MQS_REPORT_NOAUTH environment variable can be used to better diagnose return code 2035 (MQRC_NOT_AUTHORIZED)

Technote (FAQ)


Question

What is the purpose of the MQS_REPORT_NOAUTH environment variable in WebSphere MQ?

Answer

The MQS_REPORT_NOAUTH environment variable can be used to help diagnose authorization problems, such as:

2035 MQRC_NOT_AUTHORIZED

This environment variable was introduced in WebSphere MQ V5.3 Fix Pack 12, MQ V6.0.1.0 and MQ V7.0.0.0.

Enabling
1. Export the environment variable.

MQ 5.3, 6.0, 7.0.x: User MUST set the MQS_REPORT_NOAUTH environment variable to TRUE for the trace to be output.
UNIX: export MQS_REPORT_NOAUTH=TRUE
Windows: set MQS_REPORT_NOAUTH=TRUE
OpenVMS: define/sys MQS_REPORT_NOAUTH TRUE

MQ 7.1, 7.5, 8.0: The MQS_REPORT_NOAUTH environment variable does NOT need to be set, as the trace is generated by default.

2. Start of the queue manager.
3. Recreate the authorization failure.
4. Browse the queue manager error log; looking for AMQ8077.


Disabling

MQ 5.3, 6.0, 7.0.x: To disable the reporting, unset the environment variable and restart the queue manager.
UNIX: unset MQS_REPORT_NOAUTH
Windows: set MQS_REPORT_NOAUTH=
OpenVMS: deassign/sys MQS_REPORT_NOAUTH

MQ 7.1, 7.5, 8.0: To disable the reporting, you must set the MQS_REPORT_NOAUTH environment variable to FALSE (case sensitive)
UNIX: export MQS_REPORT_NOAUTH=FALSE
Windows: set MQS_REPORT_NOAUTH=FALSE


Usage Notes

  • The environment variable can be added in the .profile or .bashrc file for the user "mqm".
  • You must export this environment variable prior to starting the queue manager.
  • In MQ 7.1, if you find that the error logs contain many instances of AMQ8077, then you have the option to disable this generation by unsetting the variable.

Expected output
When this variable is exported, and the queue manager detects an authorization problem, then the queue manager writes the following message in queue manager error log:

AMQ8077: Entity '<insert one>' has insufficient authority to access object '<insert two>'.
EXPLANATION:
The specified entity is not authorized to access the required object. The following requested permissions are unauthorized: <insert three>
ACTION:
Ensure that the correct level of authority has been set for this entity against the required object, or ensure that the entity is a member of a privileged group.


++ Exception:
When the UserId against which the authorization check is made, is not available on the system, then:

MQ V7.1: Message AMQ8077 is written into the log.

MQ V7.0: No messages are written to the error log. That is, AMQ8077 or AMQ9209 are not written in the log.

MQ V5.3, MQ V6.0: No AMQ8077 message is written to the error log. However, the following error message may be recorded:
AMQ9209: Connection to host 'ipAddress' closed.

If you want to capture the occurrence of this situation, the environment variable MQSAUTHERRORS can be used, which generates FDC files related to the return code 2035. For more details see:

Using MQSAUTHERRORS to generate FDC files related to RC 2035 (MQRC_NOT_AUTHORIZED)

++ Related technote

Using the MQS_REPORT_NOAUTH environment variable on IBMi

Related information

A Japanese translation is available

Product Alias/Synonym

WebSphere MQ WMQ

Rate this page:

(0 users)Average rating

Document information


More support for:

WebSphere MQ
Security

Software version:

5.3, 6.0, 7.0, 7.1, 7.5, 8.0

Operating system(s):

AIX, HP-UX, Linux, OpenVMS, Solaris, Windows

Reference #:

1299319

Modified date:

2014-10-01

Translate my page

Machine Translation

Content navigation