search

ibm-messaging / mq-metric-samples

IBM® MQ metric gathering client samples
Apache License 2.0
57 stars 70 forks source link

mqhtpass: User does not exist. #307

Open aheyers opened 5 days ago

aheyers commented 5 days ago

We setup this exporter inside a kubernetes cluster with Argo CD. If the connection was successful and metrics exported upon opening the MQ logs on ArgoCD the following error message appears. There are no logs in the error logs of IBM MQ. We are using IBM MQ 9.3.2.0.

mqhtpass: mqhtpass_authenticate_user_csp with CSP user set. user=ibmmon mqhtpass: User does not exist. user=ibmmon mqhtpass: User authentication failed due to invalid user. user=ibmmon effuser=root applname=mq_prometheus csp_user=ibmmon cc=1 reason=0

This error appears even though the LDAP query for active directory is setup properly and authentication/authorization is working as expected. Other users connecting to the QM produce normal logs.

I am not sure if we are missing a step in configuration to avoid this error. If its not solvable we would appreciate a workaround to hide this error message.

Starting parameters on the exporter from yaml:

 - ./mq_prometheus -ibmmq.userid "${userid}" -ibmmq.password "${password}"    -ibmmq.ccdtUrl
          /config/go-exporter/ccdt.json   -ibmmq.queueManager QM   -ibmmq.monitoredQueues "APP.*,!SYSTEM.*,!AMQ.*,QM*" -ibmmq.monitoredChannels "SYSTEM.*,TO.*"  -ibmmq.useStatus

The ccdt.json on the exporter.

 {
      "channel": [
        {
          "name": "EXPORTER.CHANNEL",
          "clientConnection": {
            "connection": [
              {
                "host": "ibm-mq",
                "port": 1414
              }
            ],
            "queueManager": "QM"
          },
          "transmissionSecurity":
          {
            "cipherSpecification": "TLS_RSA_WITH_AES_256_GCM_SHA384",
            "certificateLabel": "ibmwebspheremqibmmon",
          },
          "type": "clientConnection"
        }
ibmmqmet commented 4 days ago

If you're getting errors from the htpasswd module, then you must have chosen to include that when building the container. Perhaps so you've got the default userids+passwords for the developer image. If you're not using the "app"/"admin" ids, then you could rebuild the container (or edit the qmgr's qm.ini file) to not use htpasswd.

Read the container repository's docs/pluggable_connauth.md file for more info about that option.

Note that the 9.4 version of the container has restructured how the default user/passwords are handled.