How to authenticate remote MQ machine, Error when trying to connect - ibm-mq

Access not permitted. You are not authorized to perform this operation. (AMQ4036)
Severity: 10 (Warning)
Explanation: The queue manager security mechanism has indicated that the userid associated with this request is not authorized to access the object.
I am using same version of MQ in both machines and when I try to connect the above error occurs using Windows machines for connection.

1st, make sure you are NOT using a SYSTEM.* channel. Create a channel for your application.
2nd, add the appropriate permissions (via setmqaut) to allow the UserId to connect to the queue manager and access the queues.

IBM Support Technote "WMQ 7.1 / 7.5 / 8.0 / 9.0 queue manager RC 2035 MQRC_NOT_AUTHORIZED or AMQ4036 or JMSWMQ2013 when using client connection as an MQ Administrator" has a good write up on diagnosing and resolving this issue.
If you want more specific help, to start with please provide the following details by editing and adding them to your question. Adding them as comments does not help much since the number of characters are limited and you have no way to format them in a comment.
Version of IBM MQ installed on client and queue manager
Errors in the queue manager's AMQERR01.LOG that happen at the same time as the error you receive.
SVRCONN channel name that you are connecting too.

Related

Spring Boot connecting to IBM MQ Cloud

I'm trying to send a message to a IBM MQ queue from my spring boot service. I could send/receive the message from the IBM MQ installed on my laptop.
However when I replaced the configuration to connect to the IBM MQ Cloud, this is not working
Configuration is as follows:
getting the following error
Note:
I could telnet into the host & port
I tried with the following for Username & Password
With APIKey & App Name
My IBM Username & Password
It seems to be a known issue:
The connection may be broken for a number of different reasons. The 2009 return code indicates that something prevented a successful connection to the Queue Manager. The most common causes for this are the following are:
A firewall that is terminating the connection
An IOException that causes the socket to be closed
An explicit action to cause the socket to be closed by one end
The queue manager is offline
The maximum number of channels allowed by the queue manager are open
A configuration problem in the Queue Connection Factory (QCF)
Can you please try suggestions from here
Usually, the most common reason for Error Code 2009: MQRC_CONECTION_BROKEN is that your JMS client opens up multiple connections to the queue and they remain unclosed even though they're not being used. You then eventually run out of channels. You can increase the channel size to more than double of what is required.
Check your FFST log file generated by IBM MQ classes for JMS. It gives you detailed info on connections/errors:
First Failure Support Technology ( FFST ) files

Windows Server MQ client interact with Unix MQ server

I am doing lot of analysis for a new Java MQ client requirement got some doubts. Currently in the Unix system Queues Queue manager all created where MQ server is running.
In order to run Java MQ client we are going to install MQ client on other Unix Solaris system. Mean while we had one windows server where MQ client installed before going to MQ client installation on unix System need to clear my clarifications.
Since I am new MQ.
Can we run Java MQ client from windows server to connect MQ server unix system(Queues,Queuue Manager)
If yes what need for this to connect Windows Server to unix Solaris
The code is compiled with MQ libraries
Is any error will come to face.
It would be great if you provide steps or solution.
Yes, you can run the Java MQ client from any machine to connect to a queue manager on any other machine. The MQ Clients (Java, 'C' or .NET version) all support any platform to any platform combinations, and all support any MQ version to any MQ version. So for example, you can have a V8 Client on Windows connecting to a V9 Queue manager on Unix. Equally you can have a V9 Client on Windows connection to a V8 Queue manager on Unix, i.e. any to any version can be upwards or downwards.
In order to connect a client to a queue manager, you will need the client libraries on the client machine, in your case the Java client.
You will also need to ensure that your queue manager has a TCP/IP listener running and that you know the port number.
You will need a channel definition on the queue manager of a type called SVRCONN, and know the name of it. e.g.
DEFINE CHANNEL(MQGEM.SVRCONN) CHLTYPE(SVRCONN) DESCR('Channel for my client application to connect to')
In order for your Java client to connect to the queue manager it will need to use
The channel name
The host name of the machine where the queue manager is running
The port number of the TCP/IP listener
If you face any errors, they may be related to connectivity, because your application is connected by the network to the queue manager. Remember to pay attention to any return codes you get from MQ, they will be in the form of 4 digits, e.g. 2059. For Java you should ensure you get hold of the linked exception. It may also be useful to look in the error log of the queue manager too.
You may also face security errors if this is your first use of IBM MQ. The queue manager is locked down by default so that remote applications cannot simply connect in and do damage (e.g. delete important messages from other applications!). There are a number of posts on here that describe these errors and their solutions. Best advise, get the MQRC code (4-digits) and the AMQERR01.LOG error message from the queue manager. Armed with this information you should be able to describe and diagnose any error situations you encounter.

