IBM Websphere MQ Not authorised error AMQ8135 - ibm-mq

I have a dev server running IBM WebSphere MQ 7.5. The issue is that users trying to run the runmqsc command get the following error:
AMQ8135: Not authorized.
No MQSC commands read.
No commands have a syntax error.
All valid MQSC commands were processed.
As I went through the IBM documentation, all users who are part of the MQM group should be able to run this.
Also, I found that all non-domain accounts, i.e. local accounts that are part of the MQM group, are able to run commands. But somehow domain accounts are not working, even when they are part of the MQM group. I also added these accounts to the domain mqm group, still no luck.
I tried running the REFRESH SECURITY command, still no luck.
If anyone can provide some insight into this, it would be great.
And yes I am a total noob in IBM Websphere.

Not sure if this helps in your case, but I tried the steps below and it worked for me.
Right-click MQSeriesServices in Services, then choose Properties.
Change the logon to "Local System Account".
Restart the service.
Note: Assuming that MQM is added to user groups.

You can try supplying a user/password to the runmqsc command by running runmqsc -u user1.

Cause
In this case the permissions for the runmqsc binary were not correct.
Resolving the problem
The permissions for the runmqsc binary must be:
AIX:
-r-sr-s--- 1 mqm mqm sssss MMM DD YYYY /usr/mqm/bin/runmqsc
Others:
-r-sr-s--- 1 mqm mqm sssss MMM DD YYYY /opt/mqm/bin/runmqsc
Reset the permissions of the runmqsc binary in your system to the correct value.
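
The mode string above, -r-sr-s---, is octal 6550 (setuid and setgid, read and execute for owner and group, nothing for others). The following is an added example, not part of the original answer: it audits an ls -l line against that mode and the mqm:mqm ownership, using constructed sample lines.

```shell
#!/bin/sh
# Added example: audit an `ls -l` line for runmqsc against the page's expected values.

# Convert the mode column of `ls -l` (e.g. -r-sr-s---) to 4-digit octal.
# Only characters 2-10 are read, so a trailing "." or "+" marker is ignored.
mode_to_octal() {
    perms=$(printf '%s' "$1" | cut -c2-10)
    special=0; digits=""; weight=4          # weight: 4=setuid, 2=setgid, 1=sticky
    for start in 1 4 7; do
        trip=$(printf '%s' "$perms" | cut -c"$start"-"$((start + 2))")
        val=0
        case "$trip" in r??) val=$((val + 4)) ;; esac
        case "$trip" in ?w?) val=$((val + 2)) ;; esac
        case "$trip" in
            ??x)    val=$((val + 1)) ;;
            ??[st]) val=$((val + 1)); special=$((special + weight)) ;;
            ??[ST]) special=$((special + weight)) ;;
        esac
        digits="$digits$val"
        weight=$((weight / 2))
    done
    printf '%s%s\n' "$special" "$digits"
}

# Print one finding per deviation; return 0 only when mode, owner and group match.
audit_runmqsc_line() {
    read -r mode _links owner group _rest <<EOF
$1
EOF
    rc=0
    octal=$(mode_to_octal "$mode")
    if [ "$octal" != "6550" ]; then
        echo "mode is $octal ($mode), expected 6550 (-r-sr-s---)"; rc=1
    fi
    if [ "$owner" != "mqm" ]; then echo "owner is $owner, expected mqm"; rc=1; fi
    if [ "$group" != "mqm" ]; then echo "group is $group, expected mqm"; rc=1; fi
    return "$rc"
}

# Constructed sample lines (not real output); the second lost its setuid/setgid bits.
GOOD_LINE='-r-sr-s--- 1 mqm mqm 20480 Jan 01 2015 /opt/mqm/bin/runmqsc'
BAD_LINE='-r-xr-x--- 1 root mqm 20480 Jan 01 2015 /opt/mqm/bin/runmqsc'

for line in "$GOOD_LINE" "$BAD_LINE"; do
    if audit_runmqsc_line "$line"; then echo "OK: $line"; else echo "DEVIATION: $line"; fi
done
```

On a live system, pass the real line with audit_runmqsc_line "$(ls -l /opt/mqm/bin/runmqsc)". When restoring, run chown mqm:mqm before chmod 6550, because chown can clear the setuid and setgid bits.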

Related

Ibm MQ - MQCONNX ended with reason code 2035

I'm setting an Mq server for learning purposes, which I call it QM1. So, I try aiming at the queue by typing in cmd:
amqsputc DEV.QUEUE.1 QM1
After asking for my password, it returns: MQCONNX ended with reason code 2035
I have set my local user and Win 10 group and, after shuffling through the MQ 9 documentation, here are my workaround attempts:
setmqaut -m QM1 -t qmgr -p app +connect (app is my user)
Included app in my mqm group.
It still returns code 2035

Error 2035 ('MQRC_NOT_AUTHORIZED') from HermesJMS to MQ8

I am accessing an MQ8 server using HermesJms.
The latter has the following configuration:
However, when I am trying to "Discover" via the relevant option provided by Hermes, I get a 2035 with the following message appearing in the queue manager error logs:
AMQ9557: Queue Manager User ID initialization failed for 'pkaramol'.
EXPLANATION:
The call to initialize the User ID 'pkaramol' failed with CompCode 2 and Reason
2035.
Note that pkaramol is my local OS user I am logged in as, in the linux machine running Hermes.
Questions:
1) Why do I get the following error despite the fact that I have disabled both CHLAUTH and CONNAUTH:
ALTER QMGR CHLAUTH(DISABLED) CONNAUTH(' ')
REFRESH SECURITY TYPE(CONNAUTH)
2) Why is the server perceiving pkaramol as the user trying to access the queue manager, although I am explicitly providing mquser in both ClientID and user fields of HermesJMS?
I cannot find much documentation on HermesJMS, but through some trial and error I found out that it does not honor the User and Password settings if you click Discover; it will always send the user you are logged in as to the queue manager, which is why you do not see the user mquser. Because you are running it as the user pkaramol, which does not exist on the server where your queue manager is running, you receive the following error:
AMQ9557: Queue Manager User ID initialization failed for 'pkaramol'.
I also found that to perform the discover it opens a temporary dynamic queue using the model queue SYSTEM.DEFAULT.MODEL.QUEUE and puts PCF messages to the SYSTEM.ADMIN.COMMAND.QUEUE. In addition, for it to discover any queue details, you must have at minimum +inq and +dsp on the queues.
In your comment you stated you added the user pkaramol to the server and put it in the mqm group. While this is a quick way to get this to work, it does provide that user full MQ Admin access. You could provide your actual user with the following permissions and still be able to Discover all of the objects on the queue manager. Please replace the word group below with a group your user is a member of on the server:
setmqaut -m DMSQM -t qmgr -g group +connect +inq +dsp
setmqaut -m DMSQM -n SYSTEM.ADMIN.COMMAND.QUEUE -t queue -g group +inq +put +dsp
setmqaut -m DMSQM -n SYSTEM.DEFAULT.MODEL.QUEUE -t queue -g group +get +dsp
setmqaut -m DMSQM -n '**' -t queue -g group +inq +dsp
I also noted that once you have queues populated either through Discover or manually adding them, it will use the User that you specified.
Note that with CHLAUTH and CONNAUTH disabled the queue manager is taking whatever user is presented and using it. You could leave CONNAUTH enabled and specify a valid user and password and MQ would authenticate it.
Another option, since Discover does not honor the User setting, would be to set an MCAUSER on the SVRCONN channel of mquser.
You need to give the UserId 'pkaramol' permission to access the queue manager and the queues via the setmqaut command.

MQ objects creation using crtmqm command

I have installed WebSphere MQ on my laptop and am able to create MQ objects through MQ Explorer.
When I go to the command prompt and run crtmqm from MQ home/bin, I encounter "you are not authorised to perform this operation".
- I installed MQ with my login, and the same login was used to create MQ also.
- Tried Run --> services.msc and modifying the MQ installation permissions, but no luck.
MQ CLI commands can be run by the members of the mqm group, and by the members of Administrators.
If your user account isn't a member of mqm, then you will need to start cmd with the option Run as Administrator.

Kerberos Security Error

I am having a problem with my server and so far couldn't find any solution for this. When I try to add a server from Server Manager (Windows Server 2012), I can see only the Kerberos security error. Both servers are in the same domain (I have tried from several servers in the domain and got the same error).
The strange thing is that when I unjoin the problematic server from the domain and rejoin it with another name, it works normally. But the problem is to make it work with the existing name. Any help will be highly appreciated.
Thanks in advance.
Late reply, but I've just encountered the same error and hope this solution proves useful to others.
Situation: I had to wipe and reinstall a virtual server on which I'd previously had to set some Service Principal Names, and some SPNs for a service account. Turns out the SPNs were still there for the old server/account and I had to remove them.
I recommend checking for and removing rogue SPNs to resolve this. Use the following commands in an elevated command prompt:
setspn -l <servername/username>
In my case I had problems with MBAM, the Bitlocker admin tool, so for example I used:
setspn -l mbam01
Which gave me the output (changed names to protect the innocent):
Registered ServicePrincipalNames for CN=MBAM01,OU=Member Servers,DC=corp,DC=domainname,DC=com:
termserv/mbam01.corp.domainname.com
termserv/mbam01
http/mbam01.corp.domainname.com
http/mbam01
HOST/MBAM01
HOST/mbam01.corp.domainname.com
This will list the SPNs associated with the server or user account. Then you remove the errant SPNs with this command:
setspn -d <listed service> <servername/username>
In my case it turned out the mbamapppool user had http/mbam01 and http/mbam01.corp.domainname.com associated with it, causing Server Manager to fail to poll the server. I removed the http/ refs from the user and then added them to the server with the following commands:
setspn -d http/mbam01 corp\mbamapppooluser
setspn -d http/mbam01.corp.domainname.com corp\mbamapppooluser
setspn -s http/mbam01 mbam01
setspn -s http/mbam01.corp.domainname.com mbam01
I then refreshed Server Manager and it polled the server successfully, and the Kerberos Security Error had gone.
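
The answer above found http/ SPNs held by a service account that belonged on the server. The following is an added example, not part of the original answer, and it generalises slightly: it flags any SPN that appears under more than one account in saved setspn -l output. The sample listing is constructed from the page's anonymised names, and the user account's DN is hypothetical.

```shell
#!/bin/sh
# Added example: find SPNs registered on more than one account in saved `setspn -l` output.

# Reads concatenated `setspn -l` listings on stdin and prints "spn: account | account"
# for every SPN listed under two or more accounts. SPNs compare case-insensitively.
find_duplicate_spns() {
    awk '
        { sub(/\r$/, "") }                       # tolerate CRLF from a Windows capture
        /^Registered ServicePrincipalNames for / {
            account = $0
            sub(/^Registered ServicePrincipalNames for /, "", account)
            sub(/:[ \t]*$/, "", account)
            next
        }
        NF == 1 && account != "" {
            spn = tolower($1)
            if (!((spn, account) in seen)) {
                seen[spn, account] = 1
                if (count[spn]++) owners[spn] = owners[spn] " | " account
                else owners[spn] = account
            }
        }
        END {
            for (spn in count)
                if (count[spn] > 1) print spn ": " owners[spn]
        }
    ' | LC_ALL=C sort
}

# Constructed sample using the page's anonymised names; the user DN is hypothetical.
SAMPLE_SETSPN='Registered ServicePrincipalNames for CN=MBAM01,OU=Member Servers,DC=corp,DC=domainname,DC=com:
    termserv/mbam01
    http/mbam01.corp.domainname.com
    http/mbam01
    HOST/MBAM01
Registered ServicePrincipalNames for CN=mbamapppooluser,CN=Users,DC=corp,DC=domainname,DC=com:
    HTTP/mbam01
    http/mbam01.corp.domainname.com'

printf '%s\n' "$SAMPLE_SETSPN" | find_duplicate_spns
```

On a domain-joined host, setspn -X performs the duplicate search directly against the directory.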

How to reset/change expired password for DB2 Content Manager 8.4.1

I had installed IBM DB2 Content Manager 8.4.1 months ago and now I wanted to access it to continue some more work.
But when I try to log in using System Administration Client, it tells me the password is expired. The error is:
DGL0394A: Error in ::DriverManager.getConnection;[jcc][t4][2012][11248][3.50.152]
Connection authorization failure occurred. Reason: Password expired.
ERRORCODE=-4214,SQLSTATE=28000 (STATE) : ;
[SERVER = icmnsldb, USERID = icmadmin, SQL RC = -4214, SQL STATE = 28000]
I've tried looking through the config files, using the java update command line, and I can't find a way to change or reset the password. I can't use System Administration Client to change the passwords, since it won't log me in to begin with. Any other method I can use to reset/change the password for a DB2 CM user?
DB2 uses the operating system to authenticate users, so you need to use the OS tools to reset the icmadmin user's password. Your post is tagged as Windows, so look for the icmadmin user in either the local machine or in the domain if your server belongs to a domain.
Just use the Client for Windows on a desktop machine and not the eClient to log in. It will directly notify you about an expired password and you can set the new password immediately.
I faced the same issue. I logged in as root and changed the password for the db2 user with passwd, and changed it in the WAS console. It worked.
In Windows, click on start > Control Panel > User Accounts > User Accounts > Manage User Accounts.
Here, select the DB2 username and click on Reset Password.
If you are on Docker, you need to perform a docker exec into the DB2 container (Linux) and then change the password for the local user that you are trying to log in to DB2 with. In my case, the name of the user was "myuser". I changed the password by executing
passwd myuser
Note that you are root by default when you exec into the container. Else use
docker exec -u root <containerName> /bin/sh
