1

I'm trying to setup a script to check statistics in IBM MQ using python with the pymqi module. The problem is that it looks like the connection does not use the username I have provided in the script. It looks like the user is trying to use the username of the user executing the script. While testing the connection I have used a small script like this:

import pymqi

queue_manager = "MYQMGR"
channel = "CHNL.SRV01"
host = "host.to.connect.to.example.net"
port = "1444"
conn_info = "%s(%s)" % (host, port)

user = 'mq-user'
password = 'mq-user-pass'

qmgr = pymqi.connect(queue_manager, channel, conn_info, user, password)
qmgr.disconnect()

Let's say that the script is executed by a linux user called "shell-user". Then in the logs on the queue manager it says that "shell-user" is trying to connect, not "mq-user" as I have written in the script.

The error message looks like this:

Traceback (most recent call last):   File "./test_conn.py", line 25, in <module>
    qmgr = pymqi.connect(queue_manager, channel, conn_info, user, password)   File "/usr/lib64/python2.7/site-packages/pymqi/__init__.py", line 2604, in connect
    qmgr.connect_tcp_client(queue_manager or '', CD(), channel, conn_info, user, password)   File "/usr/lib64/python2.7/site-packages/pymqi/__init__.py", line 1447, in connect_tcp_client
    self.connect_with_options(name, cd, user=user, password=password)   File "/usr/lib64/python2.7/site-packages/pymqi/__init__.py", line 1429, in connect_with_options
    raise MQMIError(rv[1], rv[2]) pymqi.MQMIError: MQI Error. Comp: 2, Reason 2035: FAILED: MQRC_NOT_AUTHORIZED

I'm using pymqi 1.8.0 and the MQSeriesClient 8.0.0-8. I have searched for days for a solution to this. Anyone out there who knows how to handle this?

Edit:

The version of the queue manager we're connecting to is 8.0.0.8.

This the error message we get from the queue manager:

2/1/2019 09:32:45 - Process(8176.400417) User(abcdefg-1234) Program(amqrmppa.exe)
                      Host(mq-host-01) Installation(Installation1)
                      VRMF(8.0.0.8) QMgr(MYQMGR)

AMQ9557: Queue Manager User ID initialization failed for 'shell-user'.

EXPLANATION:
The call to initialize the User ID 'shell-user' failed with CompCode 2 and Reason
2035. If an MQCSP block was used, the User ID in the MQCSP block was
'mq-user'.
ACTION:
Correct the error and try again.
JoshMc
  • 10,239
  • 2
  • 19
  • 38
MDK
  • 11
  • 2
  • Can you please edit your question and provide the error produced on the queue manager? Can you provide the MQ queue manager version? If the version of the queue manager is 8 or higher can you provide the output of the following commands: 1. `DIS QMGR CONNAUTH`, 2. `DIS AUTHINFO()`, Check the `qm.ini` and report if you see this setting `ChlauthEarlyAdopt` and report the value. – JoshMc Feb 01 '19 at 17:24
  • 1
    I suspect that you are either 1. connecting to a queue manager that is 7.5 or lower, or 2. connecting to a v8 or higher queue manager where `ADOPTCTX(NO)` is set. pymqi sends the username and password in a structure called the MQCSP structure. If the queue manager is v7.5 or lower it will ignore the MQCSP unless you have addition MQ security exits in place that can authenticate those, MQ will use the user running the process. For v8.0 and higher with `ADOPTCTX(NO)`, the MQCSP structure will be authenticated, but MQ will use the user running the process. – JoshMc Feb 01 '19 at 17:28
  • For alot of material and history about pymqi and MQCSP read through [pymqi issue #74(Blank password gives Unauthorised user error)](https://github.com/dsuch/pymqi/issues/74). – JoshMc Feb 01 '19 at 17:41
  • Thank you @JoshMc for your replies. I have at least added some more information above now. Unfortunately we're not hosting the MQ solution and I have no access to get the output from the commands you are asking for in the first comment. I'll bring it to discussion on Monday. – MDK Feb 01 '19 at 22:02
  • 1
    It would appear they do NOT have `ADOPTCTX(YES)` set. If this is the only error present then the authenticate probably worked fine then it just tried to use the user that runs the process. You could test this out by sending a "incorrect" password, in that case they should see a error related to the user you send with the password. This does not provide very good security as it only checks the user/pass you send but then takes your word that the user you run the process under is the user to check access against. Setting `ADOPTCTS(YES)` should resolve your issue. – JoshMc Feb 01 '19 at 22:21
  • You can also tell this as the error states toward the bottom that in the MQCSP block was user `mq-user` vs the error being for user `shell-user`. – JoshMc Feb 01 '19 at 22:26

0 Answers0