Can't connect Websphere MQ Queue Manager

I'm a beginner on WebSphere MQ, I was working on MQ 6 and it was working fine, but now I've installed MQ 7.1 and when I try to create a new Queue Manager I can do it But it can't connect and it gives me the following error :
Do you have any idea about that? Thank you :)
You can look up any WebSphere MQ error code if either the WebSphere MQ Client or Server are installed using the mqrc command. In this case:
C:\Users\MUSR_MQADMIN>mqrc 2059
2059 0x0000080b MQRC_Q_MGR_NOT_AVAILABLE
The 2059 usually indicates that the listener is not running or the queue manager is down. There's a different error code if the listener is running and the QMgr name is wrong and another one if the connection is made to the right QMgr but the channel name is wrong. Sometimes you can get a 2059 if the channel was closed at the server side by an exit but since you didn't mention any exits, I'm assuming in this case that its listener problem.
Hopefully by now you are defining a listener object rather than using inetd or the runmqlsr command. Defining an object and setting it to start and stop under QMgr control is the most reliable way to configure it.
Once you get past the 2059, you should be aware that as of WMQ V7.1, the queue managers are secure by default and won't accept any remote client connections unless you explicitly authorize them. This is the opposite of the behavior of V6 where on a newly defined queue manager running a listener, anyone with a TCP route to it could administer it and remotely execute OS code as the mqm user. So I expect that the next problem you run into will be 2035 errors.
I've been told this means more work for the WMQ administrator. The only case in which that's true is if the V6 or earlier queue manager had been configured without security. If the tasks to secure a V7.0 QMgr are compared to the tasks to provision access on a v7.1 and higher QMgr are compared, provisioning access turnds out to be easier. However if you liked the V7.0 behavior, you can always alter the QMgr to disable CHLAUTH rules. Needless to say, leaving security enabled is highly encouraged.
To debug security errors, alter the QMgr to enable authorization events using the runmqsc command ALTER QMGR AUTHOREV(ENABLED). Next, download and install SupportPac MS0P into WebSphere MQ Explorer. Then when you do get a security error, use WebSphere MQ Explorer to look at the queue. Right-click on the queue and select the option to parse the event messages. This will tell you in excruciating detail all the information you need to debug the authorization error.
Finally, if you wish to read up on the new security features, go to t-rob.net/links and look at the conference presentations there. There are also some articles indexed if you scroll down.
In the screen-shot, I see hostname "127.0.0.1" and port # 1414. If it is a local queue manager then connect directly to it.
Also, each queue manager MUST use a unique port number. If you had it working with WMQ v6 queue manager, is this the same queue manager? If not, then make sure each queue manager uses a different port number (i.e. 1415, 1416, etc...)
I got same problem. but i resolved this by :
1. created a listener manually (define lstr(lstr1) port(xxxx) control(qmgr)
2. setmqaut mcauser('mqm').

