WebSphere MQ developers list ()

dhornby5 | 1 Feb 2012 19:24

Re: MQ V7.1 CHLAUTH Odd Behaviour

now I seem to have an issue with "older" MQ Clients -- apps using MQ V7.0.1.2 clients connecting to MQ V7.1 seem to work OK as long as I don't try to apply channel authentication mapping rules.... the client authentication mapping rules seem to be completely ignored when an app connects with the "older" client versions. I wonder if T. Rob or Roger have seen this problem?

From: "Derek" <dhornby5-Bhb0V27niACOppBP9C4UkQ@public.gmane.org>
To: MQSERIES-0lvw86wZMd9k/bWDasg6f+2wyY2g16FtwPuJ0ROkVbw@public.gmane.org
Sent: Thursday, January 26, 2012 7:08:40 AM
Subject: Re: Fw: MQ V7.1 CHLAUTH Odd Behaviour

I guess, but these are "single app usage" servers, so it would be
reasonable to accept almost any Id from them.... I don't think I am
willing to tighten up the requirements any more than I have now, given
that I would be causing conflict with all the app managers

On 1/26/2012 6:50 AM, David C. Partridge wrote:
> You can't trust the ID that a client presents to the channel - it is so easy to fake it - if necessary using a security exit at the client end. SSL authorisation with SSLCAUTH only I hope!
>
> Dave
>
> ________________________________
>
> From: MQSeries List [mailto:MQSERIES <at> LISTSERV.MEDUNIWIEN.AC.AT] On Behalf Of Derek
> Sent: 26 January 2012 11:22
> To: MQSERIES-0lvw86wZMd9k/bWDasg6f+2wyY2g16FtwPuJ0ROkVbw@public.gmane.org
> Subject: Re: Fw: MQ V7.1 CHLAUTH Odd Behaviour
>
>
> not bad Morag but you left out the IP addresses on the rules.... When the client IP addresses are used, I am then pretty sure that client1 and client2 are on servers that are locked in a data center and protected by the OS authentication (which actually uses Centrify and AD, but that's another story....)
>
> To unsubscribe, write to LISTSERV-0lvw86wZMd9k/bWDasg6f+2wyY2g16FtwPuJ0ROkVbw@public.gmane.org and,
> in the message body (not the subject), write: SIGNOFF MQSERIES
> Instructions for managing your mailing list subscription are provided in
> the Listserv General Users Guide available at http://www.lsoft.com
> Archive: http://listserv.meduniwien.ac.at/archives/mqser-l.html
>

To unsubscribe, write to LISTSERV-0lvw86wZMd9k/bWDasg6f+2wyY2g16FtwPuJ0ROkVbw@public.gmane.org and,
in the message body (not the subject), write: SIGNOFF MQSERIES
Instructions for managing your mailing list subscription are provided in
the Listserv General Users Guide available at http://www.lsoft.com
Archive: http://listserv.meduniwien.ac.at/archives/mqser-l.html

List Archive - Manage Your List Settings - Unsubscribe

Instructions for managing your mailing list subscription are provided in the Listserv General Users Guide available at http://www.lsoft.com

headers

Roger Lacroix | 1 Feb 2012 19:49

Re: MQ V7.1 CHLAUTH Odd Behaviour

Hi Derek,

When I was testing, I was using Java/MQ code with WMQ v7.1 and also from a PC with WMQ v7.0.1.6. I did not encounter any differences. If I have time today, I'll give it a go with WMQ v7.0.1.2 Client (I'm knee deep with a client LDAP issue on Linux for zSeries :( ).

Regards,
Roger Lacroix
Capitalware Inc.

At 01:24 PM 2/1/2012, you wrote:

now I seem to have an issue with "older" MQ Clients -- apps using MQ V7.0.1.2 clients connecting to MQ V7.1 seem to work OK as long as I don't try to apply channel authentication mapping rules.... the client authentication mapping rules seem to be completely ignored when an app connects with the "older" client versions. I wonder if T. Rob or Roger have seen this problem?

From: "Derek" <dhornby5-Bhb0V27niACOppBP9C4UkQ@public.gmane.org>
To: MQSERIES-0lvw86wZMd9k/bWDasg6f+2wyY2g16FtwPuJ0ROkVbw@public.gmane.org
Sent: Thursday, January 26, 2012 7:08:40 AM
Subject: Re: Fw: MQ V7.1 CHLAUTH Odd Behaviour

I guess, but these are "single app usage" servers, so it would be
reasonable to accept almost any Id from them.... I don't think I am
willing to tighten up the requirements any more than I have now, given
that I would be causing conflict with all the app managers

On 1/26/2012 6:50 AM, David C. Partridge wrote:
> You can't trust the ID that a client presents to the channel - it is so easy to fake it - if necessary using a security exit at the client end. SSL authorisation with SSLCAUTH only I hope!
>
> Dave
>
> ________________________________
>
> From: MQSeries List [ mailto:MQSERIES-0lvw86wZMd9k/bWDasg6f+2wyY2g16FtwPuJ0ROkVbw@public.gmane.org] On Behalf Of Derek
> Sent: 26 January 2012 11:22
> To: MQSERIES-0lvw86wZMd9k/bWDasg6f+2wyY2g16FtwPuJ0ROkVbw@public.gmane.org
> Subject: Re: Fw: MQ V7.1 CHLAUTH Odd Behaviour
>
>
> not bad Morag but you left out the IP addresses on the rules.... When the client IP addresses are used, I am then pretty sure that client1 and client2 are on servers that are locked in a data center and protected by the OS authentication (which actually uses Centrify and AD, but that's another story....)
>
> To unsubscribe, write to LISTSERV-0lvw86wZMd9k/bWDasg6f+2wyY2g16FtwPuJ0ROkVbw@public.gmane.org and,
> in the message body (not the subject), write: SIGNOFF MQSERIES
> Instructions for managing your mailing list subscription are provided in
> the Listserv General Users Guide available at http://www.lsoft.com
> Archive: http://listserv.meduniwien.ac.at/archives/mqser-l.html
>

