MQ version 9.3.0.20 LTS, on Linux/Ubuntu

Create the user local to the MQ server:

# groupadd usertest
# useradd -g usertest usertest
** set the password for user usertest

Create the channel:

DEFINE CHANNEL('QMName.customer.IN') CHLTYPE(SVRCONN) CERTLABL(' ') COMPHDR(NONE) COMPMSG(NONE) DESCR('Test connection from nifi customer to QMName') DISCINT(0) HBINT(300) KAINT(AUTO) MAXINST(999999999) MAXINSTC(999999999) MAXMSGL(4194304) MCAUSER('usertest') MONCHL(QMGR) RCVDATA(' ') RCVEXIT(' ') SCYDATA(' ') SCYEXIT(' ') SENDDATA(' ') SENDEXIT(' ') SHARECNV(10) TRPTYPE(TCP) REPLACE

(Using existing Queue Local)

set authrec objtype(QMGR) principal('usertest') authadd(connect, inq)
set authrec profile('LocalQueueName.QL') objtype(QUEUE) principal('usertest') authadd(PUT, GET, INQ, BROWSE)
setmqaut -m ourQM -n QMName.customer.IN -t channel -g usertest +chg +dlt +dsp +ctrl +ctrlx

Part of the error message: "IBM MQ call failed with compcode '2' ('MQCC_FAILED') reason '2035' ('MQRC_NOT_AUTHORIZED')."

The error also says to verify the username/password which we have verified.

Am I missing something like adding the user 'usertest' to group 'mqm'?  I didn't think I needed to do that unless I wanted to grant admin to the 'usertest' which I do not.  Any help appreciated.

Hi Eric,

The reason code 2035 (MQRC_NOT_AUTHORIZED) covers a number of possibilities which are not articulated to the client - it just gets told "no - for security reasons". This is standard practice not to give out the reasons for a security failure to the entity making the attempt, for what are hopefully obvious reasons. Your comment about "The error also says to verify the username/password which we have verified," suggests to me that this is a JMS application, because that particular interface includes a hint that your 2035 error might have been because your password was wrong when it displays the exception to you.

While the application cannot glean further details on its own, as the administrator of the queue manager, however, you can discover all the exact details of the security failure by viewing the queue manager's AMQERR01.LOG file and reading the error messages written to that file.

You may see errors associated with any of the following issues as a result of a 2035 reason code:

• CHLAUTH rules blocking your client application
• CONNAUTH password validation failures
• Missing authorizations, including showing exactly what was missing to allow it to be easily rectified with a SET AUTHREC (or setmqaut) command.

If I had to guess, from your question text, I would guess it might be the first of those three, simply because you have not mentioned anything about CHLAUTH, and because you have a setmqaut command granted your 'usertest' user id the ability to issue administrative commands on a channel definition of the name ' QMName.customer.IN" which is not something a client connected application would need.

However, guessing is not useful - viewing the AMQERR01.LOG is the thing to do here to find out exactly what is going on.

Cheers,
Morag

MQ version 9.3.0.20 LTS, on Linux/Ubuntu

Create the user local to the MQ server:

# groupadd usertest
# useradd -g usertest usertest
** set the password for user usertest

Create the channel:

DEFINE CHANNEL('QMName.customer.IN') CHLTYPE(SVRCONN) CERTLABL(' ') COMPHDR(NONE) COMPMSG(NONE) DESCR('Test connection from nifi customer to QMName') DISCINT(0) HBINT(300) KAINT(AUTO) MAXINST(999999999) MAXINSTC(999999999) MAXMSGL(4194304) MCAUSER('usertest') MONCHL(QMGR) RCVDATA(' ') RCVEXIT(' ') SCYDATA(' ') SCYEXIT(' ') SENDDATA(' ') SENDEXIT(' ') SHARECNV(10) TRPTYPE(TCP) REPLACE

(Using existing Queue Local)

set authrec objtype(QMGR) principal('usertest') authadd(connect, inq)
set authrec profile('LocalQueueName.QL') objtype(QUEUE) principal('usertest') authadd(PUT, GET, INQ, BROWSE)
setmqaut -m ourQM -n QMName.customer.IN -t channel -g usertest +chg +dlt +dsp +ctrl +ctrlx

Part of the error message: "IBM MQ call failed with compcode '2' ('MQCC_FAILED') reason '2035' ('MQRC_NOT_AUTHORIZED')."

