
I'm using the https://github.com/ibm-messaging/kafka-connect-mq-source project to build a connector that pulls data from IBM MQ into a Kafka topic. I'm seeing an issue where the supplied user ID is getting modified to the system user and authentication fails with the following error:

The MQ admin reported that I'm supplying a different user ID. I've configured the connector to send MQUser as the user ID (I'm executing this connector on a Linux server). But when it reaches MQ, the user ID is modified to wljay (which is the user I logged in as on the server).

ERROR MQ error: CompCode 2, Reason 2035 MQRC_NOT_AUTHORIZED 
 (com.ibm.eventstreams.connect.mqsource.JMSReader:413)
 INFO Polling for records 
 (com.ibm.eventstreams.connect.mqsource.MQSourceTask:120)
 ERROR JMS exception {} (com.ibm.eventstreams.connect.mqsource.JMSReader:362)

com.ibm.msg.client.jms.DetailedJMSSecurityRuntimeException: JMSWMQ2008: Failed to open MQ queue 'LOC.E.KAFKA.QUEUE'.
JMS attempted to perform an MQOPEN, but IBM MQ reported an error.
Use the linked exception to determine the cause of this error. Check that the specified queue and queue manager are defined correctly.
        at com.ibm.msg.client.jms.DetailedJMSSecurityException.getUnchecked(DetailedJMSSecurityException.java:270)
        at com.ibm.msg.client.jms.internal.JmsErrorUtils.convertJMSException(JmsErrorUtils.java:173)
        at com.ibm.msg.client.jms.internal.JmsContextImpl.createConsumer(JmsContextImpl.java:416)
        at com.ibm.eventstreams.connect.mqsource.JMSReader.connectInternal(JMSReader.java:342)
        at com.ibm.eventstreams.connect.mqsource.JMSReader.receive(JMSReader.java:225)
        at com.ibm.eventstreams.connect.mqsource.MQSourceTask.poll(MQSourceTask.java:124)
        at org.apache.kafka.connect.runtime.WorkerSourceTask.poll(WorkerSourceTask.java:244)
        at org.apache.kafka.connect.runtime.WorkerSourceTask.execute(WorkerSourceTask.java:220)
        at org.apache.kafka.connect.runtime.WorkerTask.doRun(WorkerTask.java:175)
        at org.apache.kafka.connect.runtime.WorkerTask.run(WorkerTask.java:219)
        at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
        at java.util.concurrent.FutureTask.run(FutureTask.java:266)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
        at java.lang.Thread.run(Thread.java:748)
Caused by: com.ibm.mq.MQException: JMSCMQ0001: IBM MQ call failed with compcode '2' ('MQCC_FAILED') reason '2035' ('MQRC_NOT_AUTHORIZED').
        at com.ibm.msg.client.wmq.common.internal.Reason.createException(Reason.java:203)
        at com.ibm.msg.client.wmq.internal.WMQMessageConsumer.checkJmqiCallSuccess(WMQMessageConsumer.java:222)
        at com.ibm.msg.client.wmq.internal.WMQMessageConsumer.checkJmqiCallSuccess(WMQMessageConsumer.java:156)
        at com.ibm.msg.client.wmq.internal.WMQConsumerShadow.initialize(WMQConsumerShadow.java:1176)
        at com.ibm.msg.client.wmq.internal.WMQSyncConsumerShadow.initialize(WMQSyncConsumerShadow.java:133)
        at com.ibm.msg.client.wmq.internal.WMQMessageConsumer.<init>(WMQMessageConsumer.java:486)
        at com.ibm.msg.client.wmq.internal.WMQSession.createConsumer(WMQSession.java:918)
        at com.ibm.msg.client.jms.internal.JmsSessionImpl.createConsumer(JmsSessionImpl.java:1032)
        at com.ibm.msg.client.jms.internal.JmsSessionImpl.createConsumer(JmsSessionImpl.java:1116)
        at com.ibm.msg.client.jms.internal.JmsContextImpl$SessionWrapper.createConsumer(JmsContextImpl.java:1991)
        at com.ibm.msg.client.jms.internal.JmsContextImpl.createConsumer(JmsContextImpl.java:403)

Is there something I have to change in the way the username is passed? Any help is greatly appreciated. Thanks!!

  • Are you specifying any MQ related java system properties? – JoshMc Sep 06 '19 at 21:33
  • I'm not sure. The code is using the `WMQConstants` – kuti Sep 06 '19 at 21:39
  • I'm fetching the properties from a config file. This's the class -> https://github.com/ibm-messaging/kafka-connect-mq-source/blob/master/src/main/java/com/ibm/eventstreams/connect/mqsource/JMSReader.java – kuti Sep 06 '19 at 21:45
  • Sounds like your queue manager isn't configured to use CONNAUTH, or if it is, it has ADOPTCTX(NO). What happens if you supply an incorrect password? – Morag Hughson Sep 07 '19 at 03:24
  • @MoragHughson good point about `ADOPTCTX(NO)`, I added info about this to my answer. – JoshMc Sep 07 '19 at 13:57
  • Thanks guys for the reply. I've tried giving incorrect password. Still the same issue `JMSWMQ2008: Failed to open MQ queue 'LOC.E.KAFKA.QUEUE'. JMS attempted to perform an MQOPEN, but IBM MQ reported an error. Caused by: com.ibm.mq.MQException: JMSCMQ0001: IBM MQ call failed with compcode '2' ('MQCC_FAILED') reason '2035' ('MQRC_NOT_AUTHORIZED'). ERROR MQ error: CompCode 2, Reason 2035 MQRC_NOT_AUTHORIZED (com.ibm.eventstreams.connect.mqsource.JMSReader:413) ` – kuti Sep 07 '19 at 17:13
  • And I don't have control on the MQ as it's managed by third party. The MQ version is `IBM WebSphere MQ for z/OS V7.1.0` – kuti Sep 07 '19 at 17:14
  • MQ 7.1 did not support CONNAUTH and is not a currently supported version from IBM. The options on that version are: 1. use client side certs that the queue manager maps to a MCAUSER on the channel or via CHLAUTH SSLPEERMAP rules. 2. Use security exits. – JoshMc Sep 07 '19 at 17:35
  • If the MQ Admins really do not care about authenticating your application they can hard code a MCAUSER on the channel or use a CHLAUTH USERMAP rule to map wljay to MQUser. – JoshMc Sep 07 '19 at 17:40

1 Answer

The following line means that the user and password you provide will be sent in the MQCSP structure.

mqConnFactory.setBooleanProperty(WMQConstants.USER_AUTHENTICATION_MQCSP, true);

The user the process is running as will be sent in the MQCD RemoteUser field. The fact that your Queue Manager is denying the connection based on the user the process is running under means that it is not authenticating you, instead it is letting you assert a username.


If the queue manager is at a supported version of MQ then the admin could configure it to turn on CONNAUTH and require that you send a valid username and password. If it is already configured to require CONNAUTH then they would need to make sure to set ADOPTCTX(YES) to have MQ use the authenticated username for authority checks.


MQ 7.1 does not support CONNAUTH and is not a currently supported version from IBM. The options to authenticate on that version are:

  1. Use client side certs that the queue manager maps to a MCAUSER on the channel or via CHLAUTH SSLPEERMAP rules.
  2. Use security exits.

If the MQ Admins really do not care about authenticating your application they can

  1. hard code a MCAUSER on the channel
  2. use a CHLAUTH USERMAP rule to map wljay to MQUser.
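The queue-manager-side configuration the answer describes, written out as an added MQSC example (not part of the original answer or of the connector project). The AUTHINFO name USE.OS and the channel name KAFKA.SVRCONN are assumptions; wljay and MQUser are the user names from the question. CONNAUTH needs MQ 8.0 or later, so on a 7.1 queue manager only the CHLAUTH and MCAUSER commands apply.

```mqsc
* Preferred: check the user/password sent in the MQCSP and adopt that
* identity for authority checks (MQ 8.0 or later). Names are assumptions.
DEFINE AUTHINFO(USE.OS) AUTHTYPE(IDPWOS) CHCKCLNT(REQUIRED) ADOPTCTX(YES)
ALTER QMGR CONNAUTH(USE.OS)
REFRESH SECURITY TYPE(CONNAUTH)

* Confirm CONNAUTH is active and ADOPTCTX(YES) is set
DISPLAY QMGR CONNAUTH
DISPLAY AUTHINFO(USE.OS) CHCKCLNT ADOPTCTX

* Weaker fallback on MQ 7.1 (no CONNAUTH): the flowed OS user wljay is
* still unauthenticated, it is only mapped to MQUser on this channel...
SET CHLAUTH('KAFKA.SVRCONN') TYPE(USERMAP) CLNTUSER('wljay') USERSRC(MAP) MCAUSER('MQUser') ACTION(ADD)
* ...or every connection on the channel runs as MQUser regardless of user
ALTER CHANNEL('KAFKA.SVRCONN') CHLTYPE(SVRCONN) MCAUSER('MQUser')
DISPLAY CHLAUTH('KAFKA.SVRCONN') ALL
```

With the CONNAUTH block in place, the connector's USER_AUTHENTICATION_MQCSP=true setting is the correct one: the MQCSP user is checked and then used for authorization, and a wrong password is rejected at connect time instead of the RemoteUser being silently trusted.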
  • I'm not sure if they'll do that (about the MQ admin modifying the authentication). Is there any way from the client side (i.e., from the connector code) I can do something? – kuti Sep 07 '19 at 18:12
  • There are multiple ways to spoof the asserted user that can be easily found via a Google search, but I would prefer not to promote setups that are insecure. What if you spoof the CHIN user, the MQ Admin should want to make things secure. – JoshMc Sep 07 '19 at 18:56
  • I don’t want to spoof user. What about security exit ? – kuti Sep 07 '19 at 19:48
  • In the setup you describe the queue manager is just taking your word that the user you provide is who you are. If you are honest and do not spoof a user you are not, it still does not mean it is not an insecure setup. Hint: the easiest answer to allow you to do what you're asking is in the beginning of my answer already. – JoshMc Sep 07 '19 at 20:20
  • I hope that my answer is indirectly helpful. – JoshMc Sep 07 '19 at 21:17
  • Sorry. You mean, I've to create a user (i.e., the `userID` that I'm passing in the configuration) and login to that user and execute my configuration. Which means, if I'm passing `userID` as `ABC`, I've to create a user in my linux as `ABC` and now login as `ABC` and execute the configuration to connect to MQ? – kuti Sep 09 '19 at 15:58
  • No. I pointed out the setting in the Kafka connector that is causing the behavior you are seeing. – JoshMc Sep 09 '19 at 16:07
  • I've set this property `XMSC_USER_AUTHENTICATION_MQCSP` to `false` and am able to connect to MQ without error and to see the data in my Kafka topic :) – kuti Sep 10 '19 at 16:33
  • Hope that you would be kind enough to accept my answer if helpful. – JoshMc Sep 10 '19 at 16:53
  • Done :) Thanks for the guidance. – kuti Sep 10 '19 at 18:17