Develop Reference

Why do I get MQJE001: Completion Code '2', Reason '2035' after upgrading from java client 6.0.2.2 to 9.3.1.0?

I work on a Java application which uses com.ibm.mqjms version 6.0.2.2. I just upgraded to com.ibm.mq.allclient version 9.3.1.0.
After the upgrade, all attempts to put a message on the queue results the following error :
com.ibm.mq.MQException: MQJE001: Completion Code '2', Reason '2035'.
The error message given by queue manager is :
AMQ9557E: Queue Manager User ID initialization failed for '[username]'.
EXPLANATION:
The call to initialize the User ID '[username]' failed with CompCode 2 and Reason
2035. If an MQCSP block was used, the User ID in the MQCSP block was ''. If a
userID flow was used, the User ID in the UID header was '' and any CHLAUTH
rules applied prior to user adoption were evaluated case-sensitively against
this value.
ACTION:
Correct the error and try again.
I've tried to add the following in the java application to disable MQCSP, but this did not help.
Hashtable props = new Hashtable();
props.put(MQConstants.USER_ID_PROPERTY, false);
props.put(MQConstants.PASSWORD_PROPERTY, false);
props.put(MQConstants.USE_MQCSP_AUTHENTICATION_PROPERTY, Boolean.FALSE);
this.queueManager = new MQQueueManager(getManager(), props);
What can I do to troubleshoot this issue? Since the issue only exists with the more recent version of the MQ java client, I'd think the issue is caused by the client?
AMQERR01.LOG
2023-01-03 13:28:41 - Process(2838.71) User(mqm) Program(amqrmppa)
Host([HOSTNAME]) Installation(Installation1)
VRMF(9.2.5.0) QMgr(TSTMQ01)
Time(2023-01-03T12:28:41.959Z)
ArithInsert1(2) ArithInsert2(2035)
CommentInsert1([USERNAME])
AMQ9557E: Queue Manager User ID initialization failed for '[USERNAME]'.
EXPLANATION:
The call to initialize the User ID '[USERNAME]' failed with CompCode 2 and Reason
2035. If an MQCSP block was used, the User ID in the MQCSP block was ''. If a
userID flow was used, the User ID in the UID header was '' and any CHLAUTH
rules applied prior to user adoption were evaluated case-sensitively against
this value.
ACTION:
Correct the error and try again.

