Topic
  • 12 replies
  • Latest Post - ‏2013-02-14T12:12:16Z by SystemAdmin
SystemAdmin
SystemAdmin
8523 Posts

Pinned topic Testing cluster with channel authentication in WebSphere mq 7.5

‏2012-10-30T15:45:15Z |
Hi,

I am testing queue manager cluster. I have a sample program which send messages to the cluster queue. Channel authentication is enabled. I am using use a non-administrator userid to access the queue manager, while connecting it's throwing Error '2035' ('MQRC_NOT_AUTHORIZED') . It works fine if I disabled channel authentication and for stand alone queue manger.

If I enable channel authentication , I'm getting 2035 .

Please help me.

Amar
Updated on 2014-03-06T11:54:47Z at 2014-03-06T11:54:47Z by Morag Hughson
  • Shashikanth@BLR
    Shashikanth@BLR
    132 Posts

    Re: Testing cluster with channel authentication in WebSphere mq 7.5

    ‏2012-11-03T13:32:57Z  
    Security has been beefed up in WebSphere MQ v7.5. By default channel authentication is enabled and it's for valid reason. You would want only authorized users connect to queue manager. Accessing queue managers using SYSTEM.* channels is blocked.

    The best practice is to create your own SVRCONN channel and create a channel authentication record for the user you want to allow access to queue manager. This way you will know who is connecting to your queue manager. Please follow http://pic.dhe.ibm.com/infocenter/wmqv7/v7r5/topic/com.ibm.mq.doc/zs14190_.htm for more details on channel authentication.
  • SystemAdmin
    SystemAdmin
    8523 Posts

    Re: Testing cluster with channel authentication in WebSphere mq 7.5

    ‏2012-11-05T06:47:02Z  
    Security has been beefed up in WebSphere MQ v7.5. By default channel authentication is enabled and it's for valid reason. You would want only authorized users connect to queue manager. Accessing queue managers using SYSTEM.* channels is blocked.

    The best practice is to create your own SVRCONN channel and create a channel authentication record for the user you want to allow access to queue manager. This way you will know who is connecting to your queue manager. Please follow http://pic.dhe.ibm.com/infocenter/wmqv7/v7r5/topic/com.ibm.mq.doc/zs14190_.htm for more details on channel authentication.
    Thanks for the reply Sashi.

    I have created my own channels for cluster as below. I have authorized a administrative user to connect to the queue manager.
    define CHANNEL(TO.AJ1) CHLTYPE(CLUSRCVR) TRPTYPE(TCP) CONNAME('9.55.49.220(6543)') CLUSTER(INVENTORY)
    define CHANNEL(TO.AJ2) CHLTYPE(CLUSSDR) TRPTYPE(TCP) CONNAME('9.55.49.221(6543)') CLUSTER(INVENTORY)

    The output of DISPLAY CHLAUTH(*) is
    1 : DISPLAY CHLAUTH(*)
    AMQ8878: Display channel authentication record details.
    CHLAUTH(SYSTEM.ADMIN.SVRCONN) TYPE(ADDRESSMAP)
    ADDRESS(*) USERSRC(CHANNEL)
    AMQ8878: Display channel authentication record details.
    CHLAUTH(SYSTEM.ADMIN.SVRCONN) TYPE(BLOCKUSER)
    USERLIST(nobody)
    AMQ8878: Display channel authentication record details.
    CHLAUTH(TO.AJ1) TYPE(ADDRESSMAP)
    ADDRESS(9.55.49.220) MCAUSER(mquser)
    AMQ8878: Display channel authentication record details.
    CHLAUTH(TO.AJ1) TYPE(ADDRESSMAP)
    ADDRESS(9.55.49.221) MCAUSER(mquser)
    AMQ8878: Display channel authentication record details.
    CHLAUTH(TO.AJ2) TYPE(ADDRESSMAP)
    ADDRESS(9.55.49.220) MCAUSER(mquser)
    AMQ8878: Display channel authentication record details.
    CHLAUTH(TO.AJ2) TYPE(ADDRESSMAP)
    ADDRESS(9.55.49.221) MCAUSER(mquser)
    AMQ8878: Display channel authentication record details.
    CHLAUTH(SYSTEM.*) TYPE(ADDRESSMAP)
    ADDRESS(*) USERSRC(NOACCESS)
    AMQ8878: Display channel authentication record details.
    CHLAUTH(*) TYPE(ADDRESSMAP)
    ADDRESS(9.55.*) USERSRC(CHANNEL)
    I still get 2035 MQRC_NOT_AUTHORIZED error.
  • fjb_saper
    fjb_saper
    170 Posts

