  • Latest Post - ‏2017-03-10T00:07:52Z by MoragH
michaesi

Pinned topic Channel Authorization error

2017-02-20T13:40:19Z

I have configured a Receiver Channel as follows:

I have created a user "csqmca" belonging to the same-name group (AIX) and used this User ID as the MCA UserID of this Channel.

Then I have granted the following authorities to the group csqmca

setmqaut -m QM_BOAP -t qmgr -g csqmca +connect +dsp +inq +setall
setmqaut -m QM_BOAP -n @class -t queue -g csqmca +none
setmqaut -m QM_BOAP -t qmgr -g csqmca +none
setmqaut -m QM_BOAP -n OL* -t queue -g csqmca +dsp +inq +put +passall +passid +setall +setid
setmqaut -m QM_BOAP -n OR* -t queue -g csqmca +dsp +inq +put +passall +passid +setall +setid

I found the following in the error log although I am not sure what is the cause:

02/20/17 08:41:23 - Process(24576034.114) User(mqm) Program(amqzlaa0)
                    Host(mqprod) Installation(Installation1)
                    VRMF(8.0.0.5) QMgr(QM_BOAP)
                   
AMQ8077: Entity 'csqmca' has insufficient authority to access object
'OC_KAT_TO_BOA'.

EXPLANATION:
The specified entity is not authorized to access the required object. The
following requested permissions are unauthorized: dsp
ACTION:
Ensure that the correct level of authority has been set for this entity against
the required object, or ensure that the entity is a member of a privileged
group.
----- amqzfubx.c : 687 --------------------------------------------------------

I have added the following authority record:

setmqaut -m QM_BOAP -n OC* -t channel -g csqmca +dsp

Is this behaviour expected? I thought that since this userID is the MCA UserID of the channel then it would not require any further authorities.

 

 

  • ErolG

    Re: Channel Authorization error

    ‏2017-02-28T05:49:59Z  

    Hi,

     

    What you have:
    setmqaut -m QM_BOAP -t qmgr -g csqmca +connect +dsp +inq +setall
    setmqaut -m QM_BOAP -n @class -t queue -g csqmca +none
    setmqaut -m QM_BOAP -t qmgr -g csqmca +none
    setmqaut -m QM_BOAP -n OL* -t queue -g csqmca +dsp +inq +put +passall +passid +setall +setid
    setmqaut -m QM_BOAP -n OR* -t queue -g csqmca +dsp +inq +put +passall +passid +setall +setid

     

    Please update your MQ authorities as so:
    setmqaut -m QM_BOAP -t qmgr -g csqmca +connect +dsp +inq +setall
    setmqaut -m QM_BOAP -n OL** -t queue -g csqmca +dsp +inq +put +passall +passid +setall +setid
    setmqaut -m QM_BOAP -n OR** -t queue -g csqmca +dsp +inq +put +passall +passid +setall +setid
    setmqaut -m QM_BOAP -n OC** -t queue -g csqmca +dsp +inq +put +passall +passid +setall +setid

     

    I would recommend not setting +setall either, for security reasons. Once you grant the relevant MQ
    authority, always remember to refresh your Queue Manager's internal security cache; otherwise, restart
    your Queue Manager.

    To refresh MQ Security cache:
    runmqsc QM_BOAP
    refresh security
    end

    Regards,

     

    Erol
     

    Updated on 2017-02-28T05:50:14Z by ErolG
  • MoragH

    Re: Channel Authorization error

    ‏2017-03-10T00:07:52Z  

    From your provided error message, we see the object name:-

    AMQ8077: Entity 'csqmca' has insufficient authority to access object
    'OC_KAT_TO_BOA'.

    EXPLANATION:
    The specified entity is not authorized to access the required object. The
    following requested permissions are unauthorized: dsp

    but unfortunately that error message doesn't show the object type. Your proposed solution to do the following:-

    I have added the following authority record:

    setmqaut -m QM_BOAP -n OC* -t channel -g csqmca +dsp

    suggests that it is a channel object. With a name including two queue manager names, KAT and BOA, joined with the word "TO", this seems likely. I assume that this channel that the error mentions is the receiver channel that you mention at the beginning of your question.

    You ask, "Is this behaviour expected? I thought that since this userID is the MCA UserID of the channel then it would not require any further authorities."

    Let me try to answer that part of your question.

    In order to determine the various attributes that have been defined on the channel, the running instance of the channel needs to be able to see the channel definition, for example, to find the value for heartbeats. It is normal for the running channel instance to need to be able to see the channel definition.

    Cheers
    Morag

     

    Updated on 2017-03-10T00:08:22Z by MoragH
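
Added example (not part of any post in this thread, and not IBM code): a small Python parser that collects AMQ8077 entries from a queue manager error log and reports which permissions were denied to which entity on which object. As the last reply points out, the message gives no object type, so the generated review line keeps `<OBJECT_TYPE>` and the group as placeholders. The sample log is constructed from the entry quoted above, and the function names and the permission-separator handling are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: the AMQ8077 entry quoted in this thread.
SAMPLE_LOG = """\
02/20/17 08:41:23 - Process(24576034.114) User(mqm) Program(amqzlaa0)
                    Host(mqprod) Installation(Installation1)
                    VRMF(8.0.0.5) QMgr(QM_BOAP)

AMQ8077: Entity 'csqmca' has insufficient authority to access object
'OC_KAT_TO_BOA'.

EXPLANATION:
The specified entity is not authorized to access the required object. The
following requested permissions are unauthorized: dsp
ACTION:
Ensure that the correct level of authority has been set for this entity.
----- amqzfubx.c : 687 --------------------------------------------------------
"""

ENTRY_END = re.compile(r"^-----.*-----\s*$", re.M)  # source-file trailer line
QMGR = re.compile(r"QMgr\(([^)]+)\)")
# Object names are limited to MQ's name characters, so they quote safely.
DENIED = re.compile(r"AMQ8077: Entity '([^']+)' has insufficient authority "
                    r"to access object '([A-Za-z0-9._/%]+)'")
PERMS = re.compile(r"permissions are unauthorized: (.*?)(?= ACTION:|$)")


def denied_access(log_text):
    """Map (qmgr, entity, object) -> sorted list of denied permissions."""
    found = defaultdict(set)
    for entry in ENTRY_END.split(log_text):
        flat = " ".join(entry.split())  # undo the 80-column wrapping
        qmgr, denied, perm = QMGR.search(flat), DENIED.search(flat), PERMS.search(flat)
        if not (qmgr and denied and perm):
            continue  # not a complete AMQ8077 entry
        # Assumption: permission names are lower-case words, any separator.
        key = (qmgr.group(1), *denied.groups())
        found[key] |= set(re.findall(r"[a-z]+", perm.group(1)))
    return {key: sorted(names) for key, names in found.items()}


def review_lines(denials):
    """Candidate grants for human review; type and group stay placeholders."""
    return [f"setmqaut -m {q} -n '{obj}' -t <OBJECT_TYPE> -g <GROUP_FOR_{ent}> "
            + " ".join("+" + p for p in names)
            for (q, ent, obj), names in sorted(denials.items())]
```

Repeated denials for the same entity and object are merged into one entry, which makes it easier to see the minimum set of authorities a channel's MCA user actually requested before granting anything broader.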