8NDE_Carlo_Turi

Pinned topic .NET client connecting MQ Manager

‏2013-07-30T18:35:24Z |

Hi everyone,

I have a question.

I developed a client using .NET MQ libraries. The client must connect to a QueueManager on another server.

The problem is that I always receive a 2035 - MQRC_NOT_AUTHORIZED.

I have a user id authorized in MQ server, "da7392mq".

If I run my client as "da7392mq" user, everything works. But I need my client to run as LOCAL SYSTEM ACCOUNT.

For this reason, I set these properties:

    using System.Collections;
    using IBM.WMQ;

    // Connection properties for a client-mode connection
    Hashtable properties = new Hashtable();
    properties.Add(MQC.USER_ID_PROPERTY, userId);      // user id asserted by the client
    properties.Add(MQC.HOST_NAME_PROPERTY, server);
    properties.Add(MQC.PORT_PROPERTY, port);
    properties.Add(MQC.CHANNEL_PROPERTY, channelName);

    MQQueueManager mqQMgr = new MQQueueManager(queueManagerName, properties);

But I always get the 2035 error.

I noticed that if the user da7392mq is an MCA user for the channel, it works. But my company's policies don't allow the use of an MCA user, for security reasons.

How can I send the correct information to the QueueManager in order to connect?

 

Thanks in advance

Updated on 2013-07-30T18:47:30Z at 2013-07-30T18:47:30Z by 8NDE_Carlo_Turi
  • GBaddeley

    Re: .NET client connecting MQ Manager

    ‏2013-07-30T23:36:11Z  

    >But my company's policies don't allow the use of an MCA user, for security reasons.

    Sorry, I don't understand. Most companies insist on setting the MCAUSER attribute on SVRCONN channels to a non-blank userid that only has the required authorities to the MQ objects (queues) it needs to use, which are granted via OS group memberships. Other security controls such as SSL, CHLAUTH and Channel Security Exits can also be used.

    You should not be attempting to set the userid for the MQ client channel in your application. This is untrusted and insecure.

    HTH, G.

  • 8NDE_Carlo_Turi

    Re: .NET client connecting MQ Manager

    ‏2013-07-31T01:02:17Z  
    Thanks for the answer.

    I'm new to WebSphere MQ, I don't know a lot about it. I just had the task to develop a client to connect to a queue.

    They said that they don't use MCA user, don't know why :) So I was trying to find a solution...

     

    Good to know, anyway. I'll tell them! 

  • GBaddeley

    Re: .NET client connecting MQ Manager

    ‏2013-08-01T00:50:48Z  

    OK. There should be no need to set the userid property. If MQ was honoring that setting, you could set it to 'mqm' (if queue manager is on UNIX) and have full administrator access to MQ and full access to all message queues and queued messages!
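
The channel-side setup the replies describe, as an added MQSC example that is not from any poster in this thread: the SVRCONN channel carries a fixed low-privilege MCAUSER, CHLAUTH limits which host may use it, and authority is granted to an OS group. The channel name, queue name, group name and client address are assumptions; SET CHLAUTH and SET AUTHREC require WebSphere MQ 7.1 or later.

```mqsc
* Added example, run in runmqsc on the queue manager.
* Assumed names: channel APP1.SVRCONN, queue APP1.REQUEST, OS group mqapp1,
* client host 192.0.2.10. da7392mq is the user id from the question and is
* assumed to be a member of mqapp1 with no other MQ authority.

* Weak setting (shown commented out): a blank MCAUSER lets the channel run
* under whatever user id the client asserts.
* DEFINE CHANNEL('APP1.SVRCONN') CHLTYPE(SVRCONN) TRPTYPE(TCP) MCAUSER(' ')

* Corrected setting: channel authentication on, fixed non-blank MCAUSER.
ALTER QMGR CHLAUTH(ENABLED)

DEFINE CHANNEL('APP1.SVRCONN') CHLTYPE(SVRCONN) TRPTYPE(TCP) +
       MCAUSER('da7392mq') REPLACE

* Refuse every address on this channel, then admit only the client host
* and map it to the low-privilege id regardless of what the client sends.
SET CHLAUTH('APP1.SVRCONN') TYPE(ADDRESSMAP) ADDRESS('*') +
    USERSRC(NOACCESS)
SET CHLAUTH('APP1.SVRCONN') TYPE(ADDRESSMAP) ADDRESS('192.0.2.10') +
    USERSRC(MAP) MCAUSER('da7392mq')

* Grant only what the application needs, through the OS group.
SET AUTHREC OBJTYPE(QMGR) GROUP('mqapp1') AUTHADD(CONNECT,INQ)
SET AUTHREC PROFILE('APP1.REQUEST') OBJTYPE(QUEUE) GROUP('mqapp1') +
    AUTHADD(PUT,GET,INQ,BROWSE)

* Check the rules, and the user id actually applied to a running connection.
DISPLAY CHLAUTH('APP1.SVRCONN') ALL
DISPLAY CHSTATUS('APP1.SVRCONN') MCAUSER
```

With this in place the client supplies only the host, port and channel properties, and the MCAUSER value reported by DISPLAY CHSTATUS is the identity used for authority checks.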