MQ 7.5 authorization exception

0
votes

I am getting the following exception when I am trying to connect to MQ 7.5 from Java.

Please check if the supplied username and password are correct on the QueueManager to which you are connecting.
        at com.ibm.msg.client.wmq.common.internal.Reason.reasonToException(Reason.java:521)
        at com.ibm.msg.client.wmq.common.internal.Reason.createException(Reason.java:221)
        at com.ibm.msg.client.wmq.internal.WMQConnection.(WMQConnection.java:425)
        at com.ibm.msg.client.wmq.factories.WMQConnectionFactory.createV7ProviderConnection(WMQConnectionFactory.java:6902)
        at com.ibm.msg.client.wmq.factories.WMQConnectionFactory.createProviderConnection(WMQConnectionFactory.java:6277)
        at com.ibm.msg.client.jms.admin.JmsConnectionFactoryImpl.createConnection(JmsConnectionFactoryImpl.java:285)
        at com.ibm.mq.jms.MQConnectionFactory.createCommonConnection(MQConnectionFactory.java:6233)
        at com.ibm.mq.jms.MQConnectionFactory.createConnection(MQConnectionFactory.java:6262)
.
.
Caused by: com.ibm.mq.MQException: JMSCMQ0001: WebSphere MQ call failed with compcode '2' ('MQCC_FAILED') reason '2035' ('MQRC_NOT_AUTHORIZED').
        at com.ibm.msg.client.wmq.common.internal.Reason.createException(Reason.java:209)
        ... 9 more

I found this solution:

http://www-01.ibm.com/support/docview.wss?uid=swg21577137

but altering authorization of queue manager via rumqsc by:

ALTER QMGR CHLAUTH(DISABLED)

does not work. I am still getting the exception even after restarting the queue manager and the listener as well.

Any help would be much appreciated.

2
javaibm-mqmq
Please update your question with the error message shown in the queue manager AMQERR01.LOG file, so that we can help point to the explicit cause. - Morag Hughson

2 Answers

0
votes

You could use the MQS_REPORT_NOAUTH or MQSAUTHERRORS setting to get more info about the authority failure and what access is failing.

0
votes

So you are having a security issue and your first thought is to turn off security!!!!!!! OMG.

First off, turn security back on:

ALTER QMGR CHLAUTH(ENABLED)

If you are using 'mqm' or a blank UserID - bad, very bad idea!!

Next, have your application connect to the queue manager with a UserID and Password known to the operating system where the queue manager is running.

Then, add the CHLAUTH rule to allow your UserID to connect (via runmqsc):

SET CHLAUTH('ABC.SVRCONN') TYPE(USERMAP) CLNTUSER('stepasite') MCAUSER('stepasite')

Finally, use setmqaut to apply the appropriate permission for the UserID but do it for the group rather than by UserID. Issue the MQSC command 'refresh security', so that the queue manager will pick up the changes. i.e.

setmqaut -m {QM_NAME} -t qmgr -g {GROUP} +connect +inq +dsp
setmqaut -m {QM_NAME} -n MY.Q.** -t queue -g {GROUP} +put +get +inq +dsp
  • The 1st setmqaut command allows your group to connect to the queue manager.
  • The 2nd setmqaut command allows your group to get/put messages to all queues that begin with 'MY.Q.' (and yes, use 2 asterisks in the setmqaut command)

Setting MQ permissions is really easy if you take the time to read the MQ documentation. Here is setmqaut description in the MQ Knowledge Center.