Technote (troubleshooting)

Problem (Abstract)

As an MQ administrator you create a new queue manager in WebSphere MQ version 8.0.
You can access the queue manager by using WebSphere MQ Explorer or MQ client applications in bindings mode.

You are aware of the default behavior for the channel authentication records in which an MQ administrator cannot remotely access the queue manager. To gain access an administrator can either set the queue manager attribute CHLAUTH to DISABLED, or add the appropriate records to allow remote access. This behavior is documented in the following technote:
http://www.ibm.com/support/docview.wss?uid=swg21577137
WMQ 7.1 / 7.5 queue manager RC 2035 MQRC_NOT_AUTHORIZED or AMQ4036 when using client connection as an MQ Administrator

You try to remotely access the queue manager as an MQ administrator and you get the return code 2035 MQRC_NOT_AUTHORIZED.
You expected that the issue with the channel authentication records had been addressed.

Symptom

To find out more details, view the error log for the queue manager.

There are 3 errors:

6/6/2014 06:33:10 - Process(7512.22) User(rivera) Program(amqzlaa0.exe) Host(HOST_A) Installation(Installation3) VRMF(8.0.0.0) QMgr(QM_ANG8)
AMQ5540: Application 'Sphere MQ\bin64\amqsputc.exe' did not supply a user ID and password
EXPLANATION:The queue manager is configured to require a user ID and password, but none was supplied.
ACTION: Ensure that the application provides a valid user ID and password, or change the queue manager configuration to OPTIONAL to allow applications to connect which have not supplied a user ID and password. 

----- 

6/6/2014 06:33:10 - Process(7512.22) User(rivera) Program(amqzlaa0.exe) Host(HOST_A) Installation(Installation3) VRMF(8.0.0.0) QMgr(QM_ANG8)
AMQ5541: The failed authentication check was caused by the queue manager
CONNAUTH CHCKCLNT(REQDADM) configuration.
EXPLANATION: The user ID 'rivera' and its password were checked because the user ID is privileged and the queue manager connection authority (CONNAUTH) configuration refers to an authentication information (AUTHINFO) object named 'SYSTEM.DEFAULT.AUTHINFO.IDPWOS' with CHCKCLNT(REQDADM). This message accompanies a previous error to clarify the reason for the user ID and password check.
ACTION: Refer to the previous error for more information. Ensure that a password is specified by the client application and that the password is correct for the user ID. The authentication configuration of the queue manager connection determines the user ID repository. For example, the
local operating system user database or an LDAP server. To avoid the authentication check, you can either use an unprivileged user ID or amend the authentication configuration of the queue manager. You can amend the CHCKCLNT attribute in the CHLAUTH record, but you should generally not allow unauthenticated remote access. 

------------------

6/6/2014 06:33:10 - Process(16728.4) User(rivera) Program(amqrmppa.exe) Host(HOST_A) Installation(Installation3) VRMF(8.0.0.0) QMgr(QM_ANG8) 
AMQ9557: Queue Manager User ID initialization failed for 'rivera'.
EXPLANATION: The call to initialize the User ID 'rivera' failed with CompCode 2 and Reason 2035.
ACTION: Correct the error and try again.

Cause

In MQ 8.0, a new function is introduced that requires MQ administrators using remote access to supply the userid and password. When the userid and password are not supplied or the password is incorrect, then the following error is displayed (the error AMQ5542 is very similar):

AMQ5541: The failed authentication check was caused by the queue manager
CONNAUTH CHCKCLNT(REQDADM) configuration.
EXPLANATION: The user ID 'rivera' and its password were checked because the user ID is privileged and the queue manager connection authority (CONNAUTH) configuration refers to an authentication information (AUTHINFO) object named 'SYSTEM.DEFAULT.AUTHINFO.IDPWOS' with CHCKCLNT(REQDADM). This message accompanies a previous error to clarify the reason for the user ID and password check.

The errors indicate the following:

1) The queue manager has a connection authority attribute called: CONNAUTH
and the value for this attribute is: SYSTEM.DEFAULT.AUTHINFO.IDPWOS

display qmgr CONNAUTH
     9 : display qmgr CONNAUTH
AMQ8408: Display Queue Manager details.
   QMNAME(QM_80)
   CONNAUTH(SYSTEM.DEFAULT.AUTHINFO.IDPWOS)

2) The AUTHINFO object has a value of REQDADM for the attribute CHCKCLNT.
MQ administrators are required to provide a userid and password in this instance.

display authinfo(SYSTEM.DEFAULT.AUTHINFO.IDPWOS)
    10 : display authinfo(SYSTEM.DEFAULT.AUTHINFO.IDPWOS)
AMQ8566: Display authentication information details.
   AUTHINFO(SYSTEM.DEFAULT.AUTHINFO.IDPWOS)
   AUTHTYPE(IDPWOS)                        ADOPTCTX(NO)
   DESCR( )                                CHCKCLNT(REQDADM)
   CHCKLOCL(OPTIONAL)                      FAILDLAY(1)
   ALTDATE(2014-07-24)                     ALTTIME(10.49.19)

Resolving the problem

There are several ways to address the situation. The following 5 scenarios are covered:

Scenario A) MQ samples: Provide the user and password to the MQ client application
Scenario B) Modify queue manager to avoid requiring password from MQ administrators
Scenario C) MQ Explorer - when connecting to remote queue managers
Scenario D) How to specify the userid/password when using the rfhutilc utility from the SupportPac IH03
Scenario E) Application programming for authentication and password (C, Java, JMS)

The rest of this note provides more details on each of the scenarios.

+++ Scenario A) MQ samples: Provide the user and password to the MQ client application

In MQ 8.0, the sample programs have been modified to use the environment variable MQSAMP_USER_ID. If it is set, the program prompts the user for a password. (The password is entered in plaintext and is not obscured by asterisks.)

Browse: amqsbcgc, amqsbcg
Put: amqsputc, amqsput
Get: amqsgetc, amqsget

See the MQ 8.0 product documentation:

WebSphere MQ 8.0.0 > WebSphere MQ > Developing applications > Developing MQI applications with WebSphere MQ > Sample WebSphere MQ procedural programs > Sample procedural programs (platforms except z/OS) > The Put sample programs > Running the Put sample programs
Running the Put sample programs
These programs also use an environment variable named MQSAMP_USER_ID which should be set to the user ID to be used for connection authentication. When this is set, the program will prompt for a password to accompany that user ID.

Example run:

$ export MQSAMP_USER_ID=rivera
$ amqsputc Q1 QM_80
Sample AMQSPUT0 start
Enter password: mypassword
target queue is Q1
test
Sample AMQSPUT0 end

+++ Scenario B) Modify queue manager to avoid requiring password from MQ administrators

Modify the queue manager by changing the attribute CHCKCLNT of the AUTHINFO object referenced by CONNAUTH from REQDADM to OPTIONAL or to NONE.

As explained in the "Cause" section, in WebSphere MQ 8.0 a new function is introduced, which requires MQ administrators to supply the userid and password for remote access, or an error message is generated.

The MQ administrator can use the runmqsc command to change the value of the attribute CHCKCLNT of the AUTHINFO object "SYSTEM.DEFAULT.AUTHINFO.IDPWOS" from REQDADM to OPTIONAL (or to NONE). This change will allow users access without providing a userid/password.

ALTER AUTHINFO(SYSTEM.DEFAULT.AUTHINFO.IDPWOS) AUTHTYPE(IDPWOS) CHCKCLNT(OPTIONAL)

REFRESH SECURITY TYPE(CONNAUTH)

If you do not issue the above REFRESH command, then you will need to restart the queue manager.
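
To confirm which setting is actually in force after a change like this, the queue manager's CONNAUTH has to be resolved to its AUTHINFO object, as in the two displays of the "Cause" section. The following Python sketch is an added example, not IBM code; the runmqsc output is constructed from the displays on this page, and EXAMPLE.STRICT.IDPWOS is a hypothetical second object included to show that only the referenced one counts.

```python
import re

# Constructed runmqsc output: the two displays from the "Cause" section, with
# CHCKCLNT as Scenario B leaves it, plus a second, hypothetical AUTHINFO object.
MQSC_OUTPUT = """\
AMQ8408: Display Queue Manager details.
   QMNAME(QM_80)
   CONNAUTH(SYSTEM.DEFAULT.AUTHINFO.IDPWOS)
AMQ8566: Display authentication information details.
   AUTHINFO(EXAMPLE.STRICT.IDPWOS)
   AUTHTYPE(IDPWOS)                        ADOPTCTX(NO)
   DESCR( )                                CHCKCLNT(REQUIRED)
AMQ8566: Display authentication information details.
   AUTHINFO(SYSTEM.DEFAULT.AUTHINFO.IDPWOS)
   AUTHTYPE(IDPWOS)                        ADOPTCTX(NO)
   DESCR( )                                CHCKCLNT(OPTIONAL)
"""

ADMIN_PASSWORD_ENFORCED = {"REQDADM", "REQUIRED"}  # values that make admins authenticate

def parse_mqsc(output):
    """Split runmqsc output into one {KEYWORD: value} dict per AMQnnnn response."""
    objects = []
    for block in re.split(r"^AMQ\d{4}:.*$", output, flags=re.M)[1:]:
        pairs = re.findall(r"([A-Z]+)\(([^)]*)\)", block)
        objects.append({k: v.strip() for k, v in pairs})
    return objects

def audit_connauth(output):
    """Resolve the qmgr's CONNAUTH to its AUTHINFO object and judge CHCKCLNT."""
    objects = parse_mqsc(output)
    qmgr = next((o for o in objects if "QMNAME" in o), {})
    name = qmgr.get("CONNAUTH", "")
    if not name:  # blank CONNAUTH: no AUTHINFO object is referenced
        return {"qmgr": qmgr.get("QMNAME"), "authinfo": None, "chckclnt": None,
                "admins_must_authenticate": False}
    info = next((o for o in objects if o.get("AUTHINFO") == name), {})
    value = info.get("CHCKCLNT")
    return {"qmgr": qmgr.get("QMNAME"), "authinfo": name, "chckclnt": value,
            "admins_must_authenticate": value in ADMIN_PASSWORD_ENFORCED}
```

As the AMQ5541 message text notes, a CHLAUTH record can also carry CHCKCLNT; this check covers only the queue manager's AUTHINFO object.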

+++ Scenario C) MQ Explorer - when connecting to remote queue managers

When using MQ Explorer 8.0, ensure that you are using Fix Pack 8.0.0.2 or later, due to the APAR IT04736 in which the password was passed incorrectly, causing a security error:
IT04736: MS0T WMQ 8.0.0.1 EXPLORER REPORTS AUTHENTICATION ERRORS WHEN ATTEMPTING TO AUTHENTICATE A USERNAME AND PASSWORD 
It was fixed in 8.0.0.2

When adding a remote queue manager to the MQ Explorer, one of the setup dialog windows is called:
Specify user identification details

By default, the userid and the password are not stored for this connection to the remote queue manager.
Notice that the following checkbox has not been activated:
Enable user identification

Activate the checkbox for "Enable user identification".
You will see that the Userid field becomes active.

You cannot enter a password because the field is not available.
You will need to enable the feature to save passwords in the Preference page, by clicking the "Passwords Preferences Page" link.

Click on "Save passwords to file".
By the way, this is the default file name.
C:\Users\IBM_ADMIN\IBM\WebSphereMQ\workspace-Installation1\.metadata\.plugins\com.ibm.mq.explorer.ui\WMQ_Passwords.xml

Click OK to close the Preferences page.
In the Specify user identification details window, click on the button "Enter password" and enter your password.
You will see a pop up dialog where you can enter the password.

Click Finish. WebSphere MQ Explorer will send the userid and password when connecting to the remote queue manager.

+++ Scenario D) How to specify the userid/password when using the rfhutilc utility from the SupportPac IH03

IH03: WebSphere Message Broker - Message display, test & performance utilities

Set the MQSERVER variable:
set MQSERVER=SYSTEM.DEF.SVRCONN/TCP/hostname(1414)

Run the GUI in client mode:
C:\MQ-SupportPac\IH03 rfhutil> rfhutilc

You can specify the userid/password to be used by this GUI by clicking the Set Conn Id button.

You will see the Set Connection Parameters window.

You can enter your "User id" and "Password".
ATTENTION!!! You MUST activate the checkbox: "Use CSP"

Click OK.

Then you can proceed to access the queue manager and perform tasks, such as getting messages from a queue.

+++ Scenario E) Application programming for authentication and password (C, Java, JMS)
See Chapter 3 from the following free redbook:

IBM MQ V8 Features and Enhancements (published 02-Oct-2014)

+ begin excerpt

Chapter 3. User authentication (page 39)

3.5 Application programming for authentication

The programming interfaces for setting the user ID and password information to applications depend on which API the application is using.

3.5.1 MQI (C code)

For an application developer using MQI, the only change that is needed is to use the correct parameters when connecting to the queue manager. In the procedural languages such as C, this means using the MQCONNX verb instead of MQCONN, and filling in the MQCSP structure. 
Example 3-2 on page 40 shows a fragment of C code used to connect to a queue manager.

Example 3-2 Authenticating a connection using C

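#include <string.h>   /* strlen */
#include <cmqc.h>     /* MQI definitions: MQCNO, MQCSP, MQCONNX */

char *QMName = "QM1";
char *Userid = "rbmqid1";
char *Password = "passw0rd";
MQCNO cno = {MQCNO_DEFAULT};
MQCSP csp = {MQCSP_DEFAULT};
MQHCONN Hcon;               /* connection handle returned by MQCONNX */
MQLONG CompCode, CReason;   /* completion code and reason code */
...
/* Attach the security parameters to the connect options (needs MQCNO version 5) */
cno.SecurityParmsPtr = &csp;
cno.Version = MQCNO_VERSION_5;
/* Ask the queue manager to check the user ID and password */
csp.AuthenticationType = MQCSP_AUTH_USER_ID_AND_PWD;
csp.CSPUserIdPtr = Userid;
csp.CSPUserIdLength = strlen(Userid);
csp.CSPPasswordPtr = Password;
csp.CSPPasswordLength = strlen(csp.CSPPasswordPtr);
MQCONNX(QMName, &cno, &Hcon, &CompCode, &CReason);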

For the object-oriented languages, such as the Java classes, properties are set before connecting to the queue manager. 
Example 3-3 shows a fragment of Java code used to connect to a queue manager. 
The MQEnvironment class can also be used instead of the hash table.

Example 3-3 Authenticating a connection using Java

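// Requires: java.util.Hashtable, com.ibm.mq.MQQueueManager, com.ibm.mq.constants.MQConstants
String QMName = "QM1";
String Userid = "rbmqid1";
String Password = "passw0rd";
Hashtable<String, Object> h = new Hashtable<String, Object>();
h.put(MQConstants.USER_ID_PROPERTY, Userid);
h.put(MQConstants.PASSWORD_PROPERTY, Password);
// Send the credentials in the MQCSP structure
h.put(MQConstants.USE_MQCSP_AUTHENTICATION_PROPERTY, true);
MQQueueManager qMgr = new MQQueueManager(QMName, h);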

3.6 JMS and XMS

A form of the JMS (and hence XMS) connection methods takes user ID and password parameters, as in the following example:

connectionFactory.createConnection(Userid,Password)

No further changes are needed.

+ end excerpt

Location of MQ V8 samples for Java and JMS that show how to handle passwords:

+ JMS

Windows: C:\Program Files\IBM\WebSphere MQ\Tools\jms\samples\
Unix: /opt/mqm/samp/jms/samples

File: JmsProducer.java
Java Statements related to the handling of userid and password:

* Usage:
 * JmsProducer -m queueManagerName -d destinationName [-h host -p port -l channel] [-u user -w passWord]
...
  private static String user = null;
  private static String password = null;
...
      if (user != null) {
        cf.setStringProperty(WMQConstants.USERID, user);
        cf.setStringProperty(WMQConstants.PASSWORD, password);
        cf.setBooleanProperty(WMQConstants.USER_AUTHENTICATION_MQCSP, true);
      }

+ Java (not JMS)

Windows: C:\Program Files\IBM\WebSphere MQ\Tools\wmqjava\samples
Unix: /opt/mqm/samp/wmqjava/samples

File: MQIVP.java
Java Statements related to the handling of userid and password:

  private String user = null;
  private String password = null;
...
    user = getParameter(64, null);
    if (user != null) {
      properties.put(MQConstants.USER_ID_PROPERTY, user);
      properties.put(MQConstants.USE_MQCSP_AUTHENTICATION_PROPERTY, true);
      password = getParameter(65, null);
      properties.put(MQConstants.PASSWORD_PROPERTY, password);
    }

+++ end +++

 
