I found the error logs (that you mention on your reply and on your blog) on my MQ server : /var/mqm/qmgrs/QUEUE_MNGR_NAME/errors where I found all the rights that were missing.
there were indeed some missing rights on the queues SYSTEM.ADMIN.COMMAND.QUEUE and SYSTEM.MQSC.REPLY.QUEUE
I solved all my issues :).
Original Message:
Sent: Mon January 15, 2024 09:53 PM
From: Morag Hughson
Subject: error AMQ8135E: Not authorized
My previous reply was written in a hurry and didn't really provide much detail about how to go about doing what I suggested you do.
I've thought it might be worth writing up this process once or twice before, so your question prompted me to do that. So here's a blog post containing the mechanism for using the queue manager error log to find and fix authority errors.
Worked Example: Solving MQRC_NOT_AUTHORIZED
Please don't hesitate to feedback on it. I hope it is useful to you.
Cheers,
Morag
------------------------------
Morag Hughson
MQ Technical Education Specialist
MQGem Software Limited
Website: https://www.mqgem.com
Original Message:
Sent: Mon January 15, 2024 04:14 PM
From: Morag Hughson
Subject: error AMQ8135E: Not authorized
Hi Thomas,
I don't see anywhere where you have granted your itx user any of the permissions it would need to issue MQSC commands. It doesn't have put access to the SYSTEM.COMMAND.ADMIN.QUEUE, nor various accesses to make a reply queue, nor any dsp access on the objects you might be displaying.
Use your queue manager error log to see exactly what I'd needed by reviewing the complaint each time it fails until you have granted all that is required.
Cheers,
Morag
------------------------------
Morag Hughson
MQ Technical Education Specialist
MQGem Software Limited
Website: https://www.mqgem.com
Original Message:
Sent: Tue May 30, 2023 07:04 AM
From: Thomas Lucas
Subject: error AMQ8135E: Not authorized
Hi,
I'm trying to setup a MQ Server and a MQ Client in 2 different docker container (ubuntu based) but it seems there is an autentication problem. The 2 containers are in the same Docker network and I can ping one from the other.
Server side
I installed the following packages :
MQServer/ibmmq-runtime_9.3.0.0_amd64.deb
MQServer/ibmmq-gskit_9.3.0.0_amd64.deb
MQServer/ibmmq-server_9.3.0.0_amd64.deb
created the user :
itx_uid=2002groupadd --system --gid ${itx_uid} itxuseradd --system --uid ${itx_uid} --gid ${itx_uid} itxecho "itx:pwd" | chpasswd
Created the queue manager
crtmqm -lc -lf 4096 -lp 32 -ls 5 QMGR_Namestrmqm QMGR_Namerunmqsc QMGR_Name < /usr/local/bin/QMGR_Config.mqsc
I used the following MQSC commands in the file QMGR_Config.mqsc :
DEFINE LISTENER('LISTENER.TCP.1414') TRPTYPE(TCP) CONTROL(QMGR) PORT(1414) REPLACEDEFINE CHANNEL (CHANNEL.NAME) CHLTYPE(SVRCONN) TRPTYPE(TCP) MCAUSER('itx') DESCR('ITX Client Connections') REPLACEALTER QMGR CHLAUTH(DISABLED)ALTER AUTHINFO(SYSTEM.DEFAULT.AUTHINFO.IDPWOS) AUTHTYPE(IDPWOS) CHCKCLNT(NONE)REFRESH SECURITY TYPE(CONNAUTH)DEFINE QLOCAL('QMGR_Name.QUEUE.LOCAL.QUEUE_NAME') PUT(ENABLED) REPLACEDEFINE QALIAS('QUEUE_NAME') TARGET('QMGR_Name.QUEUE.LOCAL.QUEUE_NAME') PUT(ENABLED) REPLACEDEFINE QLOCAL('QMGR_Name.QUEUE.LOCAL.QUEUE_NAME_ERR') PUT(ENABLED) REPLACEDEFINE QALIAS('QUEUE_NAME_ERR') TARGET('QMGR_Name.QUEUE.LOCAL.QUEUE_NAME_ERR') PUT(ENABLED) REPLACESTART LISTENER('LISTENER.TCP.1414')
Setup the authentication for the user itx :
setmqaut -m QMGR_Name -t qmgr -g itx +connect +inqsetmqaut -m QMGR_Name -t queue -n QUEUE_NAME -g itx +putsetmqaut -m QMGR_Name -t queue -n QUEUE_NAME_ERR -g itx +put
When running these commands I can see all the objects :
runmqsc QMGR_NameDISPLAY QMGRDISPLAY QLOCAL('QMGR_Name.QUEUE.LOCAL.QUEUE_NAME')DISPLAY QALIAS('QUEUE_NAME')
I can connect with itx user using the following command (entering password when prompted) but when executing the MQSC commands I get the error "AMQ8135E: Not authorized."
runmqsc -u itx QMGR_Name
Client side
I installed these packages :
MQ-Client/ibmmq-runtime_9.3.1.0_amd64.deb
MQ-Client/ibmmq-gskit_9.3.1.0_amd64.deb
MQ-Client/ibmmq-client_9.3.1.0_amd64.deb
I exported the MQSERVER variable :
export MQSERVER="CHANNEL.NAME/TCP/mq-server(1414)"
I get the error "AMQ8135E: Not authorized." when trying to connect to the queue manager :
runmqsc -u itx QMGR_Nameorrunmqsc -u itx -c QMGR_Name
(entering password defined in MQ Server container when prompted)
I wanted to follow this tutorial but I couldn't find mqcli or usercreate command on the MQ Server installation (even after installing the client package).
https://www.ibm.com/docs/en/mq-appliance/9.1?topic=client-setting-up-queue-manager-accept-connections
Does anyone would have an idea of what is going wrong with my setup?
Best Regards,
Thomas
------------------------------
Thomas Lucas
------------------------------