To unsubscribe, write to LISTSERV-0lvw86wZMd9k/bWDasg6f+2wyY2g16FtwPuJ0ROkVbw@public.gmane.org and,
in the message body (not the subject), write: SIGNOFF MQSERIES
Instructions for managing your mailing list subscription are provided in
the Listserv General Users Guide available at http://www.lsoft.com
Archive: http://listserv.meduniwien.ac.at/archives/mqser-l.html

List Archive - Manage Your List Settings - Unsubscribe

headers

T-Rob | 1 Feb 2012 20:57

Re: MQ V7.1 CHLAUTH Odd Behaviour

Hi Derek,

The rules you had defined allowed only one IP address to connect and there 
was a back-stop where each channel had MCAUSER('nobody') set.  Did you 
change the client installation on that one IP address?  Are you using a 
different IP address and need to open up the IP mapping rules?  When you 
say "client authentication mapping rules seem to be completely ignored" 
does that mean you are getting 2035?  If so, what do the event messages 
say? 
-- T.Rob

MQSeries List <MQSERIES@...> wrote on
02/01/2012 
01:24:40 PM:

> From: dhornby5@...
> To: MQSERIES@...
> Date: 02/01/2012 01:26 PM
> Subject: Re: MQ V7.1 CHLAUTH Odd Behaviour
> Sent by: MQSeries List <MQSERIES@...>
> 
> now I seem to have an issue with "older" MQ Clients -- apps using MQ
> V7.0.1.2 clients connecting to MQ V7.1 seem to work OK as long as I 
> don't try to apply channel authentication mapping rules.... the 
> client authentication mapping rules seem to be completely ignored 
> when an app connects with the "older" client versions.  I wonder if 
> T. Rob or Roger have seen this problem?
> 

To unsubscribe, write to LISTSERV@... and,
in the message body (not the subject), write: SIGNOFF MQSERIES

headers

Hatcher Jeter | 1 Feb 2012 21:04

Re: MQ V7.1 CHLAUTH Odd Behaviour

Would this make a great Deep Queue Topic?

Hatcher H. Jeter, Jr.
Ascendant Technology, LLC
Domain Architect

IBM Certified System Administrator WebSphere MQ v6.0 and v7.0
IBM Certified Solutions Designer WebSphere MQ v6.0
IBM Certified System Administrator WebSphere Message Broker v6.0

Mobile: 804.334.4750
Hatcher.jeter@...

This message, including files attached to it, may contain confidential
information that is intended only for the use of the ADDRESSEES(S) named
above. If you are not an intended recipient, you are hereby notified that
any dissemination or copying of the information contained in this message,
or the taking of any action in reliance upon the information, is strictly
prohibited. If you have received this message in error, please notify the
sender immediately and delete the message from your system. Thank You.

                                                                                                  
  From:       T-Rob <t.rob.wyatt@...>                                                      

  To:         MQSERIES@...,                                                 

  Date:       02/01/2012 02:58 PM                                                                 

  Subject:    Re: MQ V7.1 CHLAUTH Odd Behaviour                                                   

  Sent by:    MQSeries List <MQSERIES@...>                                  

Hi Derek,

The rules you had defined allowed only one IP address to connect and there
was a back-stop where each channel had MCAUSER('nobody') set.  Did you
change the client installation on that one IP address?  Are you using a
different IP address and need to open up the IP mapping rules?  When you
say "client authentication mapping rules seem to be completely ignored"
does that mean you are getting 2035?  If so, what do the event messages
say?
-- T.Rob

MQSeries List <MQSERIES@...> wrote on 02/01/2012
01:24:40 PM:

> From: dhornby5@...
> To: MQSERIES@...
> Date: 02/01/2012 01:26 PM
> Subject: Re: MQ V7.1 CHLAUTH Odd Behaviour
> Sent by: MQSeries List <MQSERIES@...>
>
> now I seem to have an issue with "older" MQ Clients -- apps using MQ
> V7.0.1.2 clients connecting to MQ V7.1 seem to work OK as long as I
> don't try to apply channel authentication mapping rules.... the
> client authentication mapping rules seem to be completely ignored
> when an app connects with the "older" client versions.  I wonder if
> T. Rob or Roger have seen this problem?
>

To unsubscribe, write to LISTSERV@... and,
in the message body (not the subject), write: SIGNOFF MQSERIES
Instructions for managing your mailing list subscription are provided in
the Listserv General Users Guide available at http://www.lsoft.com
Archive: http://listserv.meduniwien.ac.at/archives/mqser-l.html

To unsubscribe, write to LISTSERV@... and,
in the message body (not the subject), write: SIGNOFF MQSERIES

headers

dhornby5 | 1 Feb 2012 22:01

Re: MQ V7.1 CHLAUTH Odd Behaviour

the rule is as follows:

Channel: APP.SVRCONN

Type: User Map

Client User: devapp

Address: 10.999.99.99

UserSource: Map

MCAUser in Rule: mqapps

which I would expect to override the MCAUSER in the channel def (which is "nobody") but the error I get in SYSTEM.ADMIN.QMGR.EVENT is for a 2035 against user "nobody"

I have tested this from my own PC running MQC V7.1 with the same Id and the same SVRCONN and the override works great and all is good, but when the app team run it, they get a 2035 -- the only difference I can see is that they are running MQC V7.0.1.2

I have told them to try again running MQC V7.0.1.7 to see if that makes a difference...

