Worked Example: Solving MQRC_NOT_AUTHORIZED

MQRC_NOT_AUTHORIZED (2035) can result from a number of different causes (CHLAUTH rules, CONNAUTH settings, and missing Authorities). This post is going to provide a worked example of solving your MQRC_NOT_AUTHORIZED failure when missing authorities are the reason.

You might guess that it’s missing authorities because you have disabled CHLAUTH and CONNAUTH (please don’t – read this for another worked example for leaving those security features on), or because you have looked in the AMQERR01.LOG and seen a message like the following. If the latter, well done, you are already well on your way to solving the issue.

AMQ8077W: Entity 'mqgusr1' has insufficient authority to access object MQG2 [qmgr].

EXPLANATION:
The specified entity is not authorized to access the required object. The following requested permissions are unauthorized: connect
ACTION:
Ensure that the correct level of authority has been set for this entity against the required object, or ensure that the entity is a member of a privileged group.

To fix this issue you are going to grant the missing authority. However, it is more appropriate to grant it using the group than the user id. So first, we should find out what group this user ID is in.

Discover group (Linux/Unix)

Issue a command like the following.

id -Gn mqgusr1

The output will be a list of the groups this user is a member of.

Discover group (Windows)

Issue a command like the following.

net user mqgusr1

You will see output like this.

Local Group Memberships      *mqgemadm             *Users

While the user may be a member of a number of groups, there should be one that is clearly the MQ related group name where these authorities should be granted. For the purposes of my example, this is a group called mqgemadm because I am trying to use this user id to connect to MQ and display some queues.

Now that we know the group name to use – all the other information we need to build up our authority granting command is available in the error message. Here is a table of the information we found and where we found it.

Required Info	Value	Source of Value
Entity Type	Group	Best practice decision
Entity	mqgemadm	Looking up reported users group membership
Object Type	Queue Manager	Error message title line “[qmgr]”
Object Name	MQG2	Error message title line “… object MQG2 …”
Authority required	connect	Error message EXPLANATION section

From this table we can build up an MQSC command to grant the missing authority. We either issue this command from a privileged user Id, or add it to our queue manager start-up script. I suggest doing the former as there are going to several of these commands needed. Once you’ve completed the exercise it might be appropriate to gather up the commands that were needed for future use to put into such a script.

You’ll notice that there is no need to mention the object name in the following command because it’s the queue manager object and there is only one. Some people add it in and some use OBJNAME(SELF) but it can simply be omitted.

SET AUTHREC OBJTYPE(QMGR) GROUP('mqgemadm') AUTHADD(CONNECT)

So now, we run the application again, and it fails again, with the same reason code. Nothing has changed!

Well actually something has changed. If you look in the AMQERR01.LOG file for the latest error it looks like this.

AMQ8245W: Entity 'mqgusr1' has insufficient authority to display object MQG2 [qmgr].

EXPLANATION:
The specified entity is not authorized to display the required object. The following requested permissions are unauthorized: dsp

So, something has changed. Rather than reporting that we don’t have connect authority it is now reporting that we don’t have display (dsp) authority. As before we can build up an MQSC command to grant the missing authority.

SET AUTHREC OBJTYPE(QMGR) GROUP('mqgemadm') AUTHADD(DSP)

So now, once more, we run the application again, and it fails again, with the same reason code again. However, we’re familiar with this now. It’s not the same issue, just the same reason code. So, again, we look in the AMQERR01.LOG file for the latest error. In my example, the next error looks like this.

AMQ8077W: Entity 'mqgusr1' has insufficient authority to access object SYSTEM.ADMIN.COMMAND.QUEUE [queue].

EXPLANATION:
The specified entity is not authorized to access the required object. The following requested permissions are unauthorized: put

Let’s build up a table of our pieces of information like we did earlier.

Required Info	Value	Source of Value
Entity Type	Group	Best practice decision
Entity	mqgemadm	Looking up reported users group membership
Object Type	Queue	Error message title line “[queue]”
Object Name	SYSTEM.ADMIN.COMMAND.QUEUE	Error message title line just before “[queue]”
Authority required	put	Error message EXPLANATION section

As before, we can use this information to build up an MQSC command to grant the missing authority. Now we also have an object name, so this command will look slightly longer than the previous ones you saw.