To get the prior v6 behavior set the java system property user.name to an empty value, for example on the command line add this:
-Duser.name=
or in your program add this:
System.setProperty("user.name", "")
Background:
The IBM MQ classes for Java and IBM MQ classes for JMS are the only libraries where IBM allows you to set the username that is passed to MQ in the protocol field called RemoteUserIdentifier. This has been in place since the Java and JMS classes were released. IBM has stated this is because a java app does not have direct access to the user the process runs under only the java system property user.name which will be filled in by the JVM with a username but can be overridden as a java system property. On the other hand C, C++, .NET and XMS MQ client APIs all pass the user that the process is running as in the RemoteUserIdentifier field and you cannot override this and specify an arbitrary value.
Java and JMS also were the only APIs to allow you to specify a password value and this would be sent to the queue manager in the RemotePassword field. The RemoteUserIdentifier/RemotePassword fields are part of the MQCD (MQ channel defination) that the client sends to the queue manager when connecting.
Prior to v8 the queue manager had no built in functionality to authenticate any username or password value that was provided, you would need a security exit to get any additional validation. If you configure your MQ SVRCONN channel to allow connections as any ID with no protection (Blank MCAUSER and no security exits or SSLCIPH/SSLPEER to restrict access, then anyone can write a simple Java or JMS MQ application to assert any user value and get access to what that user would have access to on MQ, even without java someone with admin rights on there own desktop or server can just create a local user with the right name and run a C program and get similar access. It is never a good idea to accept an arbitrary asserted ID without some form of validation.
Prior to CHLAUTH which was added in MQ v7.1 the default configuration of a new queue manger was to allow the asserted id to be administrative unless you protected against this, this could be as simple as passing the value "mqm" to a linux queue manager or simply passing a blank value, if the MCAUSER was also blank on the SVRCONN channel the channel would run under the authority of the process running the listener which would be the "mqm" user.
With 7.1 and higher a new queue manager is created by default with CHLAUTH(ENABLED) and a few default CHLAUTH rules, one restricts access to all channels that start with "SYSTEM" and another denies connections to SVRCONN channels from any user MQ determines has administrative authority. Note that if a queue manager was created at a version prior to 7.1, then later upgraded to 7.1 or higher the default is to leave CHLAUTH(DISABLED), so unless you alter it to set it to ENABLED at some point you do not have these protections.
On the Java/JMS client side prior to 7.1, if you did not set the username a blank value would be passed in the RemoteUserIdentifier, after 7.1, if you do not set the username then the client defaults to sending the value of the java system property user.name, if you do set the username it is still sent in favor to the user.name value.
Since MQ v7.0 non-java APIs have had the ability to send an additional structure to the queue manager during the channel connection called the MQCSP which has fields for a username and password and AuthenticationType, but similar to what I said about RemoteUserIdentifier/RemotePassword prior to v8 there was no built in functionality to actually authenticate or do anything with these values, you would need to use a security exit to get this functionality. Note the MQCSP.AuthenticationType field has two possible values, MQCSP_AUTH_NONE (indicating that you do not want authentication performed) or MQCSP_AUTH_USER_ID_AND_PWD (indicate that you want authentication performed).
Since MQ v8.0 the Java and JMS APIs now also have the ability to send the username and password values in the MQCSP instead of the MQCD RemoteUserIdentifier/RemotePassword fields, but for all versions of MQ v8.0, MQ v9.0.0.x (LTS) and 9.0.x (CD), 9.1.0.x (LTS), and 9.1.x (CD) the default is to send the username and password in compatibility mode still using the RemoteUserIdentifier/RemotePassword fields of the MQCD. To have Java and JMS use the MQCSP, you have to specifically set a property. When the specified username and password is sent in the MQCSP the RemoteUserIdentifier is filled in with the java system property user.name by default. Note that in 9.3 it seems the default is now send the username and password in the MQCSP structure instead of in compatibility mode.
At v8.0 and later the queue manager now has the feature called CONNAUTH which can authenticate a username and password that is sent via either MQCSP or RemoteUserIdentifier/RemotePassword. There are various configuration options around how this is configured, but by default at v8 or later if a username and password (note the password could be empty in this case) are sent to the queue manager and MQCSP.AuthenticationType is set to MQCSP_AUTH_USER_ID_AND_PWD, they will be validated to be correct, and if an administrative user is sent to the queue manager it must provide a password and be correct.
For Java/JMS APIs, if no MQCSP is sent by the client but RemoteUserIdentifier and RemotePassword both have a value, the queue manager will build a MQCSP with MQCSP.AuthenticationType set to MQCSP_AUTH_USER_ID_AND_PWD and validate it the same way, note in this case if RemotePassword is empty a MQCSP structure is not built.
Conclusion:
Based on the description of how you state that the Java app with v6 jars is functioning, this means that anyone that has access to connect the MQ listener port of your queue manager can specify any username that has access to MQ including the queue manager admin user. It would be much better to send a username and password that will be validated, or use client TLS certificates to assert identity (When combined with setting the channels SSLPEER and a MCAUSER (or a CHLAUTH SSLPEERMAP rule) you can greatly restrict who can connect to your channel, and you eliminate the ability for them to assert any arbitrary username.

set MCA user id in MQ 7 on a channel

Im trying to set MCA user id in MQ explorer 7 on a channel .
where do I get the value of the MCA ??

The value you put in that field is the ID that will be used by the application connecting via the channel. That is a complex security issue which needs to be determined by your company. MQ channels need to be configured so they are secure and do not allow unwanted access.

When you create the channel, you should see the option to add MCA. Otherwise, if you are trying to add it afterwards, if you right click on the channel names you should be able to select the channel properties and update the MCA field.

Web Sphere 7.5 Add user

How can i add new user to my queue in WebSphere 7.5 MQ Explorer?
I have a 90 day trial version and I don't have a administrator console :/ I don't know why...
I would like to connect to a queue that is placed on my server, but I can't connect with Administrator account.

