MQ

 View Only
  • 1.  error AMQ8135E: Not authorized

    Posted Tue May 30, 2023 10:04 AM
    Edited by Andres Parada Mon December 04, 2023 12:23 PM

    Hi,

    I'm trying to setup a MQ Server and a MQ Client in 2 different docker container (ubuntu based) but it seems there is an autentication problem. The 2 containers are in the same Docker network and I can ping one from the other. 

    Server side

    I installed the following packages : 
    MQServer/ibmmq-runtime_9.3.0.0_amd64.deb
    MQServer/ibmmq-gskit_9.3.0.0_amd64.deb
    MQServer/ibmmq-server_9.3.0.0_amd64.deb

    created the user : 

    itx_uid=2002
    groupadd --system --gid ${itx_uid} itx
    useradd --system --uid ${itx_uid} --gid ${itx_uid} itx
    echo "itx:pwd" | chpasswd


    Created the queue manager

    crtmqm -lc -lf 4096 -lp 32 -ls 5 QMGR_Name
    
    strmqm QMGR_Name
    
    runmqsc QMGR_Name < /usr/local/bin/QMGR_Config.mqsc

    I used the following MQSC commands in the file QMGR_Config.mqsc : 

    DEFINE LISTENER('LISTENER.TCP.1414') TRPTYPE(TCP) CONTROL(QMGR) PORT(1414) REPLACE
    DEFINE CHANNEL (CHANNEL.NAME) CHLTYPE(SVRCONN) TRPTYPE(TCP) MCAUSER('itx') DESCR('ITX Client Connections') REPLACE
    
    ALTER QMGR CHLAUTH(DISABLED)
    
    ALTER AUTHINFO(SYSTEM.DEFAULT.AUTHINFO.IDPWOS) AUTHTYPE(IDPWOS) CHCKCLNT(NONE)
    REFRESH SECURITY TYPE(CONNAUTH)
    
    DEFINE QLOCAL('QMGR_Name.QUEUE.LOCAL.QUEUE_NAME') PUT(ENABLED) REPLACE
    DEFINE QALIAS('QUEUE_NAME') TARGET('QMGR_Name.QUEUE.LOCAL.QUEUE_NAME') PUT(ENABLED) REPLACE
    DEFINE QLOCAL('QMGR_Name.QUEUE.LOCAL.QUEUE_NAME_ERR') PUT(ENABLED) REPLACE
    DEFINE QALIAS('QUEUE_NAME_ERR') TARGET('QMGR_Name.QUEUE.LOCAL.QUEUE_NAME_ERR') PUT(ENABLED) REPLACE
    
    START LISTENER('LISTENER.TCP.1414')


    Setup the authentication for the user itx :

    setmqaut -m QMGR_Name -t qmgr -g itx +connect +inq
    setmqaut -m QMGR_Name -t queue -n QUEUE_NAME -g itx +put
    setmqaut -m QMGR_Name -t queue -n QUEUE_NAME_ERR -g itx +put


    When running these commands I can see all the objects :

    runmqsc QMGR_Name
    
    DISPLAY QMGR
    DISPLAY QLOCAL('QMGR_Name.QUEUE.LOCAL.QUEUE_NAME')
    DISPLAY QALIAS('QUEUE_NAME')

    I can connect with itx user using the following command (entering password when prompted) but when executing the MQSC commands I get the error "AMQ8135E: Not authorized."

    runmqsc -u itx QMGR_Name


    Client side 

    I installed these packages :
    MQ-Client/ibmmq-runtime_9.3.1.0_amd64.deb
    MQ-Client/ibmmq-gskit_9.3.1.0_amd64.deb
    MQ-Client/ibmmq-client_9.3.1.0_amd64.deb


    I exported the MQSERVER variable :

    export MQSERVER="CHANNEL.NAME/TCP/mq-server(1414)"

    I get the error "AMQ8135E: Not authorized." when trying to connect to the queue manager : 

    runmqsc -u itx QMGR_Name
    or
    runmqsc -u itx -c QMGR_Name

    (entering password defined in MQ Server container when prompted)

    I wanted to follow this tutorial but I couldn't find mqcli or usercreate command on the MQ Server installation (even after installing the client package).

    https://www.ibm.com/docs/en/mq-appliance/9.1?topic=client-setting-up-queue-manager-accept-connections


    Does anyone would have an idea of what is going wrong with my setup?


