MCAUSER configured for RCVR channel is not being used to verify Put Authority

Technote (troubleshooting)


Problem (Abstract)

You have MCAUSER configured for your RCVR (receiver) channel, but messages XMIT'ed (transmitted) from the SDR channel are being put to the queue manager's dead letter queue (DLQ) instead of the target queue.

The MQDEAD message on the DLQ reports a reason MQRC_NOT_AUTHORIZED (2035, 0x7F3), which indicates that the user id does not have the proper authority.

When Put Authority is set to 'Context' for the RCVR channel the following is true:

"The user ID used to check open authority on the queue for MQOO_SET_ALL_CONTEXT and MQOO_ALTERNATE_USER_AUTHORITY is that of the process or user running the MCA at the receiving end of the message channel. The user ID used to check open authority on the queue for MQOO_OUTPUT is the UserIdentifier in the message descriptor."

Cause

Your RCVR channel is configured with Put Authority of 'Context' (PUTAUT(CTX)).

Whenever an MQ application issues an MQOPEN call, it passes a set of MQ open options (MQOO_*). One such option is MQOO_OUTPUT, which tells the queue manager that you want to open the object for output so that messages can be PUT onto the queue. When MQOO_OUTPUT is used, the queue manager checks the default user ID for PUT authority to that queue. If you have MCAUSER set on your RCVR channel, the default user ID is the MCAUSER.

Because you have Put Authority set to 'Context' (CTX), however, the behavior, and thus the set of open options, is different. With CTX set, MQOO_ALTERNATE_USER_AUTHORITY is also passed on the MQOPEN call. This means that the UserIdentifier in the message descriptor (which originates with the user ID used to create the message) is copied to the AlternateUserId field of the object descriptor. Because MQOO_ALTERNATE_USER_AUTHORITY is set, the queue manager uses the user ID in the AlternateUserId field to check PUT authority. This is why the queue manager checks PUT authority for the user in the message descriptor's UserIdentifier field and not for the MCAUSER.


Resolving the problem

If you want the MCAUSER to be used to verify PUT authority to the target queue, change Put Authority on the RCVR channel to 'Default' (PUTAUT(DEF)).




Example Trace Analysis:
The trace file for the queue manager's agent process (amqzlaa0.exe) reports that 'testuser' does not have PUT authority for queue 'A.LQ'. The pertinent section of the trace file is included below.

0004B25D 06:51:48.219111 4948.2 Entity testuser has insufficient authority to access object A.LQ
0004B25E 06:51:48.219141 4948.2 The following requested permissions are unauthorized: put
0004B25F 06:51:48.219159 4948.2 --------------}! zfu_as_checkobjectauthority (rc=MQRC_NOT_AUTHORIZED)

The 'AMQ3132.0.TRC' (the channel pooling process) shows the following sequence of events that I will comment on following each section of the trace.

0004A44F 06:51:47.358276 3132.2 -----{ xcsGetNTUserSID
0004A450 06:51:47.358294 3132.2 UserID(mca_user_id) Domain()
0004A5A7 06:51:47.650596 3132.2 Id mca_user_id type 1 found on Domain FEDERATED
0004A5A8 06:51:47.650647 3132.2 Sid: S-1-5-21-2132039509-88427576-126092852-45204
0004A5A9 06:51:47.650668 3132.2 -----} xcsGetNTUserSID (rc=OK)

The above shows that the RCVR channel was started and the MCA (message channel agent) is using 'mca_user_id'. This should match what you have configured for MCA User in your RCVR channel properties.

0004B2AC 06:51:48.220923 3132.2 MessageReceived (360 bytes)
0004B2AD 06:51:48.220943 3132.2 Data:-
0004B2AD 06:51:48.220943 3132.2 0x009CD238 5A 52 4F 50 DF 07 00 00 00 00 00 00 02 00 00 00 : ZROPß...........
0004B2AD 06:51:48.220943 3132.2 0x009CD248 F3 07 00 00 A0 F3 5F 00 4F 44 20 20 03 00 00 00 : ó... ó_.OD ....
0004B2AD 06:51:48.220943 3132.2 0x009CD258 01 00 00 00 45 44 47 45 2E 49 44 52 20 20 20 20 : ....A.LQ
0004B2AD 06:51:48.220943 3132.2 0x009CD268 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 :
0004B2AD 06:51:48.220943 3132.2 0x009CD278 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 :
0004B2AD 06:51:48.220943 3132.2 0x009CD288 20 20 20 20 51 4D 5F 45 58 54 31 20 20 20 20 20 : QM1
0004B2AD 06:51:48.220943 3132.2 0x009CD298 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 :
0004B2AD 06:51:48.220943 3132.2 0x009CD2A8 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 :
0004B2AD 06:51:48.220943 3132.2 0x009CD2B8 20 20 20 20 24 20 20 20 20 20 20 20 20 20 20 20 : $
0004B2AD 06:51:48.220943 3132.2 0x009CD2C8 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 :
0004B2AD 06:51:48.220943 3132.2 0x009CD2D8 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 :
0004B2AD 06:51:48.220943 3132.2 0x009CD2E8 20 20 20 20 6B 6C 6F 62 75 62 6A 20 20 20 20 20 : testuser
0004B2AD 06:51:48.220943 3132.2 0x009CD2F8 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 20 : ............
0004B2AD 06:51:48.220943 3132.2 0x009CD308 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 : ................
0004B2AD 06:51:48.220943 3132.2 0x009CD318 1D 01 01 05 00 00 00 00 00 05 15 00 00 00 55 57 : ..............UW
0004B2AD 06:51:48.220943 3132.2 0x009CD328 14 7F 38 4C 45 05 34 06 84 07 4A 04 00 00 00 00 : ..8LE.4.„.J.....
0004B2AD 06:51:48.220943 3132.2 0x009CD338 00 00 00 00 00 00 00 00 20 20 20 20 20 20 20 20 : ........
0004B2AD 06:51:48.220943 3132.2 0x009CD348 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 :
0004B2AD 06:51:48.220943 3132.2 3 lines suppressed, same as above
0004B2AD 06:51:48.220943 3132.2 0x009CD388 20 20 20 20 20 20 20 20 20 20 20 20 00 00 00 00 : ....
0004B2AD 06:51:48.220943 3132.2 0x009CD398 00 00 00 00 00 05 D5 30 : ......Õ0
0004B2AE 06:51:48.221072 3132.2 ----------} zcpReceiveOnPipe (rc=OK)
0004B2AF 06:51:48.221087 3132.2 ---------}! ziiSendReceiveAgent (rc=MQRC_NOT_AUTHORIZED)

The message was received on the RCVR channel, but the PUT failed due to 'MQRC_NOT_AUTHORIZED'.

0004B2BF 06:51:48.221472 3132.2 -------}! zstMQOPEN (rc=MQRC_NOT_AUTHORIZED)
0004B2C0 06:51:48.221492 3132.2 !! - ObjHandle=-1 ObjType=1 ObjName=A.LQ
0004B2C1 06:51:48.221507 3132.2 ------}! MQOPEN (rc=MQRC_NOT_AUTHORIZED)

The MQOPEN call ends with the same reason code.

0004B854 06:51:48.300248 3132.2 ---------} zstMQOPEN (rc=OK)
0004B855 06:51:48.300269 3132.2 !! - ObjHandle=6288288 ObjType=1 ObjName=SYSTEM.DEAD.LETTER.QUEUE

The channel pooling process then opens the DLQ 'SYSTEM.DEAD.LETTER.QUEUE'.

0004B86A 06:51:48.300835 3132.2 Data:-
0004B86A 06:51:48.300835 3132.2 0x0062B14C 44 4C 48 20 01 00 00 00 F3 07 00 00 45 44 47 45 : DLH ....ó...A.LQ
0004B86A 06:51:48.300835 3132.2 0x0062B15C 2E 49 44 52 20 20 20 20 20 20 20 20 20 20 20 20 :
0004B86A 06:51:48.300835 3132.2 0x0062B16C 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 :
0004B86A 06:51:48.300835 3132.2 0x0062B17C 20 20 20 20 20 20 20 20 20 20 20 20 51 4D 5F 45 : QM1
0004B86B 06:51:48.300871 3132.2 !! - ..............

From the DLH (dead letter header) you can see that the MQDEAD message was created for reason MQRC_NOT_AUTHORIZED (2035; F3 07 byteswapped = 0x7F3).
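The same DLH decoding can be scripted when triaging a trace. The following is an added example, not part of the original technote or IBM's code: it rebuilds the buffer from trace dump rows (expanding "lines suppressed" markers) and decodes the leading MQDLH fields. The sample rows are constructed in the trace's format, and the function names and the one-entry reason table are assumptions made for illustration.

```python
import re
import struct

# Trace dump row: "<seq> <time> <pid.tid> 0xADDR b0 b1 ... : ascii"
ROW = re.compile(r"0x[0-9A-Fa-f]{8}((?: [0-9A-Fa-f]{2}){1,16}) :")
SUPPRESSED = re.compile(r"(\d+) lines suppressed, same as above")
REASONS = {2035: "MQRC_NOT_AUTHORIZED"}  # only the reason code this page discusses

# Constructed sample in the trace's dump format (not copied from the page).
SAMPLE = """\
0004B86A 06:51:48.300835 3132.2 0x0062B14C 44 4C 48 20 01 00 00 00 F3 07 00 00 41 2E 4C 51 : DLH ........A.LQ
0004B86A 06:51:48.300835 3132.2 0x0062B15C 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 :
0004B86A 06:51:48.300835 3132.2 1 lines suppressed, same as above
0004B86A 06:51:48.300835 3132.2 0x0062B17C 20 20 20 20 20 20 20 20 20 20 20 20 51 4D 31 20 :             QM1
0004B86A 06:51:48.300835 3132.2 0x0062B18C 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 :
0004B86A 06:51:48.300835 3132.2 1 lines suppressed, same as above
0004B86A 06:51:48.300835 3132.2 0x0062B1AC 20 20 20 20 20 20 20 20 20 20 20 20 :
""".splitlines()


def dump_to_bytes(lines):
    """Rebuild the raw buffer from dump rows, repeating a row for each suppressed line."""
    rows = []
    for line in lines:
        m = ROW.search(line)
        s = SUPPRESSED.search(line)
        if m:
            rows.append(bytes.fromhex(m.group(1).replace(" ", "")))
        elif s and rows:
            rows.extend([rows[-1]] * int(s.group(1)))
    return b"".join(rows)


def parse_dlh(buf):
    """Decode MQDLH StrucId, Version, Reason, DestQName (48) and DestQMgrName (48)."""
    if len(buf) < 108 or buf[:4] != b"DLH ":
        raise ValueError("buffer does not start with a complete MQDLH prefix")
    # Version is 1, so the byte order that yields 1 is the one the integers use.
    for order in ("<", ">"):
        version, reason = struct.unpack_from(order + "ii", buf, 4)
        if version == 1:
            break
    else:
        raise ValueError("unrecognised MQDLH version")
    names = struct.unpack_from("48s48s", buf, 12)
    dest_q, dest_qmgr = (n.decode("ascii", "replace").rstrip(" \0") for n in names)
    return {"byte_order": order, "reason": reason,
            "reason_name": REASONS.get(reason, "unknown"),
            "dest_q": dest_q, "dest_qmgr": dest_qmgr}
```

Calling `parse_dlh(dump_to_bytes(SAMPLE))` reports reason 2035 for queue A.LQ on QM1, with `byte_order` set to `<` because the integers in this dump are little-endian.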

All of this points to the user 'testuser' not having PUT authority for queue 'A.LQ'. Do you have Put Authority set to 'Context' for your RCVR channel 'TESTUSER.TO.QM1'? One way to check this is to issue the following MQSC (runmqsc) command from a command line:

DIS CHL('TESTUSER.TO.QM1') CHLTYPE(RCVR) PUTAUT MCAUSER


Related information

Put Authority (PUTAUT)

Historical Number

58006 111 000

Product Alias/Synonym

MQSeries
WebSphere MQ


Document information


More support for:

WebSphere MQ
Security

Software version:

6.0, 7.0, 7.0.1, 7.1, 7.5

Operating system(s):

AIX, HP-UX, Linux, Solaris, Windows

Reference #:

1265760

Modified date:

2013-06-21