The error also says to verify the username/password which we have verified.

Am I missing something like adding the user 'usertest' to group 'mqm'?  I didn't think I needed to do that unless I wanted to grant admin to the 'usertest' which I do not.  Any help appreciated.

MQ version 9.3.0.20 LTS, on Linux/Ubuntu

Create the user local to the MQ server:

# groupadd usertest
# useradd -g usertest usertest
** set the password for user usertest

Create the channel:

DEFINE CHANNEL('QMName.customer.IN') CHLTYPE(SVRCONN) CERTLABL(' ') COMPHDR(NONE) COMPMSG(NONE) DESCR('Test connection from nifi customer to QMName') DISCINT(0) HBINT(300) KAINT(AUTO) MAXINST(999999999) MAXINSTC(999999999) MAXMSGL(4194304) MCAUSER('usertest') MONCHL(QMGR) RCVDATA(' ') RCVEXIT(' ') SCYDATA(' ') SCYEXIT(' ') SENDDATA(' ') SENDEXIT(' ') SHARECNV(10) TRPTYPE(TCP) REPLACE

(Using existing Queue Local)

set authrec objtype(QMGR) principal('usertest') authadd(connect, inq)
set authrec profile('LocalQueueName.QL') objtype(QUEUE) principal('usertest') authadd(PUT, GET, INQ, BROWSE)
setmqaut -m ourQM -n QMName.customer.IN -t channel -g usertest +chg +dlt +dsp +ctrl +ctrlx

Part of the error message: "IBM MQ call failed with compcode '2' ('MQCC_FAILED') reason '2035' ('MQRC_NOT_AUTHORIZED')."

The error also says to verify the username/password which we have verified.

Am I missing something like adding the user 'usertest' to group 'mqm'?  I didn't think I needed to do that unless I wanted to grant admin to the 'usertest' which I do not.  Any help appreciated.

Thank you both for your help.  I'm a 20+ year Oracle DBA given the task of managing our MQ's in prod, test and dev and I'm trying to understand everything by looking at what already exists and when tasked to create new users/channels/queues/authorizations I'm trying to compare to existing setups but clearly missing things.  Is there a set of steps out there that go from user creation all the way to having the user/channel/queue/authorization commands?  I'll check the AMQERR01.LOG but it usually just shows the error message I've already described.  I'll update here with more info asap.

MQ version 9.3.0.20 LTS, on Linux/Ubuntu

Create the user local to the MQ server:

# groupadd usertest
# useradd -g usertest usertest
** set the password for user usertest

Create the channel:

DEFINE CHANNEL('QMName.customer.IN') CHLTYPE(SVRCONN) CERTLABL(' ') COMPHDR(NONE) COMPMSG(NONE) DESCR('Test connection from nifi customer to QMName') DISCINT(0) HBINT(300) KAINT(AUTO) MAXINST(999999999) MAXINSTC(999999999) MAXMSGL(4194304) MCAUSER('usertest') MONCHL(QMGR) RCVDATA(' ') RCVEXIT(' ') SCYDATA(' ') SCYEXIT(' ') SENDDATA(' ') SENDEXIT(' ') SHARECNV(10) TRPTYPE(TCP) REPLACE

(Using existing Queue Local)

set authrec objtype(QMGR) principal('usertest') authadd(connect, inq)
set authrec profile('LocalQueueName.QL') objtype(QUEUE) principal('usertest') authadd(PUT, GET, INQ, BROWSE)
setmqaut -m ourQM -n QMName.customer.IN -t channel -g usertest +chg +dlt +dsp +ctrl +ctrlx

Part of the error message: "IBM MQ call failed with compcode '2' ('MQCC_FAILED') reason '2035' ('MQRC_NOT_AUTHORIZED')."

The error also says to verify the username/password which we have verified.

Am I missing something like adding the user 'usertest' to group 'mqm'?  I didn't think I needed to do that unless I wanted to grant admin to the 'usertest' which I do not.  Any help appreciated.

