ibm-messaging / mq-container

Container images for IBM® MQ
Apache License 2.0

I am getting connection unauthorized, connecting to MQ, what password should I use #460

Closed berlinbrown closed 2 years ago

berlinbrown commented 3 years ago

I am connecting from one docker container to another.

Here is essentially the code:

//const connectionString = 'localhost';
const connectionString = 'host.docker.internal';
const channel = 'DEV.ADMIN.SVRCONN';
const qMgr: string = 'QM1';
const topic: string = 'pritopic';

let csp = new mq.MQCSP();
//csp.UserId = 'admin';
//csp.Password = 'passw0rd'
csp.UserId = 'admin';
csp.Password = 'passw0rd'
cno.SecurityParms = csp;

And error:

[Nest] 8 - 06/15/2021, 3:52:38 PM [MQError: CONNX: MQCC = MQCC_FAILED [2] MQRC = MQRC_NOT_AUTHORIZED [2035]] mq[publisher] error: +1209ms

/usr/local/lib/node_modules/ibmmq/lib/mqi.js:776
var err = new MQError(jsCc,jsRc,'CONNX');
^
MQError: CONNX: MQCC = MQCC_FAILED [2] MQRC = MQRC_NOT_AUTHORIZED [2035]
    at /usr/local/lib/node_modules/ibmmq/lib/mqi.js:776:17
    at Object.<anonymous> (/usr/local/lib/node_modules/ibmmq/node_modules/ffi-napi/lib/_foreign_function.js:115:9) {
  mqcc: 2,
  mqccstr: 'MQCC_FAILED',
  mqrc: 2035,
  mqrcstr: 'MQRC_NOT_AUTHORIZED',
  version: '0.9.17',
  verb: 'CONNX'

berlinbrown commented 3 years ago

Also if I can just disable security. Don't need it for this use case

docker run --env LICENSE=accept --env MQ_QMGR_NAME=QM1 --publish 1414:1414 --publish 9443:9443 --detach --env MQ_APP_PASSWORD=passw0rd ibmcom/mq:latest

berlinbrown commented 3 years ago

This is the error:

2021-06-15T21:37:58.290Z AMQ8077W: Entity 'admin' has insufficient authority to access object QM1 [qmgr]. [CommentInsert1(admin), CommentInsert2(QM1 [qmgr]), CommentInsert3(connect)]
2021-06-15T21:37:58.291Z AMQ9557E: Queue Manager User ID initialization failed for 'mqm'. [ArithInsert1(2), ArithInsert2(2035), CommentInsert1(mqm), CommentInsert2(admin), CommentInsert3(admin)]
2021-06-15T21:48:07.904Z AMQ9777E: Channel was blocked [CommentInsert1(DEV.ADMIN.SVRCONN), CommentInsert2(_gateway (172.17.0.1)), CommentInsert3(CLNTUSER(node) ADDRESS(_gateway))]
2021-06-15T21:48:07.904Z AMQ9999E: Channel 'DEV.ADMIN.SVRCONN' to host '172.17.0.1' ended abnormally. [CommentInsert1(DEV.ADMIN.SVRCONN), CommentInsert2(447), CommentInsert3(172.17.0.1)]

arthurbarr commented 3 years ago

You can disable security access checks entirely by setting the MQSNOAUT environment variable to yes. Obviously this is not a recommended approach, but may get you past the current problem.

For an application, I'd recommend connecting with the app user, with the DEV.APP.SVRCONN channel. You can see the pre-configured security settings here: https://github.com/ibm-messaging/mq-container/blob/master/incubating/mqadvanced-server-dev/10-dev.mqsc.tpl

LLACZ commented 2 years ago

> For an application, I'd recommend connecting with the app user, with the DEV.APP.SVRCONN channel. You can see the pre-configured security settings here: https://github.com/ibm-messaging/mq-container/blob/master/incubating/mqadvanced-server-dev/10-dev.mqsc.tpl

If AUTHINFO is defined with AUTHTYPE(IDPWOS), you need an OS account which will be used in the PRINCIPAL parameter in the AUTHREC definition. If I am correct (not sure), there should be an "app" OS account in the mqclient group.

arthurbarr commented 2 years ago

We don't use OS users at all in the container image any more. The app user was previously an OS user, but is now defined in an htpasswd file, via a custom MQ auth service. When using the MQ Advanced for Developers image, we also set UserExternal in the qm.ini file, which prevents the standard MQ OAM from needing an OS user.
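
The queue manager log entries posted earlier in this thread already say which user lacked which authority and which channel was blocked for which client user. The following is an added example (not code from the thread or from the mq-container project) that parses those entries, including the nested parentheses in the insert values; the function names and finding labels are hypothetical.

```javascript
// Constructed input: the four queue manager log entries quoted in this thread.
const SAMPLE_LOG = [
  "2021-06-15T21:37:58.290Z AMQ8077W: Entity 'admin' has insufficient authority to access object QM1 [qmgr]. [CommentInsert1(admin), CommentInsert2(QM1 [qmgr]), CommentInsert3(connect)]",
  "2021-06-15T21:37:58.291Z AMQ9557E: Queue Manager User ID initialization failed for 'mqm'. [ArithInsert1(2), ArithInsert2(2035), CommentInsert1(mqm), CommentInsert2(admin), CommentInsert3(admin)]",
  "2021-06-15T21:48:07.904Z AMQ9777E: Channel was blocked [CommentInsert1(DEV.ADMIN.SVRCONN), CommentInsert2(_gateway (172.17.0.1)), CommentInsert3(CLNTUSER(node) ADDRESS(_gateway))]",
  "2021-06-15T21:48:07.904Z AMQ9999E: Channel 'DEV.ADMIN.SVRCONN' to host '172.17.0.1' ended abnormally. [CommentInsert1(DEV.ADMIN.SVRCONN), CommentInsert2(447), CommentInsert3(172.17.0.1)]",
];

// Insert values can nest parentheses, e.g. CLNTUSER(node), so scan for the
// balancing ")" instead of splitting on commas.
function parseInserts(body) {
  const inserts = {};
  const nameRe = /(ArithInsert|CommentInsert)(\d+)\(/g;
  let m;
  while ((m = nameRe.exec(body)) !== null) {
    let depth = 1, i = nameRe.lastIndex;
    for (; i < body.length && depth > 0; i++) depth += body[i] === "(" ? 1 : body[i] === ")" ? -1 : 0;
    if (depth !== 0) break; // truncated entry: keep what was parsed so far
    inserts[m[1] + m[2]] = body.slice(nameRe.lastIndex, i - 1);
    nameRe.lastIndex = i;
  }
  return inserts;
}

function parseEntry(line) {
  const m = /^(\S+)\s+(AMQ\d{4}[A-Z]):\s+(.*)$/.exec(line);
  if (!m) return null; // not a timestamped AMQ entry
  const at = m[3].search(/\[(?:Arith|Comment)Insert\d+\(/);
  return { time: m[1], id: m[2], inserts: at < 0 ? {} : parseInserts(m[3].slice(at)) };
}

// Hypothetical triage: one finding per entry that helps explain the 2035.
function triage(lines) {
  const findings = [];
  for (const e of lines.map(parseEntry).filter(Boolean)) {
    const c = e.inserts;
    if (e.id === "AMQ8077W") {
      findings.push({ id: e.id, kind: "missing-authority", user: c.CommentInsert1, object: c.CommentInsert2, authority: c.CommentInsert3 });
    } else if (e.id === "AMQ9777E") {
      const u = /CLNTUSER\(([^)]*)\)/.exec(c.CommentInsert3 || "");
      findings.push({ id: e.id, kind: "channel-blocked", channel: c.CommentInsert1, clientUser: u ? u[1] : null });
    } else if (e.id === "AMQ9557E") {
      findings.push({ id: e.id, kind: "userid-init-failed", reason: Number(c.ArithInsert2) });
    }
  }
  return findings;
}

console.log(triage(SAMPLE_LOG));
```

On the entries above it reports that `admin` lacks `connect` authority on `QM1 [qmgr]` and that `DEV.ADMIN.SVRCONN` was blocked for client user `node`.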