2

I've installed WebSphere MQ 7.5 and written a Java client to connect to the queue. To perform the task, I've created a custom connect-to-server channel that is based on the SYSTEM.DEF.SVRCONN channel.

Firstly, to block all users with administrator privileges and all unauthorized users for all channels I've typed such a command (runmqsc TEST_MANAGER): SET CHLAUTH(*) TYPE(BLOCKUSER) USERLIST('nobody', *MQADMIN) . Now I see this restriction in the MQ Explorer (TEST_MANAGER -> Channels -> Channel Identification Records).

After that, to provide my test user (Java-client) with an access, I've typed such a command:

SET CHLAUTH(TEST_CHANNEL) TYPE(ADDRESSMAP) ADDRESS('*') MCAUSER('TestUser') .

Lastly, I've set the username/password pair in the Spring's UserCredentialsConnectionFactoryAdapter where the username is TestUser.

The problem is I can't connect with the 2035 MQRC_NOT_AUTHORIZED exception. If I remove the 'nobody'/*MQADMIN blocking rule, everything works fine (only the rule for the TestUser client is present).

JimHawkins
Dmitry

1 Answer

2

SET CHLAUTH(TEST_CHANNEL) TYPE(ADDRESSMAP) ADDRESS('*') MCAUSER('TestUser')

I do not think you understand this command. This command says that ALL applications connecting on channel 'TEST_CHANNEL' will use UserID of 'TestUser'.

I've set the username/password pair in the Spring's UserCredentialsConnectionFactoryAdapter where the username is TestUser.

Setting a Password is pointless, as MQ does NOT perform authentication. You need to purchase a 3rd party product (i.e. MQAUSX) to handle the authentication. Also, your CHLAUTH command is actually overriding whatever UserID you set in your Spring application.

The problem is I can't connect with the 2035 MQRC_NOT_AUTHORIZED exception. If I remove the 'nobody'/*MQADMIN blocking rule, everything works fine (only the rule for the TestUser client is present).

Did you use the setmqaut command to give the UserID 'TestUser' the appropriate access to the queue manager and queue?

Turn on the queue manager's Authority Event to see exactly why MQ is returning 2035.

Roger
  • Hello, Roger. Thanks for the answer. There are several moments I don't understand. Could you, please, clarify them? (1). "Also, your CHLAUTH command is actually overriding whatever UserID you set in your Spring application". I've not seen this in the documentation. How exactly does this process go? (2). "Did you use the setmqaut command...". No. Is it necessary if I provide a security mechanism for the channel? Of course it would be more secure, but what if I will not provide the queue security? (3). "Turn on the queue manager's Authority Event". Could you, please, suggest how to do this? – Dmitry Jul 22 '13 at 19:49
  • Well, there is the T. Rob's answer: http://stackoverflow.com/questions/9416522/websphere-mq-v7-1-security-user-credentials?rq=1 that clarifies a bit the first answer. But what if I don't specify the user ID - would the WebSphere take this identifier and give it to the queue manager/queue security mechanisms? – Dmitry Jul 22 '13 at 20:50
  • I've also found an interesting article about the setmqaut: http://patrikvarga.blogspot.ru/2012/11/ibm-mq-object-authorization-for-jms.html – Dmitry Jul 23 '13 at 06:30
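
Added example (not part of the original answer or comments): one way to run the checks the answer suggests, typed into runmqsc TEST_MANAGER. The queue name TEST.QUEUE and the client address 127.0.0.1 are placeholders, and SET AUTHREC is used here as the MQSC counterpart of the setmqaut command.

```mqsc
* Constructed example. TEST.QUEUE and 127.0.0.1 are placeholders, not values from the page.

* 1. List every channel authentication record currently defined.
DISPLAY CHLAUTH(*) ALL

* 2. Ask the queue manager which record an inbound connection would match.
*    RUNCHECK needs a specific channel name and a specific client address.
DISPLAY CHLAUTH(TEST_CHANNEL) MATCH(RUNCHECK) ADDRESS('127.0.0.1') CLNTUSER('TestUser')

* 3. Turn on authority events (and channel events, which report blocked channels).
ALTER QMGR AUTHOREV(ENABLED) CHLEV(ENABLED)
DISPLAY QMGR AUTHOREV CHLEV

* 4. Reproduce the 2035 from the client, then check whether event messages arrived.
*    "Not Authorized" events are written to SYSTEM.ADMIN.QMGR.EVENT,
*    channel-blocked events to SYSTEM.ADMIN.CHANNEL.EVENT.
DISPLAY QLOCAL(SYSTEM.ADMIN.QMGR.EVENT) CURDEPTH
DISPLAY QLOCAL(SYSTEM.ADMIN.CHANNEL.EVENT) CURDEPTH

* 5. Grant the mapped MCAUSER only what the client needs:
*    connect and inquire on the queue manager, put/get/browse/inquire on one queue.
SET AUTHREC OBJTYPE(QMGR) PRINCIPAL('TestUser') AUTHADD(CONNECT, INQ)
SET AUTHREC PROFILE('TEST.QUEUE') OBJTYPE(QUEUE) PRINCIPAL('TestUser') AUTHADD(PUT, GET, BROWSE, INQ)

* 6. Confirm what was granted.
DISPLAY AUTHREC PROFILE('TEST.QUEUE') OBJTYPE(QUEUE)
```

The event messages are in PCF format, so read them with a tool that formats PCF rather than browsing the raw bytes.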