Resolving problem: JAAS login module not called by the telemetry service

Find out if your JAAS login module is not being called by the telemetry (MQXR) service, and configure JAAS to correct the problem.

Before you begin

You have modified WMQ installation directory\mqxr\samples\samples\LoginModule.java to create your own authentication class WMQ installation directory\mqxr\samples\samples\LoginModule.class. Alternatively, you have written your own JAAS authentication classes and placed them in a directory of your choosing. After some initial testing with the telemetry (MQXR) service, you suspect that your authentication class is not being called by the telemetry (MQXR) service.

Note: Guard against the possibility that your authentication classes might be overwritten by maintenance being applied to IBM® MQ. Use your own path for authentication classes, rather than a path within the IBM MQ directory tree.

About this task

The task uses a scenario to illustrate how to resolve the problem. In the scenario, a package called security.jaas contains a JAAS authentication class called JAASLogin.class. It is stored in the path C:\WMQTelemetryApps\security\jaas. Refer to Telemetry channel JAAS configuration and AuthCallback MQXR class for help in configuring JAAS for IBM MQ Telemetry. Example JAAS configuration shows a sample configuration.

Procedure

  1. Look in mqxr.log for a javax.security.auth.login.LoginException.

    See Server-side logs for the path to mqxr.log, and Figure 6 for an example of the exception listed in the log.

  2. Correct your JAAS configuration by comparing it with the worked example in Example JAAS configuration.
  3. Refactor the sample JAASLoginModule into your authentication package, replace your login class with it, and deploy it using the same path. Switch the value of loggedIn between true and false.

    If the problem goes away when loggedIn is true, and appears the same when loggedIn is false, the problem lies in your login class.

  4. Check whether the problem is with authorization rather than authentication.
    1. Change the telemetry channel definition to perform authorization checking using a fixed user ID. Select a user ID that is a member of the mqm group.
    2. Rerun the client application.

      If the problem disappears, the solution lies with the user ID being passed for authorization. What is the user name being passed? Print it to file from your login module. Check its access permissions using IBM MQ Explorer, or dspmqaut.
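
The diagnostic substitution in steps 3 and 4, as an added example (this is not IBM's sample JAASLoginModule and not code from this page): a stand-in security.jaas.JAASLogin that records when JAAS calls it and which user name it receives. The trace file path, the `loggedIn` stanza option (for example `security.jaas.JAASLogin required debug=true loggedIn=true;`), and the use of a standard NameCallback to obtain the user name are assumptions of this example.

```java
package security.jaas;

import java.io.FileWriter;
import java.io.IOException;
import java.io.PrintWriter;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

/** Diagnostic stand-in for the real login class; it never records the password. */
public class JAASLogin implements LoginModule {
    // Assumed trace location, outside the IBM MQ directory tree.
    private static final String TRACE = "C:\\WMQTelemetryApps\\jaaslogin-trace.log";
    private CallbackHandler handler;
    private boolean loggedIn; // stays false (reject) unless the stanza sets loggedIn=true

    private static synchronized void trace(String msg) {
        try (PrintWriter out = new PrintWriter(new FileWriter(TRACE, true))) {
            // Strip CR/LF so a crafted user name cannot forge trace lines.
            out.println(new java.util.Date() + " " + msg.replaceAll("[\\r\\n]", "_"));
        } catch (IOException e) {
            System.err.println("JAASLogin trace failed: " + e);
        }
    }

    @Override public void initialize(Subject subject, CallbackHandler callbackHandler,
                                     Map<String, ?> sharedState, Map<String, ?> options) {
        handler = callbackHandler;
        loggedIn = "true".equals(options.get("loggedIn")); // hypothetical stanza option
        trace("initialize called, loggedIn=" + loggedIn);  // proves JAAS loaded the class
    }

    @Override public boolean login() throws LoginException {
        NameCallback name = new NameCallback("User name");
        try {
            handler.handle(new Callback[] { name });
        } catch (Exception e) { // IOException or UnsupportedCallbackException
            trace("callback failed: " + e);
            throw new LoginException("Cannot read user name: " + e.getMessage());
        }
        trace("login called, user=" + name.getName());
        if (!loggedIn) throw new LoginException("diagnostic module: loggedIn=false");
        return true;
    }

    @Override public boolean commit() { return loggedIn; }
    @Override public boolean abort()  { return true; }
    @Override public boolean logout() { return true; }
}
```

An empty trace file after a connection attempt means JAAS never reached the class, which points back to the stanza name or the classpath. With loggedIn=true the module accepts every client, so restore the real login class as soon as the test is done.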

Example JAAS configuration

Use the New telemetry channel wizard, in IBM MQ Explorer, to configure a telemetry channel.

The JAAS configuration file has a stanza named JAASConfig that names the Java class security.jaas.JAASLogin, which JAAS is to use to authenticate clients.

Figure 1. WMQ Installation directory\data\qmgrs\qMgrName\mqxr\jaas.config

JAASConfig {
  security.jaas.JAASLogin required debug=true;
};

When SYSTEM.MQTT.SERVICE starts, it adds the path in Figure 2 to its classpath.

Figure 2. WMQ Installation directory\data\qmgrs\qMgrName\service.env

CLASSPATH=C:\WMQTelemetryApps;

Figure 3 shows the additional path in Figure 2 added to the classpath that is set up for the telemetry (MQXR) service.

Figure 3. Classpath output from runMQXRService.bat

CLASSPATH=;C:\IBM\MQ\Program\mqxr\bin\\..\lib\MQXRListener.jar;
C:\IBM\MQ\Program\mqxr\bin\\..\lib\WMQCommonServices.jar;
C:\IBM\MQ\Program\mqxr\bin\\..\lib\objectManager.utils.jar;
C:\IBM\MQ\Program\mqxr\bin\\..\lib\com.ibm.micro.xr.jar;
C:\IBM\MQ\Program\mqxr\bin\\..\..\java\lib\com.ibm.mq.jmqi.jar;
C:\IBM\MQ\Program\mqxr\bin\\..\..\java\lib\com.ibm.mqjms.jar;
C:\IBM\MQ\Program\mqxr\bin\\..\..\java\lib\com.ibm.mq.jar;
C:\WMQTelemetryApps;

The output in Figure 4 shows that the telemetry (MQXR) service has started.

Figure 4. WMQ Installation directory\data\qmgrs\qMgrName\errors\

21/05/2010 15:32:12 [main] com.ibm.mq.MQXRService.MQXRPropertiesFile
AMQXR2011I: Property com.ibm.mq.MQXR.channel/JAASMCAUser value
com.ibm.mq.MQXR.Port=1884;
com.ibm.mq.MQXR.JAASConfig=JAASConfig;
com.ibm.mq.MQXR.UserName=Admin;
com.ibm.mq.MQXR.StartWithMQXRService=true

When the client application connects to the JAAS channel, if com.ibm.mq.MQXR.JAASConfig=JAASWrongConfig does not match the name of a JAAS stanza in the jaas.config file, the connection fails, and the client throws an exception with a return code of 0; see Figure 5. The second exception, Client is not connected (32104), was thrown because the client attempted to disconnect when it was not connected.

Figure 5. Exception thrown when connecting to the Eclipse Paho sample

Connecting to tcp://localhost:1883 with client ID SampleJavaV3_publish
reason 5
msg Not authorized to connect
loc Not authorized to connect
cause null
excep Not authorized to connect (5)
Not authorized to connect (5)
        at org.eclipse.paho.client.mqttv3.internal.ExceptionHelper.createMqttException(ExceptionHelper.java:28)
        at org.eclipse.paho.client.mqttv3.internal.ClientState.notifyReceivedAck(ClientState.java:885)
        at org.eclipse.paho.client.mqttv3.internal.CommsReceiver.run(CommsReceiver.java:118)
        at java.lang.Thread.run(Thread.java:809)

mqxr.log contains additional output shown in Figure 5.

The error is detected by JAAS, which throws javax.security.auth.login.LoginException with the cause No LoginModules configured for JAAS. It could be caused, as in Figure 6, by a bad configuration name. It might also be the result of other problems JAAS has encountered loading the JAAS configuration.

If no exception is reported by JAAS, JAAS has successfully loaded the security.jaas.JAASLogin class named in the JAASConfig stanza.

Figure 6. Error loading JAAS configuration

15/06/15 13:49:28.337  
AMQXR2050E: Unable to load JAAS config:MQXRWrongConfig. 
The following exception occurred javax.security.auth.login.LoginException: 
No LoginModules configured for MQXRWrongConfig
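
The failure in Figure 6 can be checked offline before restarting the service. The following added example (not part of the original page or of IBM MQ) loads a jaas.config file with the standard JAAS configuration parser, looks up the stanza name given to the channel, and confirms that each login class it names can be found on the classpath. The class name JaasStanzaCheck and its command-line arguments are assumptions of this example.

```java
import java.io.File;
import java.security.URIParameter;
import java.util.ArrayList;
import java.util.List;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.spi.LoginModule;

/** Usage: java -cp <CLASSPATH from service.env>;. JaasStanzaCheck <jaas.config> <stanza> */
public class JaasStanzaCheck {
    /** Returns a list of problems; an empty list means the stanza and its classes resolve. */
    static List<String> check(File jaasConfig, String stanza) throws Exception {
        List<String> problems = new ArrayList<>();
        // A syntax error in the file surfaces here as an exception from getInstance.
        Configuration cfg = Configuration.getInstance(
                "JavaLoginConfig", new URIParameter(jaasConfig.toURI()));
        AppConfigurationEntry[] entries = cfg.getAppConfigurationEntry(stanza);
        if (entries == null || entries.length == 0) {
            // The condition JAAS reports as "No LoginModules configured for <name>".
            problems.add("no stanza named " + stanza + " in " + jaasConfig);
            return problems;
        }
        for (AppConfigurationEntry e : entries) {
            try {
                // initialize=false: locate the class without running its static code.
                Class<?> c = Class.forName(e.getLoginModuleName(), false,
                        JaasStanzaCheck.class.getClassLoader());
                if (!LoginModule.class.isAssignableFrom(c))
                    problems.add(c.getName() + " does not implement LoginModule");
            } catch (ClassNotFoundException | LinkageError ex) {
                problems.add(e.getLoginModuleName() + " not loadable from classpath: " + ex);
            }
        }
        return problems;
    }

    public static void main(String[] args) throws Exception {
        List<String> problems = check(new File(args[0]), args[1]);
        problems.forEach(System.err::println);
        System.out.println(problems.isEmpty() ? "OK" : "FAILED");
        System.exit(problems.isEmpty() ? 0 : 1);
    }
}
```

Run it with the same classpath entry that service.env gives the telemetry service, so that a misspelled directory shows up as a class that cannot be loaded.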