWORD_PROPERTY, Password);
h.put(MQConstants.USE_MQCSP_AUTHENTICATION_PROPERTY, true);
MQQueueManager qMgr = new MQQueueManager(QMName,h);

3.6 JMS and XMS

A form of the JMS (and hence XMS) connection methods takes user ID and password parameters, as in the following example:

connectionFactory.createConnection(Userid,Password)

No further changes are needed.

+ end excerpt

Location of MQ V8 samples for Java and JMS that show how to handle passwords:

+ JMS

Windows: C:\Program Files\IBM\WebSphere MQ\Tools\jms\samples\
Unix: /opt/mqm/samp/jms/samples

File: JmsProducer.java
Java Statements related to the handling of userid and password:

* Usage:
 * JmsProducer -m queueManagerName -d destinationName [-h host -p port -l channel] [-u user -w passWord]
...
  private static String user = null;
  private static String password = null;
...
      if (user != null) {
          cf.setStringProperty(WMQConstants.USERID, user);
          cf.setStringProperty(WMQConstants.PASSWORD, password);
          cf.setBooleanProperty(WMQConstants.USER_AUTHENTICATION_MQCSP, true);
        }


+ Java (not JMS)

For plain Java (not JMS), see:
https://www.ibm.com/support/knowledgecenter/en/SSFKSJ_9.2.0/com.ibm.mq.sec.doc/q118680_.htm
IBM MQ 9.2.x / IBM MQ / Securing / Security overview / IBM MQ security mechanisms / Connection authentication / 
Connection authentication with the Java client

+++ end +++

[{"Line of Business":{"code":"LOB45","label":"Automation"},"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SSYHRD","label":"IBM MQ"},"ARM Category":[{"code":"a8m0z00000008QDAAY","label":"Security->Authorization"}],"ARM Case Number":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Version(s)"}]

Document Information

Modified date:
07 April 2021

UID

swg21680930