Thank you for showing the output. That does indeed mean that your connection was blocked because the user ID Svc_Middleware is a privileged user id. I assume that is what you mean when you say it is the same as the "IBM MQ service user". I suspect you haven't realised that you are attempting to use a privileged user id since your script attempts to add authorities for that user id, when in fact it can already do anything.
So you have two choices as your way forward.
Allow this connection to use a privileged user ID - not advised, this would allow a remote user id access to your queue manager with the ability to issue ANY command.
Use a different user id - like in the situation you have where it already works.
If you want to know how to do the former (not advised) setup, then let me know; however, I do recommend you take the latter solution.
Original Message:
Sent: Thu June 05, 2025 08:49 PM
From: Thanga Perumal
Subject: AMQ9776E: Channel was blocked by userid
Hi Morag,
First and foremost, thank you for your feedback, and I apologize for the delay in my response.
I ran the command you provided, and below are the outputs.
DISPLAY CHLAUTH(ESB.BLKALDN.SVRCONN) MATCH(RUNCHECK) ALL ADDRESS('172.19.2.93') CLNTUSER('Svc_Middleware')
1 : DISPLAY CHLAUTH(ESB.BLKALDN.SVRCONN) MATCH(RUNCHECK) ALL ADDRESS('172.19.2.93') CLNTUSER('Svc_Middleware')
AMQ8878I: Display channel authentication record details.
CHLAUTH(*) TYPE(BLOCKUSER)
DESCR(Default rule to disallow privileged users)
CUSTOM( )
USERLIST(*MQADMIN) WARN(NO)
ALTDATE(2025-06-03) ALTTIME(17.38.07)
I realize I may not have clearly articulated my requirements, so I wanted to provide further clarification. My intention is to allow the remote IP and remote service user, Svc_Middleware, to establish a connection to the queue manager via the server connection channel ESB.BLKALDN.SVRCONN. Additionally, there is no need for username and password authentication for this connection.
The script I mentioned earlier works perfectly if the MQ service user is different from the application service user, whereas in my scenario, the application user and IBM MQ service user are the same, which is Svc_Middleware. Kindly disregard the command REFRESH SECURITY TYPE(CONNAUTH) as it was incorrectly copied in my previous post.
Thank you once again for your assistance, and I appreciate your further response on this.
Thanga
------------------------------
Thanga Perumal
Original Message:
Sent: Wed June 04, 2025 05:14 PM
From: Morag Hughson
Subject: AMQ9776E: Channel was blocked by userid
Hi Thanga,
The explanation in the error message tells you what has happened. The channel was blocked because the active values of the channel were mapped to a userid which should be blocked.
In the configuration that you have shown us, there are no CHLAUTH rules for blocking userids (that would be TYPE(BLOCKUSER)), however I suspect you haven't shown us everything. By default there is a TYPE(BLOCKUSER) rule that blocks all privileged users:
AMQ8878I: Display channel authentication record details.
CHLAUTH(*) TYPE(BLOCKUSER)
DESCR(Default rule to disallow privileged users)
CUSTOM( )
USERLIST(*MQADMIN) WARN(NO)
You can however, easily discover EXACTLY which CHLAUTH rule blocked you by entering the following command (as described by this post).
DISPLAY CHLAUTH(ESB.BLKALDN.SVRCONN) MATCH(RUNCHECK) ALL ADDRESS('172.19.2.93') CLNTUSER('Svc_Middleware')
I suspect you will discover that the answer is the above default rule and that your client side presented userid, Svc_Middleware, is a privileged one.
However, it is odd that you are adding authorities to it in your configuration if it is privileged since that would be unnecessary.
You have also shown that you are using CONNAUTH from the refresh command, but have not shown us any configuration for that, nor suggested that your application is sending in a userid and password.
So there is a lot we don't know about your setup, but the above DISPLAY command is certainly your first step.
Cheers,
Morag
------------------------------
Morag Hughson
MQ Technical Education Specialist
MQGem Software Limited
Website: https://www.mqgem.com
Original Message:
Sent: Wed June 04, 2025 12:19 AM
From: Thanga Perumal
Subject: AMQ9776E: Channel was blocked by userid
Hi Team,
I want to bring to your attention an issue that I have encountered with our virtual machines. I have two Windows VMs, VM1 and VM2, where VM1 is configured for IBM MQ 9.4.2 and VM2 is for the IBM ACE V13 Integration node. The message flow deployed on VM2 connects to the queue on VM1 via a client using the server connection channel, host, and port.
Both VM1 and VM2 are running services using the same domain account username (Working fine with a different domain account). However, when the MQ input node attempts to establish the connection, the following error has been spotted on the Queue manager log.
I would appreciate it if you could take a look at the issue and provide your insights on how we can resolve it. Thank you for your assistance.
MQSC Commands:
DEFINE CHANNEL(ESB.BLKALDN.SVRCONN) CHLTYPE(SVRCONN) TRPTYPE(TCP) DESCR('Server connection for ESB Server') REPLACE
SET AUTHREC OBJTYPE(QMGR) PRINCIPAL('Svc_Middleware@APAC') AUTHADD(ALL)
SET AUTHREC PROFILE('*') OBJTYPE(QUEUE) PRINCIPAL('Svc_Middleware@apac') AUTHADD(ALL)
SET AUTHREC PROFILE('SYSTEM.ADMIN.COMMAND.QUEUE') OBJTYPE(QUEUE) PRINCIPAL('Svc_Middleware@apac') AUTHADD(ALL)
SET CHLAUTH('ESB.BLKALDN.SVRCONN') TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(NOACCESS)
SET CHLAUTH(ESB.BLKALDN.SVRCONN) TYPE(ADDRESSMAP) ADDRESS('172.19.2.93') USERSRC(CHANNEL) ACTION(ADD)
REFRESH SECURITY TYPE(CONNAUTH)
Error:
03/06/2025 15:57:25 - Process(6292.2) User(Svc_Middleware) Program(amqrmppa.exe)
Host(CMNRMQDV01) Installation(v9420)
VRMF(9.4.2.0) QMgr(MYMQ)
Time(2025-06-03T05:57:25.041Z)
RemoteHost(172.19.2.93)
CommentInsert1(ESB.BLKALDN.SVRCONN)
CommentInsert2(172.19.2.93)
CommentInsert3(MCAUSER(Svc_Middleware) CLNTUSER(Svc_Middleware) ADDRESS(cmnresbdv02))
AMQ9776E: Channel was blocked by userid
EXPLANATION:
The inbound channel 'ESB.BLKALDN.SVRCONN' was blocked from address
'172.19.2.93' because the active values of the channel were mapped to a userid
which should be blocked. The active values of the channel were
'MCAUSER(Svc_Middleware) CLNTUSER(Svc_Middleware) ADDRESS(cmnresbdv02)'.
ACTION:
Contact the systems administrator, who should examine the channel
authentication records to ensure that the correct settings have been
configured. The ALTER QMGR CHLAUTH switch is used to control whether channel
authentication records are used. The command DISPLAY CHLAUTH can be used to
query the channel authentication records.
------------------------------
Thanga Perumal
------------------------------
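As an added example (not part of any post in this thread, and not IBM or MQGem code): a small Python triage script that pulls AMQ9776E entries out of a queue manager error log and builds the DISPLAY CHLAUTH ... MATCH(RUNCHECK) command suggested earlier in the thread for each one. The sample log is constructed from the entry quoted above, and treating the log header's User() value as the MQ service account is an assumption.

```python
import re

# Constructed sample: entry 1 mirrors the AMQ9776E entry in this thread, entry 2 is unrelated.
SAMPLE_LOG = """\
03/06/2025 15:57:25 - Process(6292.2) User(Svc_Middleware) Program(amqrmppa.exe)
 CommentInsert1(ESB.BLKALDN.SVRCONN)
 CommentInsert2(172.19.2.93)
 CommentInsert3(MCAUSER(Svc_Middleware) CLNTUSER(Svc_Middleware) ADDRESS(cmnresbdv02))
AMQ9776E: Channel was blocked by userid
-----
03/06/2025 16:02:10 - Process(6292.3) User(Svc_Middleware) Program(amqrmppa.exe)
AMQ9999E: Channel ended abnormally.
-----
"""

FIELD = re.compile(r"\b(User|CommentInsert1|CommentInsert2|MCAUSER|CLNTUSER)\(([^()]*)\)")
SAFE = re.compile(r"[\w.%/:@$-]+")  # characters allowed into a generated MQSC command

def blocked_by_userid(log_text):
    """Return one finding per AMQ9776E entry in an MQ error log."""
    findings = []
    for entry in re.split(r"(?m)^-----.*$", log_text):
        if "AMQ9776E" not in entry:
            continue
        f = {}
        for key, value in FIELD.findall(entry):
            f.setdefault(key, value)  # first occurrence wins over the EXPLANATION echo
        mcauser = f.get("MCAUSER", "")
        findings.append({
            "channel": f.get("CommentInsert1", ""),
            "address": f.get("CommentInsert2", ""),
            "mcauser": mcauser,
            "clntuser": f.get("CLNTUSER", ""),
            # Assumption: User() is the account running the channel process (MQ service user).
            "is_service_account": bool(mcauser) and mcauser.lower() == f.get("User", "").lower(),
        })
    return findings

def runcheck_command(finding):
    """Build the DISPLAY CHLAUTH ... MATCH(RUNCHECK) command for one finding."""
    for key in ("channel", "address", "clntuser"):
        if not SAFE.fullmatch(finding[key]):
            raise ValueError(f"unexpected characters in {key}: {finding[key]!r}")
    return ("DISPLAY CHLAUTH({channel}) MATCH(RUNCHECK) ALL "
            "ADDRESS('{address}') CLNTUSER('{clntuser}')").format(**finding)

if __name__ == "__main__":
    for finding in blocked_by_userid(SAMPLE_LOG):
        print(finding, runcheck_command(finding), sep="\n")
```

A finding with `is_service_account` set means the client asserted the same account the queue manager runs under, which is the situation the default `*MQADMIN` BLOCKUSER rule rejects.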