From: "T-Rob" <t.rob.wyatt-rIXRsD/jSGdXrIkS9f7CXA@public.gmane.org>
To: MQSERIES-0lvw86wZMd9k/bWDasg6f+2wyY2g16FtwPuJ0ROkVbw@public.gmane.org
Sent: Wednesday, February 1, 2012 2:57:02 PM
Subject: Re: MQ V7.1 CHLAUTH Odd Behaviour

Hi Derek,

The rules you had defined allowed only one IP address to connect and there
was a back-stop where each channel had MCAUSER('nobody') set. Did you
change the client installation on that one IP address? Are you using a
different IP address and need to open up the IP mapping rules? When you
say "client authentication mapping rules seem to be completely ignored"
does that mean you are getting 2035? If so, what do the event messages
say?
-- T.Rob

MQSeries List <MQSERIES-JX7+OpRa80QeFbOYke1v4oOpTq8/W97FXqFh9Ls21Oc@public.gmane.org> wrote on 02/01/2012
01:24:40 PM:

> From: dhornby5-Bhb0V27niACOppBP9C4UkQ@public.gmane.org
> To: MQSERIES <at> listserv.meduniwien.ac.at
> Date: 02/01/2012 01:26 PM
> Subject: Re: MQ V7.1 CHLAUTH Odd Behaviour
> Sent by: MQSeries List <MQSERIES-JX7+OpRa80QeFbOYke1v4oOpTq8/W97FXqFh9Ls21Oc@public.gmane.org>
>
> now I seem to have an issue with "older" MQ Clients -- apps using MQ
> V7.0.1.2 clients connecting to MQ V7.1 seem to work OK as long as I
> don't try to apply channel authentication mapping rules.... the
> client authentication mapping rules seem to be completely ignored
> when an app connects with the "older" client versions. I wonder if
> T. Rob or Roger have seen this problem?
>

To unsubscribe, write to LISTSERV <at> LISTSERV.MEDUNIWIEN.AC.AT and,
in the message body (not the subject), write: SIGNOFF MQSERIES
Instructions for managing your mailing list subscription are provided in
the Listserv General Users Guide available at http://www.lsoft.com
Archive: http://listserv.meduniwien.ac.at/archives/mqser-l.html

List Archive - Manage Your List Settings - Unsubscribe

Instructions for managing your mailing list subscription are provided in the Listserv General Users Guide available at http://www.lsoft.com

headers

T-Rob | 1 Feb 2012 22:27

Re: MQ V7.1 CHLAUTH Odd Behaviour

Let's pull a few more of these teeth out...

Windows-to-Windows authorizes on SIDS.  Assuming the QMgr is *not* on 
Windows, right?
Case? Was the rule defined with ('devapp') or (devapp)?  Has the apps team 
defined DEVAPP or DevApp instead of devapp?

The mapping rule requires two items - the IP address and the user ID - to 
match exactly.  I'm assuming that the IP address is easily verified so 
that leaves discrepancies in the ID.  The easy way to find out is to 
*temporarily* blank out MCAUSER.  You should still get a 2035 but now it 
will show you the ID that is being presented on the channel rather than 
the one in MCAUSER. I always find it's better if I as the WMQ admin can 
verify the ID being presented rather than rely on someone to report it, 
understand the implications of case, understand the implications of IDs > 
12 chars, understand the interactions of groups, etc., etc. 
-- T.Rob

MQSeries List <MQSERIES@...> wrote on
02/01/2012 
04:01:11 PM:

> From: dhornby5@...
> To: MQSERIES@...
> Date: 02/01/2012 04:04 PM
> Subject: Re: MQ V7.1 CHLAUTH Odd Behaviour
> Sent by: MQSeries List <MQSERIES@...>
> 
> the rule is as follows:
> 
> Channel:  APP.SVRCONN 
> Type: User Map
> Client User: devapp
> Address: 10.999.99.99
> UserSource: Map
> MCAUser in Rule: mqapps
> 
> which I would expect to override the MCAUSER in the channel def 
> (which is "nobody") but the error I get in SYSTEM.ADMIN.QMGR.EVENT 
> is for a 2035 against user "nobody"
> 
> I have tested this from my own PC running MQC V7.1 with the same Id 
> and the same SVRCONN and the override works great and all is good, 
> but when the app team run it, they get a 2035 -- the only difference
> I can see is that they are running MQC V7.0.1.2
> 
> I have told them to try again running MQC V7.0.1.7 to see if that 
> makes a difference...
> 
> 
> From: "T-Rob" <t.rob.wyatt@...>
> To: MQSERIES@...
> Sent: Wednesday, February 1, 2012 2:57:02 PM
> Subject: Re: MQ V7.1 CHLAUTH Odd Behaviour
> 
> Hi Derek,
> 
> The rules you had defined allowed only one IP address to connect and 
there 
> was a back-stop where each channel had MCAUSER('nobody') set.  Did you 
> change the client installation on that one IP address?  Are you using a 
> different IP address and need to open up the IP mapping rules?  When you 