    Re: Testing cluster with channel authentication in WebSphere mq 7.5

    ‏2012-11-12T03:31:07Z  
    Thanks for the reply Sashi.

    I have created my own channels for cluster as below. I have authorized a administrative user to connect to the queue manager.
    define CHANNEL(TO.AJ1) CHLTYPE(CLUSRCVR) TRPTYPE(TCP) CONNAME('9.55.49.220(6543)') CLUSTER(INVENTORY)
    define CHANNEL(TO.AJ2) CHLTYPE(CLUSSDR) TRPTYPE(TCP) CONNAME('9.55.49.221(6543)') CLUSTER(INVENTORY)

    The output of DISPLAY CHLAUTH(*) is
    1 : DISPLAY CHLAUTH(*)
    AMQ8878: Display channel authentication record details.
    CHLAUTH(SYSTEM.ADMIN.SVRCONN) TYPE(ADDRESSMAP)
    ADDRESS(*) USERSRC(CHANNEL)
    AMQ8878: Display channel authentication record details.
    CHLAUTH(SYSTEM.ADMIN.SVRCONN) TYPE(BLOCKUSER)
    USERLIST(nobody)
    AMQ8878: Display channel authentication record details.
    CHLAUTH(TO.AJ1) TYPE(ADDRESSMAP)
    ADDRESS(9.55.49.220) MCAUSER(mquser)
    AMQ8878: Display channel authentication record details.
    CHLAUTH(TO.AJ1) TYPE(ADDRESSMAP)
    ADDRESS(9.55.49.221) MCAUSER(mquser)
    AMQ8878: Display channel authentication record details.
    CHLAUTH(TO.AJ2) TYPE(ADDRESSMAP)
    ADDRESS(9.55.49.220) MCAUSER(mquser)
    AMQ8878: Display channel authentication record details.
    CHLAUTH(TO.AJ2) TYPE(ADDRESSMAP)
    ADDRESS(9.55.49.221) MCAUSER(mquser)
    AMQ8878: Display channel authentication record details.
    CHLAUTH(SYSTEM.*) TYPE(ADDRESSMAP)
    ADDRESS(*) USERSRC(NOACCESS)
    AMQ8878: Display channel authentication record details.
    CHLAUTH(*) TYPE(ADDRESSMAP)
    ADDRESS(9.55.*) USERSRC(CHANNEL)
    I still get 2035 MQRC_NOT_AUTHORIZED error.
    I do hope that mquser is not part of group mqm.
    Any administrative type of connection via a SVRCONN channel is by default refused.
  • SystemAdmin
    SystemAdmin
    8523 Posts

    Re: Testing cluster with channel authentication in WebSphere mq 7.5

    ‏2012-11-14T05:26:02Z  
    • fjb_saper
    • ‏2012-11-12T03:31:07Z
    I do hope that mquser is not part of group mqm.
    Any administrative type of connection via a SVRCONN channel is by default refused.
    Yes, mqmuser does not belong to administrative group ( mqm ).
  • SystemAdmin
    SystemAdmin
    8523 Posts

    Re: Testing cluster with channel authentication in WebSphere mq 7.5

    ‏2012-11-21T16:07:16Z  
    Thanks for the reply Sashi.

    I have created my own channels for cluster as below. I have authorized a administrative user to connect to the queue manager.
    define CHANNEL(TO.AJ1) CHLTYPE(CLUSRCVR) TRPTYPE(TCP) CONNAME('9.55.49.220(6543)') CLUSTER(INVENTORY)
    define CHANNEL(TO.AJ2) CHLTYPE(CLUSSDR) TRPTYPE(TCP) CONNAME('9.55.49.221(6543)') CLUSTER(INVENTORY)

    The output of DISPLAY CHLAUTH(*) is
    1 : DISPLAY CHLAUTH(*)
    AMQ8878: Display channel authentication record details.
    CHLAUTH(SYSTEM.ADMIN.SVRCONN) TYPE(ADDRESSMAP)
    ADDRESS(*) USERSRC(CHANNEL)
    AMQ8878: Display channel authentication record details.
    CHLAUTH(SYSTEM.ADMIN.SVRCONN) TYPE(BLOCKUSER)
    USERLIST(nobody)
    AMQ8878: Display channel authentication record details.
    CHLAUTH(TO.AJ1) TYPE(ADDRESSMAP)
    ADDRESS(9.55.49.220) MCAUSER(mquser)
    AMQ8878: Display channel authentication record details.
    CHLAUTH(TO.AJ1) TYPE(ADDRESSMAP)
    ADDRESS(9.55.49.221) MCAUSER(mquser)
    AMQ8878: Display channel authentication record details.
    CHLAUTH(TO.AJ2) TYPE(ADDRESSMAP)
    ADDRESS(9.55.49.220) MCAUSER(mquser)
    AMQ8878: Display channel authentication record details.
    CHLAUTH(TO.AJ2) TYPE(ADDRESSMAP)
    ADDRESS(9.55.49.221) MCAUSER(mquser)
    AMQ8878: Display channel authentication record details.
    CHLAUTH(SYSTEM.*) TYPE(ADDRESSMAP)
    ADDRESS(*) USERSRC(NOACCESS)
    AMQ8878: Display channel authentication record details.
    CHLAUTH(*) TYPE(ADDRESSMAP)
    ADDRESS(9.55.*) USERSRC(CHANNEL)
    I still get 2035 MQRC_NOT_AUTHORIZED error.
    May I suggest you look for the error message in your AMQERR01.LOG that indicates the channel has been blocked. In that error message will be the various characteristics of the inbound channel connection in question, channel name, ip address, remote queue manager name or client user ID depending on the type of channel, and SSL Peer name if SSL is in use.

    You can then take the information from that error message and form a DISPLAY CHLAUTH(chl-name) MATCH(RUNCHECK) .... command which will tell you exactly why that channel is being refused entry.

    If you are unsure of how to do this, please post the contents of the "channel is blocked" error message and I will take you through it.

    Cheers
    Morag
  • SystemAdmin
    SystemAdmin
    8523 Posts

    Re: Testing cluster with channel authentication in WebSphere mq 7.5

    ‏2013-01-24T16:38:08Z  
    May I suggest you look for the error message in your AMQERR01.LOG that indicates the channel has been blocked. In that error message will be the various characteristics of the inbound channel connection in question, channel name, ip address, remote queue manager name or client user ID depending on the type of channel, and SSL Peer name if SSL is in use.

    You can then take the information from that error message and form a DISPLAY CHLAUTH(chl-name) MATCH(RUNCHECK) .... command which will tell you exactly why that channel is being refused entry.

    If you are unsure of how to do this, please post the contents of the "channel is blocked" error message and I will take you through it.

    Cheers
    Morag
    Hi Morag,

    Below is the output for AMQERR01.LOG
    cmqxrmsa.c : 910
    10/25/12 08:52:43 - Process(6095024.42) User(mqm) Program(amqrmppa)
    Host(dubua018v02) Installation(Installation1)
    VRMF(7.5.0.0) QMgr(INDUSQM1)

    AMQ9999: Channel 'SYSTEM.DEF.SVRCONN' to host 'dubua018v01 (9.55.49.220)' ended
    abnormally.

