Pingpong

Reputation: 8009

MQRC_NOT_AUTHORIZED when creating CCDT for MQ.NET Client

The error below occurs when accessing the MQ server via the .NET client. Login credentials are not asked for when the CCDT is created, but the MQ server is looking for them for some reason.

I cannot find any information that covers both CCDT and the error below together.

IBM.WMQ.MQException: MQRC_NOT_AUTHORIZED

----- cmqxrsrv.c : 2356 -------------------------------------------------------
    17/04/2018 23:50:44 - Process(1848.16) User(SYSTEM) Program(amqzlaa0.exe)
                          Host(APPLE) Installation(Installation1)
                          VRMF(8.0.0.5) QMgr(LocalQM)

    AMQ5540: Application 'bin\Debug\Producer.exe' did not supply a user ID
    and password

    EXPLANATION:
    The queue manager is configured to require a user ID and password, but none was
    supplied.
    ACTION:
    Ensure that the application provides a valid user ID and password, or change
    the queue manager configuration to OPTIONAL to allow applications to connect
    which have not supplied a user ID and password. 
    ----- amqzfuca.c : 4311 -------------------------------------------------------
    17/04/2018 23:50:44 - Process(1848.16) User(SYSTEM) Program(amqzlaa0.exe)
                          Host(APPLE) Installation(Installation1)
                          VRMF(8.0.0.5) QMgr(LocalQM)

    AMQ5541: The failed authentication check was caused by the queue manager
    CONNAUTH CHCKCLNT(REQDADM) configuration.

    EXPLANATION:
    The user ID 'mqclient' and its password were checked because the user ID is
    privileged and the queue manager connection authority (CONNAUTH) configuration
    refers to an authentication information (AUTHINFO) object named
    'SYSTEM.DEFAULT.AUTHINFO.IDPWOS' with CHCKCLNT(REQDADM). 

    This message accompanies a previous error to clarify the reason for the user ID
    and password check.
    ACTION:
    Refer to the previous error for more information. 

    Ensure that a password is specified by the client application and that the
    password is correct for the user ID. The authentication configuration of the
    queue manager connection determines the user ID repository. For example, the
    local operating system user database or an LDAP server. 

    To avoid the authentication check, you can either use an unprivileged user ID
    or amend the authentication configuration of the queue manager. You can amend
    the CHCKCLNT attribute in the CHLAUTH record, but you should generally not
    allow unauthenticated remote access. 
    -------------------------------------------------------------------------------
    17/04/2018 23:50:45 - Process(14900.9) User(SYSTEM) Program(amqrmppa.exe)
                          Host(APPLE) Installation(Installation1)
                          VRMF(8.0.0.5) QMgr(LocalQM)

    AMQ9557: Queue Manager User ID initialization failed for 'mqclient'.

    EXPLANATION:
    The call to initialize the User ID 'mqclient' failed with CompCode 2 and Reason
    2035.
    ACTION:
    Correct the error and try again. 
----- cmqxrsrv.c : 2356 -------------------------------------------------------

Server Setup

The CCDT file was created by following the links below:

Setting up the server using IBM MQ Explorer

Server-connection Channel: LOCAL.DEF.SVRCONN

MCA User ID: empty

Setting up the client using IBM MQ Explorer

Client channel: LOCAL.DEF.SVRCONN

Queue Manager name: LocalQM

Connection name: 192.168.1.9(1415)

192.168.1.9 is the localhost address.

1415 is the TCP port of the queue manager, LocalQM.

SET CCDT Environment

  1. 

    C:\Users\'#.lp\source>SET MQCHLLIB=C:\ProgramData\IBM\MQ\qmgrs\LocalQM\@ipcc

    C:\Users\'#.lp\source>SET MQCHLTAB=AMQCLCHL.TAB

  2. Put AMQCLCHL.TAB also in C:\ProgramData\IBM\MQ (I don't know why, and this might not be correct, because of this error in the log file:

    AMQ9518: File 'C:\ProgramData\IBM\MQ\AMQCLCHL.TAB' not found.

)

IBM MQ.NET

The code below is from here

        MQQueueManager qm = null;
        System.Environment.SetEnvironmentVariable("MQCHLLIB", "C:\\ProgramData\\IBM\\MQ\\qmgrs\\LocalQM\\@ipcc");
        System.Environment.SetEnvironmentVariable("MQCHLTAB", "AMQCLCHL.TAB");

        try
        {
            Hashtable props = new Hashtable();
            props.Add(MQC.TRANSPORT_PROPERTY, MQC.TRANSPORT_MQSERIES_CLIENT);
            qm = new MQQueueManager("LocalQM",props);
            MQQueue queue1 = qm.AccessQueue("LocalQueue", MQC.MQOO_OUTPUT | MQC.MQOO_FAIL_IF_QUIESCING);
            MQMessage msg = new MQMessage();
            msg.WriteUTF("Hello this message is from .net client");
            queue1.Put(msg);
            queue1.Close();
            qm.Disconnect();
        }
        catch (Exception ex)
        {
            Console.Write(ex);
        }

IBM MQ V8 on Windows 10

MQ.NET Client V8 on Windows 10

Creating a client channel definition table

Using a client channel definition table with .NET

This thread is related to MQRC_Q_MGR_NAME_ERROR

Update 1

I followed the link below, but it seems the info in mqccred.ini is not used by the MQ server, because the same error occurs.

Client side security exit to insert user ID and password ( mqccred )

Setup steps:

1 Create mqccred.ini (D:\mqccred.ini)

QueueManager:
    Name=LocalQM
    User=mqclient
    password=password

2 Set Windows Environment variable

set MQCCRED=D:\mqccred.ini

3 Using mqccred

DEFINE CHANNEL(LOCAL.DEF.SVRCONN) CHLTYPE(clntconn) +
CONNAME(127.0.0.1) +
QMNAME(LocalQM) +
SCYEXIT('mqccred(ChlExit)') +
REPLACE

4 Set ADOPTCTX(YES)

ALTER AUTHINFO(SYSTEM.DEFAULT.AUTHINFO.IDPWOS) AUTHTYPE(IDPWOS) ADOPTCTX(YES)

UPDATE 2

I updated the MQ objects to uppercase and still get the same error as above, but have a new error log message below:

Do I need to write an exit program in .NET according to Using channel exits in IBM MQ .NET?

22/04/2018 22:37:15 - Process(11904.1) User('#.lp) Program(mMq.Producer.exe)
                      Host(APPLE) Installation(Installation1)
                      VRMF(8.0.0.5)
AMQ9535: User exit not valid.

EXPLANATION:
Channel program 'LOCAL.DEF.SVRCONN' ended because user exit 'mqccred(ChlExit)'
is not valid. 
Architecture of the exit library does not match the process's architecture
  which is '' bit.
ACTION:
Ensure that the user exit is specified correctly in the channel definition, and
that the user exit program is correct and available. 
----- IBM.WMQ.MQChannelExitHandler.LoadExit : 0 -------------------------------
22/04/2018 22:38:21 - Process(5720.1) User('#.lp) Program(mMq.Producer.exe)
                      Host(APPLE) Installation(Installation1)
                      VRMF(8.0.0.5)
AMQ9535: User exit not valid.

EXPLANATION:
Channel program 'LOCAL.DEF.SVRCONN' ended because user exit 'mqccred(ChlExit)'
is not valid. 
Architecture of the exit library does not match the process's architecture
  which is '' bit.
ACTION:
Ensure that the user exit is specified correctly in the channel definition, and
that the user exit program is correct and available. 
----- IBM.WMQ.MQChannelExitHandler.LoadExit : 0 -------------------------------

UPDATE 3

I have a different error below when MCA user ID is set to a Windows user.

IBM.WMQ.MQException: MQRC_Q_MGR_NOT_AVAILABLE

22/04/2018 22:38:21 - Process(5720.1) User('#.lp) Program(mMq.Producer.exe)
                      Host(APPLE) Installation(Installation1)
                      VRMF(8.0.0.5)
AMQ9535: User exit not valid.

EXPLANATION:
Channel program 'LOCAL.DEF.SVRCONN' ended because user exit 'mqccred(ChlExit)'
is not valid. 
Architecture of the exit library does not match the process's architecture
  which is '' bit.
ACTION:
Ensure that the user exit is specified correctly in the channel definition, and
that the user exit program is correct and available. 
----- IBM.WMQ.MQChannelExitHandler.LoadExit : 0 -------------------------------

Update 4

Sorry for the confusion. Update 2 and 3 are the same. Both updates should have the same error: MQRC_Q_MGR_NOT_AVAILABLE, which comes after update 1. I put MQRC_NOT_AUTHORIZED by mistake.

Upvotes: 0

Views: 1892

Answers (2)

JoshMc

Reputation: 10652

The usage of a CCDT doesn't eliminate the need to prove identity to the queue manager. The first error you presented is because by default MQ requires a password for admin users.

There are four levels of CONNAUTH for client connections over the network:

  1. CHCKCLNT(REQDADM): this is the default value. Any user with MQ administrative authority must provide a valid password. In addition, any user without administrative authority that does provide a password must provide a valid password.
  2. CHCKCLNT(OPTIONAL): this is similar to #1 but does not REQUIRE a password for users with MQ administrative authority. Any user, admin or not, that provides a password must provide a valid password; with this value an administrative user would not be required to send a password.
  3. CHCKCLNT(REQUIRED): this value means that all users must provide a valid password.
  4. CHCKCLNT(NONE): no users are required to provide a password, and even if they do provide a password it will not be validated.

You can set this value for the entire queue manager on the AUTHINFO object set as the CONNAUTH value on the QMGR. If you set it to REQDADM or OPTIONAL you can then uplift it for specific channels via a CHLAUTH rule to a stricter value such as REQUIRED. You cannot set it lower.

If you disable security you have no security and anyone with access to your network can connect to your queue manager.

You have a few options to keep security enabled:

  1. You could use a client security exit specified on the CLNTCONN to pass credentials, such as mqccred.
  2. You could use a client side certificate with TLS and map it to a MCAUSER on the SVRCONN.

Note: based on your Update 1, you were specifying QMNAME(LocalQM); because there are no single quotes around the name, MQ will fold this to UPPERCASE and set it as LOCALQM.

As Roger pointed out, you also did not specify port 1415 on your CONNAME. You indicated you had problems with this; you need to put single quotes around the CONNAME value if there are ( or ) characters in it.


Note based on your UPDATE 2 (Below gathered from comments that were moved to Chat):

Under the MQ installation directory normally under Program Files or Program Files(x86) you should find a sub-directory called Tools\c\Samples\mqccred, this should have sub-directories for 32bit (lib) and 64bit (lib64). You should copy the file from lib to the exits directory and from lib64 to the exits64 directory.

You only need a native .NET exit if you are using Managed .NET client mode which you indicate you are not using by having props.Add(MQC.TRANSPORT_PROPERTY, MQC.TRANSPORT_MQSERIES_CLIENT);


UPDATE 2a based on your comment:

> Sorry, I am using MQC.TRANSPORT_MQSERIES_MANAGED. I copied from other thread. Does it mean I need to write .NET exit?

mqccred will not work with Managed mode .NET; to use an exit to provide the credentials you would need to write the equivalent in .NET.

It would be much simpler to specify the credentials in your program via properties than to write a Managed mode exit similar to mqccred.

Roger's answer to "Sending message on IBM MQ: Hangs on AccessQueue" provides an excellent sample that demonstrates passing the username and password in Managed mode. You can still get the connection details from the CCDT.

        if (inParms.ContainsKey("-u"))
           qMgrProp.Add(MQC.USER_ID_PROPERTY, ((System.String)inParms["-u"]));

        if (inParms.ContainsKey("-x"))
           qMgrProp.Add(MQC.PASSWORD_PROPERTY, ((System.String)inParms["-x"]));

        if ( (inParms.ContainsKey("-u")) && (inParms.ContainsKey("-x")) )
           qMgrProp.Add(MQC.USE_MQCSP_AUTHENTICATION_PROPERTY, true);

Upvotes: 1
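The approach described in the answer above (connection details from the CCDT, credentials supplied through properties in managed mode), put together as one program. This is an added example, not code from the answer or from IBM's samples; the environment variable names MQ_APP_USER and MQ_APP_PASSWORD are hypothetical, and it assumes the CCDT entry was rebuilt with quoted values and without SCYEXIT.

```csharp
using System;
using System.Collections;
using IBM.WMQ;

class CcdtProducer
{
    static int Main()
    {
        // Channel, host and port come from the CCDT only. Assumes the CLNTCONN entry
        // has no SCYEXIT and was defined with quoted values, as the answers describe:
        // QMNAME('LocalQM') and CONNAME('192.168.1.9(1415)').
        Environment.SetEnvironmentVariable("MQCHLLIB", @"C:\ProgramData\IBM\MQ\qmgrs\LocalQM\@ipcc");
        Environment.SetEnvironmentVariable("MQCHLTAB", "AMQCLCHL.TAB");

        // Hypothetical variable names; the point is to keep credentials out of source.
        string user = Environment.GetEnvironmentVariable("MQ_APP_USER");
        string password = Environment.GetEnvironmentVariable("MQ_APP_PASSWORD");
        if (string.IsNullOrEmpty(user) || string.IsNullOrEmpty(password))
            throw new InvalidOperationException("MQ_APP_USER and MQ_APP_PASSWORD must both be set.");

        var props = new Hashtable
        {
            { MQC.TRANSPORT_PROPERTY, MQC.TRANSPORT_MQSERIES_MANAGED },
            { MQC.USER_ID_PROPERTY, user },
            { MQC.PASSWORD_PROPERTY, password },
            // Send the credentials in an MQCSP structure so CONNAUTH can validate them.
            { MQC.USE_MQCSP_AUTHENTICATION_PROPERTY, true }
        };

        MQQueueManager qm = null;
        try
        {
            qm = new MQQueueManager("LocalQM", props);
            MQQueue queue = qm.AccessQueue("LocalQueue", MQC.MQOO_OUTPUT | MQC.MQOO_FAIL_IF_QUIESCING);
            var msg = new MQMessage();
            msg.WriteUTF("Hello this message is from .net client");
            queue.Put(msg);
            queue.Close();
            return 0;
        }
        catch (MQException ex)
        {
            // The client only sees the reason code; the AMQ5540/AMQ5541 detail is in the queue manager log.
            Console.Error.WriteLine("MQ error: CompCode={0} Reason={1}", ex.CompletionCode, ex.ReasonCode);
            if (ex.ReasonCode == MQC.MQRC_NOT_AUTHORIZED)
                Console.Error.WriteLine("Credentials rejected or missing; check the queue manager error log.");
            return 1;
        }
        finally { if (qm != null && qm.IsConnected) qm.Disconnect(); }
    }
}
```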

Roger

Reputation: 7476

> Queue Manager name: LocalQM

Bad idea. You are shooting yourself in the foot. Use UPPERCASE for queue manager name and MQ object names. Once you are an intermediate or advanced-level MQAdmin, then you can try using mixed-case names.

> DEFINE CHANNEL(LOCAL.DEF.SVRCONN) CHLTYPE(clntconn) +
> CONNAME(127.0.0.1) +
> QMNAME(LocalQM) +
> SCYEXIT('mqccred(ChlExit)') +
> REPLACE

1st issue: If you do NOT put quotes around an MQ object name then MQ will AUTOMATICALLY uppercase it! So, MQ will see your command as for LOCALQM and not LocalQM.

The 2nd issue is that you did NOT specify the port # for CONNAME. Therefore, MQ will default to 1414. But you stated that you are using port # 1415.

And in case you don't know, MQ object names ARE case sensitive.

If I were you, I would delete the queue manager LocalQM and start over with LOCALQM and create all MQ objects with uppercase names.

> Using CCDT should not require login credentials, which is one of the purposes of using CCDT.

CCDT entries ONLY contain connection information. They will never include user/application credentials. To specify user/application credentials, you specify them in the application or use the mqccred client-side security exit.

In this day and age, every user and every application should be specifying user credentials so that we can have secure MQ environments.


Update April 23, 2018

> Architecture of the exit library does not match the process's architecture which is '' bit.

Architecture is referring to the addressability of your program or the running framework of your program. Is it running as a 32-bit or 64-bit program? If it is running as a 32-bit program then you need to use the 32-bit mqccred.dll, and if it is running as a 64-bit program then you need to use the 64-bit mqccred.dll.

I seem to remember something about .NET managed-mode (MQC.TRANSPORT_MQSERIES_MANAGED) programs cannot use natively built exits. You should ask IBM Support.

Upvotes: 0
