MQS_REPORT_NOAUTH environment variable can be used to better diagnose return code 2035 (MQRC_NOT_AUTHORIZED)

Technote (FAQ)


Question

What is the purpose of the new MQS_REPORT_NOAUTH environment variable in WebSphere MQ?

Answer

The MQS_REPORT_NOAUTH environment variable can be used to help diagnose authorization problems, such as:

2035 MQRC_NOT_AUTHORIZED

This environment variable was introduced in WebSphere MQ V5.3 Fix Pack 12, MQ V6.0.1.0 and MQ V7.0.0.0.

Enabling

  1. Export the environment variable:
    UNIX: export MQS_REPORT_NOAUTH=TRUE
    Windows: set MQS_REPORT_NOAUTH=TRUE
    OpenVMS: define/sys MQS_REPORT_NOAUTH TRUE
  2. Start the queue manager.
  3. Recreate the authorization failure.
  4. Browse the queue manager error log, looking for AMQ8077.


Usage Notes
  • The environment variable can be added in the .profile or .bashrc file for the user "mqm".
  • You must export this environment variable prior to starting the queue manager. The value is ignored, but it is a good practice to use a value that indicates that it is set, such as TRUE.
  • In MQ 7.1, if you find that the error logs contain many instances of AMQ8077, then you have the option to disable this generation by unsetting the variable.
  • To disable the environment variable, unset it as follows. You will need to restart the queue manager.
    UNIX: unset MQS_REPORT_NOAUTH
    or by setting it to FALSE:
    export MQS_REPORT_NOAUTH=FALSE
    Windows: set MQS_REPORT_NOAUTH=
    OpenVMS: deassign/sys MQS_REPORT_NOAUTH

Expected output
When this variable is exported and the queue manager detects an authorization problem, the queue manager writes the following message to the queue manager error log:

AMQ8077: Entity '<insert one>' has insufficient authority to access object '<insert two>'.
EXPLANATION:
The specified entity is not authorized to access the required object. The following requested permissions are unauthorized: <insert three>
ACTION:
Ensure that the correct level of authority has been set for this entity against the required object, or ensure that the entity is a member of a privileged group.
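
For step 4 above, the following Python sketch (an added example, not part of the technote or of IBM's tooling) extracts AMQ8077 entries from error log text and counts them per entity, object and missing permission. It relies only on the message wording shown above; the sample log, its entity, object and permission values, and its line wrapping are constructed for illustration.

```python
import re
from collections import Counter

# Message shape taken from the "Expected output" text of AMQ8077 above.
# (?:(?!AMQ8077:).)*? stops a truncated entry from swallowing the next one.
AMQ8077 = re.compile(
    r"AMQ8077: Entity '(?P<entity>[^']*)' has insufficient authority "
    r"to access object '(?P<object>[^']*)'\."
    r"(?:(?!AMQ8077:).)*?requested permissions are unauthorized: "
    r"(?P<perms>(?:(?!AMQ8077:).)*?) ACTION:"
)

def parse_amq8077(log_text):
    """Return one (entity, object, permissions) tuple per AMQ8077 entry."""
    # Collapse newlines and padding so entries wrapped across lines still match.
    flat = " ".join(log_text.split())
    return [
        (m["entity"].strip(), m["object"].strip(), m["perms"].strip())
        for m in AMQ8077.finditer(flat)
    ]

def summarize(log_text):
    """Count failures per (entity, object, permissions), most frequent first."""
    return Counter(parse_amq8077(log_text)).most_common()

# Constructed sample: all values are made up; entries 2 and 3 are abbreviated.
SAMPLE_LOG = """\
AMQ8077: Entity 'appuser   ' has insufficient authority to access object
'ORDERS.IN'.
EXPLANATION:
The specified entity is not authorized to access the required object. The
following requested permissions are unauthorized: put
ACTION:
Ensure that the correct level of authority has been set for this entity.
(constructed unrelated log line)
AMQ8077: Entity 'batch' has insufficient authority to access object 'QM1'.
EXPLANATION:
The following requested permissions are unauthorized: connect
ACTION:
AMQ8077: Entity 'appuser' has insufficient authority to access object 'ORDERS.IN'.
EXPLANATION:
The following requested permissions are unauthorized: put
ACTION:
"""

if __name__ == "__main__":
    for (entity, obj, perms), count in summarize(SAMPLE_LOG):
        print(f"{count:3d}  {entity}  {obj}  {perms}")
```

A high count for one entity and object pair usually points to a single missing grant rather than many separate problems.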


Exception:
When the UserId against which the authorization check is made is not available on the system, then:

MQ V7.1: Message AMQ8077 is written into the log.

MQ V7.0: No messages are written to the error log. That is, neither AMQ8077 nor AMQ9209 is written to the log.

MQ V5.3, MQ V6.0: No AMQ8077 message is written to the error log. However, the following error message may be recorded:
AMQ9209: Connection to host 'ipAddress' closed.

If you want to capture the occurrence of this situation, the environment variable MQSAUTHERRORS can be used, which generates FDC files related to the return code 2035. For more details see:

Using MQSAUTHERRORS to generate FDC files related to RC 2035 (MQRC_NOT_AUTHORIZED)

Related technote

Using the MQS_REPORT_NOAUTH environment variable on IBMi

Product Alias/Synonym

WebSphere MQ WMQ

Document information


More support for:

WebSphere MQ
Security

Software version:

5.3, 6.0, 7.0, 7.1, 7.5

Operating system(s):

AIX, HP-UX, Linux, OpenVMS, Solaris, Windows

Reference #:

1299319

Modified date:

2013-05-03
