
I've got a problem:

  • IBM MQ Server v9.1.0.0
  • pymqi==1.11.1

When trying to connect to the server, I got an error:

```
pymqi.MQMIError: MQI Error. Comp: 2, Reason 2035: FAILED: MQRC_NOT_AUTHORIZED
```

When I check the traffic in Wireshark, I get this: Actual result

And in the server log this:

```
07/31/2020 10:08:02 AM - Process(27333.5) User(mqm) Program(amqrmppa)
                    Host(host) Installation(Installation1)
                    VRMF(9.1.0.0) QMgr(queue_manager)
                    Time(2020-07-31T07:08:02.253Z)
                    ArithInsert1(2) ArithInsert2(2035)
                    CommentInsert1(haha)

AMQ9557E: Queue Manager User ID initialization failed for 'haha'.

EXPLANATION:
The call to initialize the User ID 'haha' failed with CompCode 2 and Reason
2035. If an MQCSP block was used, the User ID in the MQCSP block was ''.
ACTION:
Correct the error and try again.
```

My code sample:

```python
import pymqi

host = "host"
port = 1416

conn_info = f"{host}({port})"
channel = "channel"

queue_manager = "queue_manager"


def main():
    manager = pymqi.connect(queue_manager=queue_manager, channel=channel, conn_info=conn_info)


if __name__ == '__main__':
    main()
```

I tried to execute the code from other devices and there, accordingly, the account under which I ran was taken as the UserID.

After that I asked our support to deal with the problem, after which I was able to connect with the account haha, but the solution with the creation of a list of allowed users does not suit me. Is there any way to control the UserID that is sent by pymqi?


UPD 04.08.2020

The support team said that the user phoenix was created on the IBM MQ server with the password 123456789, so I tried to send an MQCSP:

```python
manager = pymqi.connect(queue_manager=queue_manager, channel=channel,
            conn_info=conn_info, user="phoenix", password="123456789")
```

And I got a similar MQRC_NOT_AUTHORIZED error, and the server log contains the same error as above with the username of the machine where the code is launched (not phoenix).

  • Did you try passing a userid and password? There are samples on the pymqi github repository that show this. Your queue manager would need to have CONNAUTH enabled. Short of that or creating/impersonating the user on your local system with pymqi there is no way for you to send an alternate userid. – JoshMc Aug 03 '20 at 06:50
  • @JoshMc Tried with user and password, UserID is sent before this data, response is the same. *>creating/impersonating the user on your local system with pymqi* - create user with pymqi? Did I understand correctly? – Mikhail Murugov Aug 03 '20 at 06:52
  • No, at the system level. If sending MQCSP didn't help it is because the MQ Admin has disabled CONNAUTH. They are trusting you to send a valid userid. This leaves them open to spoofing. Can you please add a similar example to your post showing the MQCSP configuration you tried. I assume most answers will simply point this out so best to point out you tried this. – JoshMc Aug 03 '20 at 06:58
  • @JoshMc Sorry, but I don't understand what *MQCSP configuration* is. Can you explain, please? And can I show my configuration? – Mikhail Murugov Aug 03 '20 at 07:16
  • Check out my comments on [pymqi issue 74](https://github.com/dsuch/pymqi/issues/74#issuecomment-417842453) and [pymqi issue 140](https://github.com/dsuch/pymqi/issues/140). Let me know if you have further questions. – JoshMc Aug 03 '20 at 07:27
  • To clarify my 1st comment, adding a comma where needed: Short of that or creating/impersonating the user on your local system, with pymqi there is no way for you to send an alternate userid. – JoshMc Aug 03 '20 at 09:28
  • @JoshMc Ok. Understood. Is it because of the pymqi implementation? Or because of using the IBM MQ client? And is there no way not to pass the UserID (in other words: is this UserID necessary?)? Because there are suspicions that IBM MQ thinks this is an authorized connection due to the UserID. – Mikhail Murugov Aug 03 '20 at 09:51
  • I went into great detail in the comment linked on #74. MQ client always sends the user the process runs under in all APIs except Java and JMS. I'll write an answer on this question later today. – JoshMc Aug 03 '20 at 10:25
  • @JoshMc Added info about MQCSP if I understand this entity correctly. – Mikhail Murugov Aug 04 '20 at 09:54
  • The queue manager CONNAUTH AUTHINFO needs to have `ADOPTCTX(YES)` to use the authenticated user for authorization. – JoshMc Aug 04 '20 at 11:03
  • @JoshMc Could you post an answer here so that I can create a translated association on ru SO? – Mikhail Murugov Dec 05 '20 at 10:04
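
An added example, not part of the original question or comments: a small parser for AMQ9557E entries in the error-log layout quoted in the question. It reports which user ID the queue manager tried to initialize and whether an MQCSP user ID accompanied it, which is the distinction the comments draw between a client-asserted ID and an authenticated one. The function name, the verdict labels and the second sample entry are assumptions made for illustration.

```python
import re

# Constructed sample in the error-log layout quoted in the question. The second
# entry (MQCSP user 'phoenix') is hypothetical, not output shown on the page.
SAMPLE_LOG = """\
07/31/2020 10:08:02 AM - Process(27333.5) User(mqm) Program(amqrmppa)
                    Time(2020-07-31T07:08:02.253Z)
                    CommentInsert1(haha)

AMQ9557E: Queue Manager User ID initialization failed for 'haha'.

EXPLANATION:
The call to initialize the User ID 'haha' failed with CompCode 2 and Reason
2035. If an MQCSP block was used, the User ID in the MQCSP block was ''.
08/04/2020 09:40:11 AM - Process(27333.9) User(mqm) Program(amqrmppa)
                    Time(2020-08-04T06:40:11.102Z)
                    CommentInsert1(haha)

AMQ9557E: Queue Manager User ID initialization failed for 'haha'.

EXPLANATION:
The call to initialize the User ID 'haha' failed with CompCode 2 and Reason
2035. If an MQCSP block was used, the User ID in the MQCSP block was 'phoenix'.
"""

# An entry starts at a line beginning with "MM/DD/YYYY HH:MM:SS ".
ENTRY_START = re.compile(r"^(?=\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} )", re.M)
FIELD = re.compile(r"(\w+)\(([^)]*)\)")          # header pairs: Name(value)
FAILED = re.compile(r"AMQ9557E:.*?failed for '([^']*)'")
MQCSP = re.compile(r"MQCSP\s+block\s+was\s+'([^']*)'")


def triage_amq9557(log_text):
    """Return one finding per AMQ9557E entry: failed ID, MQCSP user, verdict."""
    findings = []
    for entry in ENTRY_START.split(log_text):
        failed = FAILED.search(entry)
        if not failed:
            continue
        header = dict(FIELD.findall(entry.split("AMQ9557E", 1)[0]))
        csp = MQCSP.search(entry)
        csp_user = csp.group(1) if csp else ""
        if not csp_user:
            verdict = "asserted-only"      # no MQCSP user: ID came from the client
        elif csp_user != failed.group(1):
            verdict = "mqcsp-not-used"     # another ID initialized: check ADOPTCTX
        else:
            verdict = "mqcsp-user-failed"  # the MQCSP user itself was rejected
        findings.append({"time": header.get("Time"), "failed_id": failed.group(1),
                         "mqcsp_user": csp_user, "verdict": verdict})
    return findings
```
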
