1

when working JMS sample code , placed in application getting below Authorization errors with MQ8 + JDk8

MQException received while attempting reconnect: Reason Code=2035
 Exception text: com.ibm.mq.MQException: MQJE001: Completion Code '2', Reason '2035'.

AMQERR01.LOG says

AMQ8077: Entity 'clientadmin' has insufficient authority to access object
'TLSTEST.QM'.

EXPLANATION:
The specified entity is not authorized to access the required object. The
following requested permissions are unauthorized: connect
ACTION:
Ensure that the correct level of authority has been set for this entity against
the required object, or ensure that the entity is a member of a privileged
group.

AMQ9557: Queue Manager User ID initialization failed for 'clientadmin'.

EXPLANATION:
The call to initialize the User ID 'clientadmin' failed with CompCode 2 and Reason
2035.
ACTION:
Correct the error and try again.

Steps performed as below sites and commands , but dint resolve issue

http://www-01.ibm.com/support/docview.wss?uid=swg21680930
http://www-01.ibm.com/support/docview.wss?uid=swg21577137
ALTER AUTHINFO(SYSTEM.DEFAULT.AUTHINFO.IDPWOS) AUTHTYPE(IDPWOS) CHCKCLNT(OPTIONAL)
REFRESH SECURITY TYPE(CONNAUTH)

ALTER AUTHINFO(SYSTEM.DEFAULT.AUTHINFO.IDPWOS) AUTHTYPE(IDPWOS) CHCKCLNT(NONE)
REFRESH SECURITY TYPE(CONNAUTH)

ALTER QMGR CHLAUTH(DISABLED)

Resolved with Below commands

Removed 'SecurityPolicy=user' , only set Auth as below and restarted QM

setmqaut -m TLSTEST.QM -t qmgr -p clientadmin +all
setmqaut -m TLSTEST.QM -t queue -p clientadmin -n RECEIVE +all
setmqaut -m TLSTEST.QM -t queue -p clientadmin -n SEND +all

Just want to know , how i can set '+all' in all the queues in qmgr ? will set @ channel level to set for all queues in qmgr ?

Worked-Success with below commands and settings

'SecurityPolicy=user'  
    setmqaut -m TLSTEST.QM -t qmgr -p clientadmin +connect +dsp +inq
    setmqaut -m TLSTEST.QM -t queue -p clientadmin -n RECEIVE +put +get +browse +dsp +inq
    setmqaut -m TLSTEST.QM -t queue -p clientadmin -n SEND +put +get +browse +dsp +inq
MQ Beginner
  • 99
  • 1
  • 5
  • 13
  • There are two methods. 1. If you want to use -p and grant permission to a specific user you need the SecurityPolicy=user setting. 2. If you want to grant against a group the user is a member of you do not need the SecurityPolicy=user setting and can use -g against the group. What was wrong is you set the SecurityPolicy property equal to the word clientadmin, the possible values for that property are `user` or `group` with group being the default if you do not set a value. The value "user" is the literal string `user` do not replace it with the name of a specific user. – JoshMc Feb 22 '17 at 02:58
  • Bit confused on your last comment , my application needs 'clientadmin' should have privilege to access to qmgr and queues. I understand about , to give appropriate privilege using 'setmqaut' , but confused about 'SecurityPolicy=' value . Since i need to give user level access[clientadmin] , 'SecurityPolicy=clientadmin' is the right approach? – MQ Beginner Feb 22 '17 at 03:54
  • No, "SecurityPolicy=user" is the right approach. The setting is the literal four character string `user` not the name of a specific user. Once that setting is in place then the -p permissions can be used. – JoshMc Feb 22 '17 at 04:48
  • Resolved with 'SecurityPolicy=user' + 'setmqaut' as edited in question. More Testing is going on – MQ Beginner Feb 22 '17 at 18:38
  • New question added on MQ9+JDK and Flips as below url [http://stackoverflow.com/questions/42625346/mq9-oracle-jdk8-cipersuites-and-cipher-specs] – MQ Beginner Mar 06 '17 at 12:12
  • It is not necessary and you should not provide links in old questions to new questions with the only thing tying them together is that you posted them, these two questions are not related at all. You should use the tag [[tag:ibm-mq]] instead of [[tag:mq]] because your question is related to IBM MQ. – JoshMc Mar 06 '17 at 15:05
  • Need to know about Authorization in MQ @ windows , new question posted [http://stackoverflow.com/questions/43040127/authorization-commands-in-mq-windows] – MQ Beginner Mar 27 '17 at 07:21
  • Please delete your comments that have links to new questions as this is not required, please just tag them with tag [[tag:ibm-mq]] and people that want to help with IBM MQ will see them. – JoshMc Mar 27 '17 at 16:28

1 Answers1

4

AUTHINFO(SYSTEM.DEFAULT.AUTHINFO.IDPWOS) AUTHTYPE(IDPWOS) CHCKCLNT(OPTIONAL) will require that if a password is sent that it is a valid password.

