IBM-MQ on openshift POD, how to connect with default uid


I am getting the below error when I am trying to connect to IBM MQ deployed on OpenShift. Here I am trying to use the user id of the container: 1000440000.

SET CHLAUTH(QM1_AMIT.SVRCONN) TYPE(ADDRESSMAP) ADDRESS('*') MCAUSER('1000440000')
----- amqzmgr0.c : 2996 -------------------------------------------------------
03/27/23 14:31:35 - Process(2970521.4) User(1000440000) Program(amqrmppa)
                    Host(amit-ibm-mq-0) Installation(Installation1)
                    VRMF(9.2.3.0) QMgr(QM1_AMIT)
                    Time(2023-03-27T14:31:35.436Z)
                    RemoteHost(10.104.14.15)
                    CommentInsert1(QM1_AMIT.SVRCONN)
                    CommentInsert2(10.104.14.15)
                    CommentInsert3(MCAUSER(1000440000) CLNTUSER(1000440000))
                   
AMQ9776E: Channel was blocked by userid

EXPLANATION:
The inbound channel 'QM1_AMIT.SVRCONN' was blocked from address '10.104.14.15'
because the active values of the channel were mapped to a userid which should
be blocked. The active values of the channel were 'MCAUSER(1000440000)
CLNTUSER(1000440000)'.

Display output of CHLAUTH:

dis chlauth(*) all
     1 : dis chlauth(*) all
AMQ8878I: Display channel authentication record details.
   CHLAUTH(QM1_AMIT.SVRCONN)               TYPE(ADDRESSMAP)
   DESCR( )                                CUSTOM( )
   ADDRESS(*)                              MCAUSER(1000440000)
   USERSRC(MAP)                            CHCKCLNT(ASQMGR)
   ALTDATE(2023-03-27)                     ALTTIME(14.31.05)
AMQ8878I: Display channel authentication record details.
   CHLAUTH(SYSTEM.ADMIN.SVRCONN)           TYPE(ADDRESSMAP)
   DESCR(Default rule to allow MQ Explorer access)
   CUSTOM( )                               ADDRESS(*)
   USERSRC(CHANNEL)                        CHCKCLNT(ASQMGR)
   ALTDATE(2023-03-27)                     ALTTIME(14.30.31)
AMQ8878I: Display channel authentication record details.
   CHLAUTH(SYSTEM.*)                       TYPE(ADDRESSMAP)
   DESCR(Default rule to disable all SYSTEM channels)
   CUSTOM( )                               ADDRESS(*)
   USERSRC(NOACCESS)                       WARN(NO)
   ALTDATE(2023-03-27)                     ALTTIME(14.30.31)
AMQ8878I: Display channel authentication record details.
   CHLAUTH(*)                              TYPE(BLOCKUSER)
   DESCR(Default rule to disallow privileged users)
   CUSTOM( )                            
   USERLIST(*MQADMIN)                      WARN(NO)
   ALTDATE(2023-03-27)                     ALTTIME(14.30.31)

Is there any mechanism by which I can use the users of the container to connect to IBM MQ from a Java client, or any other way to skip the user?

Regards, Amit M


Solution

If I understand correctly, your queue manager is running in the container and runs under the user 1000440000. You have specified an ADDRESSMAP rule to set the MCAUSER to 1000440000. In this case, since 1000440000 is what the queue manager runs under, it is the user with full MQ admin rights. The default BLOCKUSER rule blocks all admin users and is causing your "channel was blocked" error.

There is a feature in 9.3 LTS (9.2.1 CD) which allows you to use arbitrary users and provide low-privileged access, which is better than giving them full access. Usually you would want some authentication of the incoming connection above and beyond the IP address. You could use a certificate. You could configure the queue manager to use LDAP and provide a username and password.

This blog post by Mark Taylor describes the feature: More flexibility for user management in MQ
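As an added example (not from the question or the answer above), the following script emits the MQSC that replaces the rule mapping every client to the queue manager's own admin uid with a mapping to a low-privileged principal, grants that principal only the authorities it needs, and then uses DISPLAY CHLAUTH MATCH(RUNCHECK) to see which rule a given connection would hit before the client is retried. QM1_AMIT, QM1_AMIT.SVRCONN and the address 10.104.14.15 come from the page; the user 'mqapp' and queue 'APP.Q1' are assumed placeholders, and 'mqapp' must be a user the queue manager can resolve (an OS user, an LDAP user, or one allowed by the feature the answer refers to).

```shell
#!/bin/sh
# Added example: generate least-privilege CHLAUTH/AUTHREC MQSC for the channel
# from the question. 'mqapp' and 'APP.Q1' are assumed placeholder names.

# hardened_chlauth_mqsc CHANNEL USER QUEUE
hardened_chlauth_mqsc() {
  chl="$1"; user="$2"; queue="$3"
  cat <<EOF
* Map every client on this channel to a non-admin user. CHCKCLNT(REQUIRED)
* makes the client present a user ID and password, so the IP address alone
* is not trusted. ACTION(REPLACE) overwrites the existing ADDRESS('*') rule.
SET CHLAUTH('$chl') TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(MAP) MCAUSER('$user') CHCKCLNT(REQUIRED) ACTION(REPLACE)
* Least privilege: connect to the queue manager and use one queue, nothing more.
* The default BLOCKUSER(*MQADMIN) rule is deliberately left in place.
SET AUTHREC OBJTYPE(QMGR) PRINCIPAL('$user') AUTHADD(CONNECT,INQ)
SET AUTHREC PROFILE('$queue') OBJTYPE(QUEUE) PRINCIPAL('$user') AUTHADD(PUT,GET,INQ,BROWSE)
REFRESH SECURITY TYPE(CONNAUTH)
EOF
}

# chlauth_runcheck_mqsc CHANNEL ADDRESS CLNTUSER
# Asks the queue manager which CHLAUTH rule would apply to a connection from
# ADDRESS asserting CLNTUSER, without opening one (RUNCHECK needs a concrete
# channel name, not a wildcard).
chlauth_runcheck_mqsc() {
  cat <<EOF
DISPLAY CHLAUTH('$1') MATCH(RUNCHECK) ADDRESS('$2') CLNTUSER('$3')
EOF
}

# Apply only where runmqsc exists, i.e. inside the queue manager pod
# (oc exec / oc rsh into the pod first).
if command -v runmqsc >/dev/null 2>&1; then
  hardened_chlauth_mqsc QM1_AMIT.SVRCONN mqapp APP.Q1 | runmqsc QM1_AMIT
  chlauth_runcheck_mqsc QM1_AMIT.SVRCONN 10.104.14.15 mqapp | runmqsc QM1_AMIT
fi
```

If the RUNCHECK output still shows the BLOCKUSER rule, the mapped user is still a member of the mqm (admin) group and a different principal is needed.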