IBM Support

HOWTO: Setmqaut commands to allow Windows Explorer remote administration of WMQ on a UNIX

Technote (troubleshooting)


Problem (Abstract)

Several actions are required when setting up Windows Explorer to administer WebSphere MQ queue managers on remote UNIX machines.
The most common problem is an authorization failure, characterized by an error box that displays:

Access not authorized. You are not authorized to perform this operation (AMQ4036).


Cause

Several setmqaut commands are required to allow WebSphere MQ Explorer to access a remote queue manager.

Resolving the problem

The requirement is for userID MYUSER on a Windows machine to be able to perform remote admin on a qmgr called MYQMGR hosted on a remote UNIX machine called tenpin listening on port 1444.

If the user name is not known, then it can be found in the AMQ8077 entry in the qmgr error logs.

Actions on tenpin

In this example it is assumed that the root user is a member of the mqm group.

1. Create the required user on the remote machine

Use the O/S facilities to create the user, for example smit on AIX, sam or useradd on HP-UX, and useradd on Solaris and Linux.
The user name must be in lower case, e.g. for user MYUSER on Windows create user myuser on UNIX.

2. Ensure that the listener is set up and running

If using inetd, put this entry in /etc/services
MQ_MYQMGR 1444/tcp
and this entry in /etc/inetd.conf
MQ_MYQMGR stream tcp nowait root /usr/lpp/mqm/bin/amqcrsta amqcrsta -m MYQMGR
Request inetd to refresh its cache from the files by finding the PID of inetd and sending a SIGHUP signal to the process.

tenpin: $ su
root's Password:
tenpin: # ps -ef | grep inetd
root 4450 8010 0 27 Oct - 0:01 /usr/sbin/inetd
root 14706 1 0 27 Oct - 0:00 /etc/inetd.afs /etc/inetd.conf.afs
root 30596 44986 0 09:16:34 pts/0 0:00 grep inetd
tenpin: # kill -1 4450

If using runmqlsr, start the listener:
runmqlsr -m MYQMGR -t TCP -p 1444

3. Ensure the command server is running

The command server's process name is amqpcsea.

tenpin: # ps -ef | grep amqpcsea
root 35272 51086 0 09:21:53 pts/0 0:00 grep amqpcsea
tenpin: # strmqcsv MYQMGR
WebSphere MQ command server started.
tenpin: # ps -ef | grep amqpcsea
mqm 29248 1 0 09:22:00 - 0:00 amqpcsea MYQMGR
root 44990 51086 1 09:22:08 pts/0 0:00 grep amqpcsea

4. Create the SVRCONN channel for the command server to use

The channel name is SYSTEM.ADMIN.SVRCONN

tenpin: # runmqsc MYQMGR
5724-B41 (C) Copyright IBM Corp. 1994, 2002. ALL RIGHTS RESERVED.
Starting MQSC for queue manager MYQMGR.

def chl(SYSTEM.ADMIN.SVRCONN) chltype(SVRCONN) replace
1 : def chl(SYSTEM.ADMIN.SVRCONN) chltype(SVRCONN) replace
AMQ8014: WebSphere MQ channel created.
end
2 : end
One MQSC command read.
No commands have a syntax error.
All valid MQSC commands were processed.

There are several options at this point:
1. If the customer wants the required userID to have full privileges over all MQ objects, add the userID to the mqm group on the UNIX machine, again using the O/S facilities to do so. In this case there is no further action required.
The command in Linux is adduser -G mqm,user
2. An alternative method of giving full privileges is to set the MCAUSER attribute on the SVRCONN channel created at step 4 above to mqm. Do this by adding MCAUSER('mqm') to the above runmqsc command. Again, no further action is required.
3. If restricted access to MQ objects is required, further commands are necessary, as below.

5. Grant specific authority over MQ objects to the required userID

Issue these setmqaut commands to grant minimal authority to the userID:

tenpin: # setmqaut -m MYQMGR -t qmgr -p myuser +connect +inq +dsp
tenpin: # setmqaut -m MYQMGR -t q -n SYSTEM.DEFAULT.MODEL.QUEUE -p myuser +inq +browse +get
tenpin: # setmqaut -m MYQMGR -t q -n SYSTEM.ADMIN.COMMAND.QUEUE -p myuser +inq +put

The purpose of these commands is:
1. Grant authority to access the qmgr
2. Grant authority to the client channel to get the command server reply messages
3. Grant authority to put messages onto the command server input queue

An extra command is required on a qmgr being administered from v6 WMQExplorer.

tenpin: # setmqaut -m MYQMGR -t q -n SYSTEM.MQEXPLORER.REPLY.MODEL -p myuser +inq +browse +get +dsp

The purpose of this command is to grant authority to get the reply messages.

Administration setmqaut commands, +chg +clr +dlt +dsp, will be required on each object in the qmgr to be administered remotely.
For example, to allow dsp authority on a particular queue QL1:

tenpin: # setmqaut -m MYQMGR -t q -n QL1 -p myuser +dsp

Note that a non-mqm user CANNOT display the complete list of queues. This is because authorities cannot be granted on queue SYSTEM.AUTH.DATA.QUEUE; only users in the mqm group have authorities on that queue.

Extra commands are required to display channels on a qmgr being administered from v6 WMQExplorer.

tenpin: # setmqaut -m MYQMGR -t channel -n CHLNAME -p myuser +dsp
tenpin: # setmqaut -m MYQMGR -t clntconn -n CLCHL -p myuser +dsp

CHLNAME is the name or generic profile of all channel types except CLNTCONN
CLCHL is the name or generic profile of a CLNTCONN channel
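
The restricted-access grants from step 5 (option 3 above), collected into one repeatable script. This is an added example, not IBM's code: the function names, the APPLY variable and the user-name character check are assumptions made for illustration. It prints the commands by default and only executes them when APPLY=1.

```shell
#!/bin/sh
# Added example (not IBM's code): the step 5 restricted-access grants as one
# repeatable script. Dry run by default; set APPLY=1 to execute on the server.

# Echo the command in a dry run, execute it when APPLY=1.
run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$@"; fi
}

# The UNIX principal is the Windows user ID folded to lower case (step 1).
unix_principal() {
    printf '%s' "$1" | tr '[:upper:]' '[:lower:]'
}

# Usage: explorer_grants QMGR WINUSER [base|v6] [QUEUE ...]
explorer_grants() {
    qmgr=$1; user=$(unix_principal "$2"); level=${3:-base}
    if [ $# -ge 3 ]; then shift 3; else shift $#; fi
    # Reject empty names and characters outside the MQ object-name set.
    case $qmgr in ''|*[!A-Za-z0-9._/%]*) echo "bad qmgr name" >&2; return 2;; esac
    # Assumption for this example: plain lower-case POSIX user names only.
    case $user in ''|[!a-z_]*|*[!a-z0-9._-]*) echo "bad user name" >&2; return 2;; esac

    run setmqaut -m "$qmgr" -t qmgr -p "$user" +connect +inq +dsp
    run setmqaut -m "$qmgr" -t q -n SYSTEM.DEFAULT.MODEL.QUEUE -p "$user" +inq +browse +get
    run setmqaut -m "$qmgr" -t q -n SYSTEM.ADMIN.COMMAND.QUEUE -p "$user" +inq +put
    if [ "$level" = v6 ]; then
        run setmqaut -m "$qmgr" -t q -n SYSTEM.MQEXPLORER.REPLY.MODEL -p "$user" +inq +browse +get +dsp
    fi
    # Display-only access to each queue named on the command line.
    for q in "$@"; do
        case $q in ''|*[!A-Za-z0-9._/%]*) echo "bad queue name: $q" >&2; return 2;; esac
        run setmqaut -m "$qmgr" -t q -n "$q" -p "$user" +dsp
    done
    # Show what the principal now holds on the queue manager object.
    run dspmqaut -m "$qmgr" -t qmgr -p "$user"
}

explorer_grants MYQMGR MYUSER v6 QL1
```

Review the dry-run output before running with APPLY=1; the closing dspmqaut call lists the authorities the principal ends up holding on the queue manager.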

Actions on Windows

1. Show the qmgr in the Explorer window

Right-click the Queue Managers folder and select Show Queue Manager...
Select the Show a remote queue manager radio button
Enter the Queue Manager Name, e.g. MYQMGR
and Connection Name, e.g. tenpin(1444)
Click OK

Product Alias/Synonym

WMQ MQ

Document information

More support for: WebSphere MQ
MQ Explorer / Remote admin

Software version: 5.3, 6.0, 7.0, 7.0.1, 7.1, 7.5, 8.0

Operating system(s): Linux, Windows

Reference #: 1250706

Modified date: 05 May 2016