jgodden

Trying to determine cause of connection authentication error

2017-03-09T16:28:57Z | Tags: 2035 authentication connauth mqcsp password

I am trying to implement channel and connection authentication but am getting a 2035 error, MQRC_NOT_AUTHORIZED, when connecting from a client using the MQ supplied sample program amqsputc to test putting a message.

 

My setup follows, and an excerpt of the trace during the connection attempt below that.

 

$ dspmqver
Name:        WebSphere MQ
Version:     8.0.0.6
Level:       p800-006-170117
BuildType:   IKAP - (Production)
Platform:    WebSphere MQ for Linux (x86-64 platform)
Mode:        64-bit
O/S:         Linux 2.6.32-642.6.2.el6.centos.plus.x86_64
InstName:    Installation1
Primary:     Yes
InstPath:    /opt/mqm
DataPath:    /var/mqm
MaxCmdLevel: 802


Host:          mqserver1
Username:      nonadmin (password 'nonadmin' for testing). Not in the mqm group.
Queue Manager: QM1 (listening on port 1420)
Channel:       APP.SVRCONN
Local Queue:   APP.TEST

Channel authentication enabled on the queue manager:

QMGR CHLAUTH(ENABLED)

The following channel authentication records only:

CHLAUTH(SYSTEM.ADMIN.SVRCONN) TYPE(BLOCKUSER) USERLIST(nobody) DESCR(Allow users to connect using this channel)
CHLAUTH(APP.**) TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(CHANNEL) CHCKCLNT(ASQMGR)
CHLAUTH(*) TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(*NOACCESS) DESCR(Backstop rule)

Connection authentication using SYSTEM.DEFAULT.AUTHINFO.IDPWOS with CHCKCLNT(REQUIRED) and ADOPTCTX(YES)

Full authorisation (+all) of QM1 queue manager, APP.SVRCONN channel and APP.TEST queue

Environment variables set as

export MQSERVER='APP.SVRCONN/TCP/mqserver1(1420)'
export MQSAMP_USER_ID=nonadmin

With this setup, I run

/opt/mqm/samp/bin/amqsputc APP.TEST QM1

to connect to the APP.TEST queue on queue manager QM1

This correctly prompts for a password, due to the MQSAMP_USER_ID setting, but when I enter the correct password ('nonadmin' verified by logging in to that account), I get a 2035 error with the following details in the AMQERR file:

 
AMQ5542: The failed authentication check was caused by the queue manager
CONNAUTH CHCKCLNT(REQUIRED) configuration.
EXPLANATION:
The user ID 'nonadmin' and its password were checked because the queue manager
connection authority (CONNAUTH) configuration refers to an authentication
information (AUTHINFO) object named 'SYSTEM.DEFAULT.AUTHINFO.IDPWOS' with
CHCKCLNT(REQUIRED).

 

I had expected that the correct credentials for 'nonadmin' would satisfy the CHCKCLNT(REQUIRED) requirement and I would be able to connect.

 

Excerpts from the trace for this activity, just to show that it appears it is the password that is causing the failure:

 16:42:53.211534     5493.66      CONN:000008      MQCSP - UserId (nonadmin)
 16:42:53.211536     5493.66      CONN:000008 -----------{  xcsGetMemFn
 16:42:53.211538     5493.66      CONN:000008      component:28 function:218 length:8 options:0 cbmindex:8 *pointer:0x7ff3580057d0
 16:42:53.211540     5493.66      CONN:000008 -----------}  xcsGetMemFn rc=OK FunctionTime=4
 16:42:53.211542     5493.66      CONN:000008      MQCSP - password supplied
...
 16:42:53.211656     5493.66      CONN:000008      Name: /opt/mqm/bin/security/amqoamax
 16:42:53.211659     5493.66      CONN:000008      Arg 0: /opt/mqm/bin/security/amqoamax
 16:42:53.211661     5493.66      CONN:000008      Arg 1: nonadmin
 16:42:53.211668     5493.66      CONN:000008      statBuf.st_mode = 0x8168
 16:42:53.211670     5493.66      CONN:000008 -------------{  xufCheckEffectiveRights
 16:42:53.211672     5493.66      CONN:000008      Mode: 1
 16:42:53.211677     5493.66      CONN:000008 --------------{  xcsGetMemFn
 16:42:53.211685     5493.66      CONN:000008      component:24 function:583 length:262144 options:0 cbmindex:-1 *pointer:0x7ff358018080
 16:42:53.211687     5493.66      CONN:000008 --------------}  xcsGetMemFn rc=OK FunctionTime=10
 16:42:53.211691     5493.66      CONN:000008      effectiveUid: 1205, effectiveGid: 1205, st_uid: 1205, st_gid: 1205, st_mode: 0x8168
 16:42:53.211693     5493.66      CONN:000008      Effective user matches file owner
 16:42:53.211695     5493.66      CONN:000008      Effective user has the necessary access
...
 16:42:53.213475     5493.66      CONN:000008 -----------}! zfuVerifyUnixPw rc=MQRC_NOT_AUTHORIZED FunctionTime=1869
...
 16:42:53.213794     5493.66      CONN:000008      msgid:00005542 a1:00000000 a2:00000000 c1:nonadmin c2:SYSTEM.DEFAULT.AUTHI c3:CHCKCLNT(REQUIRED)
...
 16:42:53.213905     5493.66      CONN:000008      Authenticate User nonadmin about to sleep - rc 2035
...
 16:42:54.214129     5493.66      CONN:000008 ----------}! zfu_as_AuthenticateUser rc=MQRC_NOT_AUTHORIZED FunctionTime=1002607
 16:42:54.214133     5493.66      CONN:000008 ----------{  zfp_ss_unlock_service
 16:42:54.214134     5493.66      CONN:000008 ----------}  zfp_ss_unlock_service rc=OK FunctionTime=1
 16:42:54.214142     5493.66      CONN:000008 ---------}! gpiAuthenticateUser rc=lrcE_NOT_AUTHORIZED FunctionTime=1002634
 16:42:54.214147     5493.66      CONN:000008 --------}! kqiAuthenticateUser rc=lrcE_NOT_AUTHORIZED FunctionTime=1002641
 16:42:54.214151     5493.66      CONN:000008 --------{  kqiErrorEvent
 16:42:54.214153     5493.66      CONN:000008 --------}! kqiErrorEvent rc=krcI_EVENT_OFF FunctionTime=2
 16:42:54.214154     5493.66      CONN:000008 -------}! kqiAuthenticateUserForAdopt rc=lrcE_NOT_AUTHORIZED FunctionTime=1002650
 16:42:54.214156     5493.66      CONN:000008 ------}! kqiPreAdoptUserQuery rc=lrcE_NOT_AUTHORIZED FunctionTime=1002657
 16:42:54.214165     5493.66      CONN:000008      Returning an error to the AI Layer: CompCode 2 Reason 7f3 (rc 545261555)MQRC_NOT_AUTHORIZED
 16:42:54.214168     5493.66      CONN:000008      CompCode:2 Reason:2035

 

I have spent a lot of time trying to find the cause, without success. What am I missing here?

 

Any insight much appreciated.

Updated on 2017-03-10T16:56:20Z by jgodden
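
The call chain in the trace excerpt above can be read mechanically: the deepest-nested error exit is where the 2035 was first raised, and the logged st_mode can be decoded into ordinary permission bits. This is an added example, not part of the original post and not IBM code. The parsing rules (a `}!` marker for an error exit, the dash run as nesting depth) are assumptions inferred from the excerpt's layout, and the embedded lines are copied from that excerpt.

```python
import re
import stat

# Lines copied from the trace excerpt in the post above (hex dump omitted).
TRACE = """\
 16:42:53.211691     5493.66      CONN:000008      effectiveUid: 1205, effectiveGid: 1205, st_uid: 1205, st_gid: 1205, st_mode: 0x8168
 16:42:53.213475     5493.66      CONN:000008 -----------}! zfuVerifyUnixPw rc=MQRC_NOT_AUTHORIZED FunctionTime=1869
 16:42:54.214129     5493.66      CONN:000008 ----------}! zfu_as_AuthenticateUser rc=MQRC_NOT_AUTHORIZED FunctionTime=1002607
 16:42:54.214134     5493.66      CONN:000008 ----------}  zfp_ss_unlock_service rc=OK FunctionTime=1
 16:42:54.214142     5493.66      CONN:000008 ---------}! gpiAuthenticateUser rc=lrcE_NOT_AUTHORIZED FunctionTime=1002634
 16:42:54.214153     5493.66      CONN:000008 --------}! kqiErrorEvent rc=krcI_EVENT_OFF FunctionTime=2
 16:42:54.214156     5493.66      CONN:000008 ------}! kqiPreAdoptUserQuery rc=lrcE_NOT_AUTHORIZED FunctionTime=1002657
"""

# Assumed layout of a function exit: dash run (nesting depth), "}",
# "!" when the call returned an error, function name, return code.
EXIT_RE = re.compile(r"\s(-+)\}(!?)\s+(\w+) rc=(\w+)")
MODE_RE = re.compile(r"st_uid: (\d+), st_gid: (\d+), st_mode: (0x[0-9a-fA-F]+)")


def failed_exits(trace, rc_filter="NOT_AUTHORIZED"):
    """Return (depth, function, rc) for error exits whose rc contains rc_filter."""
    out = []
    for line in trace.splitlines():
        m = EXIT_RE.search(line)
        if m and m.group(2) == "!" and rc_filter in m.group(4):
            out.append((len(m.group(1)), m.group(3), m.group(4)))
    return out


def innermost_failure(trace):
    """Deepest-nested failing call, i.e. where the error was first raised."""
    fails = failed_exits(trace)
    return max(fails, key=lambda f: f[0]) if fails else None


def file_checks(trace):
    """Decode each logged st_mode into ls-style permissions plus owner ids."""
    return [(stat.filemode(int(mode, 16)), int(uid), int(gid))
            for uid, gid, mode in MODE_RE.findall(trace)]


if __name__ == "__main__":
    print(innermost_failure(TRACE))
    print(file_checks(TRACE))
```

On these lines the innermost failing call is zfuVerifyUnixPw, and st_mode 0x8168 decodes to -r-xr-x--- with owner uid and gid 1205.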