Accessing IBM MQ 8 using JMS with user but without password

2
votes

I try to connect to a new MQ setup using IBM JMS example code for testing:

https://developer.ibm.com/messaging/learn-mq/mq-tutorials/develop-mq-jms/

private static final String HOST = "MYIP"; // Host name or IP address
private static final int PORT = MYPORT; // Listener port for your queue manager
private static final String CHANNEL = "MY.APP.SVRCONN"; // Channel name
private static final String QMGR = "MYQMGR"; // Queue manager name
private static final String APP_USER = "MYUSER"; // User name that application uses to connect to MQ
private static final String APP_PASSWORD = ""; // Password that the application uses to connect to MQ
private static final String QUEUE_NAME = "MYQUEUE"; // Queue that the application uses to put and get messages to an

and

// Set the properties
cf.setStringProperty(WMQConstants.WMQ_HOST_NAME, HOST);
cf.setIntProperty(WMQConstants.WMQ_PORT, PORT);
cf.setStringProperty(WMQConstants.WMQ_CHANNEL, CHANNEL);
cf.setIntProperty(WMQConstants.WMQ_CONNECTION_MODE, WMQConstants.WMQ_CM_CLIENT);
cf.setStringProperty(WMQConstants.WMQ_QUEUE_MANAGER, QMGR);
cf.setStringProperty(WMQConstants.WMQ_APPLICATIONNAME, "JmsPutGet (JMS)");
cf.setBooleanProperty(WMQConstants.USER_AUTHENTICATION_MQCSP, true);
cf.setStringProperty(WMQConstants.USERID, APP_USER);
cf.setStringProperty(WMQConstants.PASSWORD, APP_PASSWORD);

Assume all parameters provided and used are correct (HOST, PORT, CHANNEL, QMGR, QUEUE_NAME), since I can connect to the manager and see the queue with a read-only user using MQ Explorer and I get Errors when modifying the parameters, that there is no such QMGR running, just to make sure the problem is related to USERID and PASSWORD. My example works great with another queue, where I have to use UserID + password authentication.

Now the Setup-team provided me a technical user userid, but no password, since this is not needed.

Exception in thread "main" com.ibm.msg.client.jms.DetailedJMSSecurityRuntimeException: JMSWMQ2013: The security authentication was not valid that was supplied for QueueManager 'MYQUEUEMANAGER' with connection mode 'Client' and host name 'MYIP(MYPORT)'.
Please check if the supplied username and password are correct on the QueueManager to which you are connecting.
        at com.ibm.msg.client.jms.DetailedJMSSecurityException.getUnchecked(DetailedJMSSecurityException.java:270)
        at com.ibm.msg.client.jms.internal.JmsErrorUtils.convertJMSException(JmsErrorUtils.java:173)
        at com.ibm.msg.client.jms.admin.JmsConnectionFactoryImpl.createContext(JmsConnectionFactoryImpl.java:478)
        at com.ibm.mq.samples.jms.JmsTestClient.main(JmsTestClient.java:78)
Caused by: com.ibm.mq.MQException: JMSCMQ0001: IBM MQ call failed with compcode '2' ('MQCC_FAILED') reason '2035' ('MQRC_NOT_AUTHORIZED').

Can somebody please direct me to the correct configuration or which parameter to set to connect with a passwordless user via JMS?

update#1: I tried to set password empty or do not to set string property WMQConstants.PASSWORD of cause.

2
javaauthenticationjmsibm-mq
Why don't you do proper security and have your client application set BOTH a UserId and Password for the createQueueConnection() method.Roger
@Roger This is, what I asked the Ops team. :) ...would have worked like in my DEV setup.PdM
Proper testing means you have a UserId & Password for DEV, then when it moves to QA, you have a different UserId & Password for testing and finally, when it moves to PROD, you have a different UserId & Password for real business workload.Roger
@Roger I know how this should be done. I'm doing this in any environment, I have to maintain. MQ setup itself is done and maintained by another team and they are not providing password authentication for any user. :)PdM
Have you asked your MQAdmin what the underlining reason is for RC of 2035 (MQRC_NOT_AUTHORIZED)? Is the UserId & Password known to the server where the queue manager is running? (or LDAP server if the queue manager is configured for LDAP authentication). Also, maybe UserId is missing a particular permission. i.e. connect, inquire, etc.Roger

2 Answers

2
votes

In your code you have set the property WMQConstants.USER_AUTHENTICATION_MQCSP to true. This tells your Java client that you want to use the Connection Authentication feature which was added in v8 to provide a userid and password for authentication.

If you want to use the old mechanism to only provide a user id then you need to set this to false. For example:

cf.setBooleanProperty(WMQConstants.USER_AUTHENTICATION_MQCSP, false);

This is refered to as Compatability Mode and is applicable to Java applications trying to connect to IBM MQ (e.g. MQ Explorer)

Reference: https://www.ibm.com/support/knowledgecenter/en/SSFKSJ_8.0.0/com.ibm.mq.sec.doc/q118680_.htm

1
votes

For passwordless authentication (userid only), use:

cf.setBooleanProperty(WMQConstants.USER_AUTHENTICATION_MQCSP, false);

Unfortunately there existed a misconfiguration introduced by our MQ team and I never tried this option again. IBM docs are a bit tight-lipped. https://www.ibm.com/support/knowledgecenter/en/SSFKSJ_8.0.0/com.ibm.mq.javadoc.doc/WMQJMSClasses/com/ibm/msg/client/jms/JmsConstants.html#USER_AUTHENTICATION_MQCSP