Remote connection to v7.1 queue manager on IBMi fails with AMQ4036, Access not permitted

Technote (troubleshooting)


Problem(Abstract)

You have created a queue manager on IBMi WebSphere MQ (WMQ) v7.1. When you attempt to connect to that queue manager, either through WMQ Explorer to perform remote administration or from a WMQ client application, using a WMQ administrator profile, the client receives AMQ4036, "Access not permitted. You are not authorized to perform this operation."

On iSeries, the queue manager error log may show either AMQ9776, Channel was blocked by userid, or AMQ9777, Channel was blocked, followed by AMQ9999, Channel 'SYSTEM.ADMIN.SVRCONN' to host 'x (9.49.x.x)' ended abnormally.

Cause

Channel authentication records (CHLAUTH) are a new feature in WMQ v7.1, and the queue manager attribute CHLAUTH defaults to ENABLED for all queue managers created at v7.1. The following three channel authentication records are defined for all new and upgraded queue managers at v7.1.

DISPLAY CHLAUTH(*)
1 : DISPLAY CHLAUTH(*)
> AMQ8878: Display channel authentication record details.
CHLAUTH(SYSTEM.ADMIN.SVRCONN) TYPE(ADDRESSMAP) ADDRESS(*) USERSRC(CHANNEL)

This record permits any authorized user from any IP address to connect via the SYSTEM.ADMIN.SVRCONN channel. The user ID flowed from the client, or the channel's MCAUSER ID, is used for the connection.
If the user fails to connect with only this record in place, AMQ4036 is logged on Windows and AMQ8077, Entity '&3' has insufficient authority to access object '&4', is logged on IBMi.


> AMQ8878: Display channel authentication record details.
CHLAUTH(SYSTEM.*) TYPE(ADDRESSMAP) ADDRESS(*) USERSRC(NOACCESS)

This record blocks connections from any IP address via any of the SYSTEM channels.
If the user fails to connect with only this record in place, AMQ4036 is logged on Windows and AMQ9777, Channel was blocked, is logged on IBMi.

> AMQ8878: Display channel authentication record details.
CHLAUTH(*) TYPE(BLOCKUSER) USERLIST(*MQADMIN)

This record blocks all administrative users, including *ALLOBJ, QMQM and QMQMADM, from connecting via any channel. If the WMQ administrator fails to connect with only this record in place, AMQ4036 is logged on Windows and AMQ9776, Channel was blocked by userid, is logged on IBMi.

This new v7.1 feature provides a much more secure queue manager by default than in previous releases by requiring that administrative access be explicitly defined.

The new queue manager attribute CHLAUTH is NOT enabled by default on upgraded queue managers.


Diagnosing the problem

For a v7.1 queue manager, review the CHLAUTH parameter setting on the queue manager and display the channel authentication settings for the queue manager via RUNMQSC using DISPLAY CHLAUTH(*). Also review the error logs on IBMi and the remote system for authorization failure messages.

Resolving the problem

This assumes you are using SYSTEM.ADMIN.SVRCONN (except where noted) to connect to the IBMi queue manager.


1) Use a non-administrative user profile to connect to the queue manager. The user profile must exist on IBMi and be granted the authorities listed in DCF item 1299521.

2) Allow any administrative user to connect from a specific IP address
SET CHLAUTH(*) TYPE(BLOCKUSER) USERLIST(*MQADMIN) ACTION(REMOVE)
SET CHLAUTH(SYSTEM.ADMIN.SVRCONN) TYPE(ADDRESSMAP) ADDRESS(*) ACTION(REMOVE)
SET CHLAUTH(SYSTEM.ADMIN.SVRCONN) TYPE(ADDRESSMAP) ADDRESS(9.xx.xx.xx) USERSRC(CHANNEL)

3) Allow any administrative user to connect via a user-defined channel
SET CHLAUTH(*) TYPE(BLOCKUSER) USERLIST(*MQADMIN) ACTION(REMOVE)
SET CHLAUTH(MY.ADMIN.SVRCONN) TYPE(ADDRESSMAP) ADDRESS(*) USERSRC(CHANNEL)

4) Allow any administrative user to connect to the queue manager
SET CHLAUTH(SYSTEM.*) TYPE(ADDRESSMAP) ADDRESS(*) ACTION(REMOVE)
SET CHLAUTH(*) TYPE(BLOCKUSER) USERLIST(*MQADMIN) ACTION(REMOVE)

5) Disable the channel authentication record feature
CHGMQM MQMNAME(<QMGR_NAME>) CHLAUTH(*DISABLED)

WARNING: Disabling this feature is not recommended for WMQ v7.1 production queue managers due to the security exposure.
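The effect of the three default records, and of the record changes in options 2, 3 and 4 above, can be worked through with the small model below. It is an added example, not IBM code and not how the queue manager itself evaluates records: it keeps only the attributes this technote uses (channel profile, ADDRESSMAP with a single literal address or '*', BLOCKUSER), assumes that the ADDRESSMAP record with the most specific channel name wins before BLOCKUSER is applied, and uses constructed user names (ALLOBJUSR, APPUSER) and addresses. It returns the error-log message number the technote associates with each kind of block; the object-authority check that would produce AMQ8077 is outside the model.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Constructed for this model: profiles the queue manager would treat as *MQADMIN.
# The technote names *ALLOBJ users, QMQM and QMQMADM; ALLOBJUSR is an assumed name.
MQADMIN_USERS = {"QMQM", "QMQMADM", "ALLOBJUSR"}


@dataclass(frozen=True)
class ChlAuth:
    """One channel authentication record, reduced to the attributes used on this page."""
    channel: str                # channel profile, may contain '*' (e.g. SYSTEM.*)
    rtype: str                  # "ADDRESSMAP" or "BLOCKUSER"
    address: str = "*"          # ADDRESSMAP only: '*' or one literal IP address
    usersrc: str = "CHANNEL"    # ADDRESSMAP only: "CHANNEL" or "NOACCESS"
    userlist: tuple = ()        # BLOCKUSER only: user names or "*MQADMIN"


def default_records():
    """The three records a new v7.1 queue manager starts with (from the technote)."""
    return [
        ChlAuth("SYSTEM.ADMIN.SVRCONN", "ADDRESSMAP", "*", "CHANNEL"),
        ChlAuth("SYSTEM.*", "ADDRESSMAP", "*", "NOACCESS"),
        ChlAuth("*", "BLOCKUSER", userlist=("*MQADMIN",)),
    ]


def remove_record(rules, channel, rtype, address="*"):
    """SET CHLAUTH(...) ACTION(REMOVE): drop the record with this channel/type/address."""
    return [r for r in rules if (r.channel, r.rtype, r.address) != (channel, rtype, address)]


def set_record(rules, rule):
    """SET CHLAUTH(...): replace a record with the same channel/type/address, else add it."""
    return remove_record(rules, rule.channel, rule.rtype, rule.address) + [rule]


def _specificity(rule):
    # Assumed ordering: more literal characters in the channel profile wins
    # (SYSTEM.ADMIN.SVRCONN beats SYSTEM.*), then a literal address beats '*'.
    return (len(rule.channel.replace("*", "")), rule.address != "*")


def evaluate(rules, channel, address, user):
    """Return (allowed, code) for one connection attempt; code is the IBMi
    error-log message the technote associates with that kind of block."""
    maps = [r for r in rules if r.rtype == "ADDRESSMAP"
            and fnmatchcase(channel, r.channel)
            and r.address in ("*", address)]
    if maps and max(maps, key=_specificity).usersrc == "NOACCESS":
        return False, "AMQ9777"          # Channel was blocked
    for r in rules:
        if r.rtype == "BLOCKUSER" and fnmatchcase(channel, r.channel):
            for entry in r.userlist:
                if entry == user or (entry == "*MQADMIN" and user in MQADMIN_USERS):
                    return False, "AMQ9776"  # Channel was blocked by userid
    return True, "OK"                    # object authority (AMQ8077) not modelled


def option2_specific_address(rules, ip):
    """Option 2: admin users allowed on SYSTEM.ADMIN.SVRCONN from one address only."""
    rules = remove_record(rules, "*", "BLOCKUSER")
    rules = remove_record(rules, "SYSTEM.ADMIN.SVRCONN", "ADDRESSMAP", "*")
    return set_record(rules, ChlAuth("SYSTEM.ADMIN.SVRCONN", "ADDRESSMAP", ip, "CHANNEL"))


def option3_user_channel(rules, name):
    """Option 3: admin users allowed on a user-defined channel; SYSTEM.* stays blocked."""
    rules = remove_record(rules, "*", "BLOCKUSER")
    return set_record(rules, ChlAuth(name, "ADDRESSMAP", "*", "CHANNEL"))


def option4_any_admin(rules):
    """Option 4: remove the SYSTEM.* block and the *MQADMIN block."""
    rules = remove_record(rules, "SYSTEM.*", "ADDRESSMAP", "*")
    return remove_record(rules, "*", "BLOCKUSER")


if __name__ == "__main__":
    base = default_records()
    for chl, user in [("SYSTEM.ADMIN.SVRCONN", "QMQMADM"),
                      ("SYSTEM.ADMIN.SVRCONN", "APPUSER"),
                      ("SYSTEM.DEF.SVRCONN", "APPUSER")]:
        print(f"default records, {user} on {chl}:", evaluate(base, chl, "9.49.1.1", user))
    r2 = option2_specific_address(base, "9.20.30.40")
    print("option 2, QMQMADM from 9.20.30.40:", evaluate(r2, "SYSTEM.ADMIN.SVRCONN", "9.20.30.40", "QMQMADM"))
    print("option 2, QMQMADM from 10.0.0.1: ", evaluate(r2, "SYSTEM.ADMIN.SVRCONN", "10.0.0.1", "QMQMADM"))
```

With the default records, the administrator on SYSTEM.ADMIN.SVRCONN is stopped by the BLOCKUSER record (AMQ9776), a non-administrative profile on the same channel passes, and any other SYSTEM channel is stopped by the SYSTEM.* NOACCESS record (AMQ9777). After option 2 the administrator passes only from the listed address; from any other address the SYSTEM.* record is the only match and the connection is again AMQ9777.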


Related information

DistTech Note

Product Alias/Synonym

WMQ MQ

Document information

More support for: WebSphere MQ, Security

Software version: 7.1

Operating system(s): OS/400, i5/OS, iSeries

Software edition: All Editions

Reference #: 1597265

Modified date: 2013-03-15
