There are various types of IBM MQ Not Authorized events:
- Not Authorized (type 1) MQCONN not authorized
- Not Authorized (type 2) MQOPEN/MQPUT1 not authorized
- Not Authorized (type 3) MQCLOSE not authorized
- Not Authorized (type 4) Command not authorized
- Not Authorized (type 5) MQSUB not authorized
- Not Authorized (type 6) MQSUB Destination not authorized
This post is focusing on the Type 4 events which report when a command, e.g. MQSC or PCF, is issued and fails because it is not authorized. When a user that does not have authority to display all the queues on a queue manager issues a command such as:-
DISPLAY QLOCAL(*) ALL
then you might end up with rather a lot of these event messages, one written for each queue that the user does not have display access to.
Unfortunately these event messages tell you very little. Their entire content is documented in IBM Docs as follows:-
Event data
- QMgrName
-
Description: Name of the queue manager generating the event. Identifier: MQCA_Q_MGR_NAME. Data type: MQCFST. Maximum length: MQ_Q_MGR_NAME_LENGTH. Returned: Always. - ReasonQualifier
-
Description: Identifier for type 4 authority events. Identifier: MQIACF_REASON_QUALIFIER. Data type: MQCFIN. Values: - MQRQ_CMD_NOT_AUTHORIZED
- Command not authorized.
Returned: Always. - Command
-
Description: Command identifier. See the MQCFH header structure, described in Event message MQCFH (PCF header). Identifier: MQIACF_COMMAND. Data type: MQCFIN. Returned: Always. - UserIdentifier
-
Description: User identifier that caused the authorization check. Identifier: MQCACF_USER_IDENTIFIER. Data type: MQCFST. Maximum length: MQ_USER_ID_LENGTH. Returned: Always.
One thing that is missing from these events is the object name the event is about. If you issue a generic display command you can get hundreds of identical events because there is nothing to tell you which event is for which object. Unfortunately there is also nothing to tell you that this was as a result of a generic display command either, just that it was a display command. You can infer that it was a generic display command because you get so many identical events from the same user id in a very short space of time.
It is really a shame that these actions even generate such events at all. The user asked to see all the objects they were allowed to see, and they were only given command responses for those objects they were allowed to see. Raising authority events for such an action doesn’t really seem warranted. Perhaps we should raise an IDEA with IBM to suggest this could be turned off.
Saving off these events to a different Event Stream
Another blog post covers how you can save off different MQ event messages to different streams in order to apply longer (or shorter) retention intervals to them, and these specific event messages do seem like an excellent candidate for that, this time though in order to have a much shorter retention interval.
As noted in that blog post, you might normally like to retain security related events for longer than the MQEV default of 90 days, but for these we might like a much shorter interval.
DEFINE EVSTREAM(SECURITY) TYPE(EVENTS) RETINTVL(120) DEFINE EVSTREAM(DISCMDSEC) TYPE(EVENTS) RETINTVL(7)
Then the mqev.mqx script would be enhanced to include the following:-
********************************************************************* * Function for processing an event * ********************************************************************* func MQEVEvent() if (event.EVTYPE = AUTHOR) if (event.EVREASON = AUTCMD AND + substr(event.SUMMARY,1,27) = "Command not Auth - Inquire ") _stream = "DISCMDSEC" else _stream = "SECURITY" endif endif endfunc
While we could have checked the event.COMMAND
attribute in the event against const.MQCMD_INQUIRE_Q
and all the other MQCMD_* constants, that would have been a very long list and we’d have to maintain it too. Instead we use the event.SUMMARY
string which will always begin with the same characters for an Inquire command and let the MQGem team keep MQEV up-to-date with any new commands that are added to IBM MQ.
Now that all these commands are being stored on a different stream we can view our other events without these in the way. We can also easily purge this stream and throw away these events whenever we want to, and MQEV will automatically throw them away for us after the retention interval on the stream expires.
Alternatively, if you just want to immediately throw away ALL of these DISPLAY events (whether from generic display commands or specific display commands) you could instead set the stream to null like this:-
_stream = "$null"
Event Storms
Another thing that MQEV does to assist you not being completely flooded by events such as this, is that it detects events that are identical. This is known as an event storm. These “Command Not Authorized” events fall squarely in this category since there isn’t even an object name in the event message.
By default, if MQEV sees more than 20 identical events in a 60 second time period, then it will begin to capture them as a repeated event. This means you will see 20 identical events, and then at the end of the 60 seconds, one more event with an EVREPEAT count showing how many more there were.
DISPLAY EVENTS(*) WHERE(EVREPEAT) ALL
EVQMGR(MQG1) EVENTS(DISCMDSEC) EVTIME(2022-08-18 17:38:44 (Local)) EVREASON(AUTCMD) EVTYPE(AUTHOR) EVUSERID(mqgusr1) EVOBJTYPE(CHANNEL) COMMAND(Inquire Channel) EVENTID(00000068) CFHCMD(44) CFHREASON(2035) SUMMARY(Command not Auth - Inquire Channel - Channel:) RSNQUAL(4) USERID(mqgusr1) EVREPEAT(15) _________________________________________________________________________________ EVQMGR(MQG1) EVENTS(DISCMDSEC) EVTIME(2022-08-18 17:38:37 (Local)) EVREASON(AUTCMD) EVTYPE(AUTHOR) EVUSERID(mqgusr1) EVOBJTYPE(QUEUE) COMMAND(Inquire Q) EVENTID(00000067) CFHCMD(44) CFHREASON(2035) SUMMARY(Command not Auth - Inquire Q - Queue:) RSNQUAL(4) USERID(mqgusr1) EVREPEAT(113) _________________________________________________________________________________
You can alter these settings using an ALTER EV STORMTHR(number) STORMINT(seconds)
command.
Drowning in MQ events? Let MQEV help.
Read more about MQEV, and download a copy, from the MQEV Web Page. If you don’t have a licence and would like to try out MQEV before deciding whether to buy then send an email to support@mqgem.com and a 1-month trial licence will be sent to you.