Provide anonymous access to IBM WebSphere MQ

3
votes

I am new to IBM WebSphere MQ. I am running it within a docker container. The user 'sampleuser' and 'root' are part of the 'mqm' group within the conatiner. I am able to access the MQ from the host as a 'root' user and as a 'sampleuser' (I created 'sampleuser' in the host aswell).

I want to enable anonymous authentication, so that irrrespective of the client user id, they should be able to access the MQ. I though MCAUSER('sampleuser') would do it for me. But it does't work. I get error AMQ4036 (not authorized) from the eclipse IBM explorer. Please advice.

ALTER QMGR PSNPRES(SAFE)
ALTER QMGR PSMODE (ENABLED)
DEFINE CHANNEL(SYSTEM.ADMIN.SVRCONN) CHLTYPE(SVRCONN) MCAUSER('sampleuser') REPLACE

Update #1 I updated the code to allow privileged user. But still fails.

ALTER QMGR PSNPRES(SAFE)
ALTER QMGR PSMODE (ENABLED)

SET CHLAUTH(*) TYPE(BLOCKUSER) USERLIST('*NOACCESS')

DEFINE CHANNEL(SYSTEM.ADMIN.SVRCONN) CHLTYPE(SVRCONN) MCAUSER('sampleuser') REPLACE

Here is the log, that I have got.

EXPLANATION:
The user ID 'sampleuser' and its password were checked because the user ID is
privileged and the queue manager connection authority (CONNAUTH) configuration
refers to an authentication information (AUTHINFO) object named
'SYSTEM.DEFAULT.AUTHINFO.IDPWOS' with CHCKCLNT(REQDADM). 

This message accompanies a previous error to clarify the reason for the user ID
and password check.
ACTION:
Refer to the previous error for more information. 

Ensure that a password is specified by the client application and that the
password is correct for the user ID. The authentication configuration of the
queue manager connection determines the user ID repository. For example, the
local operating system user database or an LDAP server. 

To avoid the authentication check, you can either use an unprivileged user ID
or amend the authentication configuration of the queue manager. You can amend
the CHCKCLNT attribute in the CHLAUTH record, but you should generally not
allow unauthenticated remote access.

Update #2 Based on JohnMC's answer and refernce to Provide anonymous access to IBM WebSphere MQ I finally made it work.. : )

ALTER QMGR PSNPRES(SAFE)
ALTER QMGR PSMODE (ENABLED)
ALTER QMGR CHLAUTH(DISABLED)
SET CHLAUTH(*) TYPE(BLOCKUSER) USERLIST('*NOACCESS')
DEFINE CHANNEL(SYSTEM.ADMIN.SVRCONN) CHLTYPE(SVRCONN) MCAUSER('sampleuser') REPLACE
ALTER AUTHINFO(SYSTEM.DEFAULT.AUTHINFO.IDPWOS) AUTHTYPE(IDPWOS) CHCKCLNT(OPTIONAL)
REFRESH SECURITY TYPE(CONNAUTH)
1
ibm-mq
I suggest checking the queue manager error logs to find the reason for the failure.Umamahesh P
If you look in the queue manager error log it will tell you exactly the reason for the failure, whether it is "Channel auth blocked you", or "unknown user", or "user doesn't have the correct authority", or "user didn't supply a password when the queue manager is configured to expect one" etc etc. As you can see there are a number of reasons, so the error log is all important in helping you.Morag Hughson
I have added the logs.Muthukumar
The ALTER QMGR CHLAUTH(DISABLED) and SET CHLAUTH(*) as shown in the update are mutually exclusive. Either disable CHLAUTH or set CHLAUTH rules, not both. (Hint: Do not disable CHLAUTH!)T.Rob
Also, please see MQ Password/CHLAUTH research – Exec Summary and the two later posts if you have password authentication enabled. It is horribly broken and will not be fixed until at least the next Fix Pack or so, if indeed it ever is.T.Rob

1 Answers

4
votes

I will assume you are using a supported version of MQ (7.1 or later).

With MQ 7.1 and later a new queue manager by default will come with a few CHLAUTH rules, one of these disables connections to SVRCONN channels from users with MQ administrative authority. In this case you have placed the user sampleuser in the MCAUSER of the channel. Since sampleuser is a member of the mqm group it is disallowed by default.

Based on the setup you present if the connection was allowed you would be allowing any user that can connect over the network to your MQ listener port the ability to manage the queue manager, define queues, delete queues, add permissions, etc.

Look at this answer by T.Rob for some more detail on how to make this work without disabling security "Unable to connect to queue manager in WebSphere MQ 7.1".

I also have another post with some similar information "C# MQ Connect get Error 2035 but Java MQ Connect works well"

Update #1

The logs show that you are getting a connection authentication error. With MQ 8.0 and later by default the queue manager is configured to require a valid password be specified for MQ Administrative users, since sampleuser is part of the mqm group it falls into this category.

You can configure MQ Explorer to send a username and password when connecting to the queue manager.

  1. Right click the queue manager name
  2. Select Connection Details
  3. Select Properties...
  4. Select Userid
  5. Check the box next to "Enable user identification"
  6. Fill in the Userid field
  7. If you leave it as "Prompt for password" it will ask you each time you open MQ Explorer for the password when you attempt to connect to the queue manager. You have the option of selecting "Use saved password" and then providing the password.

I do not recommend you do this, but if you want to disable security and allow anyone to connect as a MQ administrator to your queue manager with out providing a valid password you can disable this with the following command. 

ALTER AUTHINFO(SYSTEM.DEFAULT.AUTHINFO.IDPWOS) AUTHTYPE(IDPWOS) CHCKCLNT(OPTIONAL)
REFRESH SECURITY TYPE(CONNAUTH)