SET AUTHREC PROFILE(SYSTEM.ADMIN.COMMAND.QUEUE) OBJTYPE(QUEUE) GROUP('mqgemadm') AUTHADD(PUT)

I hope that is enough of an example to illustrate the technique. Just keep viewing the AMQERR01.LOG and finding the reported missing authority and fixing it with the appropriate MQSC AUTHREC command (or the equivalent setmqaut command if you prefer). Look at the error messages closely as all the information you need is in there.

IBM MQ New Year’s Resolutions

The developerWorks Connections platform, which hosted the MQDev Blog, was sunset as of 31st December 2019. The blog post below was something I wrote previously on that platform, and since I consider it to still be useful, I am now hosting a copy here. It was originally written in 2015, but I have updated it for 2021, and again for 2023. View all saved from sunset posts here.

It’s that time of year again, New Year. Time to make New Year’s Resolutions. Here are a few IBM MQ related New Year’s Resolutions you could adopt for this coming new year.

Remember to look in your error logs

This is top of the list because it is so often forgotten about by so many MQ users. If you look at questions raised about IBM MQ on the various forums out there, there are many questions where the answer would have been found in the error log. There are error logs at both the client machine and the queue manager machine where you have a problem with a client connection – always look in both. There are error logs are both ends of MCA channels – always look in both.

Use MQRC return codes

IBM MQ provides error information to applications via a Return Code on the MQ API call. These numbers are of the form 20nn. Some of them are very familiar to us, but others are seen rarely. Get to know the common ones. You can look them up using the mqrc tool that comes with your MQ installation. Your applications should handle certain common MQRCs and not simply end as soon as a non-zero MQRC is encountered. Doing so will avoid call-outs in the middle of the night to restart an application that received a 2009 (MQRC_CONNECTION_BROKEN) or worse a 2033 (MQRC_NO_MSG_AVAILABLE)!!! Resolve to teach your application developers how to handle the common ones in the application, and to log anything they don’t handle. And remember, Java programmers, we want to see the linked exception!

MQ API resolutions

Resolve to ensure that your MQ application programs follow all the below as appropriate.

• Don’t leave syncpoint to the default value. Always explicitly state MQPMO_SYNCPOINT or MQPMO_NO_SYNCPOINT and utilise MQGMO_SYNCPOINT_IF_PERSISTENT where possible.
• Don’t rely on the default persistence value set on a queue (DEFPSIST), set it explicitly in your application. And while we’re on the subject, does your message really have to be persistent?
• Have you set an expiry value? Does your message really have to live for ever? Perhaps you can utilise CAPEXPRY until your application can be updated, especially now that it is a real attribute.
• Remember to set the format of your messages correctly. If it’s a string message, say so. And ensure that getting applications always use MQGMO_CONVERT. There is no penalty for this if no conversion is required, and it’ll save you pain in the future when conversion does become necessary.
• Watch out for MQCONN-MQOPEN-MQPUT-MQCLOSE-MQDISC loops. Get familiar with application activity trace to find whether you have applications doing this.

 

Use a Dead-Letter Queue

In much older releases of MQ, there was an all-or-nothing configuration for the Dead-Letter Queue. If you had one single application that couldn’t suffer the possibility of out-of-order messages on its channel due to a detour through a Dead-Letter Queue, you couldn’t enable the DLQ for any other applications and their channels either. In all in-support releases of MQ there is an attribute both on a Channel and on a Topic to indicate that you want to use (or not use) the DLQ for this specific item. That attribute is USEDLQ( YES | NO ). Make this the year you enable the Dead-Letter Queue now that you can choose which channels will make use of it. Learn where channels make use of the DLQ in this recent post.

Protect against run-away client connections

Make use of MAXINST and MAXINSTC to protect your queue manager against runaway client connections that connect repeatedly, but do not disconnect. Read more about this in a post saved from sunset.

