IBM MQ - Resolve "JMSWMQ2013 The security authentication was not valid"


Let's say the following error occurs when attempting to connect to the queue manager named MANAGER01.

JMSWMQ2013: The security authentication was not valid that was supplied for queue manager 'MANAGER01' with connection mode 'Client' and host name 'manager01.example.com(1414)'.
Please check if the supplied username and password are correct on the queue manager to which you are connecting.

 


Get user ID

If you are not sure which user ID is being used in a request, the dmpmqaut command can be used to display the users (principals) and groups that have been granted permissions to a queue or topic. In this example, the user "JohnDoe" and the group "admins" have the get, browse, put and inq permissions on QUEUE01.

dmpmqaut -m MANAGER01 -t queue -n QUEUE01
. . .
profile:     QUEUE01
object type: queue
entity:      uid=JohnDoe,ou=MQ,ou=Appmgmt,ou=svcs,O=Acme
entity type: principal
authority:   get browse put inq
- - - - - - - -
profile:     QUEUE01
object type: queue
entity:      cn=admins,ou=MQ,ou=Appmgmt,ou=svcs,O=Acme
entity type: group
authority:   get browse put inq

 


LDAP

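Notice that each entity in the dmpmqaut output is an LDAP distinguished name (DN), which suggests the queue manager authenticates users against LDAP. Use the display qmgr command to determine if the queue manager is configured to use LDAP. In this example, the CONNAUTH attribute shows that the queue manager named MANAGER01 is using the authentication information object MANAGER01.LDAP.AUTHINFO.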

~]# echo "display qmgr" | runmqsc MANAGER01
CONNAUTH(MANAGER01.LDAP.AUTHINFO)

 

The display authinfo command can be used to get the hostname(s) of the LDAP systems being used, the LDAP Base Distinguished Name (DN), and the LDAP user being used for LDAP queries.

~]# echo "display authinfo ('MANAGER01.LDAP.AUTHINFO')" | runmqsc MANAGER01
AUTHTYPE(IDPWLDAP)
CONNAME(ldap1.example.com(389),ldap2.example.com(389))
BASEDNU(ou=mq,ou=appmgmt,ou=svcs,o=acme)
LDAPUSER(CN=admin,ou=mgmt,ou=svcs,o=acme)

 

The display qmstatus command can be used to determine if the queue manager is running and connected to LDAP.

~]# echo "display qmstatus all" | runmqsc MANAGER01
STATUS(RUNNING)
LDAPCONN(CONNECTED)

 

The ldapsearch command can then be used to search for the user in LDAP.

  • The -x option means to use simple authentication instead of SASL.
  • The -b option is the base LDAP distinguished name (DN) to search under.

ldapsearch -x -b ou=mq,ou=appmgmt,ou=svcs,o=acme cn=JohnDoe

 

Following is an example of what could be returned by the ldapsearch command.

dn: uid=JohnDoe,ou=People,dc=example,dc=com
uid: JohnDoe
cn: JohnDoe
sn: JohnDoe
mail: JohnDoe@example.com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}asldfjalkfjaslkfavkjalkalkvjalkvjalfjadofiasoifjelemlaemlakemla
shadowLastChange: 17483
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1001
gidNumber: 1001
homeDirectory: /home/JohnDoe
gecos: JohnDoe

dn: cn=admins,ou=Group,dc=example,dc=com
objectClass: PosixGroup
objectClass: top
cn: admins
userPassword: {crypt}x
gidNumber: 1003
memberUid: JohnDoe

 


Display authority to the queue manager

Use the dspmqaut command to ensure the user ID has the inq and connect permissions on the queue manager.

 ~]$ dspmqaut -m MANAGER01 -t qmgr -p john.doe
Entity john.doe has the following authorizations for object MANAGER01:
        inq
        connect

 


Display authority to a topic or queue

Use the dspmqaut command to ensure the user ID has the pub and sub permissions on the topic.

~]# dspmqaut -m MANAGER01 -n TOPIC01 -t topic -p JohnDoe
Entity JohnDoe has the following authorizations for object TOPIC01: 
    pub
    sub

 

Or to the Queue.

~]# dspmqaut -m MANAGER01 -n QUEUE01 -t queue -p JohnDoe
Entity JohnDoe has the following authorizations for object QUEUE01: 
    get
    browse
    put
    inq
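
The checks above chained into one triage script, as an added example that is not part of the original article: it parses runmqsc and dspmqaut output and names the first check that fails. The function names (mqsc_attr, missing_auths, triage) and the sample output are constructed for illustration; on a real system the text would come from the commands shown above.

```bash
# mqsc_attr NAME: read runmqsc output on stdin, print the value of NAME(...).
# Parentheses are counted so CONNAME(host(389),host(389)) comes back whole.
mqsc_attr() {
    awk -v name="$1" '{
        line = $0
        while ((i = index(line, name "(")) > 0) {
            # Skip a match that is only the tail of a longer attribute name.
            if (i > 1 && substr(line, i - 1, 1) ~ /[A-Za-z0-9]/) { line = substr(line, i + 1); continue }
            depth = 1; val = ""
            for (j = i + length(name) + 1; j <= length(line); j++) {
                c = substr(line, j, 1)
                if (c == "(") depth++
                else if (c == ")" && --depth == 0) { print val; exit }
                val = val c
            }
            exit
        }
    }'
}
# missing_auths DSPMQAUT_OUT AUTH...: print the required authorities that
# dspmqaut did not list; the return status is 0 only when none are missing.
missing_auths() {
    local out="$1" granted auth missing=""; shift
    # Granted authorities are the indented one-word lines under the header.
    granted=$(printf '%s\n' "$out" | awk 'NF == 1 && /^[ \t]/ && $1 ~ /^[a-z]+$/ { print $1 }')
    for auth in "$@"; do
        printf '%s\n' "$granted" | grep -qxF -- "$auth" || missing="$missing $auth"
    done
    printf '%s\n' "${missing# }"
    [ -z "$missing" ]
}
# triage QMSTATUS_OUT QMGR_AUT OBJ_AUT AUTH...: name the first failing check.
# Assumes CONNAUTH points at an IDPWLDAP authinfo object, as in the article.
triage() {
    local qmstatus="$1" qmgr_aut="$2" obj_aut="$3" m; shift 3
    [ "$(printf '%s\n' "$qmstatus" | mqsc_attr LDAPCONN)" = CONNECTED ] ||
        { echo "LDAP connection is not CONNECTED"; return 1; }
    m=$(missing_auths "$qmgr_aut" connect inq) ||
        { echo "queue manager authority missing: $m"; return 1; }
    m=$(missing_auths "$obj_aut" "$@") ||
        { echo "object authority missing: $m"; return 1; }
    echo "authorities present; check the user ID and password the client sends"
}
# Constructed sample (not real output): JohnDoe lacks "put" on QUEUE01.
SAMPLE_STATUS='STATUS(RUNNING)   LDAPCONN(CONNECTED)'
SAMPLE_QMGR=$(printf '%s\n' 'Entity JohnDoe has the following authorizations for object MANAGER01:' '        inq' '        connect')
SAMPLE_QUEUE=$(printf '%s\n' 'Entity JohnDoe has the following authorizations for object QUEUE01:' '        get' '        browse' '        inq')
triage "$SAMPLE_STATUS" "$SAMPLE_QMGR" "$SAMPLE_QUEUE" get browse put inq || true
```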

 


Valid username or password in Java program

When a Java application attempts to connect to IBM MQ, the Java program may have an invalid username or password defined. Refer to the following articles for examples on how to make a connection to IBM MQ in a Java application. In the program, check the value passed to WMQConstants.PASSWORD, such as in the following line.

cf.setStringProperty(WMQConstants.PASSWORD, "bogus");

 