First off, go get the non-expiring version for which the product name is MQ Advanced for Developers. As of this writing, it is available in v7.5 and v8.0 and it is free. If you want support, IBM will let you throw money at them for that but the full-function, non-expiring product is free.
MQ now ships secure by default. When you first create a queue manager it rejects administrative connections over client channels. It would allow non-admin channels over SYSTEM.ADMIN.SVRCONN except that until you explicitly authorize them non-administrators have no rights on the QMgr.
(As of v8.0, the QMgr is also set by default to require ID and password but you needen't worry about this with MQ v7.5.)
If you are using a Linux or Windows QMgr and can start MQ Explorer on the host where the QMgr is installed, connect to the QMgr using bindings mode rather than a channel. If you are using an administrative user ID (one in the mqm group or on Windows also the Administrators group) then bindings mode will work.
If you must connect over a client channel, you will need to set up MQ to allow your administrative connection and/or low-privileged user connections. You can do this by disabling the CHLAUTH rules but that approach is strongly discouraged. Much better to learn how MQ security works than to disable it.
You can also define new CHLAUTH rules that permit the connection. The default CHLAUTH rules look like this:
dis CHLAUTH(*) all
1 : dis CHLAUTH(*) all
AMQ8878: Display channel authentication record details.
CHLAUTH(*) TYPE(BLOCKUSER)
DESCR(Default rule to disallow privileged users)
CUSTOM( ) USERLIST(*MQADMIN)
WARN(NO) ALTDATE(2015-05-28)
ALTTIME(15.10.02)
AMQ8878: Display channel authentication record details.
CHLAUTH(SYSTEM.ADMIN.SVRCONN) TYPE(ADDRESSMAP)
DESCR(Default rule to allow MQ Explorer access)
CUSTOM( ) ADDRESS(*)
USERSRC(CHANNEL) CHCKCLNT(ASQMGR)
ALTDATE(2015-05-28) ALTTIME(15.10.02)
AMQ8878: Display channel authentication record details.
CHLAUTH(SYSTEM.*) TYPE(ADDRESSMAP)
DESCR(Default rule to disable all SYSTEM channels)
CUSTOM( ) ADDRESS(*)
USERSRC(NOACCESS) WARN(NO)
ALTDATE(2015-05-28) ALTTIME(15.10.02)
Note that the first rule says to block admin users on any channel. You can add a new rule that says to block some non-admin user on the channel you want to use for administrators.
runmqsc MYQMGRNAME
DEFINE CHL(MY.ADMIN.SVRCONN) CHLTYPE(SVRCONN) MCAUSER('*NOACCESS') REPLACE
DEFINE CHLAUTH(MY.ADMIN.SVRCONN) TYPE(ADDRESSMAP) ADDRESS(127.0.0.1) USERSRC(CHANNEL)
DEFINE CHLAUTH(MY.ADMIN.SVRCONN) TYPE(BLOCKUSER) USERLIST('*NOBODY')
The DEF CHL command defines a new channel for administrators, and sets the MCAUSER to a value that insures that channel won't start.
The first CHLAUTH rule tells MQ to replace the bad MCAUSER with the one from the connection request provided the request comes from 127.0.0.1 and only for MY.ADMIN.SVRCONN. Fill in your own IP address here. Preferably instead use a certificate instead of an IP address to authenticate the connection.
The second CHLAUTH rule is a bit tricky. There is no 'ALLOW USERS' rule so we have to use a rule of type TYPE(BLOCKUSER). But when we block users we have to provide a non-empty list of them. What we need is a CHLAUTH rule where the channel name is more specific than the default one and with a USERLIST value that does not contain *MQADMIN or your actual user ID. I use *NOBODY here because it makes it obvious that the intent is to not block anybody, and the value can never be an actual user ID.
Defining a channel just for admins to use is considered a Best Practice. Authenticating administrators based on the IP address or hostname is not. Once you get connected with your admin ID and get your QMgr configured, consider learning enough about MQ certificates to strongly authenticate administrator connections. And/or go to a V8.0 QMgr and client where you can log on using a password.

The MQ Explorer doesn't allow changes to the O/S, so you'll have to create the user in the O/S by other means first.
However, if your user ID exists then you can use MQ Explorer to grant that user access to the queue. Bring up the list of queues in Explorer and then right-click on the queue whose authorities you wish to add the user to. Select Object Authorities -> Manage Authority Records... This will bring up the wizard that allows you to add a group or a user to the queue.
You will also need to allow that user to connect to the queue manager I suspect?