Hi Eric,

If I could only give you one piece of advice in your journey to learn to manage MQ, it would be to remember the location of the AMQERR01.LOG and to always check whenever you have any issue. It will most certainly give you more information than you currently have about your failure, including everything you need to fix the problem. You have not actually shown us an error message in your earlier thread, just a reason code (2035), but application side errors are often paired with much more information on the queue manager side. Hopefully when you look in your AMQERR01.LOG file for this problem you will see what I mean.

As to some resources to help, take a look at some of these:-

• Configuring a queue manager to accept client connections on Multiplatforms
• Getting going without turning off IBM MQ Security
• A non-privileged MQ administrator
• I'm being blocked by CHLAUTH – how can I work out why?
• CHLAUTH – Allow some privileged admins

Cheers,
Morag

Thank you both for your help.  I'm a 20+ year Oracle DBA given the task of managing our MQ's in prod, test and dev and I'm trying to understand everything by looking at what already exists and when tasked to create new users/channels/queues/authorizations I'm trying to compare to existing setups but clearly missing things.  Is there a set of steps out there that go from user creation all the way to having the user/channel/queue/authorization commands?  I'll check the AMQERR01.LOG but it usually just shows the error message I've already described.  I'll update here with more info asap.

MQ version 9.3.0.20 LTS, on Linux/Ubuntu

Create the user local to the MQ server:

# groupadd usertest
# useradd -g usertest usertest
** set the password for user usertest

Create the channel:

DEFINE CHANNEL('QMName.customer.IN') CHLTYPE(SVRCONN) CERTLABL(' ') COMPHDR(NONE) COMPMSG(NONE) DESCR('Test connection from nifi customer to QMName') DISCINT(0) HBINT(300) KAINT(AUTO) MAXINST(999999999) MAXINSTC(999999999) MAXMSGL(4194304) MCAUSER('usertest') MONCHL(QMGR) RCVDATA(' ') RCVEXIT(' ') SCYDATA(' ') SCYEXIT(' ') SENDDATA(' ') SENDEXIT(' ') SHARECNV(10) TRPTYPE(TCP) REPLACE

(Using existing Queue Local)

set authrec objtype(QMGR) principal('usertest') authadd(connect, inq)
set authrec profile('LocalQueueName.QL') objtype(QUEUE) principal('usertest') authadd(PUT, GET, INQ, BROWSE)
setmqaut -m ourQM -n QMName.customer.IN -t channel -g usertest +chg +dlt +dsp +ctrl +ctrlx

Part of the error message: "IBM MQ call failed with compcode '2' ('MQCC_FAILED') reason '2035' ('MQRC_NOT_AUTHORIZED')."

The error also says to verify the username/password which we have verified.

Am I missing something like adding the user 'usertest' to group 'mqm'?  I didn't think I needed to do that unless I wanted to grant admin to the 'usertest' which I do not.  Any help appreciated.

Thank you for all your help!  

I have verified the following values on our prod, test and dev MQs.
CHLAUTH(DISABLED) and CHCKCLNT(REQDADM)
This MQ will be replacing our existing Test MQ, patched to 9.3.0.20 LTS
It looks like in addition to the local user 'mqm' there is also a group 'mqclient' used on all MQs.
All users/customers related to the MQ are members of the 'mqclient' group (not mqm).

Here are the steps I've taken as of this morning, so ignore the steps in the original post:

Create SVRCONN channel and QL using MCAUSER()
========================================
# groupadd anrtest
# groupadd mqclient
# useradd -g anrtest anrtest
# usermod -a -G mqclient anrtest
** set the password for user anrtest

DEFINE CHANNEL('QMESBMGMA.ANR.IN') CHLTYPE(SVRCONN) CERTLABL(' ') COMPHDR(NONE) COMPMSG(NONE) DESCR('Test connection from ANR to QMESBMGMA') DISCINT(0) HBINT(300) KAINT(AUTO) MAXINST(999999999) MAXINSTC(999999999) MAXMSGL(4194304) MCAUSER('anrtest') MONCHL(QMGR) RCVDATA(' ') RCVEXIT(' ') SCYDATA(' ') SCYEXIT(' ') SENDDATA(' ') SENDEXIT(' ') SHARECNV(10) TRPTYPE(TCP) REPLACE

