MQ

  • 1.  Security error

    Posted Wed November 17, 2021 09:57 AM

     Receiving error attempting to collect statistical data on one of my test MQ managers:

    Completion code 2 Reason code 2035 MQRC_NOT_AUTHORIZED opening queue SYSTEM.ADMIN.STATISTICS.QUEUE


  • 2.  RE: Security error

    Posted Wed November 17, 2021 10:08 AM
    Can you check in the AMQERR01.LOG for the queue manager for a more detailed error message? There should be one that will give more detail about which user it is and which particular authority they don't have.

    ------------------------------
    Matthew Whitehead
    ------------------------------



  • 3.  RE: Security error

    Posted Wed November 17, 2021 10:44 AM
    I did pull this out of the log, I am using my p_sminix account to access the queue manager on MQ Explorer, but it is flagging my other account which is not defined for this queue manager:

    AMQ9557E: Queue Manager User ID initialization failed for 'sminix'.

    EXPLANATION:
    The call to initialize the User ID 'sminix' failed with CompCode 2 and Reason
    2035. If an MQCSP block was used, the User ID in the MQCSP block was
    'p_sminix'. If a userID flow was used, the User ID in the UID header was
    'sminix' and any CHLAUTH rules applied prior to user adoption were evaluated
    case-sensitively against this value.


  • 4.  RE: Security error

    Posted Wed November 17, 2021 03:47 PM
    I think I know what the issue is but trying to fix it, I think it has something to do with the channel and the MCA userid, which has my id sminix attached to it:

    I need to assign the proper userid to the channel, currently the channel will not start, it goes inactive.

    This is our test MQ server, not critical but would like to get it started.


  • 5.  RE: Security error

    Posted Thu November 18, 2021 05:23 AM
    So it sounds like you're trying to connect as p_sminix but the combination (or absence) of CHLAUTH rules means you are picking up the MCAUSER from the channel which is set to sminix.

    There is a useful page in the IBM Documentation on the interactions between CHLAUTH and CONNAUTH, and how these result in the MQ identity you actually end up as:

    https://www.ibm.com/docs/en/ibm-mq/9.2?topic=records-interaction-chlauth-connauth

    If you haven't got CHLAUTH enabled, or you don't have any CHLAUTH rules which map your client user, IP address, or TLS certificate to a specific user (p_sminix in your case) then the connection will be made using the MCAUSER field from the channel. So you could:

    1. Set the channel's MCAUSER field to p_sminix, or
    2. Define a USERMAP, ADDRESSMAP or SSLPEERMAP CHLAUTH rule with the MCAUSER field of the CHLAUTH rule set to p_sminix

    Note that in a production environment you may want to set the MCAUSER field of the channel to something with low or zero privileges (such as 'nobody' on Unix) and then use CHLAUTH rules to individually map connecting applications to more privileged users.

    ------------------------------
    Matthew Whitehead
    ------------------------------
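
The production setup suggested in the post above, written out as MQSC. This is an added example, not part of the original thread or of IBM's documentation. The channel name APP.SVRCONN and the address 192.0.2.10 are constructed placeholders, and it uses an ADDRESSMAP rule (option 2 in the post) to map the client to p_sminix.

```mqsc
* Added example. APP.SVRCONN and 192.0.2.10 are constructed placeholders.
* Before: every client on the channel runs as the hard-coded MCAUSER.
*   ALTER CHANNEL('APP.SVRCONN') CHLTYPE(SVRCONN) MCAUSER('sminix')

* After: the channel itself carries a low-privilege user
* ('nobody' on Unix, as suggested in the post).
ALTER CHANNEL('APP.SVRCONN') CHLTYPE(SVRCONN) MCAUSER('nobody')

* Channel authentication records must be enabled for mapping rules to apply.
ALTER QMGR CHLAUTH(ENABLED)

* Map connections from the known client address to the intended MQ user.
SET CHLAUTH('APP.SVRCONN') TYPE(ADDRESSMAP) ADDRESS('192.0.2.10') +
    USERSRC(MAP) MCAUSER('p_sminix') ACTION(REPLACE)

* Ask the queue manager which rule would match this client at run time.
DISPLAY CHLAUTH('APP.SVRCONN') MATCH(RUNCHECK) +
    ADDRESS('192.0.2.10') CLNTUSER('sminix')

* With the client connected, show the identity the channel is running as.
DISPLAY CHSTATUS('APP.SVRCONN') MCAUSER
```

If the MCAUSER shown by DISPLAY CHSTATUS is not the one expected, the AMQ9557E entry in AMQERR01.LOG names both the user ID that was flowed and the one from the MQCSP block.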



  • 6.  RE: Security error

    Posted Thu November 18, 2021 10:16 AM
    Thanks for the input, I changed the channel to use the sminix id, and the channel started fine. Need to read up a little more regarding setting up channels!

    I was having issues connecting to the queue manager remotely using MQ Explorer, but now I can.