AMQ5540, AMQ5541 and AMQ5542, application did not supply a user ID and password, 2035 mqrc_not_authorized

Technote (troubleshooting)
Problem (Abstract)

As an MQ administrator you create a new queue Manager in WebSphere MQ version 8.0.
You can access the Queue Manager by using WebSphere MQ Explorer or MQ client applications in bindings mode.

You is aware of the default behavior for the channel authentication records in which an MQ administrator cannot remotely Access the Queue Manager. To gain access a administrator can either set the Queue Manager attribute Chlauth to DISABLED, or add the appropriate rec Ords to allow remote access. This behavior are documented in the following technote:
http://www.ibm.com/support/docview.wss?uid=swg21577137
WMQ 7.1/7.5 Queue Manager RC 2035 mqrc_not_authorized or AMQ4036 when using the client connection as an MQ Administrator

You try to remotely access the Queue Manager as a MQ administrator and you get the return code 2035 mqrc_not_authorized.
You expected this issue with the channel authentication records had been addressed.

Symptom

To find out more details, view of the error log for the queue Manager.

There is 3 errors:

6/6/2014 06:33:10-process (7512.22) User (Rivera) program (Amqzlaa0.exe) Host (host_a) installation (Installation3) VRMF (8.0.0.0) QMgr (QM_ANG8)
amq5540:application ' Sphere Mq\bin64\amqsputc.exe ' did not supply a user ID and password
explanation:the Queue Manager is configured to require a user ID and password, but none was supplied.
Action:ensure that the application provides a valid user ID and password, or change the queue Manager configuration T o OPTIONAL to allow applications to connect which has not supplied a user ID and password.

----- 

6/6/2014 06:33:10-process (7512.22) User (Rivera) program (Amqzlaa0.exe) Host (host_a) installation (Installation3) VRMF (8.0.0.0) QMgr (QM_ANG8)
Amq5541:the failed authentication check was caused by the queue manager
Connauth chckclnt (reqdadm) configuration.
explanation:the User ID ' Rivera ' and its password were checked because the user ID is privileged and the queue manage R Connection Authority (Connauth) configuration refers to an authentication information (AUTHINFO) object named ' SYSTEM. DEFAULT. AUTHINFO. Idpwos ' with CHCKCLNT (REQDADM). This message accompanies a previous error to clarify the reason for the user ID and password check.
Action:refer to the previous error for more information. Ensure a password is specified by the client application and that the password are correct for the user ID. The authentication configuration of the Queue Manager connection determines the user ID repository. For example, the
local operating system user database or an LDAP server. To avoid the authentication check, can either with an unprivileged user ID or amend the authentication configuration of The queue Manager. You can amend the CHCKCLNT attribute in the Chlauth record, but if you should generally don't allow unauthenticated remote ACCE SS.

------------------

6/6/2014 06:33:10-process (16728.4) User (Rivera) program (Amqrmppa.exe) Host (host_a) installation (Installation3) VRMF (8.0.0.0) QMgr (QM_ANG8)
amq9557:queue Manager User ID initialization failed for ' Rivera '.
Explanation:the call to initialize the User ID ' Rivera ' failed with Compcode 2 and Reason 2035.
action:correct the error and try again.

Cause

In MQ 8.0, a new function was introduced that requires MQ administrators using remote access to supply the UserID and PASSW Ord. When the UserID and password was not supplied or the password is incorrect, then the following error is displayed (the Err Or AMQ5542 is very similar):

Amq5541:the failed authentication check was caused by the queue manager
Connauth chckclnt (reqdadm) configuration.
explanation:the User ID ' Rivera ' and its password were checked because the user ID is privileged and the queue manage R Connection Authority (Connauth) configuration refers to an authentication information (AUTHINFO) object named ' SYSTEM. DEFAULT. AUTHINFO. Idpwos ' with CHCKCLNT (REQDADM). This message accompanies a previous error to clarify the reason for the user ID and password check.

The errors indicate the following:

1) The Queue Manager has a connection authority attribute Called:connauth
And the value for this attribute Is:system. DEFAULT. AUTHINFO. Idpwos

Display Qmgr Connauth
9:display qmgr Connauth
amq8408:display Queue Manager details.
qmname (qm_80)
Connauth (SYSTEM. DEFAULT. AUTHINFO. IDPWOS)

2) The Authoinfo object has a value of reqdadm for the attribute chckclnt.
MQ administrators is required to provide a userid and password in this instance.

