
Let's say something like this is in the IBM MQ error log.
----- amqzfula.c : 3165 -------------------------------------------------------
12/06/2022 10:44:17 PM - Process(4696.851316) User(mqm) Program(amqrmppa)
Host(server1.example.com) Installation(Installation1)
VRMF(9.1.0.10) QMgr(MANAGER01)
Time(2022-12-07T04:44:17.799Z)
ArithInsert1(2) ArithInsert2(2035)
CommentInsert1(john.doe)
CommentInsert2(jane.doe)
CommentInsert3(john.doe)
AMQ9557E: Queue Manager User ID initialization failed for 'john.doe'.
EXPLANATION:
The call to initialize the User ID 'john.doe' failed with CompCode 2 and Reason
2035. If an MQCSP block was used, the User ID in the MQCSP block was
'jane.doe'. If a userID flow was used, the User ID in the UID header was
'john.doe' and any CHLAUTH rules applied prior to user adoption were evaluated
case-sensitively against this value.
ACTION:
Correct the error and try again.
----- cmqxrsrv.c : 2298 -------------------------------------------------------
MQCSP vs User ID Flow / Compatibility Mode
There are two "modes":
- MQCSP
- User ID Flow / Compatibility Mode
Notice in this example that there are two IDs, john.doe and jane.doe, and that the Queue Manager User ID initialization failed for john.doe, which means that john.doe was used to authenticate to IBM MQ. CommentInsert1 and CommentInsert3 are almost always the User ID that is running the application (john.doe in this example), and CommentInsert2 (jane.doe in this example) is almost always the user ID the application is providing to IBM MQ for authentication. For example, if the application attempting to connect to IBM MQ is running on WebSphere and the WebSphere application server is being run as john.doe, then CommentInsert1 and CommentInsert3 should be john.doe.
- In MQCSP mode, the user that is running the application that is attempting to authenticate to IBM MQ is the user that should be used when attempting to authenticate to IBM MQ. This is almost always the user listed in CommentInsert1 and CommentInsert3.
- In User ID Flow / Compatibility Mode, the user being provided by the application is the user that should be used when attempting to authenticate to IBM MQ. This is almost always the user listed in CommentInsert2.
It is noteworthy that in IBM lingo, you may see something like "the user running the extension process". This basically means the user that is running the application that is attempting to authenticate to IBM MQ, which is almost always CommentInsert1 and CommentInsert3.
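When many of these entries pile up, it helps to pull the inserts out of each one and see which ID arrived in the MQCSP block and which in the UID header. The following Python parser is an added example, not part of the original article or of IBM MQ; the function name, the result keys and the mapping of CommentInsert1/2/3 (taken from the order of the entry's own EXPLANATION text) are assumptions.

```python
import re

# Constructed sample: the AMQ9557E entry shown above, trimmed to the lines parsed.
SAMPLE_LOG = """\
----- amqzfula.c : 3165 -------------------------------------------------------
12/06/2022 10:44:17 PM - Process(4696.851316) User(mqm) Program(amqrmppa)
Host(server1.example.com) Installation(Installation1)
VRMF(9.1.0.10) QMgr(MANAGER01)
Time(2022-12-07T04:44:17.799Z)
ArithInsert1(2) ArithInsert2(2035)
CommentInsert1(john.doe)
CommentInsert2(jane.doe)
CommentInsert3(john.doe)
AMQ9557E: Queue Manager User ID initialization failed for 'john.doe'.
----- cmqxrsrv.c : 2298 -------------------------------------------------------
"""

SEPARATOR = re.compile(r"^-{5} .* -+$", re.M)  # "----- file.c : line -----" between entries
FIELD = re.compile(r"(\w+)\(([^)]*)\)")         # Name(value) pairs in the entry header
REASONS = {2035: "MQRC_NOT_AUTHORIZED"}         # only the reason code seen on this page


def parse_amq9557(log_text):
    """Return one dict per AMQ9557E entry found in an MQ error log."""
    findings = []
    for entry in SEPARATOR.split(log_text):
        if "AMQ9557E" not in entry:
            continue
        # The inserts appear before the message text, so parse only that part.
        fields = dict(FIELD.findall(entry.split("AMQ9557E", 1)[0]))
        reason = int(fields["ArithInsert2"])
        findings.append({
            "qmgr": fields.get("QMgr"),
            "time": fields.get("Time"),
            "comp_code": int(fields["ArithInsert1"]),
            "reason": reason,
            "reason_name": REASONS.get(reason, "unknown"),
            # Mapping assumed from the order of the entry's EXPLANATION text.
            "failed_user": fields.get("CommentInsert1"),
            "mqcsp_user": fields.get("CommentInsert2"),
            "uid_header_user": fields.get("CommentInsert3"),
            "ids_differ": fields.get("CommentInsert2") != fields.get("CommentInsert3"),
        })
    return findings


if __name__ == "__main__":
    for finding in parse_amq9557(SAMPLE_LOG):
        print(finding)
```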
For example, let's say the following Java class is being used to authenticate to IBM MQ. Notice in this example that username jane.doe is being used to authenticate to IBM MQ.
import java.util.Hashtable;
import com.ibm.mq.MQException;
import com.ibm.mq.MQQueueManager;
import com.ibm.mq.constants.MQConstants;

public class Main {
    private static final String HOST = "10.11.12.13";
    private static final String QMGR = "my_queue_manager";
    private static final String CHANNEL = "my_channel";
    // User ID and password the application provides to IBM MQ
    private static final String USERNAME = "jane.doe";
    private static final String myPASSWORD = "itsasecret";
    private static final int PORT = 12345;

    public static void main(String[] args) throws MQException {
        // Connection properties passed to the queue manager
        Hashtable<String, Object> properties = new Hashtable<String, Object>();
        properties.put(MQConstants.HOST_NAME_PROPERTY, HOST);
        properties.put(MQConstants.PORT_PROPERTY, PORT);
        properties.put(MQConstants.CHANNEL_PROPERTY, CHANNEL);
        properties.put(MQConstants.USER_ID_PROPERTY, USERNAME);
        properties.put(MQConstants.PASSWORD_PROPERTY, myPASSWORD);
        try {
            // Use the constants defined above so the names stay consistent
            MQQueueManager queueManagerConnection = new MQQueueManager(QMGR, properties);
            if (queueManagerConnection.isConnected()) {
                System.out.println("Successfully connected to " + CHANNEL);
            }
            else {
                System.out.println("Failed to connect to " + CHANNEL);
            }
            System.out.println(queueManagerConnection);
            queueManagerConnection.disconnect();
            System.out.println("Successfully disconnected from queue manager " + QMGR);
        } catch (MQException e) {
            e.printStackTrace();
        }
    }
}
ADOPTCTX and CHLAUTH
If channel authentication is disabled and ADOPTCTX is disabled then the user running the application that is attempting to authenticate to IBM MQ should be the user that is used to authenticate to IBM MQ. The DIS QMGR ALL command can be used to determine if channel authentication is disabled. In this example, CHLAUTH is DISABLED.
AMQ8408I: Display Queue Manager details.
QMNAME(MANAGER1) ACCTCONO(DISABLED)
ACCTINT(60) ACCTMQI(OFF)
ACCTQ(OFF) ACTIVREC(MSG)
ACTVCONO(DISABLED) ACTVTRC(OFF)
ADVCAP(ENABLED) ALTDATE(2024-04-15)
ALTTIME(13.57.58) AMQPCAP(YES)
AUTHOREV(ENABLED) CCSID(819)
CERTLABL(MANAGER1) CERTVPOL(ANY)
CHAD(DISABLED) CHADEV(ENABLED)
CHADEXIT( ) CHLEV(ENABLED)
CHLAUTH(DISABLED) CLWLDATA( )
CLWLEXIT( ) CLWLLEN(100)
CLWLMRUC(999999999) CLWLUSEQ(LOCAL)
CMDEV(DISABLED) CMDLEVEL(930)
COMMANDQ(SYSTEM.ADMIN.COMMAND.QUEUE) CONFIGEV(ENABLED)
CONNAUTH(MANAGER1.LDAP.AUTHINFO) CRDATE(2018-04-11)
CRTIME(17.41.33) CUSTOM( )
And ADOPTCTX is NO (disabled).
AUTHINFO(MANAGER1.LDAP.AUTHINFO) AUTHTYPE(IDPWLDAP)
ADOPTCTX(NO) DESCR( )
CONNAME(ldap.example.com) CHCKCLNT(REQUIRED)
CHCKLOCL(OPTIONAL) CLASSGRP( )
CLASSUSR( ) FAILDLAY(1)
FINDGRP( ) BASEDNG( )
BASEDNU(ou=mq,ou=appmgmt,ou=svcs,o=acme)
LDAPUSER(CN=admin,ou=mgmt,ou=svcs,o=acme)
LDAPPWD(********************************)
SHORTUSR(cn) GRPFIELD( )
USRFIELD(cn) AUTHORMD(SEARCHGRP)
NESTGRP(NO) SECCOMM(NO)
ALTDATE(2018-04-24) ALTTIME(09.14.29)
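To review these attributes across several queue managers without reading the output by eye, the ATTR(value) pairs can be parsed and the authentication-related ones checked. This Python sketch is an added example, not part of the original article or of IBM MQ; the function names and the choice of checks are assumptions, and the sample is a subset of the output above.

```python
import re

# Constructed sample: selected lines from the DIS QMGR and DIS AUTHINFO output above.
SAMPLE_MQSC = """\
AMQ8408I: Display Queue Manager details.
QMNAME(MANAGER1) ACCTCONO(DISABLED)
CHADEXIT( ) CHLEV(ENABLED)
CHLAUTH(DISABLED) CLWLDATA( )
CONNAUTH(MANAGER1.LDAP.AUTHINFO) CRDATE(2018-04-11)
AUTHINFO(MANAGER1.LDAP.AUTHINFO) AUTHTYPE(IDPWLDAP)
ADOPTCTX(NO) DESCR( )
CONNAME(ldap.example.com) CHCKCLNT(REQUIRED)
LDAPUSER(CN=admin,ou=mgmt,ou=svcs,o=acme)
NESTGRP(NO) SECCOMM(NO)
"""

ATTR = re.compile(r"\b([A-Z][A-Z0-9]*)\(([^)]*)\)")  # ATTR(value), value may be blank


def parse_mqsc(output):
    """Map attribute name to value; a later duplicate overwrites an earlier one."""
    return {name: value.strip() for name, value in ATTR.findall(output)}


def review_auth_settings(attrs):
    """Return notes on the settings that decide which user ID MQ ends up using."""
    notes = []
    if attrs.get("CHLAUTH") == "DISABLED":
        notes.append("CHLAUTH(DISABLED): channel authentication records are not enforced")
    if attrs.get("ADOPTCTX") == "NO":
        notes.append("ADOPTCTX(NO): supplied credentials are checked but not adopted; "
                     "authorization uses the ID the application runs under")
    if attrs.get("SECCOMM") == "NO":
        notes.append("SECCOMM(NO): connection to the LDAP server in CONNAME does not use TLS")
    if attrs.get("CONNAUTH") != attrs.get("AUTHINFO"):
        notes.append("AUTHINFO shown is not the object named in CONNAUTH")
    return notes


if __name__ == "__main__":
    for note in review_auth_settings(parse_mqsc(SAMPLE_MQSC)):
        print(note)
```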
MQ resource adapter
It is noteworthy that WebSphere version 9.0.5.18 uses version 9.1.0.17 of the MQ resource adapter whereas WebSphere version 9.0.5.23 uses version 9.0.5.22 of the MQ resource adapter. With version 9.1.0.17 of the MQ resource adapter, by default, authentication is done using User ID Flow / Compatibility Mode. With version 9.0.5.22 of the MQ resource adapter, by default, authentication is done using MQCSP. This can be why you may start seeing the error in the example above on WebSphere version 9.0.5.23.
Override options
There are a few options that can be used to force the authentication to be done using MQCSP or User ID Flow / Compatibility Mode.
- MQConstants.USE_MQCSP_AUTHENTICATION_PROPERTY
- JmsConstants.USER_AUTHENTICATION_MQCSP
- Property com.ibm.mq.cfg.jmqi.useMQCSPauthentication
For example, here is a Java class with MQConstants.USE_MQCSP_AUTHENTICATION_PROPERTY set to true.
import java.util.Hashtable;
import com.ibm.mq.MQException;
import com.ibm.mq.MQQueueManager;
import com.ibm.mq.constants.MQConstants;

public class Main {
    private static final String HOST = "your ibm mq server or cluster hostname";
    private static final String QMGR = "your ibm mq queue_manager";
    private static final String CHANNEL = "your ibm mq channel";
    private static final String USERNAME = "your ibm mq username";
    private static final String myPASSWORD = "your ibm mq password";
    // Placeholder: replace with your ibm mq queue manager port (1414 is the default listener port)
    private static final int PORT = 1414;

    public static void main(String[] args) throws MQException {
        // Connection properties passed to the queue manager
        Hashtable<String, Object> properties = new Hashtable<String, Object>();
        properties.put(MQConstants.HOST_NAME_PROPERTY, HOST);
        properties.put(MQConstants.PORT_PROPERTY, PORT);
        properties.put(MQConstants.CHANNEL_PROPERTY, CHANNEL);
        properties.put(MQConstants.USER_ID_PROPERTY, USERNAME);
        properties.put(MQConstants.PASSWORD_PROPERTY, myPASSWORD);
        // Force MQCSP authentication instead of User ID Flow / Compatibility Mode
        properties.put(MQConstants.USE_MQCSP_AUTHENTICATION_PROPERTY, true);
        try {
            // Use the constants defined above so the names stay consistent
            MQQueueManager queueManagerConnection = new MQQueueManager(QMGR, properties);
            if (queueManagerConnection.isConnected()) {
                System.out.println("Successfully connected to " + CHANNEL);
            }
            else {
                System.out.println("Failed to connect to " + CHANNEL);
            }
            System.out.println(queueManagerConnection);
            queueManagerConnection.disconnect();
            System.out.println("Successfully disconnected from queue manager " + QMGR);
        } catch (MQException e) {
            e.printStackTrace();
        }
    }
}
If the app that is attempting to connect to IBM MQ is running in a WebSphere Application Server, generic JVM argument -Dcom.ibm.mq.cfg.jmqi.useMQCSPauthentication=T can be used so that all apps in the JVM use MQCSP to authenticate to IBM MQ.
More details here => https://www.ibm.com/docs/en/ibm-mq/9.2?topic=authentication-connection-java-client
-Dcom.ibm.mq.cfg.jmqi.useMQCSPauthentication=T