DEFINE QLOCAL('US.GOV.DOD.AF.IL.TEST.ANR.QL') ACCTQ(QMGR) BOQNAME(' ') BOTHRESH(0) CLUSNL(' ') CLUSTER(' ') CLCHNAME(' ') CLWLPRTY(0) CLWLRANK(0) CLWLUSEQ(QMGR) CUSTOM(' ') DEFBIND(OPEN) DEFPRTY(0) DEFPSIST(NO) DEFPRESP(SYNC) DEFREADA(NO) DEFSOPT(SHARED) DESCR('Test queue for ANR') DISTL(NO) GET(ENABLED) HARDENBO IMGRCOVQ(QMGR) INITQ(' ') MAXDEPTH(5000) MAXMSGL(4194304) MAXFSIZE(DEFAULT) MONQ(QMGR) MSGDLVSQ(PRIORITY) NOTRIGGER NPMCLASS(NORMAL) PROCESS(' ') PUT(ENABLED) PROPCTL(V6COMPAT) QDEPTHHI(80) QDEPTHLO(20) QDPHIEV(DISABLED) QDPLOEV(DISABLED) QDPMAXEV(ENABLED) QSVCIEV(NONE) QSVCINT(999999999) RETINTVL(999999999) SCOPE(QMGR) SHARE STATQ(QMGR) STREAMQ(' ') STRMQOS(BESTEF) TRIGDATA(' ') TRIGDPTH(1) TRIGMPRI(0) TRIGTYPE(FIRST) USAGE(NORMAL) REPLACE

set authrec objtype(QMGR) principal('anrtest') authadd(connect, inq)
setmqaut -m QMESBMGMA -n US.GOV.DOD.AF.IL.TEST.ANR.QL -t queue -g mqclient +put +get +browse +inq
set authrec profile('US.GOV.DOD.AF.IL.TEST.ANR.QL') objtype(QUEUE) principal('anrtest') authadd(PUT, GET, INQ, BROWSE)
setmqaut -m QMESBMGMA -n QMESBMGMA.ANR.IN -t channel -g anrtest +chg +dlt +dsp +ctrl +ctrlx
setmqaut -m QMESBMGMA -n QMESBMGMA.ANR.IN -t channel -g mqclient +chg +dlt +dsp +ctrl +ctrlx
setmqaut -m QMESBMGMA -n QMESBMGMA.ANR.IN -t channel -g mqm +chg +dlt +dsp +ctrl +ctrlx  (may not be needed, mqm should have rights)

AMQERR01.LOG
=============
09/25/24 14:18:14 - Process(14556.501) User(mqm) Program(amqzlaa0)
                    Host(xxxxxxxxxxxxx) Installation(Installation1)
                    VRMF(9.3.0.20) QMgr(QMESBMGMA)
                    Time(2024-09-25T14:18:14.733Z)
                    CommentInsert1(anrtest)
                    CommentInsert2(SYSTEM.DEFAULT.AUTHINFO.IDPWOS)
                    CommentInsert3(CHCKCLNT(REQDADM))

AMQ5542I: The failed authentication check was caused by the queue manager
CONNAUTH CHCKCLNT(REQDADM) configuration.

EXPLANATION:
The user ID 'anrtest' and its password were checked because the queue manager
connection authority (CONNAUTH) configuration refers to an authentication
information (AUTHINFO) object named 'SYSTEM.DEFAULT.AUTHINFO.IDPWOS' with
CHCKCLNT(REQDADM).

This message accompanies a previous error to clarify the reason for the user ID
and password check.
ACTION:
Refer to the previous error for more information.

Ensure that a password is specified by the client application and that the
password is correct for the user ID. The authentication configuration of the
queue manager connection determines the user ID repository. For example, the
local operating system user database or an LDAP server.

Note that if the authentication configuration specifies an LDAP user
repository, a CHCKCLNT value of REQADM is treated as equivalent to a value of
OPTIONAL.

If the CHCKCLNT setting is OPTIONAL, the authentication check can be avoided by
not passing a user ID across the channel. For example, by omitting the MQCSP
structure from the client MQCONNX API call.

