Troubleshooting
Problem
The most common problem is an authorization failure. The characteristic of this is an error box which displays:
Access not authorized. You are not authorized to perform this operation (AMQ4036).
Cause
Resolving The Problem
If the user name is not known, then it can be found in the AMQ8077 entry in the queue manager error logs.
Actions on the Unix remote host: host2
1. Create the required user on the remote machine
Login as user root.
Use the OS facilities to create the user, such as, AIX smit, HPUX sam or useradd, Solaris & Linux useradd.
The user name must be in lower case, that is, for user MYUSER on Windows create user myuser on UNIX.
2. Ensure that the listener is setup and running.
Login as an MQ administrator. The default is user: mqm
If you do not have an MQ Listener, you can define it as follows.
Notice that "control(qmgr)" is a very useful configuration because when the queue manager starts, it will automatically start the listener, and when the queue manager stops, then it will automatically stop the listener.
runmqsc MYQMGR
define listener(LISTENER) trptype(tcp) control(qmgr) port(1444)
start listener(LISTENER)
end
3. Ensure the command server is running
The command server's process name is amqpcsea.
ps -ef | grep amqpcsea
mqm 29248 1 0 09:22:00 - 0:00 amqpcsea MYQMGR
4. Create the server-connection SVRCONN channel
The channel name is SYSTEM.ADMIN.SVRCONN
runmqsc MYQMGR
def chl(SYSTEM.ADMIN.SVRCONN) chltype(SVRCONN) replace
end
There are several options at this point
a. If the customer wants the required userID to have full privileges over all MQ objects, add the userID to the Unix group "mqm", again using the OS facilities to do so. In this case there is no further action required.
The command in Linux is: usermod -a -G mqm userid
b. If restricted access to MQ objects is required, further commands are necessary as below
5. Grant specific authority over MQ objects to the required userID
Issue these setmqaut commands to grant minimal authority to the userID.
The purpose of the following setmqaut commands is:
5.a. GENERAL: Grant authority to access the queue manager.
setmqaut -m MYQMGR -t qmgr -p myuser +connect +inq +dsp
5.b. MQ EXPLORER: Grant authority to the client channel to get the command server reply messages.
setmqaut -m MYQMGR -t q -n SYSTEM.DEFAULT.MODEL.QUEUE -p myuser +inq +browse +get +dsp
5.c. MQ EXPLORER: Grant authority to put messages onto the command server input queue.
setmqaut -m MYQMGR -t q -n SYSTEM.ADMIN.COMMAND.QUEUE -p myuser +inq +put +dsp
5.d. MQ EXPLORER: Grant authority to get the reply messages.
setmqaut -m MYQMGR -t q -n SYSTEM.MQEXPLORER.REPLY.MODEL -p myuser +inq +browse +get +dsp +put
The user will need additional authorities to work with objects.
For example, fhe following command gives additional put/get authority for queue Q1.
setmqaut -m MYQMGR -t q -n Q1 -p myuser +inq +browse +get +put +dsp
The following command gives only the authority to display the names of the SYSTEM.* queues, (otherwise, the user cannot view the non-system queues, such as Q1, via MQ Explorer):
setmqaut -m MYQMGR -t q -n SYSTEM.** -p myuser +dsp
Product Synonym
WMQ MQ
Was this topic helpful?
Document Information
Modified date:
26 May 2020
UID
swg21250706