IBM Support

Collect IBM MQ MustGather data to solve security problems on Linux, UNIX, Windows and IBM i

Technote (troubleshooting)


IBM MQ is incorrectly allowing or denying access to a user or application, and you need to collect MustGather data to find a solution.


These instructions apply only to IBM MQ V9.0 and V8.0, and WebSphere MQ V7.5, V7.1, V7.0 and V6.0 on AIX, HP-UX, Linux, Solaris and Windows, and to IBM MQ V9.0 and V8.0, and WebSphere MQ V7.1, V7.0 and V6.0 on IBM i. Refer to the IBM MQ Read First page for instructions on other operating systems:

Resolving the problem

Please answer these questions about the problem and then follow the steps below:

  • What security problem did you observe on the system?
  • What time did the security problem start and when did it stop?
  • Which specific users or applications and queue manager objects are involved?

Step 1: Generate Data

If the security problem is reproducible or is happening right now, generate data to provide more information about the problem:

  1. Generate a trace of the queue manager when the security problem occurs. If possible, issue the runmqsc command "REFRESH SECURITY" just before tracing so that the trace will show the queue manager querying the operating system for details about the user.

  2. Display information about the user, particularly the groups to which the user belongs. For example:

    1. Displaying user watson on Linux and UNIX

      sh> id watson > /tmp/
      sh> groups watson > /tmp/watson.groups.txt

      Display user "Thomas Watson" on Windows

      C:\> NET USER "Thomas Watson" > %TEMP%\watson.user.txt

      Displaying user WATSON at the IBM i Command Line


      Then use WRKSPLF option 5 to display the joblog from QPUSRPRF

Step 2: Collect Data

  1. Place the user information from Step 1 directly in the top-level MQ errors directory. Both the runmqras automation tool and the manual collection steps below collect files found there.

  2. Collect data automatically with the runmqras command if you are running IBM MQ V9.0 or V8.0, or WebSphere MQ V7.5, V7.1.0.1 or later, or V7.0.1.8 or later. Be sure to collect the runmqras defs and trace sections, and to specify your PMR number:

    1. Collecting runmqras output from queue manager QMA

      runmqras -section defs,trace -qmlist QMA -pmrno 12345,67R,890

  3. Alternatively, collect the MQ data manually.

    Collecting MQ data manually

    1. If your system has more than one MQ installation, use the setmqenv command to choose the one with the problem before proceeding:

      Linux and UNIX

      sh> . /path/to/mqm/bin/setmqenv -n InstallationX


      C:\> "C:\Program Files\IBM\MQ\bin\setmqenv" -n InstallationX

    2. Record the MQ version and maintenance level.

    3. Record the operating system version and maintenance level.

    4. Save the MQ configuration information, for example registry keys and ini files.

    5. If your system has more than one MQ installation, record your MQ installation details:

      Linux and UNIX

      sh> dspmqinst > /tmp/dspmqinst.txt


      C:\> dspmqinst > %TEMP%/dspmqinst.txt

    6. Display the MQ access control for the queue manager. For example:

      Displaying access control for queue manager QMA on Linux and UNIX

      sh> dmpmqaut -m QMA > /tmp/QMA.dmpmqaut.txt

      Displaying access control for queue manager QMA on Windows

      C:\> dmpmqaut -m QMA > %TEMP%\QMA.dmpmqaut.txt

      Displaying access control for queue manager QMA in the IBM i Qshell

      ===> /QSYS.LIB/QMQM.LIB/DMPMQAUT.PGM -m QMA > /tmp/QMA.dmpmqaut.txt

    7. On MQ V7.1 and later installations, use dmpmqcfg to record the queue manager configuration:

      Linux and UNIX

      sh> dmpmqcfg -m QMA > /tmp/QMA.config.txt


      C:\> dmpmqcfg -m QMA > %TEMP%\QMA.config.txt

      IBM i Qshell

      ===> /QSYS.LIB/QMQM.LIB/DMPMQCFG.PGM -m QMA > /tmp/QMA.config.txt

    8. Otherwise, on MQ V7.0 and earlier installations, use runmqsc to record the queue manager configuration. If any command gives an error, carry on with the others:

      DISPLAY Q(*) ALL

    9. Manually package your files for IBM, including files containing the output from the commands listed in Step 1 and 2.

Step 3: Send Data to IBM

  1. Send your data to the IBM ECuRep repository by email to, by standard or secure HTTP or FTP. or by using the IBM Secure Diagnostic Data Upload Utility (SDDUU) Java application.

  2. While the data is transferring, send an email or use the IBM Service Request tool to update your PMR with your description of the problem and of the data you are sending.

  3. Contact your country representative if you need to speak to an IBM technical support representative, or in the US call 1-800-IBM-SERV. Refer to the IBM Software Support Handbook for more information on working with IBM.

Product Alias/Synonym


Document information

More support for: WebSphere MQ
Problem Determination

Software version: 6.0, 7.0, 7.1, 7.5, 8.0, 9.0

Operating system(s): AIX, HP-UX, IBM i, Linux, Solaris, Windows

Software edition: All Editions

Reference #: 1291219

Modified date: 25 October 2016

Translate this page: