
  • 1.  2035' ('MQRC_NOT_AUTHORIZED').

    IBM Select
    Posted Fri October 01, 2021 09:23 AM

    Hi,
    I have created one user for the client application (Mulesoft) and made it a member of the mqm group. I have created one server channel.
    So the Mule application connects to the queue manager via the server channel and puts the message in an MQ queue. We have run the commands below and also disabled the authentication.

    ALTER AUTHINFO(SYSTEM.DEFAULT.AUTHINFO.IDPWOS) AUTHTYPE(IDPWOS) CHCKCLNT(OPTIONAL)
    REFRESH SECURITY TYPE(CONNAUTH)
    ALTER CHL(SYSTEM.DEF.SVRCONN) CHLTYPE(SVRCONN) MCAUSER('NOAUTH')

    Now when the Mule application tries to connect to the queue manager it gets the error below.
    Please advise me what further configuration I have to do so the Mule application will connect to the queue manager.
    org.mule.runtime.api.connection.ConnectionException: JMSWMQ2013: The security authentication was not valid that was supplied for queue manager 'QWCOV9JMPLB01_QMGR' with connection mode 'Client' and host name '172.19.59.167(1416)'. org.mule.runtime.api.connection.ConnectionException: JMSWMQ2013: The security authentication was not valid that was supplied for queue manager 'QWCOV9JMPLB01_QMGR' with connection mode 'Client' and host name '172.19.59.167(1416)'. Caused by: com.ibm.msg.client.jms.DetailedJMSSecurityException: JMSWMQ2013: The security authentication was not valid that was supplied for queue manager 'QWCOV9JMPLB01_QMGR' with connection mode 'Client' and host name '172.19.59.167(1416)'. Please check if the supplied username and password are correct on the queue manager to which you are connecting. For further information, review the queue manager error logs and the Securing IBM MQ topic within IBM Knowledge Center.
    Caused by: com.ibm.mq.MQException: JMSCMQ0001: IBM MQ call failed with compcode '2' ('MQCC_FAILED') reason '2035' ('MQRC_NOT_AUTHORIZED'). at com.ibm.msg.client.wmq.common.internal.Reason.createException(Reason.java:203) ... 102 more

    MQ log: I tried to connect through RFHUtil using CSP

    ----- cmqxrsrv.c : 2580 -------------------------------------------------------
    9/30/2021 07:52:53 - Process(7772.455) User(HjUser) Program(amqzlaa0.exe)
                          Host(QWCOV9JMPLB01) Installation(Installation1)
                          VRMF(9.2.1.0) QMgr(QWCOV9JMPLB01_QMGR)
                          Time(2021-09-30T14:52:53.533Z)
                          CommentInsert1(hjusermule@na)
                          CommentInsert2(QWCOV9JMPLB01_QMGR [qmgr])
                          CommentInsert3(connect)

    AMQ8077W: Entity 'hjusermule@na' has insufficient authority to access object
    QWCOV9JMPLB01_QMGR [qmgr].

    EXPLANATION:
    The specified entity is not authorized to access the required object. The
    following requested permissions are unauthorized: connect
    ACTION:
    Ensure that the correct level of authority has been set for this entity against
    the required object, or ensure that the entity is a member of a privileged
    group.
    ----- amqzfubn.c : 1265 -------------------------------------------------------
    9/30/2021 07:52:53 - Process(1744.438) User(HjUser) Program(amqrmppa.exe)
                          Host(QWCOV9JMPLB01) Installation(Installation1)
                          VRMF(9.2.1.0) QMgr(QWCOV9JMPLB01_QMGR)
                          Time(2021-09-30T14:52:53.533Z)
                          ArithInsert1(2) ArithInsert2(2035)
                          CommentInsert1(HjuserMule)

    AMQ9557E: Queue Manager User ID initialization failed for 'HjuserMule'.


    ------------------------------
    Brajendra Kumar
    ------------------------------


  • 2.  RE: 2035' ('MQRC_NOT_AUTHORIZED').

    Posted Fri October 01, 2021 10:13 AM
    I'm not 100% sure if this is the cause of the current error, but the default channel authentication rules prevent users with administrative privileges from connecting to SYSTEM.* channels. So the user you are connecting as, being a member of the mqm group, would be prevented from using the SYSTEM.DEF.SVRCONN channel.

    You could see if that's the cause of the problem by temporarily creating a new channel called MY.SVRCONN with the same configuration as SYSTEM.DEF.SVRCONN. The CHLAUTH rules won't apply the same policy to that channel. If that works, then you can decide whether you really want the application to connect as an admin (in which case you could use your own channel) or to authorise the user only to certain actions (in which case you could remove them from the mqm group and continue using SYSTEM.DEF.SVRCONN).

    ------------------------------
    Matthew Whitehead
    ------------------------------



  • 3.  RE: 2035' ('MQRC_NOT_AUTHORIZED').

    Posted Mon October 04, 2021 04:11 AM
    Hi Brajendra,
    this message:

    Entity 'hjusermule@na' has insufficient authority to access object
    QWCOV9JMPLB01_QMGR [qmgr].

    EXPLANATION:
    The specified entity is not authorized to access the required object. The
    following requested permissions are unauthorized: connect

    is telling you that you haven't given hjusermule connect authority to the "Queue Manager". You need to allow the user to connect to the queue manager and then the other objects as well i.e. queue.

    Also, you say that you've disabled authentication - you haven't. [CHCKCLNT(OPTIONAL)]. This mode means that authentication IS checked if a passwd is sent.

    hope that helps
    John.

    ------------------------------
    John Hawkins
    Integration Consultant
    ------------------------------



  • 4.  RE: 2035' ('MQRC_NOT_AUTHORIZED').

    IBM Select
    Posted Mon October 04, 2021 04:20 AM
    Thank you very much, John.
    The Mule application connects to the queue manager via hjusermule and password.
    I have shared the following with the Mule application team:
    userid: hjusermule
    password
    Queue manager name
    port
    server channel and queue name where the Mule application puts the message.
    Please advise me what command I have to run or what exact configuration I have to do.
    Thanks and regards,
    Brajendra

    ------------------------------
    Brajendra Kumar
    ------------------------------



  • 5.  RE: 2035' ('MQRC_NOT_AUTHORIZED').

    Posted Mon October 04, 2021 04:39 AM
    To allow hjusermule to connect to the QM:
    setmqaut -m <Queue Manager Name> -t qmgr -p "hjusermule" +connect
    (TIP: if you do this using MQ explorer then it gives you the command to run on the command line)

    And, if you want to completely disable authentication (something I would NOT advise) you need to use CHCKCLNT(NONE) (https://www.ibm.com/docs/en/ibm-mq/9.0?topic=authentication-connection-configuration)

    Also - I would recommend you remove mule from the mqm group. You are giving that user MQ admin authority - not a good idea.

    best regards,
    john.

    ------------------------------
    John Hawkins
    Integration Consultant
    ------------------------------
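
The triage described in posts 3 and 5, as an added example that is not part of the thread: a Python sketch that reads AMQ8077W entries like the one quoted above and builds the matching setmqaut grant for only the permissions that were refused. The function names, the `/` or `,` separator between multiple permissions, and passing the logged entity straight to `-p` are assumptions.

```python
import re

# Sample input: the AMQ8077W entry quoted in this thread, with the hard line
# wraps and blank lines that extracted error logs often carry.
SAMPLE_LOG = """\
AMQ8077W: Entity 'hjusermule@na' has insufficient authority to access object

QWCOV9JMPLB01_QMGR [qmgr].

EXPLANATION:

The specified entity is not authorized to access the required object. The

following requested permissions are unauthorized: connect
"""

# Assumption: several refused permissions are separated by "/" or ",".
ENTRY = re.compile(
    r"AMQ8077W: Entity '(?P<entity>[^']+)' has insufficient authority to "
    r"access object (?P<object>\S+) \[(?P<type>\w+)\]\."
    r"(?:(?!AMQ8077W).)*?permissions are unauthorized: "
    r"(?P<perms>\w+(?:[/,]\w+)*)"
)
SAFE = re.compile(r"[A-Za-z0-9._@/-]+")  # nothing shell-significant


def parse_amq8077(text):
    """Return one dict per AMQ8077W entry found in error-log text."""
    flat = " ".join(text.split())  # undo wrapping so each entry is one line
    return [{"entity": m["entity"], "object": m["object"], "type": m["type"],
             "perms": re.split(r"[/,]", m["perms"])}
            for m in ENTRY.finditer(flat)]


def setmqaut_command(entry, qmgr):
    """Build a setmqaut grant for exactly the permissions that were refused."""
    fields = (qmgr, entry["entity"], entry["object"], entry["type"])
    for value in (*fields, *entry["perms"]):
        if not SAFE.fullmatch(value):
            raise ValueError(f"refusing unusual value from log: {value!r}")
    cmd = ["setmqaut", "-m", qmgr, "-t", entry["type"]]
    if entry["type"] != "qmgr":  # the queue manager itself takes no -n
        cmd += ["-n", entry["object"]]
    # Assumption: the entity is passed to -p exactly as the log shows it.
    cmd += ["-p", entry["entity"]] + ["+" + p for p in entry["perms"]]
    return " ".join(cmd)


if __name__ == "__main__":
    for e in parse_amq8077(SAMPLE_LOG):
        print(setmqaut_command(e, e["object"]))
```

Granting only what each AMQ8077W entry names keeps the application user out of the mqm group; later 2035 failures on queues produce further entries that can be fed through the same functions.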



  • 6.  RE: 2035' ('MQRC_NOT_AUTHORIZED').

    IBM Select
    Posted Mon October 04, 2021 04:58 AM
    Thank you very much for the prompt response.

    To allow hjusermule to connect to the QM:
    setmqaut -m <Queue Manager Name> -t qmgr -p "hjusermule" +connect --done sir
    (TIP: if you do this using MQ explorer then it gives you the command to run on the command line)

    And, if you want to completely disable authentication (something I would NOT advise) you need to use CHCKCLNT(NONE) (www.ibm.com/docs/en/ibm-mq/...) ---- sir, still I leave it optional
    Also - I would recommend you remove mule from the mqm group. You are giving that user MQ admin authority - not a good idea. --done sir
    I still didn't change CHCKCLNT(OPTIONAL). Is it OK? I have given the userid and password to the third-party client application.
    John, I got one more issue. The Mule application is not able to connect to the queue manager. The Mule app got the error below.
    I have made changes in qm.ini
    TCP:
    KeepAlive=Yes ---as per my understanding it is a MuleSoft issue. We can configure TCP in qm.ini.
    I haven't configured the settings below in qm.ini. Do I need to add them in TCP or not?

       SndBuffSize=0
       RcvBuffSize=0
       RcvSndBuffSize=0
       RcvRcvBuffSize=0
       ClntSndBuffSize=0
       ClntRcvBuffSize=0
       SvrSndBuffSize=0
       SvrRcvBuffSize=0
       KeepAlive= YES
       Connect_Timeout= 0

    mulesoft log

    com.ibm.msg.client.jms.DetailedJMSException: JMSWMQ1107: A problem with this connection has occurred.
    {"timestamp":"2021-08-25T11:56:23,989","level":"WARN","thread":"JMSCCThreadPoolWorker-5","loggerName":"org.mule.jms.commons.internal.connection.IBMJmsCachingConnectionFactory","message":"Could not close shared JMS Connection"}
    com.ibm.msg.client.jms.DetailedJMSException: JMSWMQ0019: Failed to disconnect from queue manager 'MHLXAMQD_QMGR' using connection mode '1' and host name '172.18.64.156(1414)'.

     

    Caused by: com.ibm.mq.MQException: JMSCMQ0001: IBM MQ call failed with compcode '2' ('MQCC_FAILED') reason '2009' ('MQRC_CONNECTION_BROKEN').
    at com.ibm.msg.client.wmq.common.internal.Reason.createException(Reason.java:203) ~[com.ibm.mq.allclient-9.1.1.0.jar:9.1.1.0 - p911-L181121.DE]
    ... 14 more




    ------------------------------
    Brajendra Kumar
    ------------------------------



  • 7.  RE: 2035' ('MQRC_NOT_AUTHORIZED').

    Posted Mon October 04, 2021 04:45 AM

    Hi Brajendra,

    Q1) You say that you have created a user ID which is a member of the mqm group. Is that the user id "hjusermule@na" which is shown in your error message? Is the "@na" part a truncated domain, or is that the whole thing?

    Q2) Can you display the group membership of the user id "hjusermule@na"

    Q3) You say that you have "disable the authentication". Do you mean that you have set CHLAUTH to DISABLED? That is, the "authentication" that you have disabled is only the Channel Authentication and not the Connection Authentication (CONNAUTH) which you then show us commands for?

    Q4) What happens if the connection is made with a deliberately incorrect password for that user ID? This is a very good way to test your Connection Authentication set up is working.

    Q5) Could you show us the full settings for Connection Authentication, which is pertinent here since your application is connecting using a user ID and password. Could you issue the following commands and show us the output.

    DISPLAY QMGR CONNAUTH
    DISPLAY AUTHINFO(SYSTEM.DEFAULT.AUTHINFO.IDPWOS) ALL

    Let me explain why I am asking you these questions. What should happen is the following:-

    • Application connects using user id hjusermule and password.
    • Queue manager checks whether the user id and password combination are correct since you have the CHCKCLNT(OPTIONAL) setting. This means check the password if it is provided, but don't mandate a password if it is not provided.
    • The Queue manager applies the validated password to the MCAUSER of the channel, if you have the ADOPTCTX(YES) setting. You haven't shown us this, hence my Q5) but since you don't have errors mentioning NOAUTH which is your hard-coded MCAUSER, I assume you have it set.
    • Authority checks are done using the MCAUSER that the channel is running with. Since we see the authority checks mentioning hjusermule in some format, this also makes it likely that ADOPTCTX is set to YES. You have told us that hjusermule is in the mqm group, but the authority checks appear to refute that statement, since an mqm group member will not fail an authority check. Hence my Q2). Did you remember to issue REFRESH SECURITY TYPE(AUTHSERV) after you changed the group membership of the user id?
    Cheers,
    Morag


    ------------------------------
    Morag Hughson
    MQ Technical Education Specialist
    MQGem Software Limited
    Website: https://www.mqgem.com
    ------------------------------



  • 8.  RE: 2035' ('MQRC_NOT_AUTHORIZED').

    IBM Select
    Posted Mon October 04, 2021 06:01 AM
    Thanks Morag Hughson.

    Q1) You say that you have created a user ID which is a member of the mqm group. Is that the user id "hjusermule@na" which is shown in your error message? Is the "@na" part a truncated domain, or is that the whole thing?
    A: NA is the domain name

    Can you display the group membership of the user id "hjusermule@na"
    NET USER HjuserMule /domain



    REFRESH SECURITY TYPE(AUTHSERV)

    You say that you have "disable the authentication". Do you mean that you have set CHLAUTH to DISABLED?
    That is, the "authentication" that you have disabled is only the Channel Authentication and not the Connection Authentication (CONNAUTH) which you then show us commands for?
    A: I have disabled channel authentication (CHLAUTH)

    What happens if the connection is made with a deliberately incorrect password for that user ID? This is a very good way to test your Connection Authentication set up is working.
    A: The client app won't connect to the queue manager if the user or password is wrong.

    DISPLAY QMGR CONNAUTH

    DISPLAY AUTHINFO(SYSTEM.DEFAULT.AUTHINFO.IDPWOS) ALL


    I am facing a connectivity error from the client side (MuleSoft application)

    I have made changes in qm.ini

    KeepAlive=Yes ---as per my understanding it is a MuleSoft issue. We can configure TCP in qm.ini.
    I haven't configured the settings below in qm.ini. Do I need to add the part below in TCP or not?

       SndBuffSize=0
       RcvBuffSize=0
       RcvSndBuffSize=0
       RcvRcvBuffSize=0
       ClntSndBuffSize=0
       ClntRcvBuffSize=0
       SvrSndBuffSize=0
       SvrRcvBuffSize=0
       KeepAlive= YES
       Connect_Timeout= 0

    mulesoft log

    com.ibm.msg.client.jms.DetailedJMSException: JMSWMQ1107: A problem with this connection has occurred.
    {"timestamp":"2021-08-25T11:56:23,989","level":"WARN","thread":"JMSCCThreadPoolWorker-5","loggerName":"org.mule.jms.commons.internal.connection.IBMJmsCachingConnectionFactory","message":"Could not close shared JMS Connection"}
    com.ibm.msg.client.jms.DetailedJMSException: JMSWMQ0019: Failed to disconnect from queue manager
    'MHLXAMQD_QMGR' using connection mode '1' and host name '172.18.64.156(1414)'.

     

    Caused by: com.ibm.mq.MQException: JMSCMQ0001: IBM MQ call failed with compcode '2' ('MQCC_FAILED') reason '2009' ('MQRC_CONNECTION_BROKEN').
    at com.ibm.msg.client.wmq.common.internal.Reason.createException(Reason.java:203) ~[com.ibm.mq.allclient-9.1.1.0.jar:9.1.1.0 - p911-L181121.DE]
    ... 14 more










    ------------------------------
    Brajendra Kumar
    ------------------------------



  • 9.  RE: 2035' ('MQRC_NOT_AUTHORIZED').

    Posted Mon October 04, 2021 08:23 AM

    You said in your initial question that you had made the user ID a member of the mqm group. Can you please confirm that is the case. I don't see where it says that in your output. If the user ID is not a member of the mqm group then that explains why it does not have authority and you will have to grant it the required authorities as John showed you in his answer. If you do want it to be a member of the mqm group then it will have authority to do everything, but it does seem that you have not managed to do that step?

    Cheers,
    Morag



    ------------------------------
    Morag Hughson
    MQ Technical Education Specialist
    MQGem Software Limited
    Website: https://www.mqgem.com
    ------------------------------