1
votes

We are using WebSphere MQ version 9.0.0.1. Basically, we have configured an active/passive cluster setup on Linux machines, and all queue managers are running fine on both the active and passive nodes. We have configured the channels and queues in the queue managers. While the application is trying to connect to my queue manager, we are facing errors.

We are getting the error below on the application side.

The Security authentication was not valid that supplied for QUEUEMANAGER 'xxxxx_OUTWARD' WITH CONNECTION 'CLIENT' and HOST NAME 'xxxxx' PLEASE CHECK IF THE ERROR QUEUEMANAGER 'xxxxx_OUTWARD' WITH CONNECTION MODE 'CLIENT' AND HOST NAME 'xxxxxx'.

We found the errors below in the queue manager error logs:

----- cmqxrsrv.c : 2362 -------------------------------------------------------
04/27/2018 07:52:35 PM - Process(29498.16) User(mqm) Program(amqzlaa0)
                    Host(xxxxxxx) Installation(Installation2)
                    VRMF(9.0.0.1) QMgr(xxxxx_INWARD)

AMQ5534: User ID 'mqm' authentication failed

EXPLANATION:
The user ID and password supplied by the 'WebSphere MQ Client for Java' program
could not be authenticated. 
Additional information: 'N/A'.
ACTION:
Ensure that the correct user ID and password are provided by the application.
Ensure that the authentication repository is correctly configured. Look at
previous error messages for any additional information.
----- amqzfuca.c : 4486 -------------------------------------------------------
04/27/2018 07:52:35 PM - Process(29498.16) User(mqm) Program(amqzlaa0)
                    Host(JPRIPAYMENTMQ2) Installation(Installation2)
                    VRMF(9.0.0.1) QMgr(xxxxx_INWARD)

AMQ5542: The failed authentication check was caused by the queue manager
CONNAUTH CHCKCLNT(OPTIONAL) configuration.

EXPLANATION:
The user ID 'mqm' and its password were checked because the queue manager
connection authority (CONNAUTH) configuration refers to an authentication
information (AUTHINFO) object named 'SYSTEM.DEFAULT.AUTHINFO.IDPWOS' with
CHCKCLNT(OPTIONAL). 

This message accompanies a previous error to clarify the reason for the user ID
and password check.
ACTION:
Refer to the previous error for more information. 

Ensure that a password is specified by the client application and that the
password is correct for the user ID. The authentication configuration of the
queue manager connection determines the user ID repository. For example, the
local operating system user database or an LDAP server. 

If the CHCKCLNT setting is OPTIONAL, the authentication check can be avoided by
not passing a user ID across the channel. For example, by omitting the MQCSP
structure from the client MQCONNX API call. 

To avoid the authentication check, you can amend the authentication
configuration of the queue manager connection, but you should generally not
allow unauthenticated remote access.
-------------------------------------------------------------------------------
04/27/2018 07:52:36 PM - Process(18265.105) User(xxx) Program(amqrmppa)
                    Host(xxxxx) Installation(Installation2)
                    VRMF(9.0.0.1) QMgr(xxxxx_INWARD)

AMQ9557: Queue Manager User ID initialization failed for 'mqm'.

EXPLANATION:
The call to initialize the User ID 'mqm' failed with CompCode 2 and Reason
2035. If an MQCSP block was used, the User ID in the MQCSP block was 'mqm'.
ACTION:
Correct the error and try again.
----- cmqxrsrv.c : 2362 -------------------------------------------------------

After this I granted permissions to the 'mqm' user at the queue manager level and queue level with the commands below, but we are still facing the same error.

setmqaut -m queue manager name -t qmgr -p mqm +connect & 
setmqaut -m queue manager name -n queue name -t queue -p mqm user name +all

Can anyone help with this issue?

@Morag Hughson: How do I turn off user ID and password at the queue manager level?

@Morag Hughson: Is there any command to turn off user ID and password? Please share the command to resolve this issue.

@JoshMC: If I turn it off, is that good practice, or is there any other option to resolve this issue from the queue manager/application side?

Hello all, I informed the application to place the messages without mentioning any user ID and password. After that my application was able to access all the queue managers. The issue got resolved. Thanks to all for helping with this issue.

2
The error is clear: you have CHCKCLNT optional. With this set, if a password is sent it must be valid and be able to be validated based on how the AUTHINFO object specified in the qmgr CONNAUTH attribute is configured. - JoshMc
What is it you are trying to accomplish? If you turn it off then anyone with access to your network will have full admin rights. - JoshMc
Morag gave 2 options; the best one is to send the correct password and make sure MQ is configured to authenticate. Roger also had good advice: why are you running the app as mqm? Is it an admin tool? If it is not, it should not need to run with mqm authority. - JoshMc

2 Answers

2
votes

The queue manager error messages tell you exactly the problem. First it says:-

AMQ5534: User ID 'mqm' authentication failed

EXPLANATION:
The user ID and password supplied by the 'WebSphere MQ Client for Java' program
could not be authenticated. 

So the Java application that was trying to connect over a client was sending up 'mqm' as the user id and either the wrong password (or possibly no password at all).

The password is being checked by the queue manager. The second error message tells you WHY it is being checked.

AMQ5542: The failed authentication check was caused by the queue manager
CONNAUTH CHCKCLNT(OPTIONAL) configuration.

EXPLANATION:
The user ID 'mqm' and its password were checked because the queue manager
connection authority (CONNAUTH) configuration refers to an authentication
information (AUTHINFO) object named 'SYSTEM.DEFAULT.AUTHINFO.IDPWOS' with
CHCKCLNT(OPTIONAL). 

The configuration described in the second error message is there by default on your queue manager.

You have two options.

  1. Send the correct password to go with the 'mqm' user id on your Java application.
  2. Choose to turn off user id and password checking on the queue manager.

0
votes

First off, no applications should be using the 'mqm' account except for MQAdmins and those MQ services that run under the 'mqm' account. Regular business applications should NEVER EVER use the 'mqm' account. It is a BIG security risk and goes against IBM's MQ Best Practices.

Secondly, the 'mqm' account already has full authority to everything.

setmqaut -m queue manager name -t qmgr -p mqm +connect & 
setmqaut -m queue manager name -n queue name -t queue -p mqm +all

You are trying to give permission to a UserId that already has full permission.

Third, by doing those commands, you are potentially messing up your queue manager.

Fourth, the error message is not about authorization but, as JoshMc pointed out, it is about authentication. The setmqaut command is for authorization (i.e. permission).

Fifth, create a UserId and Password on the server where you are running the queue manager (or use MS AD) and supply those credentials when your application connects to the queue manager. Note: you will need to use the setmqaut command to give your new UserId permission to access the queue manager and the queues.
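
An added example, not part of either answer or of IBM MQ: this Python sketch reads error-log records in the layout quoted in the question, pairs each AMQ5534 authentication failure with the AMQ5542 record from the same process that names the CHCKCLNT mode (the reading the first answer walks through), and flags attempts made with the privileged 'mqm' ID (the second answer's first point). The function names and the sample host and queue manager names are assumptions made for the example.

```python
import re

# Constructed sample in the error-log layout quoted in the question (placeholder names).
SAMPLE_LOG = """\
----- cmqxrsrv.c : 2362 -------------------------------------------------------
04/27/2018 07:52:35 PM - Process(29498.16) User(mqm) Program(amqzlaa0)
                    Host(mqhost1) Installation(Installation2)
                    VRMF(9.0.0.1) QMgr(QM_EXAMPLE)

AMQ5534: User ID 'mqm' authentication failed

EXPLANATION:
The user ID and password supplied by the 'WebSphere MQ Client for Java' program
could not be authenticated.
----- amqzfuca.c : 4486 -------------------------------------------------------
04/27/2018 07:52:35 PM - Process(29498.16) User(mqm) Program(amqzlaa0)
                    Host(mqhost1) Installation(Installation2)
                    VRMF(9.0.0.1) QMgr(QM_EXAMPLE)

AMQ5542: The failed authentication check was caused by the queue manager
CONNAUTH CHCKCLNT(OPTIONAL) configuration.
"""

def parse_records(log):
    """Split on the dashed separator lines and keep the fields needed for triage."""
    records = []
    for chunk in re.split(r"(?m)^-{5}.*$", log):
        proc = re.search(r"Process\(([\d.]+)\)", chunk)
        qmgr = re.search(r"QMgr\(([^)]*)\)", chunk)
        msg = re.search(r"(?m)^(AMQ\d{4})[A-Z]?: (.*(?:\n\S.*)*)", chunk)
        if proc and qmgr and msg:
            records.append({"process": proc[1], "qmgr": qmgr[1], "id": msg[1],
                            "text": " ".join(msg[2].split()), "body": chunk})
    return records

def auth_failures(records, privileged=("mqm",)):
    """Pair each AMQ5534 with the later AMQ5542 from the same process (CHCKCLNT mode)."""
    findings = []
    for i, rec in enumerate(records):
        if rec["id"] != "AMQ5534":
            continue
        user = re.search(r"User ID '([^']*)'", rec["text"])[1]
        client = re.search(r"supplied by the '([^']*)'", rec["body"])
        why = " ".join(r["text"] for r in records[i + 1:]
                       if r["id"] == "AMQ5542" and r["process"] == rec["process"])
        mode = re.search(r"CHCKCLNT\((\w+)\)", why)
        findings.append({"qmgr": rec["qmgr"], "user": user,
                         "privileged": user in privileged,
                         "client": client and client[1], "chckclnt": mode and mode[1]})
    return findings
```

Calling `auth_failures(parse_records(SAMPLE_LOG))` returns one finding per failed authentication; a finding with `privileged` set to true means a client tried to connect as an administrative ID.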