12 replies Latest Post - ‏2013-02-14T12:12:16Z by SystemAdmin
SystemAdmin

Pinned topic Testing cluster with channel authentication in WebSphere mq 7.5

‏2012-10-30T15:45:15Z |
Hi,

I am testing a queue manager cluster. I have a sample program which sends messages to the cluster queue. Channel authentication is enabled. I am using a non-administrator userid to access the queue manager; while connecting, it throws error '2035' ('MQRC_NOT_AUTHORIZED'). It works fine if I disable channel authentication, and for a standalone queue manager.

If I enable channel authentication, I'm getting 2035.

Please help me.

Amar
Updated on 2014-03-06T11:54:47Z at 2014-03-06T11:54:47Z by Morag Hughson
  • Shashikanth@BLR

    Re: Testing cluster with channel authentication in WebSphere mq 7.5

    ‏2012-11-03T13:32:57Z  in response to SystemAdmin
    Security has been beefed up in WebSphere MQ v7.5. By default, channel authentication is enabled, and it's for a valid reason. You would want only authorized users to connect to the queue manager. Accessing queue managers using SYSTEM.* channels is blocked.

    The best practice is to create your own SVRCONN channel and create a channel authentication record for the user you want to allow access to queue manager. This way you will know who is connecting to your queue manager. Please follow http://pic.dhe.ibm.com/infocenter/wmqv7/v7r5/topic/com.ibm.mq.doc/zs14190_.htm for more details on channel authentication.
    • SystemAdmin

      Re: Testing cluster with channel authentication in WebSphere mq 7.5

      ‏2012-11-05T06:47:02Z  in response to Shashikanth@BLR
      Thanks for the reply Sashi.

      I have created my own channels for the cluster as below. I have authorized an administrative user to connect to the queue manager.
      define CHANNEL(TO.AJ1) CHLTYPE(CLUSRCVR) TRPTYPE(TCP) CONNAME('9.55.49.220(6543)') CLUSTER(INVENTORY)
      define CHANNEL(TO.AJ2) CHLTYPE(CLUSSDR) TRPTYPE(TCP) CONNAME('9.55.49.221(6543)') CLUSTER(INVENTORY)

      The output of DISPLAY CHLAUTH(*) is
      1 : DISPLAY CHLAUTH(*)
      AMQ8878: Display channel authentication record details.
      CHLAUTH(SYSTEM.ADMIN.SVRCONN) TYPE(ADDRESSMAP)
      ADDRESS(*) USERSRC(CHANNEL)
      AMQ8878: Display channel authentication record details.
      CHLAUTH(SYSTEM.ADMIN.SVRCONN) TYPE(BLOCKUSER)
      USERLIST(nobody)
      AMQ8878: Display channel authentication record details.
      CHLAUTH(TO.AJ1) TYPE(ADDRESSMAP)
      ADDRESS(9.55.49.220) MCAUSER(mquser)
      AMQ8878: Display channel authentication record details.
      CHLAUTH(TO.AJ1) TYPE(ADDRESSMAP)
      ADDRESS(9.55.49.221) MCAUSER(mquser)
      AMQ8878: Display channel authentication record details.
      CHLAUTH(TO.AJ2) TYPE(ADDRESSMAP)
      ADDRESS(9.55.49.220) MCAUSER(mquser)
      AMQ8878: Display channel authentication record details.
      CHLAUTH(TO.AJ2) TYPE(ADDRESSMAP)
      ADDRESS(9.55.49.221) MCAUSER(mquser)
      AMQ8878: Display channel authentication record details.
      CHLAUTH(SYSTEM.*) TYPE(ADDRESSMAP)
      ADDRESS(*) USERSRC(NOACCESS)
      AMQ8878: Display channel authentication record details.
      CHLAUTH(*) TYPE(ADDRESSMAP)
      ADDRESS(9.55.*) USERSRC(CHANNEL)
      I still get 2035 MQRC_NOT_AUTHORIZED error.
      • fjb_saper

        Re: Testing cluster with channel authentication in WebSphere mq 7.5

        ‏2012-11-12T03:31:07Z  in response to SystemAdmin
        I do hope that mquser is not part of group mqm.
        Any administrative type of connection via a SVRCONN channel is by default refused.
        • SystemAdmin

          Re: Testing cluster with channel authentication in WebSphere mq 7.5

          ‏2012-11-14T05:26:02Z  in response to fjb_saper
          Yes, mqmuser does not belong to the administrative group (mqm).
      • SystemAdmin

        Re: Testing cluster with channel authentication in WebSphere mq 7.5

        ‏2012-11-21T16:07:16Z  in response to SystemAdmin
        May I suggest you look for the error message in your AMQERR01.LOG that indicates the channel has been blocked. In that error message will be the various characteristics of the inbound channel connection in question, channel name, ip address, remote queue manager name or client user ID depending on the type of channel, and SSL Peer name if SSL is in use.

        You can then take the information from that error message and form a DISPLAY CHLAUTH(chl-name) MATCH(RUNCHECK) .... command which will tell you exactly why that channel is being refused entry.

        If you are unsure of how to do this, please post the contents of the "channel is blocked" error message and I will take you through it.

        Cheers
        Morag
        • SystemAdmin

          Re: Testing cluster with channel authentication in WebSphere mq 7.5

          ‏2013-01-24T16:38:08Z  in response to SystemAdmin
          Hi Morag,

          Below is the output for AMQERR01.LOG
          cmqxrmsa.c : 910
          10/25/12 08:52:43 - Process(6095024.42) User(mqm) Program(amqrmppa)
          Host(dubua018v02) Installation(Installation1)
          VRMF(7.5.0.0) QMgr(INDUSQM1)

          AMQ9999: Channel 'SYSTEM.DEF.SVRCONN' to host 'dubua018v01 (9.55.49.220)' ended
          abnormally.

          EXPLANATION:
          The channel program running under process ID 6095024 for channel
          'SYSTEM.DEF.SVRCONN' ended abnormally. The host name is 'dubua018v01
          (9.55.49.220)'; in some cases the host name cannot be determined and so is
          shown as '????'.
          ACTION:
          Look at previous error messages for the channel program in the error logs to
          determine the cause of the failure. Note that this message can be excluded
          completely or suppressed by tuning the "ExcludeMessage" or "SuppressMessage"
          attributes under the "QMErrorLog" stanza in qm.ini. Further information can be
          found in the System Administration Guide.

          amqrmrsa.c : 898
          10/25/12 09:00:14 - Process(6095024.44) User(mqm) Program(amqrmppa)
          Host(dubua018v02) Installation(Installation1)
          VRMF(7.5.0.0) QMgr(INDUSQM1)

          AMQ9777: Channel was blocked

          EXPLANATION:
          The inbound channel 'SYSTEM.DEF.SVRCONN' was blocked from address '9.55.49.220'
          because the active values of the channel matched a record configured with
          USERSRC(NOACCESS). The active values of the channel were 'CLNTUSER(mqm)'.
          ACTION:
          Contact the systems administrator, who should examine the channel
          authentication records to ensure that the correct settings have been
          configured. The ALTER QMGR CHLAUTH switch is used to control whether channel
          authentication records are used. The command DISPLAY CHLAUTH can be used to
          query the channel authentication records.

          cmqxrmsa.c : 910
          10/25/12 09:00:14 - Process(6095024.44) User(mqm) Program(amqrmppa)
          Host(dubua018v02) Installation(Installation1)
          VRMF(7.5.0.0) QMgr(INDUSQM1)

          AMQ9999: Channel 'SYSTEM.DEF.SVRCONN' to host 'dubua018v01 (9.55.49.220)' ended
          abnormally.

          EXPLANATION:
          The channel program running under process ID 6095024 for channel
          'SYSTEM.DEF.SVRCONN' ended abnormally. The host name is 'dubua018v01
          (9.55.49.220)'; in some cases the host name cannot be determined and so is
          shown as '????'.
          ACTION:
          Look at previous error messages for the channel program in the error logs to
          determine the cause of the failure. Note that this message can be excluded
          completely or suppressed by tuning the "ExcludeMessage" or "SuppressMessage"
          attributes under the "QMErrorLog" stanza in qm.ini. Further information can be
          found in the System Administration Guide.

          amqrmrsa.c : 898
          10/25/12 09:14:11 - Process(6095024.46) User(mqm) Program(amqrmppa)
          Host(dubua018v02) Installation(Installation1)
          VRMF(7.5.0.0) QMgr(INDUSQM1)

          AMQ9777: Channel was blocked

          EXPLANATION:
          The inbound channel 'SYSTEM.DEF.SVRCONN' was blocked from address '9.55.49.220'
          because the active values of the channel matched a record configured with
          USERSRC(NOACCESS). The active values of the channel were 'CLNTUSER(mqm)'.
          ACTION:
          Contact the systems administrator, who should examine the channel
          authentication records to ensure that the correct settings have been
          configured. The ALTER QMGR CHLAUTH switch is used to control whether channel
          authentication records are used. The command DISPLAY CHLAUTH can be used to
          query the channel authentication records.

          cmqxrmsa.c : 910
          10/25/12 09:14:11 - Process(6095024.46) User(mqm) Program(amqrmppa)
          Host(dubua018v02) Installation(Installation1)
          VRMF(7.5.0.0) QMgr(INDUSQM1)

          AMQ9999: Channel 'SYSTEM.DEF.SVRCONN' to host 'dubua018v01 (9.55.49.220)' ended
          abnormally.

          EXPLANATION:
          The channel program running under process ID 6095024 for channel
          'SYSTEM.DEF.SVRCONN' ended abnormally. The host name is 'dubua018v01
          (9.55.49.220)'; in some cases the host name cannot be determined and so is
          shown as '????'.
          ACTION:
          Look at previous error messages for the channel program in the error logs to
          determine the cause of the failure. Note that this message can be excluded
          completely or suppressed by tuning the "ExcludeMessage" or "SuppressMessage"
          attributes under the "QMErrorLog" stanza in qm.ini. Further information can be
          found in the System Administration Guide.

          amqrmrsa.c : 898
          10/25/12 09:15:52 - Process(6095024.48) User(mqm) Program(amqrmppa)
          Host(dubua018v02) Installation(Installation1)
          VRMF(7.5.0.0) QMgr(INDUSQM1)

          AMQ9777: Channel was blocked

          EXPLANATION:
          The inbound channel 'SYSTEM.DEF.SVRCONN' was blocked from address '9.55.49.221'
          because the active values of the channel matched a record configured with
          USERSRC(NOACCESS). The active values of the channel were 'CLNTUSER(mqm)'.
          ACTION:
          Contact the systems administrator, who should examine the channel
          authentication records to ensure that the correct settings have been
          configured. The ALTER QMGR CHLAUTH switch is used to control whether channel
          authentication records are used. The command DISPLAY CHLAUTH can be used to
          query the channel authentication records.

          cmqxrmsa.c : 910
          10/25/12 09:15:52 - Process(6095024.48) User(mqm) Program(amqrmppa)
          Host(dubua018v02) Installation(Installation1)
          VRMF(7.5.0.0) QMgr(INDUSQM1)

          AMQ9999: Channel 'SYSTEM.DEF.SVRCONN' to host 'dubua018v02 (9.55.49.221)' ended
          abnormally.

          EXPLANATION:
          The channel program running under process ID 6095024 for channel
          'SYSTEM.DEF.SVRCONN' ended abnormally. The host name is 'dubua018v02
          (9.55.49.221)'; in some cases the host name cannot be determined and so is
          shown as '????'.
          ACTION:
          Look at previous error messages for the channel program in the error logs to
          determine the cause of the failure. Note that this message can be excluded
          completely or suppressed by tuning the "ExcludeMessage" or "SuppressMessage"
          attributes under the "QMErrorLog" stanza in qm.ini. Further information can be
          found in the System Administration Guide.

          amqrmrsa.c : 898
          10/25/12 09:24:07 - Process(6095024.50) User(mqm) Program(amqrmppa)
          Host(dubua018v02) Installation(Installation1)
          VRMF(7.5.0.0) QMgr(INDUSQM1)

          AMQ9777: Channel was blocked

          EXPLANATION:
          The inbound channel 'SYSTEM.DEF.SVRCONN' was blocked from address '9.55.49.221'
          because the active values of the channel matched a record configured with
          USERSRC(NOACCESS). The active values of the channel were 'CLNTUSER(test1)'.
          ACTION:
          Contact the systems administrator, who should examine the channel
          authentication records to ensure that the correct settings have been
          configured. The ALTER QMGR CHLAUTH switch is used to control whether channel
          authentication records are used. The command DISPLAY CHLAUTH can be used to
          query the channel authentication records.

          cmqxrmsa.c : 910
          10/25/12 09:24:07 - Process(6095024.50) User(mqm) Program(amqrmppa)
          Host(dubua018v02) Installation(Installation1)
          VRMF(7.5.0.0) QMgr(INDUSQM1)

          AMQ9999: Channel 'SYSTEM.DEF.SVRCONN' to host 'dubua018v02 (9.55.49.221)' ended
          abnormally.

          EXPLANATION:
          The channel program running under process ID 6095024 for channel
          'SYSTEM.DEF.SVRCONN' ended abnormally. The host name is 'dubua018v02
          (9.55.49.221)'; in some cases the host name cannot be determined and so is
          shown as '????'.
          ACTION:
          Look at previous error messages for the channel program in the error logs to
          determine the cause of the failure. Note that this message can be excluded
          completely or suppressed by tuning the "ExcludeMessage" or "SuppressMessage"
          attributes under the "QMErrorLog" stanza in qm.ini. Further information can be
          found in the System Administration Guide.

          amqrmrsa.c : 898
          10/25/12 09:25:30 - Process(6095024.52) User(mqm) Program(amqrmppa)
          Host(dubua018v02) Installation(Installation1)
          VRMF(7.5.0.0) QMgr(INDUSQM1)

          AMQ9777: Channel was blocked

          EXPLANATION:
          The inbound channel 'SYSTEM.DEF.SVRCONN' was blocked from address '9.55.49.221'
          because the active values of the channel matched a record configured with
          USERSRC(NOACCESS). The active values of the channel were 'CLNTUSER(test1)'.
          ACTION:
          Contact the systems administrator, who should examine the channel
          authentication records to ensure that the correct settings have been
          configured. The ALTER QMGR CHLAUTH switch is used to control whether channel
          authentication records are used. The command DISPLAY CHLAUTH can be used to
          query the channel authentication records.

          cmqxrmsa.c : 910
          10/25/12 09:25:30 - Process(6095024.52) User(mqm) Program(amqrmppa)
          Host(dubua018v02) Installation(Installation1)
          VRMF(7.5.0.0) QMgr(INDUSQM1)

          AMQ9999: Channel 'SYSTEM.DEF.SVRCONN' to host 'dubua018v02 (9.55.49.221)' ended
          abnormally.

          EXPLANATION:
          The channel program running under process ID 6095024 for channel
          'SYSTEM.DEF.SVRCONN' ended abnormally. The host name is 'dubua018v02
          (9.55.49.221)'; in some cases the host name cannot be determined and so is
          shown as '????'.
          ACTION:
          Look at previous error messages for the channel program in the error logs to
          determine the cause of the failure. Note that this message can be excluded
          completely or suppressed by tuning the "ExcludeMessage" or "SuppressMessage"
          attributes under the "QMErrorLog" stanza in qm.ini. Further information can be
          found in the System Administration Guide.

          amqrmrsa.c : 898
          10/25/12 09:28:57 - Process(6095024.54) User(mqm) Program(amqrmppa)
          Host(dubua018v02) Installation(Installation1)
          VRMF(7.5.0.0) QMgr(INDUSQM1)

          AMQ9777: Channel was blocked

          EXPLANATION:
          The inbound channel 'SYSTEM.DEF.SVRCONN' was blocked from address '9.55.49.220'
          because the active values of the channel matched a record configured with
          USERSRC(NOACCESS). The active values of the channel were 'CLNTUSER(mqm)'.
          ACTION:
          Contact the systems administrator, who should examine the channel
          authentication records to ensure that the correct settings have been
          configured. The ALTER QMGR CHLAUTH switch is used to control whether channel
          authentication records are used. The command DISPLAY CHLAUTH can be used to
          query the channel authentication records.

          cmqxrmsa.c : 910
          10/25/12 09:28:57 - Process(6095024.54) User(mqm) Program(amqrmppa)
          Host(dubua018v02) Installation(Installation1)
          VRMF(7.5.0.0) QMgr(INDUSQM1)

          AMQ9999: Channel 'SYSTEM.DEF.SVRCONN' to host 'dubua018v01 (9.55.49.220)' ended
          abnormally.

          EXPLANATION:
          The channel program running under process ID 6095024 for channel
          'SYSTEM.DEF.SVRCONN' ended abnormally. The host name is 'dubua018v01
          (9.55.49.220)'; in some cases the host name cannot be determined and so is
          shown as '????'.
          ACTION:
          Look at previous error messages for the channel program in the error logs to
          determine the cause of the failure. Note that this message can be excluded
          completely or suppressed by tuning the "ExcludeMessage" or "SuppressMessage"
          attributes under the "QMErrorLog" stanza in qm.ini. Further information can be
          found in the System Administration Guide.

          amqrmrsa.c : 898
          10/25/12 09:29:29 - Process(6095024.56) User(mqm) Program(amqrmppa)
          Host(dubua018v02) Installation(Installation1)
          VRMF(7.5.0.0) QMgr(INDUSQM1)

          AMQ9777: Channel was blocked

          EXPLANATION:
          The inbound channel 'SYSTEM.DEF.SVRCONN' was blocked from address '9.55.49.220'
          because the active values of the channel matched a record configured with
          USERSRC(NOACCESS). The active values of the channel were 'CLNTUSER(mqm)'.
          ACTION:
          Contact the systems administrator, who should examine the channel
          authentication records to ensure that the correct settings have been
          configured. The ALTER QMGR CHLAUTH switch is used to control whether channel
          authentication records are used. The command DISPLAY CHLAUTH can be used to
          query the channel authentication records.

          cmqxrmsa.c : 910
          10/25/12 09:29:29 - Process(6095024.56) User(mqm) Program(amqrmppa)
          Host(dubua018v02) Installation(Installation1)
          VRMF(7.5.0.0) QMgr(INDUSQM1)

          AMQ9999: Channel 'SYSTEM.DEF.SVRCONN' to host 'dubua018v01 (9.55.49.220)' ended
          abnormally.

          EXPLANATION:
          The channel program running under process ID 6095024 for channel
          'SYSTEM.DEF.SVRCONN' ended abnormally. The host name is 'dubua018v01
          (9.55.49.220)'; in some cases the host name cannot be determined and so is
          shown as '????'.
          ACTION:
          Look at previous error messages for the channel program in the error logs to
          determine the cause of the failure. Note that this message can be excluded
          completely or suppressed by tuning the "ExcludeMessage" or "SuppressMessage"
          attributes under the "QMErrorLog" stanza in qm.ini. Further information can be
          found in the System Administration Guide.

          amqrmrsa.c : 898
          10/30/12 12:42:55 - Process(6095024.59) User(mqm) Program(amqrmppa)
          Host(dubua018v02) Installation(Installation1)
          VRMF(7.5.0.0) QMgr(INDUSQM1)

          AMQ9207: The data received from host 'iss06 (9.42.115.206)' on channel '????'
          is not valid.

          EXPLANATION:
          Incorrect data format received from host 'iss06 (9.42.115.206)' over TCP/IP. It
          may be that an unknown host is attempting to send data. An FFST file has been
          generated containing the invalid data received.

          The channel name is '????'; in some cases it cannot be determined and so is
          shown as '????'.
          ACTION:
          Tell the systems administrator.

          amqccita.c : 3842
          10/30/12 12:42:55 - Process(6095024.59) User(mqm) Program(amqrmppa)
          Host(dubua018v02) Installation(Installation1)
          VRMF(7.5.0.0) QMgr(INDUSQM1)

          AMQ9492: The TCP/IP responder program encountered an error.

          EXPLANATION:
          The responder program was started but detected an error.

          The host name was 'iss06 (9.42.115.206)'; in some cases the host name cannot be
          determined and so is shown as '????'.
          ACTION:
          Look at previous error messages in the error files to determine the error
          encountered by the responder program.

          amqrmrsa.c : 889
          10/31/12 08:09:13 - Process(6095024.62) User(mqm) Program(amqrmppa)
          Host(dubua018v02) Installation(Installation1)
          VRMF(7.5.0.0) QMgr(INDUSQM1)

          AMQ9002: Channel 'TO.INDUSQM2' is starting.

          EXPLANATION:
          Channel 'TO.INDUSQM2' is starting.
          ACTION:
          None.
          • SystemAdmin

            Re: Testing cluster with channel authentication in WebSphere mq 7.5

            ‏2013-01-24T17:54:57Z  in response to SystemAdmin
            So the error message shows that the user ID from the client machine is mqm

            CLNTUSER(mqm)

            therefore this would be blocked by one of the default CHLAUTH rules. The one with *MQADMIN in it.

            Cheers
            Morag
          • SystemAdmin

            Re: Testing cluster with channel authentication in WebSphere mq 7.5

            ‏2013-01-24T17:59:20Z  in response to SystemAdmin
            To use the DISPLAY CHLAUTH MATCH(RUNCHECK) command to find out which rule you are matching against from the error message, here's what to do.

            10/25/12 09:00:14 - Process(6095024.44) User(mqm) Program(amqrmppa)
            Host(dubua018v02) Installation(Installation1)
            VRMF(7.5.0.0) QMgr(INDUSQM1)

            AMQ9777: Channel was blocked

            EXPLANATION:
            The inbound channel 'SYSTEM.DEF.SVRCONN' was blocked from address '9.55.49.220'
            because the active values of the channel matched a record configured with
            USERSRC(NOACCESS). The active values of the channel were 'CLNTUSER(mqm)'.
            ACTION:
            Contact the systems administrator, who should examine the channel
            authentication records to ensure that the correct settings have been
            configured. The ALTER QMGR CHLAUTH switch is used to control whether channel
            authentication records are used. The command DISPLAY CHLAUTH can be used to
            query the channel authentication records.

            DISPLAY CHLAUTH(chl-name-from-error-message) MATCH(RUNCHECK) ADDRESS(ip-address-from-error-message) CLNTUSER(from-error-message)

            thus:-

            DISPLAY CHLAUTH('SYSTEM.DEF.SVRCONN') MATCH(RUNCHECK) ADDRESS('9.55.49.220') CLNTUSER('mqm')

            Issue that and see what record it says it is matching against.

            Cheers
            Morag
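
The step described in the post above, turning each AMQ9777 entry of AMQERR01.LOG into the matching DISPLAY CHLAUTH ... MATCH(RUNCHECK) command, as an added Python example (not part of the original thread and not IBM tooling). The function names and the sample log are constructed for illustration, and the message wording is assumed to match the 7.5 entries quoted in this thread.

```python
import re
from collections import Counter

# Text of an AMQ9777 entry once the log's line wrapping has been collapsed.
BLOCKED = re.compile(
    r"The inbound channel '(?P<chl>[^']+)' was blocked from address "
    r"'(?P<addr>[^']+)' because .*?"
    r"The active values of the channel were '(?P<active>[^']*)'"
)
ACTIVE = re.compile(r"(\w+)\(([^)]*)\)")
# Connection attributes that DISPLAY CHLAUTH ... MATCH(RUNCHECK) accepts.
RUNCHECK_KEYS = ("CLNTUSER", "QMNAME", "SSLPEER")
# Log fields are partly client-supplied; only plain characters are copied
# into a generated command, anything else is skipped for manual review.
SAFE = re.compile(r"[\w.:%/*=, @-]+")


def blocked_connections(log_text):
    """Yield (channel, address, attrs) for every AMQ9777 entry in the log."""
    for chunk in log_text.split("AMQ9777:")[1:]:
        # Keep only the EXPLANATION part and undo the 80-column wrapping.
        body = " ".join(chunk.split("ACTION:")[0].split())
        m = BLOCKED.search(body)
        if m:
            attrs = {k: v for k, v in ACTIVE.findall(m["active"])
                     if k in RUNCHECK_KEYS and v}
            yield m["chl"], m["addr"], attrs


def runcheck_command(channel, address, attrs):
    """Build the MQSC command that reports which CHLAUTH record matched."""
    parts = [f"DISPLAY CHLAUTH('{channel}') MATCH(RUNCHECK)",
             f"ADDRESS('{address}')"]
    parts += [f"{k}('{attrs[k]}')" for k in RUNCHECK_KEYS if k in attrs]
    return " ".join(parts)


def runcheck_plan(log_text):
    """Return [(command, occurrences)], most frequently blocked first."""
    counts = Counter()
    for chl, addr, attrs in blocked_connections(log_text):
        if all(SAFE.fullmatch(v) for v in (chl, addr, *attrs.values())):
            counts[runcheck_command(chl, addr, attrs)] += 1
    return counts.most_common()


def sample_entry(stamp, addr, user):
    """Constructed AMQ9777 entry in the layout of the log quoted above."""
    return f"""amqrmrsa.c : 898
{stamp} - Process(6095024.44) User(mqm) Program(amqrmppa)
Host(dubua018v02) Installation(Installation1)
VRMF(7.5.0.0) QMgr(INDUSQM1)

AMQ9777: Channel was blocked

EXPLANATION:
The inbound channel 'SYSTEM.DEF.SVRCONN' was blocked from address '{addr}'
because the active values of the channel matched a record configured with
USERSRC(NOACCESS). The active values of the channel were 'CLNTUSER({user})'.
ACTION:
Contact the systems administrator.

"""


# Constructed sample input; an AMQ9999 line is included to show it is ignored.
SAMPLE_LOG = (
    sample_entry("10/25/12 09:00:14", "9.55.49.220", "mqm")
    + "AMQ9999: Channel 'SYSTEM.DEF.SVRCONN' to host 'dubua018v01' ended\n"
    + "abnormally.\n\n"
    + sample_entry("10/25/12 09:24:07", "9.55.49.221", "test1")
    + sample_entry("10/25/12 09:28:57", "9.55.49.220", "mqm")
)

if __name__ == "__main__":
    for command, seen in runcheck_plan(SAMPLE_LOG):
        print(f"{seen}x  {command}")
```

Each distinct command is emitted once with its block count, so a noisy log collapses to the handful of RUNCHECK queries worth pasting into runmqsc.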
            • SystemAdmin

              Re: Testing cluster with channel authentication in WebSphere mq 7.5

              ‏2013-01-24T18:11:37Z  in response to SystemAdmin
              This is the output,

              AMQ8878: Display channel authentication record details.
              CHLAUTH(SYSTEM.*) TYPE(ADDRESSMAP)
              ADDRESS(*) USERSRC(NOACCESS)
              • SystemAdmin

                Re: Testing cluster with channel authentication in WebSphere mq 7.5

                ‏2013-01-24T23:55:40Z  in response to SystemAdmin
                So now you know which rule to either remove, or that you need to use a channel name that doesn't match SYSTEM.*.

                Cheers
                Morag
                • SystemAdmin

                  Re: Testing cluster with channel authentication in WebSphere mq 7.5

                  ‏2013-01-29T10:28:03Z  in response to SystemAdmin
                  Hi Morag,

                  Thanks for all your help. The authentication issue got resolved by creating a new channel (not using the OOB SYSTEM.DEF.SVRCONN) and using a non-privileged user ID.

                  I created the new channel by following the steps mentioned in
                  http://publib.boulder.ibm.com/infocenter/wmqv7/v7r1/index.jsp?topic=%2Fcom.ibm.mq.doc%2Ffg17050_.htm .

                  I was able to send messages to the cluster queue.

                  Thanks a ton again.

                  Regards,
                  Amar