The AMQ8077 error you are getting is because the user does not have permissions to connect to the queue manager.

You must grant OAM permission to allow clientadmin to connect to the queue manager.

By default on Linux you can grant MQ OAM permissions only against a group that a user is a member of, in your case a group that clientadmin is a member of. In MQ v8.0 and later if the following setting has been added to the qm.ini you can also grant OAM permission against the user itself:

Service:
   SecurityPolicy=user

The above setting is not required, it just allows two different ways to grant OAM permissions. This is documented in the IBM MQ v8.0 Knowledge center page "Principals and groups". This page states:

UNIX and Linux systems

ACLs are based on both user IDs and groups and you can use either for authorization.

With Version 8.0, you can use the user-based model for authorization, and this allows you to use both users and groups. However, when you specify a user in the setmqaut command, the new permissions apply to that user alone, and not any groups to which that user belongs.

See Installable services for more information.

When you are using the group-based model for authorization, the primary group to which the user ID belongs is included in the ACL.

The individual user ID is not included and authority is granted to all members of that group. Because of this, be aware that you can inadvertently change the authority of a principal by changing the authority of another principal in the same group.

This is documented in the IBM MQ v8.0 Knowledge center page "Installable services". This page states:

SecurityPolicy=user|group|default

On UNIX and Linux systems the value specifies whether the queue manager uses user-based or group-based authorization. Values are not case sensitive. If you do not include this attribute, default is used, which uses group-based authorization. Restart the queue manager for changes to become effective.

To grant OAM permission to connect to the queue manager against a group you can do it either with a MQSC command SET AUTHREC:

SET AUTHREC PROFILE('self') GROUP('groupname') OBJTYPE(QMGR) AUTHADD(CONNECT,DSP,INQ)

The same can be accomplished with a command line tool setmqaut:

setmqaut -m <queue_manager_name> -t qmgr -g groupname +connect +dsp +inq

To grant OAM permission to connect to the queue manager against the user itself you can do it either with a MQSC command SET AUTHREC:

SET AUTHREC PROFILE('self') PRINCIPAL('clientadmin') OBJTYPE(QMGR) AUTHADD(CONNECT,DSP,INQ)

The same can be accomplished with a command line tool setmqaut:

setmqaut -m <queue_manager_name> -t qmgr -p clientadmin +connect +dsp +inq

You would need to also grant PUT or GET access to the queue you want to access. The following example using a MQSC command SET AUTHREC is using the principal but you can change it to use a group if required:

SET AUTHREC PROFILE('QUEUE.NAME') PRINCIPAL('clientadmin') OBJTYPE(QUEUE) AUTHADD(PUT,GET,BROWSE,DSP,INQ)

The same can be accomplished with a command line tool setmqaut:

setmqaut -m <queue_manager_name> -t queue -p clientadmin +put +get +browse +dsp +inq

Update 2017/02/21

Setting permission on Linux using -p without having SecurityPolicy=user is not recommended. This is because this action does NOT set the permission against the user specified with -p, it instead sets it against the primary group of that user at the time you run the command.

This can cause various situations, a few examples I can think of are below:

  1. If you have two users with the same primary group and you provide them different access levels, they both end up with the same level of access that resulted from the last setmqaut command that you ran.
  2. Even if you provided them both the same level of access to begin with you may want to remove access from one of the two users and issue a similar command with the permission -remove specified. The result would not be that you removed the access from one of the two users, but you instead removed it from both users.
  3. It is not uncommon for the primary group of a unix account to change. If the user is not also a member of that same group as a secondary group after the change they will loose access to MQ.

It is also not recommended to provide a non-administrative user with +all, if you do this you might as well add the user to the mqm group and provide them with full MQ administrative authority.

You should instead provide the user with the specific permissions that are required. I provided in my example a limited set of permissions that should work for most applications.

JoshMc
  • 10,239
  • 2
  • 19
  • 38
  • Service: SecurityPolicy=clientadmin added in qm.ini and restarted MQ as well as application , dint resolve 2035 issue. let me try with below commands , i believe next commands are unix level permissions – MQ Beginner Feb 21 '17 at 02:51
  • WIll try with suggestions mentioned , edited question – MQ Beginner Feb 22 '17 at 02:52