Display Authinfo (SYSTEM. DEFAULT. AUTHINFO. IDPWOS)
10:display authinfo (SYSTEM. DEFAULT. AUTHINFO. IDPWOS)
Amq8566:display authentication information details.
AUTHINFO (SYSTEM. DEFAULT. AUTHINFO. IDPWOS)
authtype (Idpwos) adoptctx (NO)
DESCR () chckclnt (REQDADM)
Chcklocl (OPTIONAL) faildlay (1)
altdate (2014-07-24) alttime (10.49.19)

Resolving the problem

There is several ways to address the situation and the following 5 scenarios addressed:

Scenario A) MQ samples:provide the user and password to the MQ client application
Scenario B) Modify Queue Manager to avoid requiring password from MQ administrators
Scenario C) MQ explorer-when connecting to remote queue managers
Scenario D) How to specify the Userid/password if using the RFHUTILC utility from the SupportPac IH03
Scenario E) application Programming for authentication and password (C, Java, JMS)

The rest of this note provides more details on each of the scenarios.

+ + + Scenario A) MQ samples:provide the user and password to the MQ client application

In MQ 8.0, the sample programs has been modified to use the environment variable mqsamp_user_id, which if set, prompts th e user for a password. The password is entered in plaintext and not obscured by asterisks).

BROWSE:AMQSBCGC, AMQSBCG
PUT:AMQSPUTC, Amqsput
GET:AMQSGETC, Amqsget

See the MQ 8.0 product Documentation:

WebSphere MQ 8.0.0 > WebSphere MQ > Developing Applications > Developing MQI Applications with WebSphere MQ > Sample WebSphere MQ Procedural Programs > Sample procedural programs (platforms except z/OS) > The Put Sample progra Ms>running the Put sample programs
Running the Put sample programs
These programs also use an environment variable named mqsamp_user_id which should is set to the USER ID to being used for con Nection authentication. When the "is" set, the program would prompt for a password to accompany the user ID.

Example Run:

$ export Mqsamp_user_id=rivera
$ AMQSPUTC Q1 qm_80
Sample AMQSPUT0 Start
Enter Password:mypassword
target queue is Q1
Test
Sample AMQSPUT0 End


+ + + Scenario B) Modify Queue Manager to avoid requiring password from MQ administrators

Modify the queue Manager to alter the new function of the attribute chckclnt for the Connauth from Reqdadm to OPTIONAL or To NONE.

As explained in the "Cause" sections, in WebSphere MQ 8.0 a new function are introduced, which requires MQ administrators to Supply the UserID and password for remote access, or a error message is generated.

It is possible for the MQ administrator to use the RUNMQSC command to change the AUTHINFO "SYSTEM. DEFAULT. AUTHINFO. Idpwos ", for the value of the attribute chckclnt from Reqdadm to OPTIONAL (or to NONE). This change would allow users access without providing a userid/password.

ALTER AUTHINFO (SYSTEM. DEFAULT. AUTHINFO. IDPWOS) authtype (IDPWOS) chckclnt (OPTIONAL)

REFRESH SECURITY TYPE (Connauth)

If you don't issue the above REFRESH command, then you'll need to restart the queue manager.


+ + + Scenario C) MQ explorer-when connecting to remote queue managers

When using an MQ Explorer 8.0, ensure that is using the Fix Pack 8.0.0.2 or later, due to the APAR IT04736 in which the pass Word was passed incorrectly, causing a security error:
it04736:ms0t WMQ 8.0.0.1 EXPLORER REPORTS authentication ERRORS when attempting to authenticate A USERNAME and PASSWORD
It is fixed in 8.0.0.2

When adding a remote queue manager to the MQ Explorer, one of the Setup dialog windows is called:
Specify user identification details

By default, the UserID and the password is not a stored for this connection to the remote Queue Manager.
Notice The following checkbox has a not been activated:
Enable user identification



Activate the checkbox for "Enable user identification".
You'll see that the Userid field becomes active:



You cannot enter a password because the field was not available.
You'll need to enable the feature to save passwords on the Preference page, by clicking the "Passwords Preferences page" Link.




Click on "Save Passwords to File"
By the the-the-this-is, the default file name.
C:\Users\IBM_ADMIN\IBM\WebSphereMQ\workspace-Installation1\.metadata\.plugins\com.ibm.mq.explorer.ui\WMQ_ Passwords.xml



Click OK to close the Preferences page.
In the Specify User Identification Details window, click the button "Enter password" and enter your password.
You'll see a pops up dialog where you can enter the password.




Click Finish. WebSphere MQ Explorer would send the UserID and password when connecting to the remote Queue Manager.