Enable IBM MQ Security features

When MQ V7.1 first delivered CHLAUTH, many of you, initially, disabled it just to be able to continue working as before. MQ V8 delivered CONNAUTH and I’m sure that was turned off by many too. Lots of you aren’t making use of message level encryption with Advanced Message Security.

These features have had a few releases to bed in now, and if you’re not making use of them, it’s time to think about them now. Security of your MQ Queue Managers is very important! Make this the year your fully secure your queue managers.

Stop using SSL V3.0 and TLS V1.0

MQ Channel cipherspecs should be regularly reviewed and upgraded to more modern, stronger algorithms. Make this the year you review all the cipher specs you have in use and change them to be a TLS V1.2 or higher one. Even if you’re not yet using a version of IBM MQ that deprecates these protocols by default, you should consider the fact that they are deprecated in those newer releases as a strong hint to stop using them. See the full list of MQ Channel cipher specs and which protocol they make use of in IBM Docs: Enabling CipherSpecs.

Finally enable MQ Events, Accounting and Statistics

The IBM MQ Queue Manager can be configured to emit lots of useful information in the form of event messages and accounting and statistics data. Make 2023 the year you finally turn on these features and get the benefits from them. We know many of you keep meaning to get around to it. It’s not hard, and is made easier with a helpful tool to view the data. We have one if you’re interested!

Use modern versions of IBM MQ

Make this the year that you migrate onto IBM MQ V9.3. Version 8.0 went EOS on 30th April 2020, Version 9.0.0 went EOS on 30th September 2021 and Version 9.1.0 went EOS on 30th September 2023. (View MQ EOS dates here). You can migrate straight to IBM MQ V9.3 without first jumping to another release from V8 and upwards (read more here). If you want to learn more about the new features in IBM MQ V9.2 and V9.3, check out these new MQGem Training courses.

Don’t forget client versions

It’s harder to manage than your queue manager versions, but resolve to get all the old clients in your system identified, and work on persuading them to upgrade. Use the information that IBM MQ provides to find all those old client versions.

Participate in the MQ community

The IBM MQ community is a great crowd. You can learn so much from the many expert users in the field. If you are stuck with a question, ask it on one of the many fora dedicated to MQ. Interact with IBM by raising an IDEA if there is a change you would like to see made to the product; and socialise your IDEA on the fora to gain votes from others who agree with you. Use IBM Docs to discover how to use MQ, and provide feedback to IBM whenever you find anything incorrect in the documentation.

Learn something new about MQ

Every release of IBM MQ comes with new features. Is your level of MQ knowledge up-to-date? Make a resolution to try out a new feature that you have never used before; attend a training course; or go to a technical conference for some education.

---

Have you any other suggestions? Made any New Year’s resolutions already this year? Let us know, and everyone else see, in the comments below.

I can haz error logs?

IBM MQ on IBM Cloud has now reached the Beta phase. See Jen’s latest Blog Post: MQ on IBM Cloud – we’ve hit beta and one of the new things in the beta is the ability to view your queue manager’s error logs.

This is a very important step since one of the first things you should learn is how to discover what your queue manager is trying to tell you when there is an error. In fact this is one of the most important things my MQ training modules also teach you.

Here’s a quick summary of exactly how you can view your IBM Cloud queue manager error logs.

Having created your queue manager, as per Woz Arshad’s YouTube video:

Introducing MQ on IBM Cloud

you can view your queue manager and get connection information on how to connect to it. From this same view you can also get hold of your queue manager’s error log. Select the “Logs and diagnostics” option.

Select the Logs and diagnostics section

This will show a panel where you have two choices. You can download a smaller zip file which is mainly about obtaining your error logs, or you can go for the full RAS package. For just the error logs click on the “Collect logs” button, and you will then be prompted to supply a password which you will use to unlock the error log files in the zip you download.

Press the button to collect the queue manager error logs

Download your password protected zip file

After a few moments your zip file will be ready and then you can download it to view the contents.

Inside the zip file there will be three folders:-

• FDCs
• QM Logs
• trace

You’ll be interested in the folder called “QM Logs”. N.B. This is the error logs from the queue manager not the transactional logs.

Inside that folder you will find three files AMQERR0n.LOG – usually you will find all you need in AMQERR01.LOG.