What is the purpose of the new MQS_REPORT_NOAUTH environment variable in WebSphere MQ?
The MQS_REPORT_NOAUTH environment variable can be used to help diagnose authorization problems, such as:
This environment variable was introduced in WebSphere MQ V5.3 Fix Pack 12, MQ V220.127.116.11 and MQ V18.104.22.168.
- Export the environment variable:
UNIX: export MQS_REPORT_NOAUTH=TRUE
Windows: set MQS_REPORT_NOAUTH=TRUE
OpenVMS: define/sys MQS_REPORT_NOAUTH TRUE
- Start of the queue manager.
- Recreate the authorization failure.
- Browse the queue manager error log; looking for AMQ8077.
- The environment variable can be added in the .profile or .bashrc file for the user "mqm".
- You must export this environment variable prior to starting the queue manager. The value is ignored, but it is a good practice to use a value that indicates that it is set, such as TRUE.
- In MQ 7.1, if you find that the error logs contain many instances of AMQ8077, then you have the option to disable this generation by unsetting the variable.
- To disable the environment variable. You will need to restart the queue manager.
UNIX: unset MQS_REPORT_NOAUTH
or by setting it to FALSE:
Windows: set MQS_REPORT_NOAUTH=
OpenVMS: deassign/sys MQS_REPORT_NOAUTH
When this variable is exported, and the queue manager detects an authorization problem, then the queue manager writes the following message in queue manager error log:
AMQ8077: Entity '<insert one>' has insufficient authority to access object '<insert two>'.
The specified entity is not authorized to access the required object. The following requested permissions are unauthorized: <insert three>
Ensure that the correct level of authority has been set for this entity against the required object, or ensure that the entity is a member of a privileged group.
When the UserId against which the authorization check is made, is not available on the system, then:
MQ V7.1: Message AMQ8077 is written into the log.
MQ V7.0: No messages are written to the error log. That is, AMQ8077 or AMQ9209 are not written in the log.
MQ V5.3, MQ V6.0: No AMQ8077 message is written to the error log. However, the following error message may be recorded:
AMQ9209: Connection to host 'ipAddress' closed.
If you want to capture the occurrence of this situation, the environment variable MQSAUTHERRORS can be used, which generates FDC files related to the return code 2035. For more details see:
Using MQSAUTHERRORS to generate FDC files related to RC 2035 (MQRC_NOT_AUTHORIZED)
++ Related technote
Using the MQS_REPORT_NOAUTH environment variable on IBMi
WebSphere MQ WMQ