    Best Regards,
    Thomas



    ------------------------------
    Thomas Lucas
    ------------------------------



  • 2.  RE: error AMQ8135E: Not authorized

    IBM Champion
    Posted Wed May 31, 2023 01:30 AM

    Hi Thomas,

    Due to some historical reasons (I think related to zOS) runmqsc converts all text to upper case unless it is quoted.

    When you define the channel, you need to put the MCAUSER in quotes (technically apostrophes) so that it will be recognised as itx, and not ITX.
    Rather than:

    DEFINE CHANNEL (CHANNEL.NAME) CHLTYPE(SVRCONN) TRPTYPE(TCP) MCAUSER(itx) DESCR('ITX Client Connections') REPLACE

    Your definition should be:

    DEFINE CHANNEL (CHANNEL.NAME) CHLTYPE(SVRCONN) TRPTYPE(TCP) MCAUSER('itx') DESCR('ITX Client Connections') REPLACE

    I marked the changed attribute in bold.

    You don't need to quote the value when it appears on unix command lines or similar. Only when you use it in runmqsc.

    Regards,



    ------------------------------
    Neil Casey
    Senior Consultant
    Syntegrity Solutions
    Melbourne, Victoria
    IBM Champion (Cloud) 2019-22
    ------------------------------



  • 3.  RE: error AMQ8135E: Not authorized

    Posted Wed May 31, 2023 06:07 PM

    Hi Thomas,

    I suggest you rerun the DEFINE CHANNEL command and put single quotes around the MCAUSER attribute value.

    DEFINE CHANNEL (CHANNEL.NAME) CHLTYPE(SVRCONN) TRPTYPE(TCP) MCAUSER('itx') +
    DESCR('ITX Client Connections') REPLACE

    If you are then still not able to connect, please review this article:

       SET CHLAUTH  https://www.ibm.com/docs/en/ibm-mq/8.0?topic=commands-set-chlauth  

      



    ------------------------------
    ----------------------------------------------------------------------
    David Awerbuch
    MQ admin, MQ developer, MQ firefighter, real firefighter.
    ------------------------------



  • 4.  RE: error AMQ8135E: Not authorized

    Posted Mon January 15, 2024 08:05 AM

    Hi Niel and David,

    Thanks for your answer! I edited the original message with the quotes for 

    MCAUSER('itx')

    But it didn't change anything to my problem. I'm still looking for a solution on my side.

    Best Regards,

    Thomas



    ------------------------------
    Thomas Lucas
    ------------------------------



  • 5.  RE: error AMQ8135E: Not authorized

    IBM Champion
    Posted Mon January 15, 2024 04:14 PM

    Hi Thomas,

    I don't see anywhere where you have granted your itx user any of the permissions it would need to issue MQSC commands. It doesn't have put access to the SYSTEM.COMMAND.ADMIN.QUEUE, nor various accesses to make a reply queue, nor any dsp access on the objects you might be displaying.  

    Use your queue manager error log to see exactly what I'd needed by reviewing the complaint each time it fails until you have granted all that is required. 

    Cheers,

    Morag



    ------------------------------
    Morag Hughson
    MQ Technical Education Specialist
    MQGem Software Limited
    Website: https://www.mqgem.com
    ------------------------------



  • 6.  RE: error AMQ8135E: Not authorized
    Best Answer

    IBM Champion
    Posted Mon January 15, 2024 09:54 PM

    My previous reply was written in a hurry and didn't really provide much detail about how to go about doing what I suggested you do.

    I've thought it might be worth writing up this process once or twice before, so your question prompted me to do that. So here's a blog post containing the mechanism for using the queue manager error log to find and fix authority errors.

    Worked Example: Solving MQRC_NOT_AUTHORIZED

    Please don't hesitate to feedback on it. I hope it is useful to you.

    Cheers,
    Morag



    ------------------------------
    Morag Hughson
    MQ Technical Education Specialist
    MQGem Software Limited
    Website: https://www.mqgem.com
    ------------------------------



  • 7.  RE: error AMQ8135E: Not authorized

    Posted Thu February 08, 2024 05:40 AM

    Thanks Morag,

    I found the error logs (that you mention on your reply and on your blog) on my MQ server : /var/mqm/qmgrs/QUEUE_MNGR_NAME/errors where I found all the rights that were missing.

    there were indeed some missing rights on the queues SYSTEM.ADMIN.COMMAND.QUEUE  and  SYSTEM.MQSC.REPLY.QUEUE

    I solved all my issues :).

    Thanks for your help!

    Best Regards,

    Thomas



    ------------------------------
    Thomas Lucas
    ------------------------------