WMQ JNDI look up with authentication

4
votes

For the following code 

 public class JMSSamplePut 
    {
      private static String initialContextUrl = null;
      private static String connectionFactoryFromJndi = "UM_QMGR_QCF";
      private static String queueFromJndi = "BCUFXW.EXB.ATHENA.FX.IN";
      private static String outString = "A sample text message " +
                                    "from JMSSampleput";
      private static int retryInterval = 10;
      private static int retryCount = 3;
      private static int connStatus = 1;


      /**
       * @param args
       */
      public static void main( String[] args ) 
      {

        // Variables
        Queue                   ioQueue      = null;
        QueueSession            session      = null;
        QueueSender             queueSender  = null;
        QueueConnection         connection   = null;
        QueueConnectionFactory  factory      = null;
        boolean                 transacted   = false;
        int i = 0;

        try { 
          // Instantiate the initial context for JNDI
          String contextFactory ="com.sun.jndi.fscontext.RefFSContextFactory";
          Hashtable environment = new Hashtable();
          environment.put(Context.INITIAL_CONTEXT_FACTORY, contextFactory);
          environment.put(Context.PROVIDER_URL, "file:/c:/jndi"); 
          Context context = new InitialDirContext(environment);
          System.out.println("Initial context found!");

          // Create a Queue ConnectionFactory
          factory = (QueueConnectionFactory) context.lookup(connectionFactoryFromJndi);

    ...........

The last line is failing with

caught JMSException: com.ibm.msg.client.jms.DetailedJMSSecurityException: JMSWMQ2013: The security authentication was not valid that was supplied for QueueManager '' with connection mode 'Client' and host name 'NATMIB1.hostname.net(1414)'. Please check if the supplied username and password are correct on the QueueManager you are connecting to linked exception: com.ibm.mq.MQException: JMSCMQ0001: WebSphere MQ call failed with compcode '2' ('MQCC_FAILED') reason '2035' ('MQRC_NOT_AUTHORIZED'). Finished

JVM args

-Djavax.net.ssl.keystore=c://keystore//a_dev.jks \
-Djavax.net.ssl.keyStorePassword=******** \
-Djavax.net.ssl.trustStorePassword=******** \
-Djavax.net.ssl.trustStore=c://keystore//cacerts.jks \
-Djavax.net.debug=all

Any pointers? Why is the following line?

security authentication was not valid that was supplied for QueueManager '' with connection mode 'Client' and host name 'NATMIB1.hostname.net(1414)'

Looks like the JNDI agent is not able to find the name of the QueueManager? I have the following line in .bindings file and the queue manager name is NATMIB1

UM_QMGR_QCF/RefAddr/3/Content=NATMIB1.xyz.net

Thanks in Advance

Sundar

2
ibm-mq

2 Answers

3
votes

Debugging WMQ security errors is dead-simple if you have the right tools. First, go get SupportPac MS0P and install into WMQ Explorer according to the instructions. If you do not have a modern version of WMQ Explorer, you can download it from SupportPac MS0T.

Next, enable authorization events on the QMgr and recreate the error.

At this point, right-click on the event queue in WMQ Explorer and select Format Event Messages. This will show you all aspects of the error including:

  1. The User ID that generated the error. Depending on the channel setup, exits and the client settings, the ID used may not be the one you expect.
  2. The API call that was made. Probably Connect in this case, but sometimes this is also not what you expect. For example, the IBM JMS classes will always inquire on the QMgr to get the DLQ name and if you didn't grant inquire, it fails.
  3. The exact options used for the call.
  4. The object against which the call was issued.

Once you know these elements of the error, you can identify whether it is a problem with the ID itself, the channel, the authorizations for the ID, etc.

Update

In response to a question in the comments, to enable Authorization Events use MQ Explorer or runmqsc as follows:

Command line version

For the MQ Explorer version, first right-click on the QMgr and select Properties.

enter image description here

Then select Events in the nav panel, set the events as required and click OK.

enter image description here

2
votes

In this example you're using a File System Context as the JNDI provider. The JMS objects are being stored in a flat file format in the c:/jndi directory. As you've done you can look at this file in a text editor, it's not that easy to read but you'll be able to see some elements of the object. As an aside I would recommend using the WMQ Explorer as the admin tool of choice here - that can read and update any JNDI including File System Context.

The last line is doing a lookup of an object with the name "UM_QMGR_QCF". This is only doing a lookup of the object. It wouldn't connect to the QueueManager to do this, and creation of a connection factory object won't create a connection back to the QueueManager.

The error that is being seen would come from the createConnection call. The error implies that the userid/password supplied on the createConnection call doesn't match or is not authenticated with what ever security is setup on the QM.

That error isn't connected with the SSL setup on the TCP/IP link.

For information on setting up WMQ Security you could start with this scenarion http://publib.boulder.ibm.com/infocenter/prodconn/v1r0m0/index.jsp?topic=%2Fcom.ibm.scenarios.wmqwas101.doc%2Ftopics%2Fscenario_overview.htm

I'd suggest validating where the exception is coming from - also try just doing a System.out.println() on the object that comes back from JNDI. All WMQ Admin objects will format themselves via a built in toString()