Question
You create a new queue manager in WebSphere MQ 7.1 or 7.5 or later and you try to use a user id that is an MQ Administrator to remotely access the queue manager via a client connection. You get an error with reason code 2035:
2035 MQRC_NOT_AUTHORIZED
The MQ Administrator can remotely access without problems other MQ queue managers at version 6 or 7.0.x.
Cause
You created a new queue manager in MQ 7.1 or in 7.5 or later. The default value for the new feature introduced in 7.1, "Channel Authentication Records" (CHLAUTH) is ENABLED. You can see the value by using runmqsc:
$ runmqsc QmgrName
DISPLAY QMGR CHLAUTH
AMQ8408: Display Queue Manager details.
QMNAME(TEST01) CHLAUTH(ENABLED)
By default, the following 3 channel authentication records are generated when a new queue manager is created in 7.1 or upgraded to 7.1:
DISPLAY CHLAUTH(*)
1 : DISPLAY CHLAUTH(*)
AMQ8878: Display channel authentication record details.
CHLAUTH(SYSTEM.ADMIN.SVRCONN) TYPE(ADDRESSMAP)
ADDRESS(*) USERSRC(CHANNEL)
AMQ8878: Display channel authentication record details.
CHLAUTH(SYSTEM.*) TYPE(ADDRESSMAP)
ADDRESS(*) USERSRC(NOACCESS)
AMQ8878: Display channel authentication record details.
CHLAUTH(*) TYPE(BLOCKUSER)
USERLIST(*MQADMIN)
The last record blocks all remote channel access to any MQ Administrator. The effect is that non-administrative users can still connect if suitably authorized to do so, but administrative connections and anonymous connections are disallowed regardless of any Object Authority Manager (OAM) authorization settings. This means that new queue managers in V7.1 are much more secure by default than in previous versions, but with the trade-off that administrative access must be explicitly defined.
+++ Additional notes:
a) If you upgraded a queue manager to MQ 7.1 this new feature is NOT enabled by default.
$ runmqsc QmgrName
DISPLAY QMGR CHLAUTH
AMQ8408: Display Queue Manager details.
QMNAME(TEST01) CHLAUTH(DISABLED)
However, this new feature can be enabled by issuing the following command in runmqsc:
ALTER QMGR CHLAUTH(ENABLED)
b) You use the MQ Explorer to remotely access the newly created 7.1 queue manager and get the following errors:
Text inside the dialog box:
Access not permitted. You are not authorized to perform this operation. (AMQ4036)
Severity: 10 (Warning)
Explanation: The queue manager security mechanism has indicated that the userid associated with this request is not authorized to access the object.
After closing the above dialog, the next one appears:
Text inside the dialog box:
An error occurred connecting to queue manager 'QM_71 on 'host.x.com(14xx)''. Are you sure that you want to show this queue manager in the folder anyway? (AMQ4027)
Severity: 10 (Warning)
Explanation: A connection could not be made to the specified remote queue manager.
Response: Ensure that the named queue manager is running on the host and port specified, and has a channel corresponding to the specified name. Ensure that you have the authority to connect to the remote queue manager, and ensure that the network is running. Select Yes if you believe that the problem can be resolved later. Select No if you want to correct the problem now and try again.
c) In the error log for the queue manager you see either the error AMQ9776 or AMQ9777, followed by AMQ9999
c.1) AMQ9776: Channel was blocked by userid
EXPLANATION: The inbound channel 'SYSTEM.ADMIN.SVRCONN' was blocked from address
'9.49.x.x' because the active values of the channel were mapped to a userid which should be blocked. The active values of the channel were 'MCAUSER(rivera) CLNTUSER(rivera)'.
ACTION: Contact the systems administrator, who should examine the channel authentication records to ensure that the correct settings have been configured. The ALTER QMGR CHLAUTH switch is used to control whether channel authentication records are used. The command DISPLAY CHLAUTH can be used to query the channel authentication records.
c.2) AMQ9777: Channel was blocked
EXPLANATION: The inbound channel 'SYSTEM.DEF.SVRCONN' was blocked from address '127.0.0.1'
because the active values of the channel matched a record configured with USERSRC(NOACCESS). The active values of the channel were 'CLNTUSER()'.
ACTION: Contact the systems administrator, who should examine the channel authentication records to ensure that the correct settings have been configured. The ALTER QMGR CHLAUTH switch is used to control whether channel authentication records are used. The command DISPLAY CHLAUTH can be used to query the channel authentication records.
c.3) Either of the above errors is followed by:
AMQ9999: Channel 'SYSTEM.ADMIN.SVRCONN' to host 'x (9.49.x.x)' ended abnormally.
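To pick these blocked-connection entries out of a queue manager error log systematically rather than by eye, the following added Python example (not part of the IBM technote) parses AMQ9776/AMQ9777 messages from error-log text, extracting the channel, the client address and the active MCAUSER/CLNTUSER values, and flags the anonymous case (empty CLNTUSER). The sample log text is constructed to match the shape of the entries quoted above; its addresses and user names are made up.

```python
import re

# Constructed sample modelled on the AMQ9776 / AMQ9777 entries quoted above;
# the addresses and user names are made up for this example.
SAMPLE_LOG = """\
AMQ9776: Channel was blocked by userid
EXPLANATION: The inbound channel 'SYSTEM.ADMIN.SVRCONN' was blocked from address
'192.0.2.15' because the active values of the channel were mapped to a userid which
should be blocked. The active values of the channel were 'MCAUSER(mqm) CLNTUSER(mqm)'.
ACTION: Contact the systems administrator, who should examine the channel
authentication records to ensure that the correct settings have been configured.
AMQ9999: Channel 'SYSTEM.ADMIN.SVRCONN' to host 'x (192.0.2.15)' ended abnormally.
AMQ9777: Channel was blocked
EXPLANATION: The inbound channel 'SYSTEM.DEF.SVRCONN' was blocked from address '127.0.0.1'
because the active values of the channel matched a record configured with USERSRC(NOACCESS).
The active values of the channel were 'CLNTUSER()'.
ACTION: Contact the systems administrator, who should examine the channel
authentication records to ensure that the correct settings have been configured.
"""

# One match per blocked-channel entry: message code, channel and client address
# from the EXPLANATION text, and the quoted "active values" string.
ENTRY_RE = re.compile(
    r"(?P<code>AMQ977[67]): [^\n]*\n"
    r"EXPLANATION:\s*The inbound channel '(?P<channel>[^']+)' was blocked from address\s*"
    r"'(?P<address>[^']+)'.*?"
    r"The active values of the channel were '(?P<values>[^']*)'",
    re.DOTALL,
)
# Splits 'MCAUSER(x) CLNTUSER(y)' into name/value pairs.
VALUE_RE = re.compile(r"(\w+)\(([^)]*)\)")

REASONS = {
    "AMQ9776": "BLOCKUSER",   # user id matched a BLOCKUSER record (e.g. *MQADMIN)
    "AMQ9777": "NOACCESS",    # channel/address matched a USERSRC(NOACCESS) record
}


def parse_blocked_channels(log_text):
    """Return one dict per AMQ9776/AMQ9777 entry found in the error-log text."""
    events = []
    for m in ENTRY_RE.finditer(log_text):
        values = dict(VALUE_RE.findall(m.group("values")))
        client_user = values.get("CLNTUSER", "")
        events.append({
            "code": m.group("code"),
            "reason": REASONS[m.group("code")],
            "channel": m.group("channel"),
            "address": m.group("address"),
            "values": values,
            # An empty CLNTUSER is the anonymous connection that CHLAUTH
            # rejects regardless of OAM settings.
            "anonymous": client_user == "",
        })
    return events


def summarize(events):
    """Count blocked attempts per (channel, client address, client user)."""
    counts = {}
    for e in events:
        key = (e["channel"], e["address"], e["values"].get("CLNTUSER", ""))
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    found = parse_blocked_channels(SAMPLE_LOG)
    for e in found:
        who = "anonymous" if e["anonymous"] else e["values"].get("CLNTUSER")
        print(f"{e['code']} {e['reason']:9} {e['channel']:22} from {e['address']:15} user={who}")
    print(summarize(found))
```

Feed it the contents of the queue manager's AMQERR01.LOG instead of SAMPLE_LOG to get a per-channel, per-address count of rejected connections; a repeated BLOCKUSER hit for an administrative user from an unexpected address is the signal worth investigating, whereas a hit from the administrator's own workstation is the symptom this technote describes.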
Answer
1) If this is a production queue manager, then you could stop trying to use a userid that is an MQ Administrator and instead use a non-administrator userid to access the queue manager.
2) If you really want the MQ Administrator to be able to access the queue manager via client channels, you could do one of the following actions.
2.a) You can add the two Channel Authentication Records discussed in this presentation:
What's New in WebSphere MQ v7.1 Security?
T.Rob Wyatt
Page 10: User ID blocking
The first rule blocks administrative users and the MCAUSER "nobody" (which prevents someone from creating a user ID "nobody" and putting it into an authorized group).
$ runmqsc QmgrName
SET CHLAUTH(*) TYPE(BLOCKUSER) USERLIST('nobody','*MQADMIN')
The second rule provides a reduced blacklist for SYSTEM.ADMIN channels that allows administrators to use these. It is assumed here that some other CHLAUTH rule such as an SSLPEERMAP has validated the administrator's connection or that an exit has done so.
SET CHLAUTH(SYSTEM.ADMIN.*) TYPE(BLOCKUSER) USERLIST('nobody')
The above rules apply to SYSTEM.ADMIN.SVRCONN which is used by the MQ Explorer.
If you are using another user-defined channel, such as MY.ADMIN.SVRCONN, then you need to add the following two records:
SET CHLAUTH(MY.ADMIN.SVRCONN) TYPE(ADDRESSMAP) ADDRESS(*) USERSRC(CHANNEL)
SET CHLAUTH(MY.ADMIN.SVRCONN) TYPE(BLOCKUSER) USERLIST('nobody')
Note: it is not advisable to use SYSTEM.DEF.* channels for active connections. The system default channels are the objects from which all user-defined channels inherit properties. The recommended practice is that SYSTEM.DEF.* and SYSTEM.AUTO.* channels should NOT be configured to be usable.
2.b) This is a variation of (2.a) that allows the MQ Administrator to connect only from a particular host.
The first rule blocks MCAUSER "nobody".
SET CHLAUTH(SYSTEM.ADMIN.SVRCONN) TYPE(BLOCKUSER) USERLIST('nobody')
The second rule removes all access to SYSTEM.ADMIN.SVRCONN ...
SET CHLAUTH(SYSTEM.ADMIN.SVRCONN) TYPE(ADDRESSMAP) ADDRESS(*) ACTION(REMOVE)
... and the third rule adds an entry for the server that needs access.
SET CHLAUTH(SYSTEM.ADMIN.SVRCONN) TYPE(ADDRESSMAP) ADDRESS(9.27.4x.7y) USERSRC(CHANNEL)
2.c) Disable the Channel Authentication Records feature:
ALTER QMGR CHLAUTH(DISABLED)
WARNING: Disabling this new feature is not recommended for MQ 7.1 production queue managers due to security implications.
Note that disabling CHLAUTH results in a policy that accepts administrative connections by default. The administrative effort to lock down administrative access with CHLAUTH(DISABLED) is much greater than to do so with CHLAUTH(ENABLED). It is therefore recommended to leave CHLAUTH(ENABLED) and use the other security features of WebSphere MQ V7.1 to authenticate administrator connections.
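As an added example (not part of the technote or of IBM's tooling), the Python function below generates the MQSC for rule set 2.b for a named administrative channel and a list of permitted client addresses. It generalizes the rule set to user-defined channels such as MY.ADMIN.SVRCONN by omitting the ACTION(REMOVE) step, since the default ADDRESS(*) USERSRC(CHANNEL) record shown in the DISPLAY CHLAUTH output above exists only for SYSTEM.ADMIN.SVRCONN. It refuses SYSTEM.DEF.* and SYSTEM.AUTO.* channels per the note in 2.a, and accepts only literal IP addresses (an assumption of this example). The channel names and addresses in the usage are constructed.

```python
import ipaddress
import re

# MQ object names are 1-20 characters from A-Z, a-z, 0-9, period, slash,
# underscore and percent. Lowercase names must be quoted in MQSC, so this
# example accepts only the uppercase form to keep the generated commands simple.
CHANNEL_NAME_RE = re.compile(r"^[A-Z0-9./_%]{1,20}$")


def build_admin_chlauth(channel, allowed_addresses):
    """Return the MQSC SET CHLAUTH commands that let administrators use
    `channel` only from the listed client addresses.

    Rule order follows 2.b: block the MCAUSER 'nobody', remove the default
    open ADDRESSMAP (present only on SYSTEM.ADMIN.SVRCONN), then add one
    ADDRESSMAP with USERSRC(CHANNEL) per permitted address. Only literal
    IPv4/IPv6 addresses are accepted here (an assumption of this example)."""
    if not CHANNEL_NAME_RE.match(channel):
        raise ValueError(f"{channel!r} is not an uppercase MQ channel name")
    if channel.startswith(("SYSTEM.DEF.", "SYSTEM.AUTO.")):
        # Per the note in 2.a: default and auto channels must not be made usable.
        raise ValueError(f"{channel}: SYSTEM.DEF.* and SYSTEM.AUTO.* channels should not be usable")
    if not allowed_addresses:
        raise ValueError("at least one permitted address is required")
    for addr in allowed_addresses:
        ipaddress.ip_address(addr)  # raises ValueError for anything that is not a literal IP

    cmds = [f"SET CHLAUTH({channel}) TYPE(BLOCKUSER) USERLIST('nobody')"]
    if channel == "SYSTEM.ADMIN.SVRCONN":
        # Only this channel ships with a default ADDRESS(*) USERSRC(CHANNEL) record.
        cmds.append(f"SET CHLAUTH({channel}) TYPE(ADDRESSMAP) ADDRESS(*) ACTION(REMOVE)")
    cmds += [f"SET CHLAUTH({channel}) TYPE(ADDRESSMAP) ADDRESS({addr}) USERSRC(CHANNEL)"
             for addr in allowed_addresses]
    return cmds


def validation_error(channel, allowed_addresses):
    """Return the message build_admin_chlauth would reject the input with, or None."""
    try:
        build_admin_chlauth(channel, allowed_addresses)
    except ValueError as exc:
        return str(exc)
    return None


def as_runmqsc_input(cmds):
    """Join the commands into text suitable for `runmqsc QmgrName < file`,
    terminated with END so runmqsc exits cleanly."""
    return "\n".join(cmds + ["END"]) + "\n"


if __name__ == "__main__":
    # Constructed example: SYSTEM.ADMIN.SVRCONN reachable only from one admin workstation.
    print(as_runmqsc_input(build_admin_chlauth("SYSTEM.ADMIN.SVRCONN", ["192.0.2.10"])))
```

Review the generated text before piping it into runmqsc: the BLOCKUSER record for the specific channel is what overrides the generic CHLAUTH(*) USERLIST(*MQADMIN) block, and the ADDRESSMAP records are what decide which client addresses may then use it, so a typo in either leaves the channel either closed to administrators or open to every address.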
Additional links:
http://www-01.ibm.com/support/docview.wss?uid=swg21577137
http://jubergconsulting.gowithclick.com/_blog/websphere/post/WebSphere_MQ_reason_2035_MQRC_NOT_AUTHORIZED/
http://pic.dhe.ibm.com/infocenter/wmqv7/v7r5/index.jsp