09/25/24 14:18:14 - Process(14556.500) User(mqm) Program(amqzlaa0)
                    Host(xxxxxxxxxxxxx) Installation(Installation1)
                    VRMF(9.3.0.20) QMgr(QMESBMGMA)
                    Time(2024-09-25T14:18:14.739Z)
                    CommentInsert1(anrtest)
                    CommentInsert2(org.apache.nifi.NiFi)
                    CommentInsert3(Pipe returned 2035 [FAILED])

AMQ5534E: User ID 'anrtest' authentication failed

EXPLANATION:
The user ID and password supplied by the 'org.apache.nifi.NiFi' program could
not be authenticated.
Additional information: 'Pipe returned 2035 [FAILED]'.
ACTION:
Ensure that the correct user ID and password are provided by the application.
Ensure that the authentication repository is correctly configured. Look at
previous error messages for any additional information.
----- amqzfuca.c : 4906 -------------------------------------------------------
09/25/24 14:18:14 - Process(14556.500) User(mqm) Program(amqzlaa0)
                    Host(xxxxxxxxxxxxx) Installation(Installation1)
                    VRMF(9.3.0.20) QMgr(QMESBMGMA)
                    Time(2024-09-25T14:18:14.739Z)
                    CommentInsert1(anrtest)
                    CommentInsert2(SYSTEM.DEFAULT.AUTHINFO.IDPWOS)
                    CommentInsert3(CHCKCLNT(REQDADM))

Hi Eric,

If I could only give you one piece of advice in your journey to learn to manage MQ, it would be to remember the location of the AMQERR01.LOG and to always check whenever you have any issue. It will most certainly give you more information than you currently have about your failure, including everything you need to fix the problem. You have not actually shown us an error message in your earlier thread, just a reason code (2035), but application side errors are often paired with much more information on the queue manager side. Hopefully when you look in your AMQERR01.LOG file for this problem you will see what I mean.

As to some resources to help, take a look at some of these:-

• Configuring a queue manager to accept client connections on Multiplatforms
• Getting going without turning off IBM MQ Security
• A non-privileged MQ administrator
• I'm being blocked by CHLAUTH – how can I work out why?
• CHLAUTH – Allow some privileged admins

Cheers,
Morag

Thank you both for your help.  I'm a 20+ year Oracle DBA given the task of managing our MQ's in prod, test and dev and I'm trying to understand everything by looking at what already exists and when tasked to create new users/channels/queues/authorizations I'm trying to compare to existing setups but clearly missing things.  Is there a set of steps out there that go from user creation all the way to having the user/channel/queue/authorization commands?  I'll check the AMQERR01.LOG but it usually just shows the error message I've already described.  I'll update here with more info asap.

MQ version 9.3.0.20 LTS, on Linux/Ubuntu

Create the user local to the MQ server:

# groupadd usertest
# useradd -g usertest usertest
** set the password for user usertest

Create the channel:

DEFINE CHANNEL('QMName.customer.IN') CHLTYPE(SVRCONN) CERTLABL(' ') COMPHDR(NONE) COMPMSG(NONE) DESCR('Test connection from nifi customer to QMName') DISCINT(0) HBINT(300) KAINT(AUTO) MAXINST(999999999) MAXINSTC(999999999) MAXMSGL(4194304) MCAUSER('usertest') MONCHL(QMGR) RCVDATA(' ') RCVEXIT(' ') SCYDATA(' ') SCYEXIT(' ') SENDDATA(' ') SENDEXIT(' ') SHARECNV(10) TRPTYPE(TCP) REPLACE

(Using existing Queue Local)

set authrec objtype(QMGR) principal('usertest') authadd(connect, inq)
set authrec profile('LocalQueueName.QL') objtype(QUEUE) principal('usertest') authadd(PUT, GET, INQ, BROWSE)
setmqaut -m ourQM -n QMName.customer.IN -t channel -g usertest +chg +dlt +dsp +ctrl +ctrlx

Part of the error message: "IBM MQ call failed with compcode '2' ('MQCC_FAILED') reason '2035' ('MQRC_NOT_AUTHORIZED')."

The error also says to verify the username/password which we have verified.

Am I missing something like adding the user 'usertest' to group 'mqm'?  I didn't think I needed to do that unless I wanted to grant admin to the 'usertest' which I do not.  Any help appreciated.