IBM MQ call failed with compcode '2' ('MQCC_FAILED') reason '2035' ('MQRC_NOT_AUTHORIZED')

I'm having a hard time trying to connect to my institution's MQ v9.

I was provided connectivity info by the MQ team:-

String hostName = '...'
int port = ...
String queueManager = '...'
String channel = '...'
String userId = 'ABC123'
String password = '...'

Given the following code...

JmsConnectionFactory cf = JmsFactoryFactory.
        getInstance(WMQConstants.WMQ_PROVIDER).
        createConnectionFactory()

cf.setStringProperty(WMQConstants.WMQ_HOST_NAME, hostName)
cf.setIntProperty(WMQConstants.WMQ_PORT, port)
cf.setStringProperty(WMQConstants.WMQ_CHANNEL, channel)
cf.setIntProperty(WMQConstants.WMQ_CONNECTION_MODE, WMQConstants.WMQ_CM_CLIENT)
cf.setStringProperty(WMQConstants.WMQ_QUEUE_MANAGER, queueManager)
cf.setStringProperty(WMQConstants.USERID, userId)
cf.setStringProperty(WMQConstants.PASSWORD, password)
// tried with both `true` and `false`... same error
cf.setBooleanProperty(WMQConstants.USER_AUTHENTICATION_MQCSP, true)

Connection connection = cf.createConnection()
connection.start()
connection.close()

... I'm getting this error:-

Exception in thread "main" com.ibm.msg.client.jms.DetailedJMSSecurityException: 
JMSWMQ2013: The security authentication was not valid 
that was supplied for queue manager '...' with connection 
mode 'Client' and host name '...'.
Please check if the supplied username and password 
are correct on the queue manager to which you are 
connecting.  
Caused by: com.ibm.mq.MQException: JMSCMQ0001: IBM 
MQ call failed with compcode '2' ('MQCC_FAILED') reason 
'2035' ('MQRC_NOT_AUTHORIZED').

I was told by the MQ team that the log has something like this:-

----- amqzfuca.c : 4527 -------------------------------------------------------
04/17/2019 10:32:20 AM - Process(10468.40757) User(...) Program(...)
                    Host(...) Installation(Installation1)
                    VRMF(9.1.0.1) QMgr(...)
                    Time(2019-04-17T15:32:20.542Z)
                    RemoteHost(...)
                    CommentInsert1(...)
                    CommentInsert2(...)
                    CommentInsert3(CLNTUSER(XYZ) ADDRESS(...))

AMQ9777E: Channel was blocked

EXPLANATION:
The inbound channel '...' was blocked from address '...' 
because the active values of the channel matched a record
configured with USERSRC(NOACCESS). The active values of the channel were
'CLNTUSER(XYZ) ADDRESS(...)'.

... and it fails because it's using the wrong credential to connect.

While I passed in a different credential (user ID: ABC123), the MQ log sees the user ID I used to log into my machine (user ID: XYZ).

Why does the credential I explicitly passed in get omitted? How do I fix this?

I'm using this dependency:

<dependency>
    <groupId>com.ibm.mq</groupId>
    <artifactId>com.ibm.mq.allclient</artifactId>
    <version>9.1.2.0</version>
</dependency>

I'm not using IBM JRE... more precisely, I'm using Oracle JDK 1.8 on my Mac, if that helps.

Thank you.

UPDATE 2019-04-22

I was able to get more accurate logs from MQ team now since I'm trying too many things at the same time.

If I set USER_AUTHENTICATION_MQCSP to true, then my machine's user ID (XYZ) is passed in.

If I set USER_AUTHENTICATION_MQCSP to false, then I'm getting a different error message now:-

04/22/2019 01:19:49 PM - Process(1147099.9759) User(...) Program(...)
            Host(rofesb911a) Installation(Installation1)
            VRMF(9.1.0.1) QMgr(...)
            Time(2019-04-22T18:19:49.323Z)
            RemoteHost(...)
            CommentInsert1(wa03598)
            CommentInsert2(REQUIRED)
            CommentInsert3(MCAUSER(ABC123) CLNTUSER(ABC123) ADDRESS(...))

AMQ9790I: The failed authentication check was caused by a CHLAUTH record with
CHCKCLNT(REQUIRED).

EXPLANATION:
The user ID 'ABC123' and its password were checked because the inbound
connection matched a channel authentication record with CHCKCLNT(REQUIRED).

The active values of the channel were 'MCAUSER(ABC123) CLNTUSER(ABC123)
ADDRESS(...)'. The MATCH(RUNCHECK) mode of the DISPLAY CHLAUTH
MQSC command can be used to identify the relevant CHLAUTH record.

The good news is it's seeing the correct user ID (ABC123), but I was told the password is invalid. I don't believe it was a password problem because I was able to use that same credential to access other protected web services.

Your MQ team have given you the credentials to use (i.e. user id and password) so I would assume that they have turned on user id and password checking on the queue manager.

Queue Manager is not using ADOPTCTX(YES)

ADOPTCTX(YES) is a setting on the queue manager that indicates that once user id and password have been verified as being correct, the user id (in your case "ABC123") should then be used for all further security checks (e.g. am I allowed to use this queue). If this setting is NO, then after the password validation is complete, it will actually use the client machine logged on user id which is also sent up to the queue manager (in your case "XYZ"). It seems likely that this is the case on your queue manager.

USER_AUTHENTICATION_MQCSP mode

There are actually two ways that a user id and password can be sent from a Java client application to the queue manager.

  1. The first (decades old) was in use prior to IBM MQ V8, and used a restricted length flow (12 chars max each field) that was originally there for DOS SNA clients to send the two fields to the QMgr. This flow across the network was also the way the client logged on user id got sent to the queue manager, and so only one could be sent.
  2. The newer one, added in MQ V6, and made more useful with password checking natively in the queue manager in MQ V8, was the MQCSP structure, which allowed for variable length user id and password fields. This was a different network flow from the one that sends the client logged on user id, and so both are sent to the queue manager.

When you set USER_AUTHENTICATION_MQCSP to true, you were telling the Java client to use the second mode. This gives the opportunity to be tripped up by the ADOPTCTX(NO) setting. If you set it to false, the only user id that makes it to the queue manager is ABC123 (in your example) and will likely give you a different, perhaps successful result.

Try your application with USER_AUTHENTICATION_MQCSP set to false, and when it works, advise your MQ team that they should use ADOPTCTX(YES) which is also now the default value, then you can switch back to USER_AUTHENTICATION_MQCSP set to true.
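
Added example (not part of the original question or answer): a parser for queue manager error-log entries in the layout quoted in the question, which extracts the message id and the MCAUSER/CLNTUSER values and reports whether the queue manager evaluated the user id the application supplied. The sample log is constructed with placeholder values, and `parse_entries`, `triage` and the verdict labels are hypothetical names chosen for this illustration.

```python
import re

# Constructed sample in the layout of the two log excerpts quoted in the
# question; process, program and address values are placeholders.
SAMPLE_LOG = """\
04/17/2019 10:32:20 AM - Process(1.1) User(mqm) Program(example)
                    CommentInsert3(CLNTUSER(XYZ) ADDRESS(192.0.2.10))

AMQ9777E: Channel was blocked

04/22/2019 01:19:49 PM - Process(1.2) User(mqm) Program(example)
                    CommentInsert3(MCAUSER(ABC123) CLNTUSER(ABC123) ADDRESS(192.0.2.10))

AMQ9790I: The failed authentication check was caused by a CHLAUTH record with
CHCKCLNT(REQUIRED).
"""

HEADER = re.compile(r"^\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} [AP]M - ", re.M)
MSG_ID = re.compile(r"^(AMQ\d{4}[A-Z]):", re.M)
USER_FIELD = re.compile(r"\b(MCAUSER|CLNTUSER)\(([^)]*)\)")


def parse_entries(log_text):
    """Split the log at each timestamp header; keep message id and user ids."""
    starts = [m.start() for m in HEADER.finditer(log_text)] + [len(log_text)]
    entries = []
    for begin, end in zip(starts, starts[1:]):
        chunk = log_text[begin:end]
        msg = MSG_ID.search(chunk)
        if msg:
            users = dict(USER_FIELD.findall(chunk))
            entries.append({"msg": msg.group(1), **users})
    return entries


def triage(entries, app_user):
    """Compare the user id the queue manager evaluated with the supplied one."""
    findings = []
    for e in entries:
        evaluated = e.get("MCAUSER") or e.get("CLNTUSER")
        if evaluated != app_user:
            # The case the answer attributes to ADOPTCTX(NO) with MQCSP mode.
            verdict = "evaluated-as-other-user"
        elif e["msg"] == "AMQ9790I":
            verdict = "authentication-check-failed"
        else:
            verdict = "blocked-as-supplied-user"
        findings.append((e["msg"], evaluated, verdict))
    return findings
```

Calling `triage(parse_entries(SAMPLE_LOG), "ABC123")` separates the entry where the OS logon id was evaluated from the one where the supplied id reached the password check.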
