You said in your initial question that you had made the user ID a member of the mqm group. Can you please confirm that is the case? I don't see where it says that in your output. If the user ID is not a member of the mqm group then that explains why it does not have authority and you will have to grant it the required authorities as John showed you in his answer. If you do want it to be a member of the mqm group then it will have authority to do everything, but it does seem that you have not managed to do that step?
Original Message:
Sent: Mon October 04, 2021 06:01 AM
From: Brajendra Kumar
Subject: 2035' ('MQRC_NOT_AUTHORIZED').
Thanks Morag Hughson.
Q1) You say that you have created a user ID which is a member of the mqm group. Is that the user id "hjusermule@na" which is shown in your error message? Is the "@na" part a truncated domain, or is that the whole thing?
A: NA is the domain name.
Can you display the group membership of the user id "hjusermule@na"
NET USER HjuserMule /domain
REFRESH SECURITY TYPE(AUTHSERV)
You say that you have "disable the authentication". Do you mean that you have set CHLAUTH to DISABLED?
That is, the "authentication" that you have disabled is only the Channel Authentication and not the Connection Authentication (CONNAUTH) which you then show us commands for?
A: I have disabled channel authentication (CHLAUTH).
What happens if the connection is made with a deliberately incorrect password for that user ID? This is a very good way to test your Connection Authentication set up is working.
A: The client app won't connect to the queue manager if the user or password is wrong.
DISPLAY QMGR CONNAUTH
DISPLAY AUTHINFO(SYSTEM.DEFAULT.AUTHINFO.IDPWOS) ALL

I am facing connectivity error from client side (mulesoft application)
I have made changes in qm.ini
KeepAlive=Yes --- as per my understanding it is a MuleSoft issue. We can configure TCP in qm.ini.
I haven't configured qm.ini with the below. Do I need to add the below part in TCP or not?
SndBuffSize=0
RcvBuffSize=0
RcvSndBuffSize=0
RcvRcvBuffSize=0
ClntSndBuffSize=0
ClntRcvBuffSize=0
SvrSndBuffSize=0
SvrRcvBuffSize=0
KeepAlive= YES
Connect_Timeout= 0
mulesoft log
com.ibm.msg.client.jms.DetailedJMSException: JMSWMQ1107: A problem with this connection has occurred.
{"timestamp":"2021-08-25T11:56:23,989","level":"WARN","thread":"JMSCCThreadPoolWorker-5","loggerName":"org.mule.jms.commons.internal.connection.IBMJmsCachingConnectionFactory","message":"Could not close shared JMS Connection"}
com.ibm.msg.client.jms.DetailedJMSException: JMSWMQ0019: Failed to disconnect from queue manager 'MHLXAMQD_QMGR' using connection mode '1' and host name '172.18.64.156(1414)'.
Caused by: com.ibm.mq.MQException: JMSCMQ0001: IBM MQ call failed with compcode '2' ('MQCC_FAILED') reason '2009' ('MQRC_CONNECTION_BROKEN').
at com.ibm.msg.client.wmq.common.internal.Reason.createException(Reason.java:203) ~[com.ibm.mq.allclient-9.1.1.0.jar:9.1.1.0 - p911-L181121.DE]
... 14 more
------------------------------
Brajendra Kumar
Original Message:
Sent: Mon October 04, 2021 04:45 AM
From: Morag Hughson
Subject: 2035' ('MQRC_NOT_AUTHORIZED').
Hi Brajendra,
Q1) You say that you have created a user ID which is a member of the mqm group. Is that the user id "hjusermule@na" which is shown in your error message? Is the "@na" part a truncated domain, or is that the whole thing?
Q2) Can you display the group membership of the user id "hjusermule@na"
Q3) You say that you have "disable the authentication". Do you mean that you have set CHLAUTH to DISABLED? That is, the "authentication" that you have disabled is only the Channel Authentication and not the Connection Authentication (CONNAUTH) which you then show us commands for?
Q4) What happens if the connection is made with a deliberately incorrect password for that user ID? This is a very good way to test your Connection Authentication set up is working.
Q5) Could you show us the full settings for Connection Authentication, which is pertinent here since your application is connecting using a user ID and password. Could you issue the following commands and show us the output.
DISPLAY QMGR CONNAUTH
DISPLAY AUTHINFO(SYSTEM.DEFAULT.AUTHINFO.IDPWOS) ALL
Let me explain why I am asking you these questions. What should happen is the following:-
- Application connects using user id hjusermule and password.
- Queue manager checks whether the user id and password combination are correct since you have the CHCKCLNT(OPTIONAL) setting. This means check the password if it is provided, but don't mandate a password if it is not provided.
- The Queue manager applies the validated password to the MCAUSER of the channel, if you have the ADOPTCTX(YES) setting. You haven't shown us this, hence my Q5) but since you don't have errors mentioning NOAUTH which is your hard-coded MCAUSER, I assume you have it set.
- Authority checks are done using the MCAUSER that the channel is running with. Since we see the authority checks mentioning hjusermule in some format, this also makes it likely that ADOPTCTX is set to YES. You have told us that hjusermule is in the mqm group, but the authority checks appear to refute that statement, since an mqm group member will not fail an authority check. Hence my Q2). Did you remember to issue REFRESH SECURITY TYPE(AUTHSERV) after you changed the group membership of the user id?
Cheers,
Morag
------------------------------
Morag Hughson
MQ Technical Education Specialist
MQGem Software Limited
Website: https://www.mqgem.com
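The flow Morag describes above, as an added example that is not part of the original thread and is not IBM MQ code: a simplified Python model of the password check, ADOPTCTX, and the authority check against the user the channel ends up running as. The class, its field names, and the password are constructed for illustration; the point is that the user ID named in the failure tells you which stage rejected the connection.

```python
from dataclasses import dataclass, field

MQRC_NONE, MQRC_NOT_AUTHORIZED = 0, 2035

@dataclass
class QueueManager:
    """Toy model of the checks in the thread; not IBM MQ code."""
    chckclnt: str = "OPTIONAL"      # NONE | OPTIONAL | REQUIRED
    adoptctx: bool = True           # ADOPTCTX(YES)
    mcauser: str = "NOAUTH"         # hard-coded MCAUSER on the SVRCONN channel
    passwords: dict = field(default_factory=dict)     # constructed OS accounts
    groups: dict = field(default_factory=dict)        # user -> set of groups
    connect_grants: set = field(default_factory=set)  # users/groups given +connect

    def connect(self, user=None, password=None):
        """Return (reason code, user ID used for the authority check)."""
        supplied = user is not None and password is not None
        if self.chckclnt == "REQUIRED" and not supplied:
            return MQRC_NOT_AUTHORIZED, None
        checked = supplied and self.chckclnt != "NONE"
        if checked and self.passwords.get(user) != password:
            return MQRC_NOT_AUTHORIZED, None   # rejected before any authority check
        # ADOPTCTX(YES): the validated user replaces the channel's MCAUSER.
        effective = user if (checked and self.adoptctx) else self.mcauser
        member_of = self.groups.get(effective, set())
        if "mqm" in member_of:                 # mqm members pass every check
            return MQRC_NONE, effective
        if effective in self.connect_grants or member_of & self.connect_grants:
            return MQRC_NONE, effective
        return MQRC_NOT_AUTHORIZED, effective  # the entity AMQ8077W would name

def scenarios():
    """Run the thread's cases; "s3cret" is a constructed password."""
    qm = QueueManager(passwords={"hjusermule": "s3cret"})
    out = {"not_in_mqm": qm.connect("hjusermule", "s3cret"),
           "bad_password": qm.connect("hjusermule", "wrong")}
    qm.groups["hjusermule"] = {"mqm"}
    out["in_mqm"] = qm.connect("hjusermule", "s3cret")
    qm.adoptctx = False            # ADOPTCTX(NO): checks fall back to MCAUSER
    out["no_adopt"] = qm.connect("hjusermule", "s3cret")
    return out
```

In this model a 2035 that names hjusermule means the password was accepted and the authority check failed, while a 2035 that names NOAUTH means the validated user was never adopted.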
Original Message:
Sent: Fri October 01, 2021 09:23 AM
From: Brajendra Kumar
Subject: 2035' ('MQRC_NOT_AUTHORIZED').
Hi ,
I have created one user for the client application (MuleSoft) and made it a member of the mqm group. I have created one server channel.
So the Mule application connects to the queue manager via the server channel and puts the message in an MQ queue. We have run the below commands and also disabled the authentication.
ALTER AUTHINFO(SYSTEM.DEFAULT.AUTHINFO.IDPWOS) AUTHTYPE(IDPWOS) CHCKCLNT(OPTIONAL)
REFRESH SECURITY TYPE(CONNAUTH)
ALTER CHL(SYSTEM.DEF.SVRCONN) CHLTYPE(SVRCONN) MCAUSER('NOAUTH')
Now when the Mule application tries to connect to the queue manager, it gets the below error.
Please advise me what further configuration I have to do so the Mule application will connect to the queue manager.
org.mule.runtime.api.connection.ConnectionException: JMSWMQ2013: The security authentication was not valid that was supplied for queue manager 'QWCOV9JMPLB01_QMGR' with connection mode 'Client' and host name '172.19.59.167(1416)'.
org.mule.runtime.api.connection.ConnectionException: JMSWMQ2013: The security authentication was not valid that was supplied for queue manager 'QWCOV9JMPLB01_QMGR' with connection mode 'Client' and host name '172.19.59.167(1416)'.
Caused by: com.ibm.msg.client.jms.DetailedJMSSecurityException: JMSWMQ2013: The security authentication was not valid that was supplied for queue manager 'QWCOV9JMPLB01_QMGR' with connection mode 'Client' and host name '172.19.59.167(1416)'. Please check if the supplied username and password are correct on the queue manager to which you are connecting. For further information, review the queue manager error logs and the Securing IBM MQ topic within IBM Knowledge Center.
Caused by: com.ibm.mq.MQException: JMSCMQ0001: IBM MQ call failed with compcode '2' ('MQCC_FAILED') reason '2035' ('MQRC_NOT_AUTHORIZED').
at com.ibm.msg.client.wmq.common.internal.Reason.createException(Reason.java:203)
... 102 more
MQ log: I try to connect through RFH util with use CSP
----- cmqxrsrv.c : 2580 -------------------------------------------------------
9/30/2021 07:52:53 - Process(7772.455) User(HjUser) Program(amqzlaa0.exe)
Host(QWCOV9JMPLB01) Installation(Installation1)
VRMF(9.2.1.0) QMgr(QWCOV9JMPLB01_QMGR)
Time(2021-09-30T14:52:53.533Z)
CommentInsert1(hjusermule@na)
CommentInsert2(QWCOV9JMPLB01_QMGR [qmgr])
CommentInsert3(connect)
AMQ8077W: Entity 'hjusermule@na' has insufficient authority to access object
QWCOV9JMPLB01_QMGR [qmgr].
EXPLANATION:
The specified entity is not authorized to access the required object. The
following requested permissions are unauthorized: connect
ACTION:
Ensure that the correct level of authority has been set for this entity against
the required object, or ensure that the entity is a member of a privileged
group.
----- amqzfubn.c : 1265 -------------------------------------------------------
9/30/2021 07:52:53 - Process(1744.438) User(HjUser) Program(amqrmppa.exe)
Host(QWCOV9JMPLB01) Installation(Installation1)
VRMF(9.2.1.0) QMgr(QWCOV9JMPLB01_QMGR)
Time(2021-09-30T14:52:53.533Z)
ArithInsert1(2) ArithInsert2(2035)
CommentInsert1(HjuserMule)
AMQ9557E: Queue Manager User ID initialization failed for 'HjuserMule'.
------------------------------
Brajendra Kumar
------------------------------
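An added example, not part of the original thread: a small Python parser for the queue manager error log format quoted in the message above, which pulls out each AMQ8077W entry's entity, object and missing permission. The sample is abridged from the log in the thread; the function names are this example's own, and it assumes entries are separated by the `-----` trailer lines as shown there.

```python
import re

# Abridged from the queue manager error log quoted in the thread above.
SAMPLE_LOG = """\
9/30/2021 07:52:53 - Process(7772.455) User(HjUser) Program(amqzlaa0.exe)
Host(QWCOV9JMPLB01) Installation(Installation1)
VRMF(9.2.1.0) QMgr(QWCOV9JMPLB01_QMGR)
Time(2021-09-30T14:52:53.533Z)
CommentInsert1(hjusermule@na)
CommentInsert2(QWCOV9JMPLB01_QMGR [qmgr])
CommentInsert3(connect)
AMQ8077W: Entity 'hjusermule@na' has insufficient authority to access object
QWCOV9JMPLB01_QMGR [qmgr].
----- amqzfubn.c : 1265 -------------------------------------------------------
9/30/2021 07:52:53 - Process(1744.438) User(HjUser) Program(amqrmppa.exe)
Time(2021-09-30T14:52:53.533Z)
ArithInsert1(2) ArithInsert2(2035)
CommentInsert1(HjuserMule)
AMQ9557E: Queue Manager User ID initialization failed for 'HjuserMule'.
-----
"""

def parse_entries(text):
    """Split the log on its '-----' trailer lines; return one dict per entry."""
    entries = []
    for raw in re.split(r"(?m)^-----.*$", text):
        msg = re.search(r"^(AMQ\d{4}[A-Z]?):", raw, re.M)
        if not msg:
            continue  # blank chunk or an entry without a message ID
        inserts = {f"{kind}{n}": val for kind, n, val in
                   re.findall(r"(Comment|Arith)Insert(\d)\(([^)]*)\)", raw)}
        when = re.search(r"Time\(([^)]*)\)", raw)
        entries.append({"id": msg.group(1), "inserts": inserts,
                        "time": when.group(1) if when else None})
    return entries

def authority_failures(text):
    """Summarise AMQ8077W entries: who lacked what on which object."""
    out = []
    for e in parse_entries(text):
        if e["id"] != "AMQ8077W":
            continue
        ins = e["inserts"]
        name, _, otype = ins.get("Comment2", "").partition(" [")
        out.append({"time": e["time"], "entity": ins.get("Comment1"),
                    "object": name, "type": otype.rstrip("]"),
                    "missing": ins.get("Comment3")})
    return out
```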