WebSphereMQ + Centos 7

I try to install WebSphere MQ v8 on Centos 7... I did have no problem instaling the server and test it. When I try to configure client every is OK until I try to put a message at queue with the following command: ./amqsputc queue manager. Here part of the log file.
-------------------------------------------------------------------------------
08/01/15 13:16:17 - Process(37991.4) User(mqm) Program(amqrmppa)
Host(localhost.localdomain) Installation(Installation1)
VRMF(8.0.0.0) QMgr(my.manager)
AMQ9776: Channel was blocked by userid
EXPLANATION: The inbound channel 'CANAL1' was blocked from address
'127.0.0.1' because the active values of the channel were mapped to a
userid which should be blocked. The active values of the channel were
'MCAUSER(mqm) CLNTUSER(mqm) ADDRESS(localhost)'. ACTION: Contact the
systems administrator, who should examine the channel authentication
records to ensure that the correct settings have been configured. The
ALTER QMGR CHLAUTH switch is used to control whether channel
authentication records are used. The command DISPLAY CHLAUTH can be
used to query the channel authentication records.
----- cmqxrmsa.c : 1257 -------------------------------------------------------
08/01/15 13:16:17 - Process(37991.4) User(mqm) Program(amqrmppa)
Host(localhost.localdomain) Installation(Installation1)
VRMF(8.0.0.0) QMgr(my.manager)
AMQ9999: Channel 'CANAL1' to host '127.0.0.1' ended abnormally.
EXPLANATION: The channel program running under process ID 37991 for
channel 'CANAL1' ended abnormally. The host name is '127.0.0.1'; in
some cases the host name cannot be determined and so is shown as
'????'. ACTION: Look at previous error messages for the channel
program in the error logs to determine the cause of the failure. Note
that this message can be excluded completely or suppressed by tuning
the "ExcludeMessage" or "SuppressMessage" attributes under the
"QMErrorLog" stanza in qm.ini. Further information can be found in the
System Administration Guide.
----- amqrmrsa.c : 925 --------------------------------------------------------
I appreciate all the help you can give me, thanks in advance.

It is very easy to troubleshoot the reasons why you have been blocked by a CHLAUTH rule. There is a blog post on it, I'm being blocked by CHLAUTH - how can I work out why?
However, I can tell you from here exactly which rule is blocking you, it is the default rule which bans remote privileged access, i.e. mqm access from client connections. If you want to have access without being privileged, read A non-privileged MQ administrator, and alternatively if you do want to allow the risky remote access from privileged users, read CHLAUTH - Allow some privileged admins

It's worth noting MQ v8 doesn't support CentOS at all, and hasn't declared support for RHEL 7 either.
http://www-969.ibm.com/software/reports/compatibility/clarity-reports/report/html/softwareReqsForProduct?deliverableId=1350550241693&osPlatform=Linux
At time of writing MQ v8 supports the following Linux distros:
Asianux 3.0
RHEL 6
SLES 11
Ubuntu 12.04
That said, the error 'AMQ9776: Channel was blocked by userid' you pasted above show that your client is failing the channel authentication checks.
You can check this by disabling channel authentication via the following MQSC command:
'ALTER QMGR CHLAUTH(DISABLED)'
There's a good article on developerworks that explains how to work out why your connection attempt was blocked you can look at here:
https://www.ibm.com/developerworks/community/blogs/aimsupport/entry/blocked_by_chlauth_why?lang=en