AMQ9504: A protocol error was detected for channel

I'm unable to connect remotely from WebSphere Application Server with Queue Manager at WebSphere MQ. Anyhow it get connected to Queue Manager from WAS that is installed on same machine. I'm using version 7.5 of WebSphere MQ and version 7.0 of WebSphere Application Server.
While attempting to connect WAS remotely to Queue Manager following error messages were logged.
Error Message from WebSphere MQ:
1/30/2013 21:12:09 - Process(3624.6) User(MUSR_MQADMIN)
Program(amqrmppa.exe)
Host(KHILT-269) Installation(Installation1)
VRMF(7.5.0.0) QMgr(QM.TEST)
AMQ9504: A protocol error was detected for channel 'TEST_CHANNEL'. EXPLANATION: During communications with the
remote queue manager, the channel program detected a protocol error.
The failure type was 11 with associated data of 0. ACTION: Contact the
systems administrator who should examine the error logs to determine
the cause of the failure.
Error Message at WebSphere Application Server:
A connection could not be made to WebSphere MQ for the following
reason: CC=2;RC=2009
As it can be seen from logs, I have created Queue Manager as QM.TEST and channel as TEST_CHANNEL. The listener port defined for the Queue Manager is 1417 along with protocol TCP.
I did lot of google but didn't find any appropriate solution. I appreciate any help in this regard.
Thanks in adv, KAmeer
I had a similar issue where I have WAS 7 and WMQ 7.5. I was able to make a connection to my existing WMQ 7.0 QM but not my new WMQ 7.5 QM. Apparently there was a change to the WMQ components bundled with WAS 7 after the initial release 7.0.0.0. After updating the resource adapter I was able to make a successfull connection to both queue managers.
The queue manager generates protocol error and terminates the connection immediately when it receives unexpected TSH flow from the client. As a result the client receives 2009 error. Technically, low level MQ client will be able communicate with higher version MQ queue manager and vice versa unless there are known restrictions and/or there is a MQ defect/APAR. The error message indicates the queue manager is running at MQ 7500 and this is MQ base 7.5 version. It is recommended upgrading the queue manager to the latest fixpack available to rule out any known problems. You could also try disabling shared conversion on the SVRCONN(i.e. setting SHARECNV to 0) channel and check whether it workarounds the problem until the problem is resolved.
Open a PMR with IBM as this sounds like a bug.
the cause for this is mq 7 client cannot talk to mq 7.5, the client needs to use mq 7.5 jar files
I had this problem. In my case was the mq library that was doing an MQGET with an infinite loop, so the lib was locked on the mqget while i called the kill and generated an event and tried to disconnect while the get was still running. As the mqget does not support unlocking via signal, i had to change the code to not stay infinite on get and add some flags on the kill command so the app could detect that it was time to die, when it returned from the get.

MQ client connect to remote MQ server have insufficient authority

Now I use the websphere MQ client connect to remote MQ Server(7.0 version) using c#, and occurs a problem of authority,Which is the user running the MQ client application have insufficient authority to access qmgr.Then I use the 'setmqaut' command to grand the user sufficient authority and it works.
I think it's not very convenient and must be a better way.May via adding user's IP in MQ Server? But I have no idea how to do it.
Any suggestions would be greatly appreciated.
Thanks
WebSphere MQ does not perform any authentication. Local applications are authenticated by the operating system and so their ID can be trusted. (By definition, if you cannot trust the local OS authentication then the entire server is compromised.) Just as with local connections, WMQ trusts that the ID connecting remotely is genuine. It is up to the WMQ administrator to determine what level of authentication to employ. In WMQ v7 there are two choices - authenticate with SSL/TLS channels, or use a channel exit to authenticate.
In either case, it is the channel's MCAUSER value that decides what ID is used for authorization. If the MCAUSER is left blank then the channel will use the user ID that the client sends. In your case you received a 2035 error because the client sent an ID that was not in the administrative (mqm) group. Had your client sent the ID 'mqm' (or on Windows 'MUSR_MQADMIN'), the connection would have succeeded. If your program is Java or JMS, the ability to select the ID presented is part of the API. Just tell the QMgr who you want to be.
If you are willing to allow remote connections to execute OS commands on the server, then just put the administrative ID in the channel's MCAUSER. (For example, MCAUSER('mqm') on UNIX/Linux or typically MCAUSER('MUSR_MQADMIN') for Windows.) However, be aware that remote users with admin rights can remotely execute arbitrary OS command-line code using the QMgr. This is a feature of WMQ and not a bug, hence we NEVER recommend this in Production. In fact, I personally recommend that development environments enable security. Waiting until Production to figure out how to authenticate connections and what authorizations are needed often leads to unnecessary deployment delays.
If you want to use IP filtering to mitigate that threat, you can either move to WMQ v7.1 which includes this feature natively, or use an exit such as BlockIP2. Either of these solutions will allow you to create rules that filter incoming connection requests by IP address, user ID, etc.
Note that on a v7.0 QMgr all the channels are unprotected by default. So even if you filter incoming requests on one channel, if the others are left in their default state, anyone can still connect and execute commands as the administrator. For a comprehensive review of all this, please take a look at the Hardening WebSphere MQ presentation at t-rob.net. Scroll down to the v7.0 presentations.

Resources