WMQ 7.1 / 7.5 / 8.0 queue manager RC 2035 MQRC_NOT_AUTHORIZED or AMQ4036 when using client connection as an MQ Administrator

Technote (FAQ)


Question

You create a new queue manager in WebSphere MQ 7.1, 7.5, 8.0 or later and try to access it remotely, over a client connection, with a user id that is an MQ Administrator (a member of the mqm group, or of the Administrators group on Windows). The connection fails with reason code 2035:

2035 MQRC_NOT_AUTHORIZED

The same MQ Administrator can remotely access other queue managers at version 6 or 7.0.x without any problem.

Cause

You created a new queue manager in MQ 7.1, 7.5, 8.0 or later. Channel Authentication Records (CHLAUTH), a feature introduced in 7.1, are ENABLED by default on a queue manager created at 7.1 or later. You can check the value with runmqsc:
$ runmqsc QmgrName
DISPLAY QMGR CHLAUTH
AMQ8408: Display Queue Manager details.
QMNAME(TEST01) CHLAUTH(ENABLED)

By default, the following three channel authentication records are generated when a queue manager is created at 7.1 or later, or migrated to 7.1 or later (on a migrated queue manager the records exist but CHLAUTH is DISABLED; see note a below):

DISPLAY CHLAUTH(*)
1 : DISPLAY CHLAUTH(*)
AMQ8878: Display channel authentication record details.
CHLAUTH(SYSTEM.ADMIN.SVRCONN) TYPE(ADDRESSMAP)
ADDRESS(*) USERSRC(CHANNEL)
AMQ8878: Display channel authentication record details.
CHLAUTH(SYSTEM.*) TYPE(ADDRESSMAP)
ADDRESS(*) USERSRC(NOACCESS)
AMQ8878: Display channel authentication record details.
CHLAUTH(*) TYPE(BLOCKUSER)
USERLIST(*MQADMIN)

The third record (TYPE(BLOCKUSER) USERLIST(*MQADMIN), applied to every channel) blocks any inbound channel whose MCAUSER resolves to an MQ Administrator, and the second record blocks every other SYSTEM.* channel, including SYSTEM.DEF.SVRCONN, from all addresses. The effect is that non-administrative users can still connect if suitably authorized to do so, but administrative connections, and anonymous connections that would otherwise run under the channel's own privileged user id, are disallowed regardless of any Object Authority Manager (OAM) authorization settings. New queue managers at 7.1 and later are therefore much more secure by default than in previous versions, with the trade-off that administrative access must be explicitly defined.

+++ Additional notes:

a) If you upgraded an existing queue manager to MQ 7.1, this feature is NOT enabled by default:

$ runmqsc QmgrName
DISPLAY QMGR CHLAUTH
AMQ8408: Display Queue Manager details.
QMNAME(TEST01) CHLAUTH(DISABLED)

You can enable it by issuing the following command in runmqsc (the three default records above are then in force, so plan the administrative access described in the Answer section first):
ALTER QMGR CHLAUTH(ENABLED)


b) You use the MQ Explorer to remotely access the newly created 7.1 queue manager and get the following two error dialogs.

Text inside the first dialog box:
Access not permitted. You are not authorized to perform this operation. (AMQ4036)
Severity: 10 (Warning)
Explanation: The queue manager security mechanism has indicated that the userid associated with this request is not authorized to access the object.

After closing the above dialog, a second one appears. Text inside the second dialog box:
An error occurred connecting to queue manager 'QM_71 on 'host.x.com(14xx)''. Are you sure that you want to show this queue manager in the folder anyway? (AMQ4027)
Severity: 10 (Warning)
Explanation: A connection could not be made to the specified remote queue manager.
Response: Ensure that the named queue manager is running on the host and port specified, and has a channel corresponding to the specified name. Ensure that you have the authority to connect to the remote queue manager, and ensure that the network is running. Select Yes if you believe that the problem can be resolved later. Select No if you want to correct the problem now and try again.


c) In the error log for the queue manager you see either the error AMQ9776 or AMQ9777, followed by AMQ9999

c.1) AMQ9776: Channel was blocked by userid
EXPLANATION: The inbound channel 'SYSTEM.ADMIN.SVRCONN' was blocked from address
'9.49.x.x' because the active values of the channel were mapped to a userid which should be blocked. The active values of the channel were 'MCAUSER(rivera) CLNTUSER(rivera)'.
ACTION: Contact the systems administrator, who should examine the channel authentication records to ensure that the correct settings have been configured. The ALTER QMGR CHLAUTH switch is used to control whether channel authentication records are used. The command DISPLAY CHLAUTH can be used to query the channel authentication records.

c.2) AMQ9777: Channel was blocked
EXPLANATION: The inbound channel 'SYSTEM.DEF.SVRCONN' was blocked from address '127.0.0.1'
because the active values of the channel matched a record configured with USERSRC(NOACCESS). The active values of the channel were 'CLNTUSER()'.
ACTION: Contact the systems administrator, who should examine the channel authentication records to ensure that the correct settings have been configured. The ALTER QMGR CHLAUTH switch is used to control whether channel authentication records are used. The command DISPLAY CHLAUTH can be used to query the channel authentication records.

c.3) Either of the above errors is followed by:

AMQ9999: Channel 'SYSTEM.ADMIN.SVRCONN' to host 'x (9.49.x.x)' ended abnormally.
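The three messages above are the evidence you will find when triaging a 2035 on a new queue manager. The following parser is an added example, not part of this technote and not IBM code: it splits a queue manager error log into entries, extracts the channel, address and active values from AMQ9776 / AMQ9777, ties AMQ9999 to its channel, and maps each block to the remedy discussed in the Answer section. The log text is a constructed sample laid out like AMQERR01.LOG and modelled on the entries quoted in note (c); the timestamps, host name and the 9.49.1.2 address are invented, and the AMQ9999 explanation text is paraphrased.

```python
import re

# Constructed sample in the layout of a queue manager error log (AMQERR01.LOG),
# modelled on the AMQ9777 / AMQ9776 / AMQ9999 entries quoted in note (c) above.
SAMPLE_LOG = """\
07/10/2014 08:57:27 - Process(6640.14) User(mqm) Program(amqrmppa)
                    Host(host.x.com) Installation(Installation1)
                    VRMF(7.1.0.0) QMgr(QM_V710)

AMQ9777: Channel was blocked

EXPLANATION:
The inbound channel 'SYSTEM.DEF.SVRCONN' was blocked from address '127.0.0.1'
because the active values of the channel matched a record configured with
USERSRC(NOACCESS). The active values of the channel were 'CLNTUSER()'.
ACTION:
Contact the systems administrator, who should examine the channel
authentication records to ensure that the correct settings have been configured.
----- cmqxrmsa.c : 885 --------------------------------------------------------
07/10/2014 09:02:11 - Process(6640.15) User(mqm) Program(amqrmppa)
                    Host(host.x.com) Installation(Installation1)
                    VRMF(7.1.0.0) QMgr(QM_V710)

AMQ9776: Channel was blocked by userid

EXPLANATION:
The inbound channel 'SYSTEM.ADMIN.SVRCONN' was blocked from address
'9.49.1.2' because the active values of the channel were mapped to a userid
which should be blocked. The active values of the channel were 'MCAUSER(rivera)
CLNTUSER(rivera)'.
ACTION:
Contact the systems administrator, who should examine the channel
authentication records to ensure that the correct settings have been configured.
----- cmqxrmsa.c : 885 --------------------------------------------------------
07/10/2014 09:02:11 - Process(6640.15) User(mqm) Program(amqrmppa)
                    Host(host.x.com) Installation(Installation1)
                    VRMF(7.1.0.0) QMgr(QM_V710)

AMQ9999: Channel 'SYSTEM.ADMIN.SVRCONN' to host 'host (9.49.1.2)' ended abnormally.

EXPLANATION:
The channel program running under process ID 6640(15) for channel
'SYSTEM.ADMIN.SVRCONN' ended abnormally.
ACTION:
Look at previous error messages for the channel program in the error logs.
-------------------------------------------------------------------------------
"""

ENTRY_SEP = re.compile(r"^-{5,}.*$", re.M)            # the dashed line that closes each entry
HEADER    = re.compile(r"^(\S+ \S+) - Process\((\d+)\.(\d+)\)")
CODE      = re.compile(r"^(AMQ\d{4}): (.*)$", re.M)
BLOCKED   = re.compile(r"The inbound channel '([^']+)' was blocked from address '([^']+)'")
ACTIVE    = re.compile(r"The active values of the channel were '([^']*)'")
ENDED     = re.compile(r"Channel '([^']+)' to host '[^(']*\(([^)]+)\)'")
KV        = re.compile(r"(\w+)\(([^)]*)\)")            # MCAUSER(x) CLNTUSER(y) pairs

def parse_entries(text):
    """Split the log into entries and pull out the fields the CHLAUTH messages carry."""
    events = []
    for raw in ENTRY_SEP.split(text):
        code = CODE.search(raw)
        if not code:
            continue
        hdr = HEADER.search(raw.strip())
        ev = {"code": code.group(1), "summary": code.group(2).strip(),
              "time": hdr.group(1) if hdr else None,
              "pid_tid": f"{hdr.group(2)}.{hdr.group(3)}" if hdr else None,
              "channel": None, "address": None, "active": {}}
        flat = " ".join(raw.split())        # messages wrap at 80 columns; rejoin them first
        if (m := BLOCKED.search(flat)):
            ev["channel"], ev["address"] = m.group(1), m.group(2)
        elif (m := ENDED.search(flat)):
            ev["channel"], ev["address"] = m.group(1), m.group(2)
        if (m := ACTIVE.search(flat)):
            ev["active"] = dict(KV.findall(m.group(1)))
        events.append(ev)
    return events

def classify(events):
    """Map each CHLAUTH block to the cause and the remedy this technote describes."""
    findings = []
    for ev in events:
        chl = ev["channel"] or ""
        if ev["code"] == "AMQ9777":
            if chl.startswith(("SYSTEM.DEF.", "SYSTEM.AUTO.")):
                why = "default channel matched the SYSTEM.* USERSRC(NOACCESS) record"
                fix = "do not connect over SYSTEM.DEF.*/SYSTEM.AUTO.*; define a dedicated SVRCONN with its own CHLAUTH records"
            else:
                why = "channel and address matched a USERSRC(NOACCESS) record"
                fix = "add an ADDRESSMAP record with USERSRC(CHANNEL) for this channel and the addresses that need it (answer 2.b)"
        elif ev["code"] == "AMQ9776":
            user = ev["active"].get("MCAUSER") or ev["active"].get("CLNTUSER") or "<channel's own id>"
            why = f"MCAUSER '{user}' is on a BLOCKUSER list (default list: *MQADMIN)"
            fix = "connect with a non-administrative id (answer 1) or add a channel-specific BLOCKUSER record (answer 2.a/2.b)"
        else:
            continue        # AMQ9999 only confirms the channel ended; the cause is the message before it
        findings.append({"time": ev["time"], "code": ev["code"], "channel": chl,
                         "address": ev["address"], "why": why, "fix": fix})
    return findings

if __name__ == "__main__":
    for f in classify(parse_entries(SAMPLE_LOG)):
        print(f"{f['time']} {f['code']} {f['channel']} from {f['address']}: {f['why']} -> {f['fix']}")
```

Point the script at a real AMQERR01.LOG by reading the file into `parse_entries` instead of `SAMPLE_LOG`; the parser only relies on the message text shown in note (c) and on the dashed separator line that ends each entry.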

Answer

1) If this is a production queue manager, stop using a user id that is an MQ Administrator for client connections and instead use a non-administrative user id, granted authority with setmqaut to only the objects it needs. This is the model the default CHLAUTH records are designed to enforce.


2) If you really want the MQ Administrator to be able to access the queue manager via client channels, you could do one of the following actions.

2.a) You can add the following two Channel Authentication Records discussed in the following presentation:

What's New in WebSphere MQ v7.1 Security?
T.Rob Wyatt
Page 10: User ID blocking

The first rule blocks administrative users and the MCAUSER "nobody" (which prevents someone from creating a user ID "nobody" and putting it into an authorized group).
$ runmqsc QmgrName
SET CHLAUTH(*) TYPE(BLOCKUSER) USERLIST('nobody','*MQADMIN')

The second rule provides a reduced block list for the SYSTEM.ADMIN channels, which allows administrators to use them. It is assumed here that some other CHLAUTH rule, such as an SSLPEERMAP, has validated the administrator's connection, or that a security exit has done so.
SET CHLAUTH(SYSTEM.ADMIN.*) TYPE(BLOCKUSER) USERLIST('nobody')

The above rules apply to SYSTEM.ADMIN.SVRCONN which is used by the MQ Explorer.

If you are using another user-defined channel, such as MY.ADMIN.SVRCONN, then you need to add the following two records:
SET CHLAUTH(MY.ADMIN.SVRCONN) TYPE(ADDRESSMAP) ADDRESS(*) USERSRC(CHANNEL)
SET CHLAUTH(MY.ADMIN.SVRCONN) TYPE(BLOCKUSER) USERLIST('nobody')

The ADDRESSMAP record mirrors the default record for SYSTEM.ADMIN.SVRCONN. The BLOCKUSER record is the one that lets the administrator in: only the most specific matching BLOCKUSER record is applied to a channel, so the channel-specific list ('nobody') takes the place of the generic CHLAUTH(*) list ('nobody','*MQADMIN') for MY.ADMIN.SVRCONN, while administrators remain blocked on every other channel.

Note: it is not advisable to use SYSTEM.DEF.* channels for active connections. The system default channels are the objects from which all user-defined channels inherit properties. The recommended practice is that SYSTEM.DEF.* and SYSTEM.AUTO.* channels should NOT be configured to be usable.

2.b) This is a variation of (2.a) but allowing the MQ Administrator to only use a particular host.

The first rule blocks MCAUSER "nobody".
SET CHLAUTH(SYSTEM.ADMIN.SVRCONN) TYPE(BLOCKUSER) USERLIST('nobody')

The second rule removes all access to SYSTEM.ADMIN.SVRCONN ...
SET CHLAUTH(SYSTEM.ADMIN.SVRCONN) TYPE(ADDRESSMAP) ADDRESS(*) ACTION(REMOVE)

... and the third rule adds an entry for the one host that needs access.
SET CHLAUTH(SYSTEM.ADMIN.SVRCONN) TYPE(ADDRESSMAP) ADDRESS(9.27.4x.7y) USERSRC(CHANNEL)

With the ADDRESS(*) record removed, connections to SYSTEM.ADMIN.SVRCONN from any other address fall through to the SYSTEM.* USERSRC(NOACCESS) record and are refused with AMQ9777. Note that an ADDRESSMAP record only identifies the connecting host by its IP address; it does not authenticate the administrator, so pair it with the SSLPEERMAP or security-exit validation mentioned in 2.a rather than relying on the address alone.
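To see why the three default records block the administrator and why 2.a and 2.b let the administrator back in, the following is an added example (not part of this technote and not IBM code) that models the subset of CHLAUTH evaluation this page uses: ADDRESSMAP records with USERSRC(CHANNEL) or USERSRC(NOACCESS), BLOCKUSER records with the *MQADMIN special value, and the precedence rule that an exact channel name beats a generic one and only the most specific matching BLOCKUSER list applies. It is a simplified model, not the queue manager's algorithm: it assumes the SVRCONN has a blank MCAUSER so the client-asserted id is adopted, treats an empty CLNTUSER as running under the channel's own privileged id, supports only '*' or per-octet wildcards in ADDRESS, and uses a fixed set (MQ_ADMINS) in place of the real mqm group lookup. The names rivera, alice, MY.APP.SVRCONN and the address 9.27.4.7 are invented for the demonstration.

```python
from dataclasses import dataclass

# Constructed: "MQ Administrator" really means membership of the mqm group
# (Administrators on Windows); this fixed set stands in for that lookup.
MQ_ADMINS = {"mqm", "rivera"}

@dataclass(frozen=True)
class Rec:
    chl: str                    # exact channel name, or generic name ending in '*'
    kind: str                   # 'ADDRESSMAP' or 'BLOCKUSER' (the two types used on this page)
    address: str = "*"          # ADDRESSMAP: '*' or dotted IPv4 with '*' allowed per octet
    usersrc: str = "CHANNEL"    # ADDRESSMAP: 'CHANNEL' or 'NOACCESS'
    userlist: tuple = ()        # BLOCKUSER: user ids; '*MQADMIN' is the special value

def chl_matches(pattern: str, name: str) -> bool:
    return name.startswith(pattern[:-1]) if pattern.endswith("*") else pattern == name

def chl_rank(pattern: str):
    """Lower sorts first: an exact name beats any generic name; a longer generic prefix beats a shorter one."""
    return (0, 0) if not pattern.endswith("*") else (1, -len(pattern))

def addr_matches(pattern: str, addr: str) -> bool:
    if pattern == "*":
        return True
    p, a = pattern.split("."), addr.split(".")
    return len(p) == len(a) and all(x in ("*", y) for x, y in zip(p, a))

def addr_rank(pattern: str) -> int:
    return 99 if pattern == "*" else pattern.count("*")

def evaluate(records, channel, address, clntuser):
    """Outcome for one inbound client connection: ('AMQ9777', why), ('AMQ9776', why) or ('OK', mcauser)."""
    maps = [r for r in records if r.kind == "ADDRESSMAP"
            and chl_matches(r.chl, channel) and addr_matches(r.address, address)]
    if maps:
        best = min(maps, key=lambda r: (chl_rank(r.chl), addr_rank(r.address)))
        if best.usersrc == "NOACCESS":
            return "AMQ9777", f"matched CHLAUTH({best.chl}) ADDRESS({best.address}) USERSRC(NOACCESS)"
    # Assumption: the SVRCONN has a blank MCAUSER, so the client-asserted id is adopted;
    # an empty CLNTUSER falls through to the channel process's own (privileged) id.
    mcauser = clntuser or "mqm"
    blocks = [r for r in records if r.kind == "BLOCKUSER" and chl_matches(r.chl, channel)]
    if blocks:
        best = min(blocks, key=lambda r: chl_rank(r.chl))   # only the most specific list applies
        if any(u == mcauser or (u == "*MQADMIN" and mcauser in MQ_ADMINS) for u in best.userlist):
            return "AMQ9776", f"MCAUSER({mcauser}) is on CHLAUTH({best.chl}) USERLIST({','.join(best.userlist)})"
    return "OK", mcauser

def _key(r):
    return (r.chl, r.kind, r.address if r.kind == "ADDRESSMAP" else None)

def set_chlauth(records, rec):
    """SET CHLAUTH(...) TYPE(...): replaces the record with the same profile, or adds it."""
    return [r for r in records if _key(r) != _key(rec)] + [rec]

def remove_chlauth(records, rec):
    """SET CHLAUTH(...) TYPE(...) ACTION(REMOVE)"""
    return [r for r in records if _key(r) != _key(rec)]

# The three records DISPLAY CHLAUTH(*) shows on a new 7.1+ queue manager
DEFAULTS = [
    Rec("SYSTEM.ADMIN.SVRCONN", "ADDRESSMAP", "*", "CHANNEL"),
    Rec("SYSTEM.*", "ADDRESSMAP", "*", "NOACCESS"),
    Rec("*", "BLOCKUSER", userlist=("*MQADMIN",)),
]

def fix_2a(records):
    """Answer 2.a: generic list keeps 'nobody' and *MQADMIN; SYSTEM.ADMIN.* gets a reduced list."""
    r = set_chlauth(records, Rec("*", "BLOCKUSER", userlist=("nobody", "*MQADMIN")))
    return set_chlauth(r, Rec("SYSTEM.ADMIN.*", "BLOCKUSER", userlist=("nobody",)))

def fix_2b(records, admin_host):
    """Answer 2.b: as 2.a for SYSTEM.ADMIN.SVRCONN, but USERSRC(CHANNEL) only from one address."""
    r = set_chlauth(records, Rec("SYSTEM.ADMIN.SVRCONN", "BLOCKUSER", userlist=("nobody",)))
    r = remove_chlauth(r, Rec("SYSTEM.ADMIN.SVRCONN", "ADDRESSMAP", "*"))
    return set_chlauth(r, Rec("SYSTEM.ADMIN.SVRCONN", "ADDRESSMAP", admin_host, "CHANNEL"))

if __name__ == "__main__":
    cases = [
        ("default, admin on SYSTEM.ADMIN.SVRCONN", DEFAULTS, ("SYSTEM.ADMIN.SVRCONN", "9.49.1.2", "rivera")),
        ("default, anyone on SYSTEM.DEF.SVRCONN",  DEFAULTS, ("SYSTEM.DEF.SVRCONN", "127.0.0.1", "")),
        ("2.a, admin on SYSTEM.ADMIN.SVRCONN",     fix_2a(DEFAULTS), ("SYSTEM.ADMIN.SVRCONN", "9.49.1.2", "rivera")),
        ("2.b, admin from the wrong host",         fix_2b(DEFAULTS, "9.27.4.7"), ("SYSTEM.ADMIN.SVRCONN", "9.49.1.2", "rivera")),
    ]
    for label, recs, args in cases:
        print(f"{label:42s} -> {evaluate(recs, *args)}")
```

The model reproduces the behaviour described on this page: with the defaults an administrator gets AMQ9776 on SYSTEM.ADMIN.SVRCONN and any client gets AMQ9777 on SYSTEM.DEF.SVRCONN; after 2.a the administrator connects on SYSTEM.ADMIN.SVRCONN but stays blocked on other channels; after 2.b the administrator connects only from the listed host. Treat it as a way to reason about record precedence before typing SET CHLAUTH into runmqsc, and verify the real result with DISPLAY CHLAUTH and a test connection.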


2.c) Disable the Channel Authentication Records feature:

ALTER QMGR CHLAUTH(DISABLED)

WARNING: Disabling this feature is not recommended for production queue managers at MQ 7.1 or later, because of the security implications.
Note that disabling CHLAUTH results in a policy that accepts administrative client connections by default, as in versions before 7.1. The administrative effort needed to lock down administrative access with CHLAUTH(DISABLED) is much greater than with CHLAUTH(ENABLED). It is therefore recommended to leave CHLAUTH(ENABLED) and use the other security features of WebSphere MQ 7.1 and later (for example SSLPEERMAP records or a security exit) to authenticate administrator connections.


+++ Related technotes

MQ 7.1: How to remove a CHLAUTH record

Remote connection to v7.1 queue manager on IBMi fails with AMQ4036, Access not permitted

+++ Advanced details in the trace

An example of the trace for the MQ queue manager for this error condition is shown below:

Trace for process: amqrmppa

000012 0x1018D30C 2A 4E 4F 41 43 43 45 53 53 : *NOACCESS
000051E8 08:57:27.404186 6640.14 RSESS:000012 (11)------------{ rriCheckUserBlocked
000051E9 08:57:27.404199 6640.14 RSESS:000012 (12)-------------{ rrxError
000051EA 08:57:27.404215 6640.14 RSESS:000012 RetCode = 20009777, rc1 = 0, rc2 = 0, Comment1 = 'SYSTEM.DEF.SVRCONN', Comment2 = '127.0.0.1', Comment3= 'CLNTUSER()', File= 'F:\build\p000_P\src\base\src\cmqxrmsa.c', Line= '885'
000051EB 08:57:27.404236 6640.14 RSESS:000012 (12)-------------}! rrxError (rc=rrcE_CHLAUTH_BLOCKED_NOACCESS)
000051EC 08:57:27.404505 6640.14 RSESS:

The error rrcE_CHLAUTH_BLOCKED_NOACCESS is mapped to 2035 MQRC_NOT_AUTHORIZED as seen in the following reformatted trace:

00005508 08:57:27.417747   6640.14     RSESS:000012 Channel Name:SYSTEM.DEF.SVRCONN  
00005509 08:57:27.417766   6640.14     RSESS:000012 Sending Data:-
00005509 08:57:27.417766   6640.14     RSESS:000012  0x00C8E020 54 53 48 4D 00 00 01 80 00 00 00 01 00 00 00 00 : TSHM...€..... ----------------------+ Transmission Segment Header (TSHM)
00005509 08:57:27.417766   6640.14     RSESS:000012  0x00C8E030 02 91 30 00 00 00 00 00 00 00 00 00 11 01 00 00 : .‘0.............    | StrucId       {+000} | 'TSHM'
00005509 08:57:27.417766   6640.14     RSESS:000012  0x00C8E040 B5 01 00 00 00 00 01 78 02 00 00 00 F3 07 00 00 : .......x........    | Length        {+004} | 384
00005509 08:57:27.417766   6640.14     RSESS:000012  0x00C8E050 00 00 00 00 51 4D 5F 56 37 31 30 20 20 20 20 20 : ....QM_V710         | Conv.   Id    {+008} | 1
00005509 08:57:27.417766   6640.14     RSESS:000012  0x00C8E060 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 :                     | Request Id    {+00C} | 0
00005509 08:57:27.417766   6640.14     RSESS:000012  0x00C8E070 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 :                     | Encoding      {+010} | 2  (LITTLE_ENDIAN)
00005509 08:57:27.417766   6640.14     RSESS:000012  0x00C8E080 20 20 20 20 57 65 62 53 70 68 65 72 65 20 4D 51 :     WebSphere MQ    | SegmentType   {+011} | 145 rfpTST_MQCONN_REPLY (MQCONN  Reply)
00005509 08:57:27.417766   6640.14     RSESS:000012  0x00C8E090 20 43 6C 69 65 6E 74 20 66 6F 72 20 4A 61 76 61 :  Client for Java    | ControlFlags1 {+012} | 30
00005509 08:57:27.417766   6640.14     RSESS:000012  0x00C8E0A0 1C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 : ................    |                      | 10 rfpTCF_FIRST (First Segment)
00005509 08:57:27.417766   6640.14     RSESS:000012  0x00C8E0B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 : ................    |                      | 20 rfpTCF_LAST (Last Segment)
00005509 08:57:27.417766   6640.14     RSESS:000012  0x00C8E0C0 00 00 00 00 03 00 00 00 00 00 00 00 46 43 4E 4F : ............FCNO    | ControlFlags2 {+013} | 00
00005509 08:57:27.417766   6640.14     RSESS:000012  0x00C8E0D0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 : ................    | LUWID         {+014} | 0000000000000000
00005509 08:57:27.417766   6640.14     RSESS:000012  0x00C8E0E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 : ................    | MQEncoding    {+01C} | 0x'111'
00005509 08:57:27.417766   6640.14     RSESS:000012  0x00C8E0E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 : ................    | CCSID         {+020} | 437
00005509 08:57:27.417766   6640.14     RSESS:000012  0x00C8E0E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 : ................    | Reserved      {+022} | 0000
00005509 08:57:27.417766   6640.14     RSESS:000012  0x00C8E0E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 : ................    +----------------------+ MQ Api (MQAPI)
00005509 08:57:27.417766   6640.14     RSESS:000012  0x00C8E0E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 : ................    | Call Length   {+024} | 376
00005509 08:57:27.417766   6640.14     RSESS:000012  0x00C8E0E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 : ................    | CompCode      {+028} | 2 MQCC_FAILED (Failed)
00005509 08:57:27.417766   6640.14     RSESS:000012  0x00C8E0E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 : ................    | Reason        {+02C} | 2035 MQRC_NOT_AUTHORIZED (Not authorized.)
00005509 08:57:27.417766   6640.14     RSESS:000012  0x00C8E0E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 : ................    | Handle        {+030} | 0

Cross reference information
Segment: Application Servers; Product: WebSphere Application Server; Component: Security; Platform: AIX, Linux, Solaris, Windows; Version: 8.0, 7.0

Product Alias/Synonym

WMQ MQ MQSeries


Document information

More support for: WebSphere MQ, Security
Software version: 7.1, 7.5, 8.0
Operating system(s): AIX, HP-UX, Linux, Solaris, Windows
Reference #: 1577137
Modified date: 2014-07-10
