
invalid security authentication supplied for MQQueueManager


zarina....@ca.com

May 10, 2005, 12:20:34 PM
I am using WAS 5.1.1.3. I am using the embedded messaging server. I turned on Global Security and I see the following error.
Would anyone know what I need to do? I am new to this stuff.

[5/10/05 10:50:32:682 EDT] 5ee6a6 MDBListenerIm W WMSG0019E: Unable to start MDB Listener SubscriberMessageEJB, JMSDestination com.netegrity.ims.msg.queue : javax.jms.JMSSecurityException: MQJMS2013: invalid security authentication supplied for MQQueueManager
at com.ibm.mq.jms.MQConnection.createQM(MQConnection.java:2223)
at com.ibm.mq.jms.MQConnection.createQMXA(MQConnection.java:1654)
at com.ibm.mq.jms.MQQueueConnection.<init>(MQQueueConnection.java:97)
at com.ibm.mq.jms.MQQueueConnection.<init>(MQQueueConnection.java:54)
at com.ibm.mq.jms.MQXAQueueConnection.<init>(MQXAQueueConnection.java:46)
at com.ibm.mq.jms.MQXAQueueConnectionFactory.createXAQueueConnection(MQXAQueueConnectionFactory.java:63)
at com.ibm.ejs.jms.JMSManagedQueueConnection.createConnection(JMSManagedQueueConnection.java:118)
at com.ibm.ejs.jms.JMSManagedConnection.<init>(JMSManagedConnection.java:189)
at com.ibm.ejs.jms.JMSManagedQueueConnection.<init>(JMSManagedQueueConnection.java:66)
at com.ibm.ejs.jms.WSJMSManagedQueueConnectionFactory.createManagedConnection(WSJMSManagedQueueConnectionFactory.java:92)
at com.ibm.ejs.jms.JMSManagedConnectionFactory.createManagedConnection(JMSManagedConnectionFactory.java:503)
at com.ibm.ejs.j2c.poolmanager.FreePool.createManagedConnectionWithMCWrapper(FreePool.java:1331)
at com.ibm.ejs.j2c.poolmanager.FreePool.createOrWaitForConnection(FreePool.java:1132)
at com.ibm.ejs.j2c.poolmanager.PoolManager.reserve(PoolManager.java:1747)
at com.ibm.ejs.j2c.ConnectionManager.allocateMCWrapper(ConnectionManager.java:711)
at com.ibm.ejs.j2c.ConnectionManager.allocateConnection(ConnectionManager.java:464)
at com.ibm.ejs.jms.JMSQueueConnectionFactoryHandle.createQueueConnection(JMSQueueConnectionFactoryHandle.java:80)
at com.ibm.ejs.jms.listener.MDBListenerImpl.createResources(MDBListenerImpl.java:308)
at com.ibm.ejs.jms.listener.MDBListenerImpl.internalStart(MDBListenerImpl.java:588)
at com.ibm.ejs.jms.listener.MDBListenerImpl.restart(MDBListenerImpl.java:562)
at com.ibm.ejs.jms.listener.MDBListenerImpl.alarm(MDBListenerImpl.java:880)
at com.ibm.ejs.util.am._Alarm.run(_Alarm.java:80)
at com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.java:912)
---- Begin backtrace for Nested Throwables
com.ibm.mq.MQException: MQJE001: An MQException occurred: Completion Code 2, Reason 2063
MQJE027: Queue manager security exit rejected connection with error code 23
at com.ibm.mq.MQManagedConnectionJ11.<init>(MQManagedConnectionJ11.java:242)
at com.ibm.mq.MQClientManagedConnectionFactoryJ11._createManagedConnection(MQClientManagedConnectionFactoryJ11.java:276)
at com.ibm.mq.MQClientManagedConnectionFactoryJ11.createManagedConnection(MQClientManagedConnectionFactoryJ11.java:296)
at com.ibm.mq.StoredManagedConnection.<init>(StoredManagedConnection.java:80)
at com.ibm.mq.MQSimpleConnectionManager.allocateConnection(MQSimpleConnectionManager.java:171)

Paul Ilechko

May 10, 2005, 5:55:57 PM
zarina....@ca.com wrote:

> I am using WAS 5.1.1.3. I am using the embedded messaging server. I turned on Global Security and I see the following error.
> Would anyone know what I need to do? I am new to this stuff.

You probably need to set up a container-managed authentication alias on
the JMS connection factory. Look in the info center for details.

zarina....@ca.com

May 10, 2005, 6:19:47 PM
I am using component-managed authentication. I set the component-managed authentication alias to root and it worked for me. Also, I have set my user registry to local OS.
I am using Solaris and root is a part of my MQM group.

Paul Ilechko

May 11, 2005, 6:40:34 PM
zarina....@ca.com wrote:

> I am using component-managed authentication. I set the component-managed authentication alias to root and it worked for me. Also, I have set my user registry to local OS.
> I am using Solaris and root is a part of my MQM group.

So do you still have a problem?

(BTW, I really would not recommend using root for this)

santos...@gmail.com

May 12, 2005, 1:39:57 AM
What user are you trying to start and stop as? Is it root? If it is not root, you will have to delete and create the MQ manager again. If you are starting the server as root, then add root to groups mqm and mqbrkrs.

zarina....@ca.com

May 12, 2005, 10:05:48 AM
No, I don't have the problem any more after I created a component-managed auth alias with root.
I understand using root is not the best approach.
What would you suggest is the best way of doing this?
Should I use another user with limited privileges?
Awaiting your reply.

zarina....@ca.com

May 12, 2005, 10:11:04 AM
I am using root to start and stop the server. Why do you say so? Is it that the user I use to create my component-managed auth alias should be the same user with which I stop and start the server? Why do I have to create the MQ manager again?
Can you point me to some documentation where I can learn more about this?

Any help will be greatly appreciated.

Paul Ilechko

May 12, 2005, 2:41:22 PM
zarina....@ca.com wrote:

Yes, you should use another user with the privileges needed.

santos...@gmail.com

May 13, 2005, 1:27:47 AM
Check this part of the document found in the info center. This will help you run WAS as a non-root user, and then your problem should also be resolved.

Running Application Servers from a non-root user

By default, each base WebSphere Application Server node on a Linux and UNIX platform uses the root user ID to run all Application Server processes. However, you can run all Application Server processes under the same non-root user and user group. This task describes how to run an Application Server process from a non-root user.

Before you begin

If global security is enabled, the user registry must not be Local OS. Using the Local OS user registry requires the Application Server to run as root. Refer to Local operating system user registries for details.

Why and when to perform this task

For the following steps, assume that:

- was1 is the user to run the Application Server
- mqm is the primary user group for user was1
- wasgroup is another user group for user was1
- mqm and mqbrkrs are user groups associated with the Java Message Service (JMS) provider that WebSphere Application Server provides
- wasnode is the node name
- server1 is the Application Server
- /opt/WebSphere/Appserver is the installation root

To configure an Application Server to run as non-root, complete the following steps.

Steps for this task

1. Log on to the Application Server system as the root user.

2. Create the user ID was1 with a primary user group of wasgroup.
   The user ID, was1, is an example. You can name the user something else. The user group, mqm, is one of the required user groups for the JMS provider that WebSphere Application Server provides. Do not change this name.

3. If you are using the JMS provider that WebSphere Application Server provides, add was1 to groups mqm and mqbrkrs.
   The user group, mqbrkrs, is one of the required user groups for the WebSphere messaging provider. Do not change this name.
   The user group, wasgroup, is an example. You can name this user group something else.

4. Log off and back on as root.

5. Start server1 as root.
   Run the startServer.sh script from the /bin directory of the installation root:

       startServer.sh server1

6. Specify user and group ID values for the Run As User and Run As Group settings for a server:
   a. Start the administrative console.
   b. Go to the Process execution page of the administrative console.
   c. You must define all three properties in the following table. Click Servers > Application Servers > server1 > Process Definition > Process Execution and change all of the following values:

          Property        Value
          Run As User     was1
          Run As Group    wasgroup
          UMASK           002

   d. Click OK.
   e. Save the configuration.

7. Stop the Application Server.
   Use the stopServer.sh script from the /bin directory of the installation root:

       stopServer.sh server1

8. Change file permissions as the root user.
   The following example assumes that the installation root directory of the WebSphere Application Server is /opt/WebSphere/AppServer:

       chgrp wasgroup /opt/WebSphere
       chgrp wasgroup /opt/WebSphere/AppServer
       chgrp -R wasgroup /opt/WebSphere/AppServer/config
       chgrp -R wasgroup /opt/WebSphere/AppServer/logs
       chgrp -R wasgroup /opt/WebSphere/AppServer/properties
       chgrp -R wasgroup /opt/WebSphere/AppServer/wstemp
       chgrp -R wasgroup /opt/WebSphere/AppServer/installedApps
       chgrp -R wasgroup /opt/WebSphere/AppServer/temp
       chgrp -R wasgroup /opt/WebSphere/AppServer/tranlog
       chgrp -R wasgroup /opt/WebSphere/AppServer/cloudscape
       chgrp -R wasgroup /opt/WebSphere/AppServer/bin/DefaultDB
       chmod g+wr /opt/WebSphere
       chmod g+wr /opt/WebSphere/AppServer
       chmod -R g+wr /opt/WebSphere/AppServer/config
       chmod -R g+wr /opt/WebSphere/AppServer/logs
       chmod -R g+wr /opt/WebSphere/AppServer/properties
       chmod -R g+wr /opt/WebSphere/AppServer/wstemp
       chmod -R g+wr /opt/WebSphere/AppServer/installedApps
       chmod -R g+wr /opt/WebSphere/AppServer/temp
       chmod -R g+wr /opt/WebSphere/AppServer/tranlog
       chmod -R g+wr /opt/WebSphere/AppServer/cloudscape
       chmod -R g+wr /opt/WebSphere/AppServer/bin/DefaultDB

9. If you are running the JMS provider that WebSphere Application Server provides, delete the default queue manager for the Application Server.
   Run the deletemq.sh script as root from the /bin directory of the installation root directory. For example, assuming that the node name is wasnode:

       deletemq.sh wasnode wasnode server1

10. Log on to the Application Server system as was1.

11. If you are running the JMS provider that WebSphere Application Server provides, create the queue manager and the broker for the JMS provider that WebSphere Application Server provides.
    Run the createmq.sh script as was1 from the /bin directory of the installation root. For example, assuming that the node name is wasnode:

        createmq.sh /opt/WebSphere/AppServer wasnode wasnode server1

12. Start server1 as was1.
    Run the startServer.sh script from the /bin directory of the installation root:

        startServer.sh server1

13. If running the JMS provider that WebSphere Application Server provides, verify that the MQ queue is running.
    Run the dspmq command from the /bin directory of the installation root:

        dspmq

    The name of the queue is WAS_wasnode_server1 because the JMS provider that WebSphere Application Server provides is running on server1.

14. If creating another server with a different user ID, follow this procedure again for the new user ID and server name.
    The two user IDs must share the same group, wasgroup.

Results

You can start an Application Server from a non-root user.

Sunit Patke

May 13, 2005, 10:28:41 AM
To be able to connect to MQ the id has to be part of mqm group or root. In
your case you can create an id for your application use, make it part of mqm
group and then define it in a J2C Authentication Data entry.

Sunit

<zarina....@ca.com> wrote in message
news:313050494.1115906779...@ltsgwas007.sby.ibm.com...
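
A check for the account setup the two posts above describe (a non-root ID that belongs to the MQ groups), added here as an example and not taken from the thread or from IBM's documentation. The function names, the PASSWD_FILE/GROUP_FILE variables and the sample accounts mqapp and web1 are made up for illustration, and the script assumes local passwd/group-format files rather than a directory service:

```shell
#!/bin/sh
# Added example: audit a messaging service account using passwd/group-format files.
# Run with --demo to see the findings on the constructed sample data below.
PASSWD_FILE="${PASSWD_FILE:-/etc/passwd}"
GROUP_FILE="${GROUP_FILE:-/etc/group}"

# in_group USER GROUP: true if GROUP is USER's primary group or lists USER as a member.
# A primary group never appears in the group file's member list, so both are checked.
in_group() {
    gid=$(awk -F: -v g="$2" '$1 == g { print $3; exit }' "$GROUP_FILE")
    [ -n "$gid" ] || return 1
    pgid=$(awk -F: -v u="$1" '$1 == u { print $4; exit }' "$PASSWD_FILE")
    if [ "$pgid" = "$gid" ]; then return 0; fi
    awk -F: -v g="$2" -v u="$1" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) ok = 1 }
        END { exit (ok ? 0 : 1) }' "$GROUP_FILE"
}

# audit_account USER [GROUP...]: returns 0 only for a non-root account in every GROUP
# (default: mqm and mqbrkrs, the groups the pasted procedure names); 2 if USER is unknown.
audit_account() {
    user=$1; shift
    [ $# -gt 0 ] || set -- mqm mqbrkrs
    uid=$(awk -F: -v u="$user" '$1 == u { print $3; exit }' "$PASSWD_FILE")
    if [ -z "$uid" ]; then echo "FAIL: no such account: $user"; return 2; fi
    rc=0
    if [ "$uid" = "0" ]; then echo "FAIL: $user has UID 0"; rc=1; fi
    for g in "$@"; do
        if in_group "$user" "$g"; then echo "ok:   $user is in $g"
        else echo "FAIL: $user is not in $g"; rc=1; fi
    done
    return "$rc"
}

# write_sample DIR: constructed sample data (not from any real host).
write_sample() {
    printf '%s\n' 'root:x:0:0::/:/bin/sh' 'was1:x:1001:500::/home/was1:/bin/sh' \
        'mqapp:x:1002:600::/home/mqapp:/bin/sh' 'web1:x:1003:700::/home/web1:/bin/sh' > "$1/passwd"
    printf '%s\n' 'mqm:x:500:root,mqapp' 'mqbrkrs:x:501:root,was1' 'wasgroup:x:600:was1' \
        'web:x:700:' > "$1/group"
}

if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d); write_sample "$d"
    PASSWD_FILE=$d/passwd; GROUP_FILE=$d/group
    for u in root was1 mqapp web1; do audit_account "$u" || true; done
    audit_account mqapp mqm || true   # only mqm required, as for a J2C alias ID
    rm -rf "$d"
fi
```
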

zarina....@ca.com

May 17, 2005, 9:54:04 AM
I did just that. I created a user and made this user a part of the mqm group. Then I created a J2C Authentication Data entry and set this on my connection factories.
Everything worked like a charm.
Just wanted to say thanks to all of you for your valuable input on this issue.