Monday, 22 January 2018

IBM Integration Bus - Wrangling permissions to the Web UI

Having built an IBM Integration Bus (IIB) 9 environment, with IBM MQ 8, I was trying (and failing) to access the Web UI on: -


I was instead seeing: -


The logged-on user ID does not have the required permissions to access data or broker resources in the web user interface. See your broker administrator to set up the required permissions.

I realised that I'd not yet set up a user/password, which I thus did: -

mqsiwebuseradmin IB9NODE -c -u wmbadmin1 -r wmbadmin1 -a wmbadmin1pw

Alas, this failed with: -

BIP1046E: Unable to connect with the queue manager (The user 'wmbadmin' is not authorized to connect to queue manager 'IB9QMGR' (MQ reason code 2035 while trying to connect)). 

The utility encountered a problem while attempting to connect to the queue manager to put a message to the broker's request queue. 

Ensure that the correct connection parameters have been supplied to the utility. Also ensure that the queue manager is running and that the current user is able to access the queues beginning SYSTEM.BROKER. If this error text includes an MQ reason code, look up the meaning behind the error in the Application Programming Reference guide and proceed as appropriate.

and, in the MQ Queue Manager logs: -

tail -f /var/mqm/qmgrs/IB9QMGR/errors/AMQERR01.LOG

...
22/01/18 20:28:37 - Process(67445.35) User(wmbadmin) Program(amqzlaa0)
                    Host(bpm86.uk.ibm.com) Installation(Installation2)
                    VRMF(8.0.0.0) QMgr(IB9QMGR)
                   
AMQ5534: User ID 'wmbadmin' authentication failed

EXPLANATION:
The user ID and password supplied by 'mqsiwebuseradmi' could not be
authenticated.
ACTION:
Ensure that the correct user ID and password are provided by the application.
Ensure that the authentication repository is correctly configured. Look at
previous error messages for any additional information.
----- amqzfuca.c : 4242 -------------------------------------------------------
22/01/18 20:28:37 - Process(67445.35) User(wmbadmin) Program(amqzlaa0)
                    Host(bpm86.uk.ibm.com) Installation(Installation2)
                    VRMF(8.0.0.0) QMgr(IB9QMGR)
                   
AMQ5542: The failed authentication check was caused by the queue manager
CONNAUTH CHCKLOCL(OPTIONAL) configuration.

EXPLANATION:
The user ID 'wmbadmin' and its password were checked because the queue manager
connection authority (CONNAUTH) configuration refers to an authentication
information (AUTHINFO) object named 'SYSTEM.DEFAULT.AUTHINFO.IDPWOS' with
CHCKLOCL(OPTIONAL). 

This message accompanies a previous error to clarify the reason for the user ID
and password check.
ACTION:
Refer to the previous error for more information. 

Ensure that a password is specified by the client application and that the
password is correct for the user ID. The authentication configuration of the
queue manager connection determines the user ID repository. For example, the
local operating system user database or an LDAP server. 

If the CHCKCLNT setting is OPTIONAL, the authentication check can be avoided by
not passing a user ID across the channel. For example, by omitting the MQCSP
structure from the client MQCONNX API call. 

To avoid the authentication check, you can amend the authentication
configuration of the queue manager connection, but you should generally not
allow unauthenticated remote access.
———————————————————————————————————————


I've seen, and reported upon, this before: -


I validated the CHCKCLNT setting: -

runmqsc IB9QMGR

display qmgr connauth

   QMNAME(IB9QMGR)                      
   CONNAUTH(SYSTEM.DEFAULT.AUTHINFO.IDPWOS)


display AUTHINFO(SYSTEM.DEFAULT.AUTHINFO.IDPWOS)

   AUTHINFO(SYSTEM.DEFAULT.AUTHINFO.IDPWOS)
   AUTHTYPE(IDPWOS)                        ADOPTCTX(NO)
   DESCR( )                                CHCKCLNT(REQDADM)
   CHCKLOCL(OPTIONAL)                      FAILDLAY(1)
   ALTDATE(2018-01-22)                     ALTTIME(20.26.21)


and then updated it: -

ALTER AUTHINFO(SYSTEM.DEFAULT.AUTHINFO.IDPWOS) AUTHTYPE(IDPWOS) CHCKCLNT(REQDADM) CHCKLOCL(NONE)    

REFRESH SECURITY TYPE(CONNAUTH)

This time around, the mqsiwebuseradmin command worked as expected: -

mqsiwebuseradmin IB9NODE -c -u wmbadmin1 -r wmbadmin1 -a wmbadmin1pw

BIP8071I: Successful command completion.

and I was able to access the Web UI: -


which is nice :-)
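
Added example, not part of the original post: a shell check that reads DISPLAY AUTHINFO output and grades the CHCKCLNT and CHCKLOCL values, since CHCKLOCL(NONE) as set above switches off user ID and password checking for every locally bound application on the queue manager. The sample input is constructed from the attributes shown in the post, and the function names are hypothetical.

```shell
# Constructed sample (not captured output): AUTHINFO attributes as they would
# display after the ALTER in the post set CHCKLOCL(NONE).
sample_authinfo() {
cat <<'EOF'
   AUTHINFO(SYSTEM.DEFAULT.AUTHINFO.IDPWOS)
   AUTHTYPE(IDPWOS)                        ADOPTCTX(NO)
   DESCR( )                                CHCKCLNT(REQDADM)
   CHCKLOCL(NONE)                          FAILDLAY(1)
EOF
}

# mqsc_attr NAME: print the value of the first NAME(value) found on stdin.
mqsc_attr() {
    awk -v name="$1" '{
        for (i = 1; i <= NF; i++)
            if (index($i, name "(") == 1) {
                v = substr($i, length(name) + 2)
                sub(/\).*$/, "", v)
                print v
                exit
            }
    }'
}

# grade ATTR VALUE: one finding line per password-check attribute.
grade() {
    case "$2" in
        NONE)     echo "WARN $1(NONE): user ID and password are never checked" ;;
        OPTIONAL) echo "INFO $1(OPTIONAL): checked only when the application supplies them" ;;
        REQDADM)  echo "OK   $1(REQDADM): privileged users must supply a valid password" ;;
        REQUIRED) echo "OK   $1(REQUIRED): every application must supply a valid password" ;;
        *)        echo "WARN $1($2): attribute missing or value not recognised" ;;
    esac
}

# audit_connauth: read DISPLAY AUTHINFO output on stdin, grade both attributes.
audit_connauth() {
    out=$(cat)
    for attr in CHCKCLNT CHCKLOCL; do
        grade "$attr" "$(printf '%s\n' "$out" | mqsc_attr "$attr")"
    done
}

# Live use (queue manager name from the post):
#   echo "DISPLAY AUTHINFO(SYSTEM.DEFAULT.AUTHINFO.IDPWOS)" | runmqsc IB9QMGR | audit_connauth
sample_authinfo | audit_connauth
```

CHCKCLNT governs client connections over channels and CHCKLOCL governs locally bound applications such as mqsiwebuseradmin, so the two are graded separately.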
