
For QMGR authentication we use PAM (WebSphere MQ 9.1 on Linux):

CONNAUTH(USE.PAM)

All relevant users are in the local user group "mqm". That works fine for all but one user.

I get the following errors for the named user when he tries to connect to the QMGR with MQ Explorer 9:

----- cmqxrsrv.c : 2390 -------------------------------------------------------
03/27/19 14:01:03 - Process(10232.155) User(mqm) Program(amqzlaa0)
                    Host(velpke.th) Installation(Installation1)
                    VRMF(9.1.0.0) QMgr(QM.QMGRENT)
                    Time(2019-03-27T13:01:03.599Z)
                    CommentInsert1(testuser)
                    CommentInsert2(MQ Explorer 9.1.0)
                    CommentInsert3(Pipe returned 7 [Authentication failure])

AMQ5534E: User ID 'testuser' authentication failed

EXPLANATION:
The user ID and password supplied by the 'MQ Explorer 9.1.0' program could not
be authenticated. 
Additional information: 'Pipe returned 7 [Authentication failure]'.
ACTION:
Ensure that the correct user ID and password are provided by the application.
Ensure that the authentication repository is correctly configured. Look at
previous error messages for any additional information.
----- amqzfuca.c : 4504 -------------------------------------------------------
03/27/19 14:01:03 - Process(10232.155) User(mqm) Program(amqzlaa0)
                    Host(velpke.th) Installation(Installation1)
                    VRMF(9.1.0.0) QMgr(QM.QMGRENT)
                    Time(2019-03-27T13:01:03.599Z)
                    CommentInsert1(testuser)
                    CommentInsert2(USE.PAM)
                    CommentInsert3(CHCKCLNT(REQDADM))

AMQ5542I: The failed authentication check was caused by the queue manager
CONNAUTH CHCKCLNT(REQDADM) configuration.

EXPLANATION:
The user ID 'testuser' and its password were checked because the queue manager
connection authority (CONNAUTH) configuration refers to an authentication
information (AUTHINFO) object named 'USE.PAM' with CHCKCLNT(REQDADM). 

This message accompanies a previous error to clarify the reason for the user ID
and password check.
ACTION:
Refer to the previous error for more information. 

Ensure that a password is specified by the client application and that the
password is correct for the user ID. The authentication configuration of the
queue manager connection determines the user ID repository. For example, the
local operating system user database or an LDAP server. 

If the CHCKCLNT setting is OPTIONAL, the authentication check can be avoided by
not passing a user ID across the channel. For example, by omitting the MQCSP
structure from the client MQCONNX API call. 

To avoid the authentication check, you can amend the authentication
configuration of the queue manager connection, but you should generally not
allow unauthenticated remote access.
----- amqzfuca.c : 4527 -------------------------------------------------------
03/27/19 14:01:04 - Process(10380.163) User(mqm) Program(amqrmppa)
                    Host(velpke.th) Installation(Installation1)
                    VRMF(9.1.0.0) QMgr(QM.QMGRENT)
                    Time(2019-03-27T13:01:04.599Z)
                    ArithInsert1(2) ArithInsert2(2035)
                    CommentInsert1(mqm)
                    CommentInsert2(testuser)

AMQ9557E: Queue Manager User ID initialization failed for 'mqm'.

EXPLANATION:
The call to initialize the User ID 'mqm' failed with CompCode 2 and Reason
2035. If an MQCSP block was used, the User ID in the MQCSP block was 'testuser'.
ACTION:
Correct the error and try again.
----- cmqxrsrv.c : 2390 -------------------------------------------------------
(END)

The user is able to connect with SSH to the server (which also uses PAM). He also tried copying and pasting his password and tried to change his password.

I also checked with "dspmqaut", which returned correct rights.

I did not find any difference between his user and my user or the user of another colleague (both mine and the co-worker's user work).

JoshMc

sebkoe
  • Did you resolve this? If not I will try and help. Could you edit the question and add displays of the `AUTHINFO` object, the `SVRCONN` channel, and any associated `CHLAUTH` rules please. Can you have the `testuser` login as mqm and run `/opt/mqm/bin/security/amqoampx testuser` and then type the user's password and press enter, add that output as well. Also please run `dmpmqaut -m QM.QMGRENT -t qmgr -p testuser -e` and provide that output. – JoshMc Feb 20 '20 at 14:39
  • Sorry, I did not update this issue because I forgot about it. I figured it out myself. The problem was the password of the named user. It was too long. I found out that there is a problem in that case. As soon as he shortened his password it worked – sebkoe Feb 21 '20 at 09:16
  • 1
    You may have encountered this [APAR IT17224: Using option 'use save password' in MQ Explorer connections fail if the password is greater than 12 characte](https://www-01.ibm.com/support/docview.wss?uid=swg1IT17224). This was fixed in MQ explorer 9.0.0.1. – JoshMc Feb 21 '20 at 11:13
  • We are already using MQ Server and MQ Explorer version 9.1 – sebkoe Feb 21 '20 at 15:27
  • 1
    Can you confirm if you had compatibility mode selected in mq explorer for authentication? This is also limited to 12 characters in general, to send more than 12 requires not using compatibility mode. – JoshMc Feb 24 '20 at 03:33
  • I really had compatibility mode selected. Thanks! – sebkoe Feb 24 '20 at 08:28

1 Answer

When MQ Explorer has compatibility mode selected, the password is limited to 12 characters. If you do not have compatibility mode selected, MQ will use an MQCSP structure to send the password and you can send a password as long as 256 characters. Some references are below.


IBM MQ 9.1.0 Knowledge Center page Securing>Security overview>IBM MQ security mechanisms>Connection authentication>Connection authentication with the Java client:

Compatibility mode

Before IBM MQ Version 8.0, the Java client could send a user ID and password across the client-connection channel to the server-connection channel, and have them provided to a security exit in the RemoteUserIdentifier and RemotePassword fields of the MQCD structure. In compatibility mode, this behavior is retained.

...

Choosing authentication mode in IBM MQ Explorer

The IBM MQ Explorer is a Java application, so these two modes, compatibility mode and MQCSP authentication mode, are applicable to it as well.

On panels where user identification is provided, there is a check box to enable or disable compatibility mode:

  • From Version 9.1.0, by default, this check box is not selected. To use compatibility mode, select this check box.

IBM MQ 9.1.0 Knowledge Center page Reference>Developing applications reference>User exits, API exits, and installable services reference>Channel-exit calls and data structures>MQCD - Channel definition>Fields>RemotePassword (MQCHAR12):

The length of this field is given by MQ_PASSWORD_LENGTH.


IBM MQ 9.1.0 Knowledge Center page Reference>Developing applications reference>MQI applications reference>Constants>Constants>MQ_* (String Lengths):

+-------------------+-----+-------------+
|MQ_PASSWORD_LENGTH |  12 | X'0000000C' |
+-------------------+-----+-------------+

IBM MQ 9.1.0 Knowledge Center page Reference>Developing applications reference>MQI applications reference>Data types used in the MQI>MQCSP - Security parameters>Fields for MQCSP>CSPPasswordLength (MQLONG):

The maximum length of the password is MQ_CSP_PASSWORD_LENGTH, which is 256 characters. If the length of the password is greater than the maximum length permitted, the authentication request fails with MQRC_NOT_AUTHORIZED.

JoshMc
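The question's log excerpt and the answer's 12-versus-256-character limits suggest a small triage aid for the queue-manager administrator: parse the AMQERRnn.LOG entries, group AMQ5534E failures by client user ID, attach the client program and the AUTHINFO/CHCKCLNT setting reported by the accompanying AMQ5542I, and, when the failing client is MQ Explorer, remind the operator of the compatibility-mode password cap. This is an added example, not code from the question, the answer, or IBM; the sample log below is constructed from the entries quoted in the question, and the field layout it parses is only the `Name(value)` header format visible there.

```python
"""Summarise failed connection-authentication events from an IBM MQ error log.

Added example; not part of the original question or answer. Parses the
AMQERRnn.LOG entry layout shown in the question and pairs AMQ5534E
(authentication failed) with AMQ5542I (which CONNAUTH setting caused the check).
"""
import re
from collections import defaultdict

# Limits quoted in the answer: MQCD RemotePassword (compatibility mode) and
# MQCSP CSPPasswordLength (MQCSP authentication mode).
MQ_PASSWORD_LENGTH = 12
MQ_CSP_PASSWORD_LENGTH = 256

# Constructed sample log, trimmed from the entries quoted in the question.
SAMPLE_LOG = """\
----- cmqxrsrv.c : 2390 -------------------------------------------------------
03/27/19 14:01:03 - Process(10232.155) User(mqm) Program(amqzlaa0)
                    Host(velpke.th) Installation(Installation1)
                    VRMF(9.1.0.0) QMgr(QM.QMGRENT)
                    Time(2019-03-27T13:01:03.599Z)
                    CommentInsert1(testuser)
                    CommentInsert2(MQ Explorer 9.1.0)
                    CommentInsert3(Pipe returned 7 [Authentication failure])

AMQ5534E: User ID 'testuser' authentication failed

EXPLANATION:
The user ID and password supplied by the 'MQ Explorer 9.1.0' program could not
be authenticated.
----- amqzfuca.c : 4504 -------------------------------------------------------
03/27/19 14:01:03 - Process(10232.155) User(mqm) Program(amqzlaa0)
                    Host(velpke.th) Installation(Installation1)
                    VRMF(9.1.0.0) QMgr(QM.QMGRENT)
                    Time(2019-03-27T13:01:03.599Z)
                    CommentInsert1(testuser)
                    CommentInsert2(USE.PAM)
                    CommentInsert3(CHCKCLNT(REQDADM))

AMQ5542I: The failed authentication check was caused by the queue manager
CONNAUTH CHCKCLNT(REQDADM) configuration.
"""

ENTRY_SEP = re.compile(r"^----- \S+ : \d+ -+$", re.M)
# Name(value) pairs; the value may contain one level of nested parentheses,
# e.g. CommentInsert3(CHCKCLNT(REQDADM)).
FIELD_RE = re.compile(r"(\w+)\(((?:[^()]|\([^()]*\))*)\)")
MSG_RE = re.compile(r"^(AMQ\d{4}[A-Z]): (.*)$", re.M)


def parse_entries(text):
    """Split the log at entry separators and return one dict per entry."""
    entries = []
    for chunk in ENTRY_SEP.split(text):
        chunk = chunk.strip()
        if not chunk:
            continue
        # Header block (timestamp plus Name(value) fields) ends at the first blank line.
        header, _, rest = chunk.partition("\n\n")
        m = MSG_RE.search(rest)
        if not m:
            continue
        fields = dict(FIELD_RE.findall(header))
        fields["when"] = header.split(" - ")[0].strip()
        msg_id, first_line = m.groups()
        # The message text may continue on following lines up to the next blank line.
        continuation = rest[m.end():].split("\n\n", 1)[0]
        fields["msgid"] = msg_id
        fields["message"] = " ".join((first_line + continuation).split())
        entries.append(fields)
    return entries


def failed_auth_summary(entries):
    """Group AMQ5534E failures by the client user ID in CommentInsert1."""
    summary = defaultdict(lambda: {"count": 0, "programs": set(), "authinfo": set()})
    for e in entries:
        user = e.get("CommentInsert1")
        if e["msgid"] == "AMQ5534E":
            summary[user]["count"] += 1
            summary[user]["programs"].add(e.get("CommentInsert2", "?"))
        elif e["msgid"] == "AMQ5542I":
            # CommentInsert2 = AUTHINFO object, CommentInsert3 = CHCKCLNT setting
            summary[user]["authinfo"].add(f"{e.get('CommentInsert2')} {e.get('CommentInsert3')}")
    return dict(summary)


def explorer_length_hint(record):
    """Return a diagnostic hint when the failing client program is MQ Explorer."""
    if any(p.startswith("MQ Explorer") for p in record["programs"]):
        return (f"client is MQ Explorer: with compatibility mode selected the password "
                f"is limited to {MQ_PASSWORD_LENGTH} characters; MQCSP mode allows "
                f"{MQ_CSP_PASSWORD_LENGTH}")
    return None


if __name__ == "__main__":
    for user, rec in failed_auth_summary(parse_entries(SAMPLE_LOG)).items():
        print(user, rec["count"], sorted(rec["programs"]), sorted(rec["authinfo"]))
        hint = explorer_length_hint(rec)
        if hint:
            print("  hint:", hint)
```

Run against a real AMQERR01.LOG by reading the file into `parse_entries` instead of `SAMPLE_LOG`; the hint only fires for MQ Explorer clients, since the 12-character cap comes from the MQCD RemotePassword field that compatibility mode uses, not from the queue manager or PAM.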