> say "client authentication mapping rules seem to be completely ignored" 
> does that mean you are getting 2035?  If so, what do the event messages 
> say? 
> -- T.Rob
> 
> 
> MQSeries List <MQSERIES@...> wrote
on 02/01/2012 
> 01:24:40 PM:
> 
> > From: dhornby5@...
> > To: MQSERIES@...
> > Date: 02/01/2012 01:26 PM
> > Subject: Re: MQ V7.1 CHLAUTH Odd Behaviour
> > Sent by: MQSeries List <MQSERIES@...>
> > 
> > now I seem to have an issue with "older" MQ Clients -- apps using MQ
> > V7.0.1.2 clients connecting to MQ V7.1 seem to work OK as long as I 
> > don't try to apply channel authentication mapping rules.... the 
> > client authentication mapping rules seem to be completely ignored 
> > when an app connects with the "older" client versions.  I wonder if 
> > T. Rob or Roger have seen this problem?
> > 
> 
> To unsubscribe, write to
LISTSERV@... and,
> in the message body (not the subject), write: SIGNOFF MQSERIES
> Instructions for managing your mailing list subscription are provided in
> the Listserv General Users Guide available at http://www.lsoft.com
> Archive: http://listserv.meduniwien.ac.at/archives/mqser-l.html
> 

> List Archive - Manage Your List Settings - Unsubscribe 
> Instructions for managing your mailing list subscription are 
> provided in the Listserv General Users Guide available at 
http://www.lsoft.com

To unsubscribe, write to LISTSERV@... and,
in the message body (not the subject), write: SIGNOFF MQSERIES

headers

dhornby5 | 1 Feb 2012 23:16

Re: MQ V7.1 CHLAUTH Odd Behaviour

MQClient on Win --> MQServer on RHEL5_X64

Yes, the IP address is good -- the filter is 10.* just to be sure...

Yes, I was passed the Id I was expecting to match the rule, which is a 12 char Id lower case (something like "serviceacct1") but no quotes around the Id in either case

I forced them to upgrade to the new MQV7.1 client and it is still not working, yet it works for me "as-is", with no changes, when I pass in the same Id from my PC to the same SVRCONN (I am on the same 10. net)

-- I am beginning to think I am overlooking something very silly.

From: "T-Rob" <t.rob.wyatt-rIXRsD/jSGdXrIkS9f7CXA@public.gmane.org>
To: MQSERIES-0lvw86wZMd9k/bWDasg6f+2wyY2g16FtwPuJ0ROkVbw@public.gmane.org
Sent: Wednesday, February 1, 2012 4:27:21 PM
Subject: Re: MQ V7.1 CHLAUTH Odd Behaviour

Let's pull a few more of these teeth out...

Windows-to-Windows authorizes on SIDS. Assuming the QMgr is *not* on
Windows, right?
Case? Was the rule defined with ('devapp') or (devapp)? Has the apps team
defined DEVAPP or DevApp instead of devapp?

The mapping rule requires two items - the IP address and the user ID - to
match exactly. I'm assuming that the IP address is easily verified so
that leaves discrepancies in the ID. The easy way to find out is to
*temporarily* blank out MCAUSER. You should still get a 2035 but now it
will show you the ID that is being presented on the channel rather than
the one in MCAUSER. I always find it's better if I as the WMQ admin can
verify the ID being presented rather than rely on someone to report it,
understand the implications of case, understand the implications of IDs >
12 chars, understand the interactions of groups, etc., etc.
-- T.Rob

MQSeries List <MQSERIES-JX7+OpRa80Tm/m1qu2chkQ@public.gmane.orgwien.ac.at> wrote on 02/01/2012
04:01:11 PM:

> From: dhornby5-Bhb0V27niACOppBP9C4UkQ@public.gmane.org
> To: MQSERIES-JX7+OpRa80QeFbOYke1v4oOpTq8/W97FXqFh9Ls21Oc@public.gmane.org
> Date: 02/01/2012 04:04 PM
> Subject: Re: MQ V7.1 CHLAUTH Odd Behaviour
> Sent by: MQSeries List <MQSERIES-JX7+OpRa80QeFbOYke1v4oOpTq8/W97FXqFh9Ls21Oc@public.gmane.org>
>
> the rule is as follows:
>
> Channel: APP.SVRCONN
> Type: User Map
> Client User: devapp
> Address: 10.999.99.99
> UserSource: Map
> MCAUser in Rule: mqapps
>
> which I would expect to override the MCAUSER in the channel def
> (which is "nobody") but the error I get in SYSTEM.ADMIN.QMGR.EVENT
> is for a 2035 against user "nobody"
>
> I have tested this from my own PC running MQC V7.1 with the same Id
> and the same SVRCONN and the override works great and all is good,
> but when the app team run it, they get a 2035 -- the only difference
> I can see is that they are running MQC V7.0.1.2
>
> I have told them to try again running MQC V7.0.1.7 to see if that
> makes a difference...
>
>
> From: "T-Rob" <t.rob.wyatt-rIXRsD/jSGdXrIkS9f7CXA@public.gmane.org>
> To: MQSERIES-0lvw86wZMd9k/bWDasg6f+2wyY2g16FtwPuJ0ROkVbw@public.gmane.org
> Sent: Wednesday, February 1, 2012 2:57:02 PM
> Subject: Re: MQ V7.1 CHLAUTH Odd Behaviour
>
> Hi Derek,
>
> The rules you had defined allowed only one IP address to connect and
there
> was a back-stop where each channel had MCAUSER('nobody') set. Did you
> change the client installation on that one IP address? Are you using a
> different IP address and need to open up the IP mapping rules? When you

