IBM MQ Little Gem #55: Authority reporting for Display Commands

By Morag Hughson posted Fri September 16, 2022 12:13 AM

  
This is part of a series of small blog posts which will cover some of the smaller, perhaps less likely to be noticed, features of IBM MQ. Read other posts in this series.

Today I want to write about a well-hidden feature of your IBM MQ Distributed queue manager in order to help others to find it in the future. I was certain that this feature existed but was completely unable to find anything about it when I went searching. Having now been pointed to it (Thanks @David Ware) I decided to write about it so that any future people searching for it might come across this post and thus the IBM Docs that describe it. I was prompted to try and find it as a result of a question from a customer.

The problem at hand today is the large number of spurious event messages and error log messages that result when a user id displays a list of objects and does not have access to view all of them.

Take my user id mqgusr1 who has very little access to anything on my queue manager. If I run the following command using this user id:

DISPLAY QLOCAL(*) CURDEPTH

then I get back a very short list of queues:-

AMQ8409I: Display Queue details.
   QUEUE(MQSCX.MQGUSR1.6323ED2721A39D01)   TYPE(QLOCAL)
   CURDEPTH(0)
AMQ8409I: Display Queue details.
   QUEUE(SYSTEM.DEFAULT.LOCAL.QUEUE)       TYPE(QLOCAL)
   CURDEPTH(0)

However, my SYSTEM.ADMIN.QMGR.EVENT queue has just received 133 identical messages telling me that an MQCMD_INQUIRE_Q command by user id mqgusr1 failed for authorisation reasons. The queue name is not part of this message, which is why they are identical.

[  168 bytes] Message Content
[  168 bytes] Event Header (MQCFH)
Type         :7 (Event)
Struc Length :36
Version      :1
Command      :44 (QMgr Event)
Sequence No. :1
Control      :1 (Last)
CompCode     :1 (Warning)
Reason       :2035 (Not authorized)
Parm Count   :4
[  132 bytes] String (MQCFST)
Type         :4 (String)
Struc Length :68
Parameter Id :2015 (Queue Manager Name)
CCSID        :0
String Length:48
Value        :'MQG1                                            '
[   64 bytes] Integer (MQCFIN)
Type         :3 (Integer)
Struc Length :16
Parameter Id :1020 (Reason Qualifier)
Value        :4 [0x'4'] MQRQ_CMD_NOT_AUTHORIZED
[   48 bytes] Integer (MQCFIN)
Type         :3 (Integer)
Struc Length :16
Parameter Id :1021 (Command)
Value        :13 [0x'D'] MQCMD_INQUIRE_Q
[   32 bytes] String (MQCFST)
Type         :4 (String)
Struc Length :32
Parameter Id :3025 (User Identifier)
CCSID        :0
String Length:12
Value        :'mqgusr1     '

In addition my AMQERR01.LOG contains 133 new error messages along these lines, one for each queue, which this time is named.

16/09/2022 15:30:39 - Process(13424.7) User(MUSR_MQADMIN12) Program(amqzlaa0.exe)
                      Host(GEMWIN10) Installation(925GA)
                      VRMF(9.2.5.0) QMgr(MQG1)
                      Time(2022-09-16T03:30:39.872Z)
                      CommentInsert1(mqgusr1@gemwin10)
                      CommentInsert2(Q1 [queue])
                     
AMQ8245W: Entity 'mqgusr1@gemwin10' has insufficient authority to display
object Q1 [queue].

EXPLANATION:
The specified entity is not authorized to display the required object. The
following requested permissions are unauthorized: dsp
ACTION:
Ensure that the correct level of authority has been set for this entity against
the required object, or ensure that the entity is a member of a privileged
group. 

Many users of IBM MQ find that these error messages and event messages cause them problems: it is hard to see the real authorisation errors in among all this reporting about display commands.

If your answer to this is just to throw away all the event messages about display authorisation failures, and you wish you could tidy up the AMQERR01.LOG in the same way, then the setting I am about to describe is for you.

Note that this setting causes ALL display command failure reporting to be suppressed, not just the failures that result from generic display commands. It does not change the authorisation model for display commands; it just suppresses the reporting of those failures. So, if you are not doing anything with your display authorisation failures except throwing them away, then this setting is for you.
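To see how much of an error log this setting would silence, and for which entities, before turning it on, here is an added example (not from the original post or from IBM) that tallies AMQ8245W entries per entity and keeps every other message separate. It assumes each log entry starts with a line containing ` - Process(` as in the excerpt above; the sample log, including the AMQ8077W entry and the user appusr, is constructed.

```python
import re
from collections import Counter

# Constructed sample in the AMQERR01.LOG layout shown above (not real log data).
SAMPLE_LOG = """\
16/09/2022 15:30:39 - Process(13424.7) User(MUSR_MQADMIN12) Program(amqzlaa0.exe)
                      CommentInsert1(mqgusr1@gemwin10)
                      CommentInsert2(Q1 [queue])

AMQ8245W: Entity 'mqgusr1@gemwin10' has insufficient authority to display
object Q1 [queue].
16/09/2022 15:30:39 - Process(13424.7) User(MUSR_MQADMIN12) Program(amqzlaa0.exe)
                      CommentInsert1(mqgusr1@gemwin10)
                      CommentInsert2(Q2 [queue])

AMQ8245W: Entity 'mqgusr1@gemwin10' has insufficient authority to display
object Q2 [queue].
16/09/2022 15:31:02 - Process(13424.9) User(MUSR_MQADMIN12) Program(amqzlaa0.exe)
                      CommentInsert1(appusr@gemwin10)
                      CommentInsert2(PAYROLL.IN [queue])

AMQ8077W: Entity 'appusr@gemwin10' has insufficient authority to access
object PAYROLL.IN [queue].
"""

ENTRY_START = re.compile(r"^.* - Process\(", re.M)  # assumed first line of an entry
MSG_ID = re.compile(r"^(AMQ\d{4}[A-Z]?):", re.M)    # message id at start of a line
INSERT = re.compile(r"CommentInsert(\d)\((.*)\)")   # insert number and its value

def triage(log_text):
    """Separate display-authority failures (AMQ8245) from all other entries."""
    starts = [m.start() for m in ENTRY_START.finditer(log_text)]
    display_by_entity, display_objects, other = Counter(), set(), Counter()
    for begin, end in zip(starts, starts[1:] + [len(log_text)]):
        entry = log_text[begin:end]
        msg = MSG_ID.search(entry)
        if not msg:
            continue  # header without a recognisable message id
        inserts = dict(INSERT.findall(entry))
        if msg.group(1).startswith("AMQ8245"):
            display_by_entity[inserts.get("1", "?")] += 1
            display_objects.add(inserts.get("2", "?"))
        else:
            other[(msg.group(1), inserts.get("1", "?"))] += 1
    return display_by_entity, display_objects, other

if __name__ == "__main__":
    by_entity, objects, other = triage(SAMPLE_LOG)
    print("Would be suppressed:", dict(by_entity), "| still reported:", dict(other))
```

An entity with a handful of AMQ8245W entries against specific objects, rather than one burst across every queue, is the kind of display failure you would stop seeing in the log once the setting is on.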

To configure your queue manager to stop generating the above event message and error log message for ANY display command that is not authorised, you need to add the following into your queue manager's qm.ini file.

TuningParameters:
   SuppressDspAuthFail=YES

And then cycle your queue manager.

This is not a new feature. It was added at some point in V9.0.0, so all supported versions of IBM MQ on distributed platforms have this capability. You can read about it in the IBM Docs here.

If you don't want to suppress these event messages because you find value in some of them, you may find another blog post I wrote about managing them with MQEV useful.


Morag Hughson is an MQ expert. She spent 18 years in the MQ Devt organisation before taking on her current job writing MQ Technical education courses with MQGem. She also blogs for MQGem. You can connect with her here on IMWUC or on Twitter and LinkedIn.
