ibm-messaging / mq-container

Container images for IBM® MQ
Apache License 2.0

How to Connect QMgr from MQ Explorer #367

Open atulsingh0 opened 5 years ago

atulsingh0 commented 5 years ago

Hi team, I have run a few commands to create a channel by which I can connect to the QMgr from MQ Explorer, but I am unable to:

Commands:

DEFINE LISTENER (QM1.LISTENER) TRPTYPE(TCP) CONTROL(QMGR) PORT(1414)  
START LISTENER (QM1.LISTENER)
setmqaut -m QM1 -t queue -n SYSTEM.MQEXPLORER.REPLY.MODEL -p mqm +browse +get +inq +put +set +setall +passall +passid +chg +dsp 

SET CHLAUTH(QM1.SVRCONN) TYPE(BLOCKUSER) USERLIST('nobody') DESCR('Allow privileged users on this channel')
SET CHLAUTH('*') TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(NOACCESS) DESCR('BackStop rule')
SET CHLAUTH(QM1.SVRCONN) TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(CHANNEL) CHCKCLNT(REQUIRED)
ALTER AUTHINFO(SYSTEM.DEFAULT.AUTHINFO.IDPWOS) AUTHTYPE(IDPWOS) ADOPTCTX(YES)
REFRESH SECURITY TYPE(CONNAUTH) 

Error:

Access not permitted. You are not authorized to perform this operation. (AMQ4036)
  Access not permitted. You are not authorized to perform this operation. (AMQ4036)
  Severity: 10 (Warning)
  Explanation: The queue manager security mechanism has indicated that the userid associated with this request is not authorized to access the object.

arthurbarr commented 5 years ago

Which user did you use to run these commands? How did you supply them?

A few other notes:

  1. You don't normally need to define your own listener, as there's one there by default.
  2. You can use an MQSC AUTHREC instead of setmqaut
  3. Are you using the developer image, or the production image? The developer image includes some MQSC configuration out-of-the-box, as well as some users. Note that the production image only comes with the "mqm" user.

rudra108 commented 4 years ago

I am also facing this problem with MQ 9.1.2. Mine is the developer image and I have QMGR CHLAUTH(DISABLED). My docker container is running on a remote server. I created a separate SVRCONN channel for the mqm user.

Define channel (MY.SVRCONN) chltype (svrconn) trptype (tcp) mcauser('')

But when I try to connect to my Qmanager via MQ Explorer, I get this error -

Access not permitted. You are not authorized to perform this operation. (AMQ4036) Severity: 10 (Warning) Explanation: The queue manager security mechanism has indicated that the userid associated with this request is not authorized to access the object.

I tried to disable the CONNAUTH but no luck. I can connect to a non containerized mq by this method. Not sure what is different when I try connecting to a dockerized MQ.

Any help will be highly appreciated.

callumpjackson commented 4 years ago

Although you have disabled ChannelAuth, standard MQ Authorization will still occur. Within your context this means that the user identity used to connect to MQ will be mapped to the associated groups, and the permissions checked for the messaging resources you are attempting to access.

My gut feeling would be that you are attempting to connect without a username and password. If you specify the admin username and password for the connection, I'm guessing the connection should work.

rudra108 commented 4 years ago

> Although you have disabled ChannelAuth, standard MQ Authorization will still occur. Within your context this means that the user identity used to connect to MQ will be mapped to the associated groups, and the permissions checked for the messaging resources you are attempting to access.
>
> My gut feeling would be that you are attempting to connect without a username and password. If you specify the admin username and password for the connection, I'm guessing the connection should work.

Thanks, it was my misunderstanding. I need to create another user and add it to the mq group in order to access from MQ Explorer from outside of the cluster. Or create the mqm user with a known password in the image itself.

bigtfromaz commented 3 years ago

None of the above seems to work for my situation. I created an Ubuntu 18.01 VM for the sole purpose of resolving this issue. In there, I ran this command:

# Note: 1026 is my user id on the host, and the 0 group seems to be required
docker run \
   -e "LICENSE=accept" \
   -e "MQ_QMGR_NAME=MYQM" \
   --publish 1414:1414 \
   --publish 9443:9443 \
   --name MYQM \
   -h MYQM \
   -u 1026:0 \
   -e "MQ_ADMIN_PASSWORD=mypwd" \
   -d ibmcom/mq:latest

In the documentation for the development version of the container, I see this note

Two channels are created, one for administration, the other for normal messaging:

DEV.ADMIN.SVRCONN - configured to only allow the admin user to connect into it. A user and password must be supplied.
DEV.APP.SVRCONN - does not allow administrative users to connect. Password is optional unless you choose a password for app users.

When I try to connect from MQ Explorer on Windows, using DEV.ADMIN.SVRCONN and the user admin/mypwd, I receive this message:

Could not establish a connection to the queue manager - reason 2538. (AMQ4059)
  Could not establish a connection to the queue manager - reason 2538. (AMQ4059)
  Severity: 10 (Warning)
  Explanation: The attempt to connect to the queue manager failed. This could be because the queue manager is incorrectly configured to allow a connection from this system, or the connection has been broken.
  Response: Try the operation again. If the error persists, examine the problem determination information to see if any information has been recorded.

There doesn't seem to be anything useful in the AMQERR01.LOG either at the top level or the MYQM level.

All we want to do is set up a remote queue manager where developers can write getters and putters and share the queues. And, where we can administer using Explorer. What am I missing?

Craigmckeeman commented 3 years ago

bigtfromaz, I know this may be a bit late, but it may help someone: 2538 is Host not available. Check that the host you are connecting to (IP address may be easier) and the port are correct. Also check the Listener is running.

Got my DEV image working after setting:

SET AUTHREC PROFILE('self') PRINCIPAL('admin') OBJTYPE(QMGR) AUTHADD(CONNECT,INQ)

I cannot, however, get MQ Explorer to work with the production version.

Set up with:

ALTER QMGR CONNAUTH('ADMIN.AUTHINFO') DEADQ('DEAD.LETTER.QUEUE')
DEFINE AUTHINFO('ADMIN.AUTHINFO') AUTHTYPE(IDPWOS) ADOPTCTX(YES) CHCKCLNT(REQDADM)
SET AUTHREC PROFILE('ADMIN.AUTHINFO') PRINCIPAL('admin') OBJTYPE(AUTHINFO) AUTHADD(CHG,DLT,DSP,INQ)
SET AUTHREC PRINCIPAL('admin') OBJTYPE(QMGR) AUTHADD(CONNECT,DSP,INQ)
SET CHLAUTH('ADMIN.SVRCONN') TYPE(USERMAP) DESCR('Allow admin as MQ-admin') CLNTUSER('admin') USERSRC(MAP)
SET CHLAUTH('ADMIN.SVRCONN') TYPE(BLOCKUSER) DESCR('Allows admins on ADMIN channel') USERLIST('nobody')
REFRESH SECURITY (CONNAUTH)

I get in the log:

AMQ5534E: User ID 'admin' authentication failed [CommentInsert1(admin), CommentInsert2(MQ Explorer 9.0.0), CommentInsert3(Pipe returned 2035 [FAILED])]
AMQ5542I: The failed authentication check was caused by the queue manager CONNAUTH CHCKCLNT(REQDADM) configuration. [CommentInsert1(admin), CommentInsert2(SYSTEM.DEFAULT.AUTHINFO.IDPWOS), CommentInsert3(CHCKCLNT(REQDADM))]
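
A triage helper for the two log messages quoted above, as an added example that is not part of the original comment or of the mq-container project. It pairs each AMQ5534E with the AMQ5542I that follows it and reports which AUTHINFO object the log names, so it can be compared with the one the configuration was meant to put in effect. The function names, the field labels given to the `CommentInsert` values, and the `expected_authinfo` parameter are assumptions made for this example.

```python
import re

# Constructed sample: the two AMQERR01.LOG messages quoted in the comment above.
SAMPLE_LOG = """\
AMQ5534E: User ID 'admin' authentication failed [CommentInsert1(admin), CommentInsert2(MQ Explorer 9.0.0), CommentInsert3(Pipe returned 2035 [FAILED])]
AMQ5542I: The failed authentication check was caused by the queue manager CONNAUTH CHCKCLNT(REQDADM) configuration. [CommentInsert1(admin), CommentInsert2(SYSTEM.DEFAULT.AUTHINFO.IDPWOS), CommentInsert3(CHCKCLNT(REQDADM))]
"""

# Message id, message text, then the bracketed CommentInsert list at end of line.
MSG_RE = re.compile(r"^(AMQ\d{4}[A-Z]): (.*?) \[(CommentInsert1\(.*)\]$")


def parse_message(line):
    """Split one log line into id, text and a {n: value} dict of inserts."""
    m = MSG_RE.match(line.strip())
    if not m:
        return None
    inserts = {}
    # Insert values may contain parentheses and brackets, so split only
    # where the next "CommentInsertN(" begins.
    for part in re.split(r",\s*(?=CommentInsert\d+\()", m.group(3)):
        pm = re.match(r"CommentInsert(\d+)\((.*)\)$", part)
        if pm:
            inserts[int(pm.group(1))] = pm.group(2)
    return {"id": m.group(1), "text": m.group(2), "inserts": inserts}


def triage(log_text, expected_authinfo):
    """Pair AMQ5534E/AMQ5542I and flag an unexpected AUTHINFO object."""
    findings, pending = [], None
    for line in log_text.splitlines():
        msg = parse_message(line)
        if msg is None:
            continue
        if msg["id"] == "AMQ5534E":
            pending = msg
        elif msg["id"] == "AMQ5542I" and pending:
            findings.append({
                "user": pending["inserts"].get(1),
                "application": pending["inserts"].get(2),
                "authinfo_named": msg["inserts"].get(2),
                "chckclnt": msg["inserts"].get(3),
                "matches_expected": msg["inserts"].get(2) == expected_authinfo,
            })
            pending = None
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG, expected_authinfo="ADMIN.AUTHINFO"):
        print(finding)
```

On the sample, the log names SYSTEM.DEFAULT.AUTHINFO.IDPWOS while the configuration in the comment defines ADMIN.AUTHINFO, so `matches_expected` is false.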