  • 1.  error AMQ8135E: Not authorized

    Posted Tue May 30, 2023 10:04 AM
    Edited by Andres Parada 2 days ago

    Hi,

    I'm trying to set up an MQ Server and an MQ Client in 2 different Docker containers (Ubuntu based) but it seems there is an authentication problem. The 2 containers are in the same Docker network and I can ping one from the other.

    Server side

    I installed the following packages : 
    MQServer/ibmmq-runtime_9.3.0.0_amd64.deb
    MQServer/ibmmq-gskit_9.3.0.0_amd64.deb
    MQServer/ibmmq-server_9.3.0.0_amd64.deb

    created the user : 

    itx_uid=2002
    groupadd --system --gid ${itx_uid} itx
    useradd --system --uid ${itx_uid} --gid ${itx_uid} itx
    echo "itx:pwd" | chpasswd


    Created the queue manager

    crtmqm -lc -lf 4096 -lp 32 -ls 5 QMGR_Name
    
    strmqm QMGR_Name
    
    runmqsc QMGR_Name < /usr/local/bin/QMGR_Config.mqsc

    I used the following MQSC commands in the file QMGR_Config.mqsc : 

    DEFINE LISTENER('LISTENER.TCP.1414') TRPTYPE(TCP) CONTROL(QMGR) PORT(1414) REPLACE
    DEFINE CHANNEL (CHANNEL.NAME) CHLTYPE(SVRCONN) TRPTYPE(TCP) MCAUSER('itx') DESCR('ITX Client Connections') REPLACE
    
    ALTER QMGR CHLAUTH(DISABLED)
    
    ALTER AUTHINFO(SYSTEM.DEFAULT.AUTHINFO.IDPWOS) AUTHTYPE(IDPWOS) CHCKCLNT(NONE)
    REFRESH SECURITY TYPE(CONNAUTH)
    
    DEFINE QLOCAL('QMGR_Name.QUEUE.LOCAL.QUEUE_NAME') PUT(ENABLED) REPLACE
    DEFINE QALIAS('QUEUE_NAME') TARGET('QMGR_Name.QUEUE.LOCAL.QUEUE_NAME') PUT(ENABLED) REPLACE
    DEFINE QLOCAL('QMGR_Name.QUEUE.LOCAL.QUEUE_NAME_ERR') PUT(ENABLED) REPLACE
    DEFINE QALIAS('QUEUE_NAME_ERR') TARGET('QMGR_Name.QUEUE.LOCAL.QUEUE_NAME_ERR') PUT(ENABLED) REPLACE
    
    START LISTENER('LISTENER.TCP.1414')


    Set up the authentication for the user itx:

    setmqaut -m QMGR_Name -t qmgr -g itx +connect +inq
    setmqaut -m QMGR_Name -t queue -n QUEUE_NAME -g itx +put
    setmqaut -m QMGR_Name -t queue -n QUEUE_NAME_ERR -g itx +put


    When running these commands I can see all the objects :

    runmqsc QMGR_Name
    
    DISPLAY QMGR
    DISPLAY QLOCAL('QMGR_Name.QUEUE.LOCAL.QUEUE_NAME')
    DISPLAY QALIAS('QUEUE_NAME')

    I can connect with itx user using the following command (entering password when prompted) but when executing the MQSC commands I get the error "AMQ8135E: Not authorized."

    runmqsc -u itx QMGR_Name


    Client side 

    I installed these packages :
    MQ-Client/ibmmq-runtime_9.3.1.0_amd64.deb
    MQ-Client/ibmmq-gskit_9.3.1.0_amd64.deb
    MQ-Client/ibmmq-client_9.3.1.0_amd64.deb


    I exported the MQSERVER variable :

    export MQSERVER="CHANNEL.NAME/TCP/mq-server(1414)"

    I get the error "AMQ8135E: Not authorized." when trying to connect to the queue manager : 

    runmqsc -u itx QMGR_Name
    or
    runmqsc -u itx -c QMGR_Name

    (entering password defined in MQ Server container when prompted)

    I wanted to follow this tutorial but I couldn't find mqcli or usercreate command on the MQ Server installation (even after installing the client package).

    https://www.ibm.com/docs/en/mq-appliance/9.1?topic=client-setting-up-queue-manager-accept-connections


    Would anyone have an idea of what is going wrong with my setup?


    Best Regards,
    Thomas



    ------------------------------
    Thomas Lucas
    ------------------------------



  • 2.  RE: error AMQ8135E: Not authorized

    IBM Champion
    Posted Wed May 31, 2023 01:30 AM

    Hi Thomas,

    Due to some historical reasons (I think related to zOS) runmqsc converts all text to upper case unless it is quoted.

    When you define the channel, you need to put the MCAUSER in quotes (technically apostrophes) so that it will be recognised as itx, and not ITX.
    Rather than:

    DEFINE CHANNEL (CHANNEL.NAME) CHLTYPE(SVRCONN) TRPTYPE(TCP) MCAUSER(itx) DESCR('ITX Client Connections') REPLACE

    Your definition should be:

    DEFINE CHANNEL (CHANNEL.NAME) CHLTYPE(SVRCONN) TRPTYPE(TCP) MCAUSER('itx') DESCR('ITX Client Connections') REPLACE

    I marked the changed attribute in bold.

    You don't need to quote the value when it appears on unix command lines or similar. Only when you use it in runmqsc.

    Regards,



    ------------------------------
    Neil Casey
    Senior Consultant
    Syntegrity Solutions
    Melbourne, Victoria
    IBM Champion (Cloud) 2019-22
    ------------------------------



  • 3.  RE: error AMQ8135E: Not authorized

    Posted Wed May 31, 2023 06:07 PM

    Hi Thomas,

    I suggest you rerun the DEFINE CHANNEL command and put single quotes around the MCAUSER attribute value.

    DEFINE CHANNEL (CHANNEL.NAME) CHLTYPE(SVRCONN) TRPTYPE(TCP) MCAUSER('itx') +
    DESCR('ITX Client Connections') REPLACE

    If you are then still not able to connect, please review this article:

       SET CHLAUTH  https://www.ibm.com/docs/en/ibm-mq/8.0?topic=commands-set-chlauth  

      



    ------------------------------
    David Awerbuch
    MQ admin, MQ developer, MQ firefighter, real firefighter.
    ------------------------------
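
The case folding described in replies 2 and 3, as an added example that is not part of any post in the thread: a small check that reads MQSC text and reports every unquoted attribute value whose case runmqsc would change, so a script such as QMGR_Config.mqsc can be checked before it is fed to runmqsc. The function names are this example's own, and the parser is a simplified one that assumes only `+` line continuation and `*` comment lines.

```python
import re

# KEYWORD(value) pairs; a value is either a '...' quoted string or bare text.
ATTR = re.compile(r"([A-Za-z]+)\s*\(\s*('(?:[^']|'')*'|[^()']*?)\s*\)")

def logical_commands(text):
    """Join MQSC lines ending in '+' and skip blank and '*' comment lines."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*"):
            continue
        if line.endswith("+"):
            buf += line[:-1]
            continue
        yield buf + line
        buf = ""
    if buf:
        yield buf

def effective_value(written):
    """Value after runmqsc parsing: quoted text keeps its case, bare text is upper-cased."""
    if written.startswith("'"):
        return written[1:-1].replace("''", "'")
    return written.upper()

def folded_values(text):
    """Return (attribute, written, stored) for each bare value whose case changes."""
    hits = []
    for cmd in logical_commands(text):
        for attr, written in ATTR.findall(cmd):
            stored = effective_value(written)
            if not written.startswith("'") and stored != written:
                hits.append((attr.upper(), written, stored))
    return hits

# Constructed input: the two channel definitions quoted in the replies.
UNQUOTED = ("DEFINE CHANNEL (CHANNEL.NAME) CHLTYPE(SVRCONN) TRPTYPE(TCP) "
            "MCAUSER(itx) DESCR('ITX Client Connections') REPLACE")
QUOTED = """DEFINE CHANNEL (CHANNEL.NAME) CHLTYPE(SVRCONN) TRPTYPE(TCP) MCAUSER('itx') +
DESCR('ITX Client Connections') REPLACE"""

if __name__ == "__main__":
    # The channel would run as ITX, not the itx account that holds the setmqaut grants.
    for attr, written, stored in folded_values(UNQUOTED):
        print(f"{attr}({written}) is stored as {attr}('{stored}')")
    print("quoted definition:", folded_values(QUOTED) or "no case changes")
```
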