+ + + Scenario D) How to specify the Userid/password when using the RFHUTILC utility from the SupportPac IH03

Ih03:websphere Message broker-message Display, Test & performance Utilities

Set the Mqserver variable:
Set Mqserver=system. Def. Svrconn/tcp/hostname (1414)

Run the GUI in client mode:
C:\MQ-SupportPac\IH03 rfhutil>
Rfhutilc

You can specify the Userid/password to being used by this GUI by clicking the Set Conn Id button.



You'll see the Set Connection Parameters window.

You can enter your "User ID" and "Password".
ATTENTION!!! You must activate the checkbox: ' Use CSP '




Click OK.

Then you can proceed to access the Queue Manager and perform tasks, such as getting messages from a queue.

+ + Scenario E) application Programming for authentication and password (C, Java, JMS)
.
See Chapter 3 from the following free Redbook:

IBM MQ V8 Features and Enhancements (published 02-oct-2014)

+ Begin Excerpt

Chapter 3. User authentication (page 39)

3.5 Application Programming for authentication

The programming interfaces for setting the user ID and password information to applications depend on which API the applic Ation is using.

3.5.1 MQI (C code)

For a application developer using MQI, the only change which is needed was to use the correct parameters when connecting to The queue Manager. In the procedural languages such as C, this means using the MQCONNX verb instead of MQCONN, and filling in the MQCSP struc Ture.
Example 3-2 on page shows a fragment of C code used to connect to a queue manager.

Example 3-2 Authenticating a connection using C

char *qmname = "QM1";
char *userid = "RBMQID1";
char *password = "Passw0rd";
Mqcno CNO = {Mqcno_default};
mqcsp CSP = {Mqcsp_default};
...
CNO. Securityparmsptr = &csp;
CNO. Version = mqcno_version_5;
CSP. AuthenticationType = mqcsp_auth_user_id_and_pwd;
CSP. Cspuser idptr = Userid;
CSP. Cspuser idlength = strlen (Userid);
CSP. Csppasswordptr = Password;
CSP. Csppasswordlength = strlen (CSP. CSPPASSWORDPTR);
Mqconnx (Qmname, &cno, &hcon, &compcode, &creason);

For the object-oriented languages, such as the Java classes, properties is set before connecting to the queue Manager.
Example 3-3 shows a fragment of Java code used to connect to a queue manager.
The Mqenvironment class can also be used instead of the hash table.

Example 3-3 Authenticating a connection using Java

String qmname = "QM1";
String Userid = "Rbmqid1";
String Password = "Passw0rd";
Hashtable h = new Hashtable ();
h.put (Mqconstants.user_id_property, Userid);
h.put (Mqconstants.password_property, PASSWORD);
H.put (Mqconstants.use_mqcsp_authentication_property, true);
Mqqueuemanager qMgr = new Mqqueuemanager (qmname,h);

3.6 JMS and XMS

A form of the JMS (and hence XMS) connection methods takes user ID and password parameters, as in the following example:

Connectionfactory.createconnection (Userid,password)

No further changes is needed.

+ END Excerpt

Location of the MQ V8 samples for Java and JMS this show how to handle passwords:

+ JMS

Windows:c:\program Files\ibm\websphere mq\tools\jms\samples\
Unix:/opt/mqm/samp/jms/samples

File:JmsProducer.java
Java statements related to the handling of UserID and password:

* Usage:
* jmsproducer-m queuemanagername-d destinationname [-H host-p port-l Channel] [-u user-w PassWord]
...
private static String user = null;
private static String password = null;
...
if (user! = null) {
Cf.setstringproperty (wmqconstants.userid, user);
Cf.setstringproperty (Wmqconstants.password, PASSWORD);
Cf.setbooleanproperty (WMQCONSTANTS.USER_AUTHENTICATION_MQCSP, true);
        }


+ Java (not JMS)

Windows:c:\program Files\ibm\websphere Mq\tools\wmqjava\samples
Unix:/opt/mqm/samp/wmqjava/samples

File:MQIVP.java:
Java statements related to the handling of UserID and password:

private String user = null;
private String password = null;
...
user = GetParameter (+, null);
if (user! = null) {
properties.put (Mqconstants.user_id_property, USER);
Properties.put (Mqconstants.use_mqcsp_authentication_property, true);
Password = getparameter (+, null);
properties.put (Mqconstants.password_property, PASSWORD);
    }

+ + + END + + +

AMQ5540, AMQ5541 and AMQ5542, application did not supply a user ID and password, 2035 mqrc_not_authorized