> say "client authentication mapping rules seem to be completely ignored"
> does that mean you are getting 2035? If so, what do the event messages
> say?
> -- T.Rob
>
>
> MQSeries List <MQSERIES-JX7+OpRa80QeFbOYke1v4oOpTq8/W97FXqFh9Ls21Oc@public.gmane.org> wrote on 02/01/2012
> 01:24:40 PM:
>
> > From: dhornby5 <at> COMCAST.NET
> > To: MQSERIES-JX7+OpRa80QeFbOYke1v4oOpTq8/W97FXqFh9Ls21Oc@public.gmane.org
> > Date: 02/01/2012 01:26 PM
> > Subject: Re: MQ V7.1 CHLAUTH Odd Behaviour
> > Sent by: MQSeries List <MQSERIES-JX7+OpRa80QeFbOYke1v4rJnsXP9lhjF@public.gmane.orgn.ac.at>
> >
> > now I seem to have an issue with "older" MQ Clients -- apps using MQ
> > V7.0.1.2 clients connecting to MQ V7.1 seem to work OK as long as I
> > don't try to apply channel authentication mapping rules.... the
> > client authentication mapping rules seem to be completely ignored
> > when an app connects with the "older" client versions. I wonder if
> > T. Rob or Roger have seen this problem?
> >
>
> To unsubscribe, write to LISTSERV-0lvw86wZMd9k/bWDasg6f+2wyY2g16FtwPuJ0ROkVbw@public.gmane.org and,
> in the message body (not the subject), write: SIGNOFF MQSERIES
> Instructions for managing your mailing list subscription are provided in
> the Listserv General Users Guide available at http://www.lsoft.com
> Archive: http://listserv.meduniwien.ac.at/archives/mqser-l.html
>

> List Archive - Manage Your List Settings - Unsubscribe
> Instructions for managing your mailing list subscription are
> provided in the Listserv General Users Guide available at
http://www.lsoft.com

To unsubscribe, write to LISTSERV-0lvw86wZMd9k/bWDasg6f+2wyY2g16FtwPuJ0ROkVbw@public.gmane.org and,
in the message body (not the subject), write: SIGNOFF MQSERIES
Instructions for managing your mailing list subscription are provided in
the Listserv General Users Guide available at http://www.lsoft.com
Archive: http://listserv.meduniwien.ac.at/archives/mqser-l.html

List Archive - Manage Your List Settings - Unsubscribe

Instructions for managing your mailing list subscription are provided in the Listserv General Users Guide available at http://www.lsoft.com

headers

Roger Lacroix | 1 Feb 2012 23:29

Re: MQ V7.1 CHLAUTH Odd Behaviour

Hi Derek,

Do the following MQSC command via runmqsc and post the results:

dis chlauth(*)

Regards,
Roger Lacroix
Capitalware Inc.

At 05:16 PM 2/1/2012, dhornby5-Bhb0V27niACOppBP9C4UkQ@public.gmane.org wrote:

MQClient on Win --> MQServer on RHEL5_X64
Yes, the IP address is good -- the filter is 10.* just to be sure...
Yes, I was passed the Id I was expecting to match the rule, which is a 12 char Id lower case (something like "serviceacct1") but no quotes around the Id in either case

I forced them to upgrade to the new MQV7.1 client and it is still not working, yet it works for me "as-is", with no changes, when I pass in the same Id from my PC to the same SVRCONN (I am on the same 10. net)
-- I am beginning to think I am overlooking something very silly.

From: "T-Rob" <t.rob.wyatt-rIXRsD/jSGdXrIkS9f7CXA@public.gmane.org>
To: MQSERIES-0lvw86wZMd9k/bWDasg6f+2wyY2g16FtwPuJ0ROkVbw@public.gmane.org
Sent: Wednesday, February 1, 2012 4:27:21 PM
Subject: Re: MQ V7.1 CHLAUTH Odd Behaviour

Let's pull a few more of these teeth out...

Windows-to-Windows authorizes on SIDS. Assuming the QMgr is *not* on
Windows, right?
Case? Was the rule defined with ('devapp') or (devapp)? Has the apps team
defined DEVAPP or DevApp instead of devapp?

The mapping rule requires two items - the IP address and the user ID - to
match exactly. I'm assuming that the IP address is easily verified so
that leaves discrepancies in the ID. The easy way to find out is to
*temporarily* blank out MCAUSER. You should still get a 2035 but now it
will show you the ID that is being presented on the channel rather than
the one in MCAUSER. I always find it's better if I as the WMQ admin can
verify the ID being presented rather than rely on someone to report it,
understand the implications of case, understand the implications of IDs >
12 chars, understand the interactions of groups, etc., etc.
-- T.Rob

MQSeries List <MQSERIES-JX7+OpRa80QeFbOYke1v4oOpTq8/W97FXqFh9Ls21Oc@public.gmane.org> wrote on 02/01/2012
04:01:11 PM:

> From: dhornby5-Bhb0V27niACOppBP9C4UkQ@public.gmane.org
> To: MQSERIES-JX7+OpRa80QeFbOYke1v4oOpTq8/W97FXqFh9Ls21Oc@public.gmane.org
> Date: 02/01/2012 04:04 PM
> Subject: Re: MQ V7.1 CHLAUTH Odd Behaviour
> Sent by: MQSeries List <MQSERIES-JX7+OpRa80QeFbOYke1v4oOpTq8/W97FXqFh9Ls21Oc@public.gmane.org>
>
> the rule is as follows:
>
> Channel: APP.SVRCONN
> Type: User Map
> Client User: devapp
> Address: 10.999.99.99
> UserSource: Map
> MCAUser in Rule: mqapps
>
> which I would expect to override the MCAUSER in the channel def
> (which is "nobody") but the error I get in SYSTEM.ADMIN.QMGR.EVENT
> is for a 2035 against user "nobody"
>
> I have tested this from my own PC running MQC V7.1 with the same Id
> and the same SVRCONN and the override works great and all is good,
> but when the app team run it, they get a 2035 -- the only difference
> I can see is that they are running MQC V7.0.1.2
>
> I have told them to try again running MQC V7.0.1.7 to see if that
> makes a difference...
>
>
> From: "T-Rob" <t.rob.wyatt-rIXRsD/jSGdXrIkS9f7CXA@public.gmane.org>
> To: MQSERIES-0lvw86wZMd9k/bWDasg6f+2wyY2g16FtwPuJ0ROkVbw@public.gmane.org
> Sent: Wednesday, February 1, 2012 2:57:02 PM
> Subject: Re: MQ V7.1 CHLAUTH Odd Behaviour
>
> Hi Derek,
>
> The rules you had defined allowed only one IP address to connect and
there
> was a back-stop where each channel had MCAUSER('nobody') set. Did you
> change the client installation on that one IP address? Are you using a
> different IP address and need to open up the IP mapping rules? When you

> say "client authentication mapping rules seem to be completely ignored"
> does that mean you are getting 2035? If so, what do the event messages
> say?
> -- T.Rob
>
>
> MQSeries List <MQSERIES-JX7+OpRa80QeFbOYke1v4oOpTq8/W97FXqFh9Ls21Oc@public.gmane.org> wrote on 02/01/2012
> 01:24:40 PM:
>
> > From: dhornby5-Bhb0V27niACOppBP9C4UkQ@public.gmane.org
> > To: MQSERIES-JX7+OpRa80QeFbOYke1v4oOpTq8/W97FXqFh9Ls21Oc@public.gmane.org
> > Date: 02/01/2012 01:26 PM
> > Subject: Re: MQ V7.1 CHLAUTH Odd Behaviour
> > Sent by: MQSeries List <MQSERIES-JX7+OpRa80QeFbOYke1v4oOpTq8/W97FXqFh9Ls21Oc@public.gmane.org>
> >
> > now I seem to have an issue with "older" MQ Clients -- apps using MQ
> > V7.0.1.2 clients connecting to MQ V7.1 seem to work OK as long as I
> > don't try to apply channel authentication mapping rules.... the
> > client authentication mapping rules seem to be completely ignored
> > when an app connects with the "older" client versions. I wonder if
> > T. Rob or Roger have seen this problem?
> >
>
> To unsubscribe, write to LISTSERV-0lvw86wZMd9k/bWDasg6f+2wyY2g16FtwPuJ0ROkVbw@public.gmane.org and,
> in the message body (not the subject), write: SIGNOFF MQSERIES
> Instructions for managing your mailing list subscription are provided in
> the Listserv General Users Guide available at http://www.lsoft.com
> Archive: http://listserv.meduniwien.ac.at/archives/mqser-l.html
>

> List Archive - Manage Your List Settings - Unsubscribe
> Instructions for managing your mailing list subscription are
> provided in the Listserv General Users Guide available at
http://www.lsoft.com

To unsubscribe, write to LISTSERV-0lvw86wZMd9k/bWDasg6f+2wyY2g16FtwPuJ0ROkVbw@public.gmane.org and,
in the message body (not the subject), write: SIGNOFF MQSERIES
Instructions for managing your mailing list subscription are provided in
the Listserv General Users Guide available at http://www.lsoft.com
Archive: http://listserv.meduniwien.ac.at/archives/mqser-l.html

List Archive - Manage Your List Settings - Unsubscribe

headers

DAVID AWERBUCH, BLOOMBERG/ 731 LEXIN | 2 Feb 2012 22:30

SupportPac MA0Z - Message Exit

Hello all,

I am trying to trace all message traffic through a channel.  I followed the directions in the documentation
(imagine that!) and are receiving the following errors in AMQERR01.LOG:

**** note - object names have been changed ****

1.  Error message in AMQERR01.LOG starting channel:
----- amqrcmsa.c : 912 --------------------------------------------------------
02/02/12 04:01:01 PM - Process(13957.1) User(mqm) Program(runmqchl_nd)
                    Host(fny-mqdev1)
AMQ6174: The dynamically loadable shared library '<NULL>' was not found. The
system returned error number '2' and error message 'No such file or directory'.

EXPLANATION:
This message applies to UNIX systems. The shared library '<NULL>' was not
found.
ACTION:
Check that the file exists, and is either fully qualified or is in the
appropriate director, also check the file access permissions.
-------------------------------------------------------------------------------
02/02/12 04:01:02 PM - Process(13957.1) User(mqm) Program(runmqchl_nd)
                    Host(host)
AMQ9535: User exit not valid.

EXPLANATION:
Channel program 'outbound.chl' ended because user exit 'wmqcml64.so(wmqcml)'
is not valid.
ACTION:
Ensure that the user exit is specified correctly in the channel definition, and
that the user exit program is correct and available.


