IBM MQ 8.0 was EOS 30th April 2020. Click EOS notice for more details
Resolving problem: JAAS login module not called by the telemetry service
Find out if your JAAS login module is not being called by the telemetry (MQXR) service, and configure JAAS to correct the problem.
Before you begin
You have modified WMQ installation directory\mqxr\samples\samples\LoginModule.java to create your own authentication class WMQ installation directory\mqxr\samples\samples\LoginModule.class. Alternatively, you have written your own JAAS authentication classes and placed them in a directory of your choosing. After some initial testing with the telemetry (MQXR) service, you suspect that your authentication class is not being called by the telemetry (MQXR) service.
Note: Guard against the possibility that your authentication classes might be overwritten by maintenance being applied to IBM® MQ. Use your own path for authentication classes, rather than a path within the IBM MQ directory tree.
About this task
The task uses a scenario to illustrate how to resolve the problem. In the scenario, a package called security.jaas contains a JAAS authentication class called JAASLogin.class. It is stored in the path C:\WMQTelemetryApps\security\jaas. Refer to Telemetry channel JAAS configuration and AuthCallback MQXR class for help in configuring JAAS for IBM MQ Telemetry. The example, Example JAAS configuration, is a sample configuration.
Procedure
Look in mqxr.log for a javax.security.auth.login.LoginException thrown by JAAS.
See Server-side logs for the path to mqxr.log, and Figure 6 for an example of the exception listed in the log.
Replace your login class with the sample JAASLoginModule, after refactoring it into your authentication package, and deploy it using the same path. Switch the value of loggedIn between true and false.
If the problem goes away when loggedIn is true, and appears the same when loggedIn is false, the problem lies in your login class.
Check whether the problem is with authorization rather than authentication.
Change the telemetry channel definition to perform authorization checking using a fixed user ID. Select a user ID that is a member of the mqm group.
Rerun the client application.
If the problem disappears, the solution lies with the user ID being passed for authorization. What is the user name being passed? Print it to file from your login module. Check its access permissions using IBM MQ Explorer, or dspmqauth.
Example JAAS configuration
Use the New telemetry channel wizard, in IBM MQ Explorer, to configure a telemetry channel.
The JAAS configuration file has a stanza named JAASConfig that names the Java class security.jaas.JAASLogin, which JAAS is to use to authenticate clients.
When SYSTEM.MQTT.SERVICE starts, it adds the path in Figure 2 to its classpath.
Figure 3 shows the additional path in Figure 2 added to the classpath that is set up for the telemetry (MQXR) service.
The output in Figure 4 shows that the telemetry (MQXR) service has started.
When the client application connects to the JAAS channel, if com.ibm.mq.MQXR.JAASConfig=JAASWrongConfig does not match the name of a JAAS stanza in the jaas.config file, the connection fails, and the client throws an exception with a return code of 0; see Figure 5. The second exception, Client is not connected (32104), was thrown because the client attempted to disconnect when it was not connected.
mqxr.log contains additional output shown in Figure 5.
The error is detected by JAAS, which throws javax.security.auth.login.LoginException with the cause No LoginModules configured for JAAS. It could be caused, as in Figure 6, by a bad configuration name. It might also be the result of other problems JAAS has encountered loading the JAAS configuration.
If no exception is reported by JAAS, JAAS has successfully loaded the security.jaas.JAASLogin class named in the JAASConfig stanza.
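The stanza-name mismatch described above can be reproduced outside the telemetry (MQXR) service with the standard JAAS API, which separates a configuration problem from a problem in the login class. This is an added example, not IBM's sample code: the class JaasStanzaCheck, its nested TraceLogin module (a stand-in for security.jaas.JAASLogin), the temporary configuration file and the user name testClient are all assumptions.

```java
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

public class JaasStanzaCheck {
    // Hypothetical stand-in for security.jaas.JAASLogin: reports the user name it receives,
    // so you can see both that the module was called and which identity was passed to it.
    public static class TraceLogin implements LoginModule {
        private CallbackHandler handler;
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) { handler = h; }
        public boolean login() throws LoginException {
            NameCallback name = new NameCallback("user");
            try { handler.handle(new Callback[] { name }); }
            catch (Exception e) { throw new LoginException(e.toString()); }
            System.out.println("login module called, user=" + name.getName());
            return true;
        }
        public boolean commit() { return true; }
        public boolean abort() { return true; }
        public boolean logout() { return true; }
    }

    // Attempts a login against the named stanza and describes the outcome.
    static String tryLogin(String stanza) {
        try {
            LoginContext lc = new LoginContext(stanza, callbacks -> {
                for (Callback cb : callbacks)
                    if (cb instanceof NameCallback) ((NameCallback) cb).setName("testClient"); // constructed value
            });
            lc.login();
            return stanza + ": login module located, loaded and called";
        } catch (LoginException e) {
            return stanza + ": " + e; // JAAS could not find or load a module for this stanza
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed jaas.config with a single stanza named JAASConfig, as in the scenario.
        Path cfg = Files.createTempFile("jaas", ".config");
        Files.write(cfg, "JAASConfig {\n  JaasStanzaCheck$TraceLogin required;\n};\n".getBytes());
        System.setProperty("java.security.auth.login.config", cfg.toUri().toString());
        System.out.println(tryLogin("JAASConfig"));      // name matches the stanza
        System.out.println(tryLogin("JAASWrongConfig")); // name matches no stanza
    }
}
```

Compile with javac and run with java JaasStanzaCheck. To check a real module, name your own class in the stanza and put its directory on the classpath.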