DetailedJMSSecurityException while trying to access queue in IBM MQ

1
votes

Here is my problem.

I am using trial version of IBM MQ V7.1. I have created a queue manager MYQM, a channel MY_SVRCONN with MCA User Id abc. I have provided user abc to access MYQM. I am trying to put a message into the queue Q1. But while getting the queue connection i am getting below exception.

com.ibm.msg.client.jms.DetailedJMSSecurityException: JMSWMQ2013: The security authentication was not valid that was supplied for QueueManager 'MYQM' with connection mode 'Client' and host name '(1500)'. Please check if the supplied username and password are correct on the QueueManager to which you are connecting.

I have used below command to allow user abc to access MYQM.

[mqm@localhost ~]$ setmqaut -m MYQM -t qmgr -p abc +connect
The setmqaut command completed successfully.

Here is my Java program

 public class MqPut
 {
     public static void main(String[] args)
     {
      sendMsg("Sample Message");
     }
     public static void sendMsg(String msg)
     {
       MQQueueConnectionFactory connectionFactory = null;
       QueueConnection queueConn = null;
       QueueSession queueSession = null;
       QueueSender queueSender = null;
       TextMessage message = null;

       try
       {
         connectionFactory = new MQQueueConnectionFactory();
         connectionFactory.setHostName(<MQ SERVER IP>);
         connectionFactory.setPort(1500);
         connectionFactory.setTransportType(WMQConstants.WMQ_CLIENT_NONJMS_MQ);
         connectionFactory.setQueueManager("MYQM");
         connectionFactory.setChannel("MY_SVRCONN");   
         queueConn = connectionFactory.createQueueConnection("abc","password");
         queueSession = queueConn.createQueueSession(false, Session.AUTO_ACKNOWLEDGE);
         queueSender = queueSession.createSender(queueSession.createQueue("Q"));   
         queueSender.setDeliveryMode(DeliveryMode.NON_PERSISTENT);   
         message = queueSession.createTextMessage(msg);
         queueSender.send(message);
         queueConn.close();
       }
       catch (Exception je)
       {
           je.printStackTrace();
       }
   }   
  }

I have tried with WebSphere 7, configuring JMS Q connection factory without user id: MQRC_NOT_AUTHORIZED, but still my problem persist. I am not getting what I am doing wrong. Any help is appreciated.

EDIT

User abc is not part of mqm group

3
javaibm-mq

3 Answers

2
votes

Have you set chlauth (channel authentication) for the user on the svrconn channel? Channel authentication is new from MQ 7.1 onwards. The password validation is available from MQ 8 only. Basically you need to allow the remote connections from your client IP on the qmgr svrconn channel.

try in the mqsc console SET CHLAUTH(MY_SVRCONN) TYPE(ADDRESSMAP) ADDRESS(ip of the client machine) USERSRC(CHANNEL)

If this doesnt work, check the qmgr log. It should exactly say what is causing the 2035. A good technote is found here http://www-01.ibm.com/support/docview.wss?uid=swg21577137 Morag's really useful blog https://www.ibm.com/developerworks/community/blogs/aimsupport/entry/blocked_by_chlauth_why?lang=en

1
votes

Whenever you get any error back from a queue manager, remember that you should always look in the queue manager AMQERR01.LOG for a more detailed explanation. This is especially true for any security related error, since only a single error code - MQRC_NOT_AUTHORIZED (2035) - which is translated into JMS Exception JMSWMQ2013 - is returned to the application so as to not give away the details why to any potential hacker. You must always look at the queue manager error log for the details.

1
votes

In a development environment (WMQ 8.0), I prefer to modify the authorization so that it is optional.

ALTER AUTHINFO(SYSTEM.DEFAULT.AUTHINFO.IDPWOS) AUTHTYPE(IDPWOS) CHCKCLNT(OPTIONAL)
REFRESH SECURITY TYPE(CONNAUTH)

(Disabling this feature is not recommended for production queue managers due to security implications.)

In WMQ 7.1, it's possible to set channel authorization to be disabled, but that does not appear to work on WMQ 8.0

ALTER QMGR CHLAUTH(DISABLED)