1a.  Channel is RETRYING


2: The channel is defined as:

AMQ8414: Display Channel details.
   CHANNEL(outbound.chl)                   CHLTYPE(SDR)
   ALTDATE(2012-02-02)                     ALTTIME(15.58.22)
   BATCHHB(0)                              BATCHINT(0)
   BATCHSZ(50)                             COMPHDR(NONE)
   COMPMSG(NONE)                           CONNAME(16.34.29.17(1414))
   CONVERT(NO)                          
   DESCR()
   DISCINT(3600)                           HBINT(10)
   KAINT(AUTO)                             LOCLADDR(160.43.94.142)
   LONGRTY(999999999)                      LONGTMR(1200)
   MAXMSGL(4194304)                        MCANAME( )
   MCATYPE(PROCESS)                        MCAUSER(Bloomberg)
   MODENAME( )                             MONCHL(OFF)
   MSGDATA(PF=outbound.mlcfg)              MSGEXIT(wmqcml64.so(wmqcml))
   NPMSPEED(FAST)                          PASSWORD( )
   PROPCTL(COMPAT)                         RCVDATA( )
   RCVEXIT( )                              SCYDATA( )
   SCYEXIT( )                              SENDDATA( )
   SENDEXIT( )                             SEQWRAP(999999999)
   SHORTRTY(10)                            SHORTTMR(60)
   SSLCIPH( )                              SSLPEER( )
   STATCHL(OFF)                            TPNAME( )
   TRPTYPE(TCP)                            USERID( )
   XMITQ(XQ.outbound.chl)            


3: File outbound.mlcfg contains:
outbound.chl:LO=0,3,6,10,11;LF=/bb/mqm/log/to-BBLP.#N.log;UC=.;LC=9;LS=50


4: /var/mqm/exits64 $ ls -ltr 
total 1622
-r-xr-x---   1 mqm      mqm       105592 Feb 25  2009 BlockIP2_2.48
-r-xr-x---   1 mqm      mqm       167440 Apr 16  2009 BlockIP2_2.69.6021
-rwxr-x---   1 mqm      mqm       167416 May  1  2009 BlockIP2
-r-xr-x---   1 mqm      mqm       167416 May  1  2009 BlockIP2_2.69_6010
-rw-rw-r--   1 mqm      mqm          722 May 25  2011 wmqcml.readme
-rwxr-x---   1 mqm      mqm       146152 Feb  2 14:55 wmqcml64.so
-rwxrwxr-x   1 mqm      mqm         1312 Feb  2 14:56 mlconfig.ivt
-rwxrwxr-x   1 mqm      mqm         1675 Feb  2 14:56 mlconfig.sample
-rwxrwxr-x   1 mqm      mqm         9060 Feb  2 14:56 mlutil
-rwxrwxr-x   1 mqm      mqm         1677 Feb  2 15:43 mlconfig.nasdaq
-rw-rw-r--   1 mqm      mqm           53 Feb  2 15:46 mlutil.cmdin
-rw-rw-r--   1 mqm      mqm          273 Feb  2 15:46 mlutil.history
-rwxrwxr-x   1 mqm      mqm          304 Feb  2 15:52 nasdaq.mlcfg


5. $ uname -a
SunOS fny-mqdev1 5.10 142900-02 sun4u sparc SUNW,Sun-Fire-V210


I am hoping for some ideas.
Thanks,
Dave


------------------------------------------------------------
David Awerbuch - Sr. Systems Administrator - WebSphereMQ Infrastructure
email:         dawerbuch <at> bloomberg.net      || ==== Bloomberg LP ==== ||
phone:         + 1 212 617 6184             ||  Making Financial      ||
WMQ support:   mq-support <at> bloomberg.com     ||    Markets Transparent ||

731 Lexington Avenue - New York, New York  10022   U.S.A.
_________________________________________________________________________

headers

Roger Lacroix | 2 Feb 2012 22:43

Re: SupportPac MA0Z - Message Exit

Hello Dave,

> Channel program 'outbound.chl' ended because user exit 'wmqcml64.so(wmqcml)' is not valid.

Are you sure that you are using the appropriate shared library for Solaris SPARC. i.e. You didn't accidently use the one for Linux or AIX.

What do you get when issue the following commands:

file /var/mqm/exits64/wmqcml64.so
ldd /var/mqm/exits64/wmqcml64.so

Regards,
Roger Lacroix
Capitalware Inc.

At 04:30 PM 2/2/2012, you wrote:

Hello all,

I am trying to trace all message traffic through a channel. I followed the directions in the documentation (imagine that!) and are receiving the following errors in AMQERR01.LOG:

**** note - object names have been changed ****

1. Error message in AMQERR01.LOG starting channel:
----- amqrcmsa.c : 912 --------------------------------------------------------
02/02/12 04:01:01 PM - Process(13957.1) User(mqm) Program(runmqchl_nd)
                    Host(fny-mqdev1)
AMQ6174: The dynamically loadable shared library '<NULL>' was not found. The
system returned error number '2' and error message 'No such file or directory'.

EXPLANATION:
This message applies to UNIX systems. The shared library '<NULL>' was not
found.
ACTION:
Check that the file exists, and is either fully qualified or is in the
appropriate director, also check the file access permissions.
-------------------------------------------------------------------------------
02/02/12 04:01:02 PM - Process(13957.1) User(mqm) Program(runmqchl_nd)
                    Host(host)
AMQ9535: User exit not valid.

EXPLANATION:
Channel program 'outbound.chl' ended because user exit 'wmqcml64.so(wmqcml)'
is not valid.
ACTION:
Ensure that the user exit is specified correctly in the channel definition, and
that the user exit program is correct and available.

