What is the purpose of the MQS_REPORT_NOAUTH environment variable in WebSphere MQ?
The MQS_REPORT_NOAUTH environment variable can be used to help diagnose authorization problems, such as:
This environment variable was introduced in WebSphere MQ V5.3 Fix Pack 12, MQ V220.127.116.11 and MQ V18.104.22.168.
1. Export the environment variable.
MQ 5.3, 6.0, 7.0.x: User MUST set the MQS_REPORT_NOAUTH environment variable to TRUE for the trace to be output.
UNIX: export MQS_REPORT_NOAUTH=TRUE
Windows: set MQS_REPORT_NOAUTH=TRUE
OpenVMS: define/sys MQS_REPORT_NOAUTH TRUE
MQ 7.1, 7.5, 8.0: The MQS_REPORT_NOAUTH environment variable does NOT need to be set, as the trace is generated by default.
2. Start the queue manager.
3. Recreate the authorization failure.
4. Browse the queue manager error log, looking for AMQ8077.
MQ 5.3, 6.0, 7.0.x: To disable the reporting, unset the environment variable and restart the queue manager.
UNIX: unset MQS_REPORT_NOAUTH
Windows: set MQS_REPORT_NOAUTH=
OpenVMS: deassign/sys MQS_REPORT_NOAUTH
MQ 7.1, 7.5, 8.0: To disable the reporting, you must set the MQS_REPORT_NOAUTH environment variable to FALSE (case sensitive).
UNIX: export MQS_REPORT_NOAUTH=FALSE
Windows: set MQS_REPORT_NOAUTH=FALSE
- The environment variable can be added in the .profile or .bashrc file for the user "mqm".
- You must export this environment variable prior to starting the queue manager.
- In MQ 7.1, if you find that the error logs contain many instances of AMQ8077, then you have the option to disable this generation by unsetting the variable.
When this variable is exported, and the queue manager detects an authorization problem, then the queue manager writes the following message in queue manager error log:
AMQ8077: Entity '<insert one>' has insufficient authority to access object '<insert two>'.
The specified entity is not authorized to access the required object. The following requested permissions are unauthorized: <insert three>
Ensure that the correct level of authority has been set for this entity against the required object, or ensure that the entity is a member of a privileged group.
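The following Python script is an added example, not part of the original technote or any IBM tool: it scans error-log text for AMQ8077 records in the format shown above and counts each entity, object and permission combination so that repeated denials stand out. The sample log is constructed, and the line wrapping and space-padded entity name in it are assumptions about how a real log may lay the message out.

```python
import re
from collections import Counter

# Constructed sample built from the AMQ8077 text quoted above. Entity, object
# and permission values are made up; the wrapped explanation lines and the
# space-padded entity name are assumptions about how a real log may lay it out.
SAMPLE_LOG = """\
AMQ8077: Entity 'appuser' has insufficient authority to access object 'QM1'.
The specified entity is not authorized to access the required object. The
following requested permissions are unauthorized: connect
AMQ9209: Connection to host '192.0.2.10' closed.
AMQ8077: Entity 'appuser' has insufficient authority to access object 'QM1'.
The specified entity is not authorized to access the required object. The following requested permissions are unauthorized: connect
AMQ8077: Entity 'batch   ' has insufficient authority to access object 'ORDERS.IN'.
The specified entity is not authorized to access the required object. The
following requested permissions are unauthorized: put
"""

# A new record starts at any line that begins with an AMQnnnn message id.
RECORD_BREAK = re.compile(r"\n(?=AMQ\d{4}:)")
HEADLINE = re.compile(
    r"AMQ8077: Entity '([^']*)' has insufficient authority "
    r"to access object '([^']*)'")
PERMS = re.compile(r"requested permissions are unauthorized:\s*(\S+)")


def parse_amq8077(log_text):
    """Yield (entity, object, permissions) for each AMQ8077 record."""
    for record in RECORD_BREAK.split(log_text):
        flat = " ".join(record.split())      # undo line wrapping
        head = HEADLINE.match(flat)
        if head is None:                     # some other message, e.g. AMQ9209
            continue
        perms = PERMS.search(flat)
        # "?" marks a record whose permissions line is missing
        yield (head.group(1).strip(), head.group(2).strip(),
               perms.group(1) if perms else "?")


def summarize(log_text):
    """Count identical denials so repeated failures stand out."""
    return Counter(parse_amq8077(log_text))


if __name__ == "__main__":
    for (entity, obj, perms), n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:3d}x  entity={entity}  object={obj}  missing={perms}")
```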
When the UserId against which the authorization check is made is not available on the system:
MQ V7.1: Message AMQ8077 is written into the log.
MQ V7.0: No messages are written to the error log. That is, neither AMQ8077 nor AMQ9209 is written to the log.
MQ V5.3, MQ V6.0: No AMQ8077 message is written to the error log. However, the following error message may be recorded:
AMQ9209: Connection to host 'ipAddress' closed.
If you want to capture the occurrence of this situation, the environment variable MQSAUTHERRORS can be used, which generates FDC files related to the return code 2035. For more details see:
Using MQSAUTHERRORS to generate FDC files related to RC 2035 (MQRC_NOT_AUTHORIZED)
Related technote:
Using the MQS_REPORT_NOAUTH environment variable on IBMi