WebSphere MQ Q Program Usage

I have a queue manager QM_TEST created using the following MQSC command:
SET AUTHREC OBJTYPE(QMGR) GROUP('mq-user') AUTHADD(INQ,DSP,CONNECT,SET,SETALL)
SET AUTHREC PROFILE(SYSTEM.MQEXPLORER.REPLY.MODEL) OBJTYPE(QUEUE) GROUP('mq-user') AUTHADD(INQ,DSP,GET)
SET AUTHREC PROFILE(SYSTEM.ADMIN.COMMAND.QUEUE) OBJTYPE(QUEUE) GROUP('mq-user') AUTHADD(INQ,DSP,PUT)
DEFINE CHANNEL ($cname) CHLTYPE (SVRCONN) TRPTYPE (TCP) MCAUSER('tcs-mq-user') REPLACE
SET CHLAUTH($cname) TYPE(ADDRESSMAP) ADDRESS(*) MCAUSER('tcs-mq-user')
DEFINE QLOCAL ($dlqname) REPLACE
SET AUTHREC PROFILE($dlqname) OBJTYPE(QUEUE) GROUP('mq-user') AUTHADD(ALL)
ALTER QMGR DEADQ($dlqname) FORCE
DEFINE LISTENER ($lname) TRPTYPE (TCP) CONTROL (QMGR) PORT ($port)
START LISTENER ($lname)
I have two queues TEST1 and TEST2 created using:
DEFINE QLOCAL ($qname) GET(ENABLED) PUT(ENABLED) MAXDEPTH($maxdepth) REPLACE
SET AUTHREC PROFILE($qname) OBJTYPE(QUEUE) GROUP('mq-user') AUTHADD(ALL)
I am trying to copy messages from TEST1 to TEST2 using the q program utility:
q -xb -mQM_TEST -iTEST1 -mQM_TEST -oTEST2 -p20
However I get this error:
MQSeries Q Program by Paul Clarke [ V6.0.0 Build:May 2 2012 ]
Connecting ...failed. MQCONNX on object 'QM_TEST' returned 2035 Not
authorized..
I am running WebSphere MQ v7.1. q SupportPac is installed on the server and I am executing the q command on the server. I can't figure out a way to pass the channel name TEST_CHANNEL and port number 1414, is that the issue?

The program is connecting to the QMgr in bindings mode via shared memory rather than using the SVRCONN channel. You can verify this by ALTER QMGR AUTHOREV(ENABLED) then looking at the authorization event that is produced in the QMgr event queue. If you have installed SupportPac MS0P you can right-click on the queue and select "Format event messages" to see it in human-readable format. Either way, you should see that the ID being used to connect is not tcs-mq-user but rather whatever ID you are using to run the Q program. Try:
q -lmqic -xc -iTEST1 -oTEST2 -p20
The program will prompt you for the channel details when run with -xc.
The Q program can dump queues to files but it is not designed for that. The QLoad program from SupportPac MO03 is designed for that and will capture all aspects of the message and, if you are suitably authorized, also restore them intact. This includes message ID, timestamp, etc.
Finally, a quick note about the AUTHREC statements in your post. Since you have bothered to create a low-privleged MCAUSER and set authorities for it, I presume that you would like that ID not to have administrative privileges. Please be aware that granting a user +set or +setall on the QMgr allows them to manage authorization records using WMQ Explorer or anything else that uses PCF commands. Consider restricting authorities on the QMgr to +dsp +inq +connect.
Generally, the applications don't get access to the DLQ but rather get access to an application-specific backout queue. If the app is granted access to the DLQ it is usually only to put messages there and not to get them back out. This is because the DLQ is a system-wide resource and if the QMgr is shared, the messages from multiple apps might land in the DLQ. As a security precaution, restrict delete access on that queue to administrators. This way someone cleaning up after their app can't accidentally (or otherwise) delete the messages belonging to another app.
UPDATE:
Reviewing your post, I noticed another discrepancy. I had assumed that you were getting the 2035 Authorization Error because you were connecting in bindings mode with an ID other than mqm or tcs-mq-user. After looking again, I realized that you never authorized the mq-user group to the queues you are trying to access. You authorized it to the Command Queue and the reply model which aren't used in this scenario. (WMQ Explorer uses them.) So, add the following rules:
SET AUTHREC PROFILE(TEST1) OBJTYPE(QUEUE) GROUP('mq-user') AUTHADD(PUT,GET,INQ,BROWSE)
SET AUTHREC PROFILE(TEST2) OBJTYPE(QUEUE) GROUP('mq-user') AUTHADD(PUT,GET,INQ,BROWSE)
This will solve the auths problem if in fact you are connecting as tcs-mq-user.
There isn't a way to pass the channel to Q on the command line, as far as I know, but it does accept the standard MQSERVER variable. For example:
export MQSERVER="$cname/TCP/localhost($port)"
...where $cname is the channel name and $port is the port. Here's my test:
tcs-mq-user:~> export MQSERVER="TEST.SVRCONN/TCP/localhost(1414)"
tcs-mq-user:~> q -xb -iTEST1 -mQMTEST -lmqic
MQSeries Q Program by Paul Clarke [ V6.0.0 Build:May 2 2012 ]
Connecting ...connected to 'JMSDEMO'.
No more messages.
tcs-mq-user:~>
As to why its not finding the client libs, do you have them installed?
tcs-mq-user:~> rpm -qa | grep MQSeriesClient
MQSeriesClient-7.5.0-0