1a. Channel is RETRYING

2: The channel is defined as:

AMQ8414: Display Channel details.
   CHANNEL(outbound.chl)                   CHLTYPE(SDR)
   ALTDATE(2012-02-02)                     ALTTIME(15.58.22)
   BATCHHB(0)                              BATCHINT(0)
   BATCHSZ(50)                             COMPHDR(NONE)
   COMPMSG(NONE)                           CONNAME(16.34.29.17(1414))
   CONVERT(NO)
   DESCR()
   DISCINT(3600)                           HBINT(10)
   KAINT(AUTO)                             LOCLADDR(160.43.94.142)
   LONGRTY(999999999)                      LONGTMR(1200)
   MAXMSGL(4194304)                        MCANAME( )
   MCATYPE(PROCESS)                        MCAUSER(Bloomberg)
   MODENAME( )                             MONCHL(OFF)
   MSGDATA(PF=outbound.mlcfg)              MSGEXIT(wmqcml64.so(wmqcml))
   NPMSPEED(FAST)                          PASSWORD( )
   PROPCTL(COMPAT)                         RCVDATA( )
   RCVEXIT( )                              SCYDATA( )
   SCYEXIT( )                              SENDDATA( )
   SENDEXIT( )                             SEQWRAP(999999999)
   SHORTRTY(10)                            SHORTTMR(60)
   SSLCIPH( )                              SSLPEER( )
   STATCHL(OFF)                            TPNAME( )
   TRPTYPE(TCP)                            USERID( )
   XMITQ(XQ.outbound.chl)

3: File outbound.mlcfg contains:
outbound.chl:LO=0,3,6,10,11;LF=/bb/mqm/log/to-BBLP.#N.log;UC=.;LC=9;LS=50

4: /var/mqm/exits64 $ ls -ltr
total 1622
-r-xr-x---   1 mqm      mqm       105592 Feb 25 2009 BlockIP2_2.48
-r-xr-x---   1 mqm      mqm       167440 Apr 16 2009 BlockIP2_2.69.6021
-rwxr-x---   1 mqm      mqm       167416 May 1 2009 BlockIP2
-r-xr-x---   1 mqm      mqm       167416 May 1 2009 BlockIP2_2.69_6010
-rw-rw-r--   1 mqm      mqm          722 May 25 2011 wmqcml.readme
-rwxr-x---   1 mqm      mqm       146152 Feb 2 14:55 wmqcml64.so
-rwxrwxr-x   1 mqm      mqm         1312 Feb 2 14:56 mlconfig.ivt
-rwxrwxr-x   1 mqm      mqm         1675 Feb 2 14:56 mlconfig.sample
-rwxrwxr-x   1 mqm      mqm         9060 Feb 2 14:56 mlutil
-rwxrwxr-x   1 mqm      mqm         1677 Feb 2 15:43 mlconfig.nasdaq
-rw-rw-r--   1 mqm      mqm           53 Feb 2 15:46 mlutil.cmdin
-rw-rw-r--   1 mqm      mqm          273 Feb 2 15:46 mlutil.history
-rwxrwxr-x   1 mqm      mqm          304 Feb 2 15:52 nasdaq.mlcfg

5. $ uname -a
SunOS fny-mqdev1 5.10 142900-02 sun4u sparc SUNW,Sun-Fire-V210

I am hoping for some ideas.
Thanks,
Dave

------------------------------------------------------------
David Awerbuch - Sr. Systems Administrator - WebSphereMQ Infrastructure
email:         dawerbuch-AlFclGv/SK3MFIMGWPqnnw@public.gmane.org      || ==== Bloomberg LP ==== ||
phone:         + 1 212 617 6184             || Making Financial      ||
WMQ support:   mq-support-AlFclGv/SK36V6G2DxALlg@public.gmane.org     ||    Markets Transparent ||

731 Lexington Avenue - New York, New York 10022   U.S.A.
_________________________________________________________________________

List Archive - Manage Your List Settings - Unsubscribe

Instructions for managing your mailing list subscription are provided in the Listserv General Users Guide available at http://www.lsoft.com

125	May 2013
143	April 2013
150	March 2013
108	February 2013
117	January 2013
84	December 2012
219	November 2012
110	October 2012
92	September 2012
84	August 2012
74	July 2012
118	June 2012
138	May 2012
231	April 2012
79	March 2012
132	February 2012
104	January 2012
63	December 2011
112	November 2011
138	October 2011
160	September 2011
63	August 2011
81	July 2011
141	June 2011
60	May 2011
138	April 2011
117	March 2011
113	February 2011
125	January 2011
110	December 2010
95	November 2010
109	October 2010
71	September 2010
136	August 2010
103	July 2010
113	June 2010
81	May 2010
136	April 2010
159	March 2010
89	February 2010
137	January 2010
135	December 2009
143	November 2009
194	October 2009
166	September 2009
159	August 2009
184	July 2009
200	June 2009
174	May 2009
216	April 2009
183	March 2009
126	February 2009
186	January 2009
146	December 2008
147	November 2008
198	October 2008
153	September 2008
125	August 2008
194	July 2008
295	June 2008
258	May 2008
299	April 2008
270	March 2008
299	February 2008
176	January 2008
164	December 2007
171	November 2007
162	October 2007
205	September 2007
270	August 2007
174	July 2007
162	June 2007
286	May 2007
245	April 2007
226	March 2007
335	February 2007
250	January 2007
130	December 2006
208	November 2006
298	October 2006
274	September 2006
284	August 2006
237	July 2006
211	June 2006
192	May 2006
235	April 2006
293	March 2006
318	February 2006
293	January 2006
166	December 2005
192	November 2005
288	October 2005
213	September 2005
115	August 2005

Mon	Tue	Wed	Thu	Fri	Sat	Sun

		1	2	3	4	5
6	7	8	9	10	11	12
13	14	15	16	17	18	19
20	21	22	23	24	25	26
27	28	29