    EXPLANATION:
    The channel program running under process ID 6095024 for channel
    'SYSTEM.DEF.SVRCONN' ended abnormally. The host name is 'dubua018v01
    (9.55.49.220)'; in some cases the host name cannot be determined and so is
    shown as '????'.
    ACTION:
    Look at previous error messages for the channel program in the error logs to
    determine the cause of the failure. Note that this message can be excluded
    completely or suppressed by tuning the "ExcludeMessage" or "SuppressMessage"
    attributes under the "QMErrorLog" stanza in qm.ini. Further information can be
    found in the System Administration Guide.

    amqrmrsa.c : 898
    10/25/12 09:00:14 - Process(6095024.44) User(mqm) Program(amqrmppa)
    Host(dubua018v02) Installation(Installation1)
    VRMF(7.5.0.0) QMgr(INDUSQM1)

    AMQ9777: Channel was blocked

    EXPLANATION:
    The inbound channel 'SYSTEM.DEF.SVRCONN' was blocked from address '9.55.49.220'
    because the active values of the channel matched a record configured with
    USERSRC(NOACCESS). The active values of the channel were 'CLNTUSER(mqm)'.
    ACTION:
    Contact the systems administrator, who should examine the channel
    authentication records to ensure that the correct settings have been
    configured. The ALTER QMGR CHLAUTH switch is used to control whether channel
    authentication records are used. The command DISPLAY CHLAUTH can be used to
    query the channel authentication records.

    cmqxrmsa.c : 910
    10/25/12 09:00:14 - Process(6095024.44) User(mqm) Program(amqrmppa)
    Host(dubua018v02) Installation(Installation1)
    VRMF(7.5.0.0) QMgr(INDUSQM1)

    AMQ9999: Channel 'SYSTEM.DEF.SVRCONN' to host 'dubua018v01 (9.55.49.220)' ended
    abnormally.

    EXPLANATION:
    The channel program running under process ID 6095024 for channel
    'SYSTEM.DEF.SVRCONN' ended abnormally. The host name is 'dubua018v01
    (9.55.49.220)'; in some cases the host name cannot be determined and so is
    shown as '????'.
    ACTION:
    Look at previous error messages for the channel program in the error logs to
    determine the cause of the failure. Note that this message can be excluded
    completely or suppressed by tuning the "ExcludeMessage" or "SuppressMessage"
    attributes under the "QMErrorLog" stanza in qm.ini. Further information can be
    found in the System Administration Guide.

    amqrmrsa.c : 898
    10/25/12 09:14:11 - Process(6095024.46) User(mqm) Program(amqrmppa)
    Host(dubua018v02) Installation(Installation1)
    VRMF(7.5.0.0) QMgr(INDUSQM1)

    AMQ9777: Channel was blocked

    EXPLANATION:
    The inbound channel 'SYSTEM.DEF.SVRCONN' was blocked from address '9.55.49.220'
    because the active values of the channel matched a record configured with
    USERSRC(NOACCESS). The active values of the channel were 'CLNTUSER(mqm)'.
    ACTION:
    Contact the systems administrator, who should examine the channel
    authentication records to ensure that the correct settings have been
    configured. The ALTER QMGR CHLAUTH switch is used to control whether channel
    authentication records are used. The command DISPLAY CHLAUTH can be used to
    query the channel authentication records.

    cmqxrmsa.c : 910
    10/25/12 09:14:11 - Process(6095024.46) User(mqm) Program(amqrmppa)
    Host(dubua018v02) Installation(Installation1)
    VRMF(7.5.0.0) QMgr(INDUSQM1)

    AMQ9999: Channel 'SYSTEM.DEF.SVRCONN' to host 'dubua018v01 (9.55.49.220)' ended
    abnormally.

    EXPLANATION:
    The channel program running under process ID 6095024 for channel
    'SYSTEM.DEF.SVRCONN' ended abnormally. The host name is 'dubua018v01
    (9.55.49.220)'; in some cases the host name cannot be determined and so is
    shown as '????'.
    ACTION:
    Look at previous error messages for the channel program in the error logs to
    determine the cause of the failure. Note that this message can be excluded
    completely or suppressed by tuning the "ExcludeMessage" or "SuppressMessage"
    attributes under the "QMErrorLog" stanza in qm.ini. Further information can be
    found in the System Administration Guide.

    amqrmrsa.c : 898
    10/25/12 09:15:52 - Process(6095024.48) User(mqm) Program(amqrmppa)
    Host(dubua018v02) Installation(Installation1)
    VRMF(7.5.0.0) QMgr(INDUSQM1)

    AMQ9777: Channel was blocked

    EXPLANATION:
    The inbound channel 'SYSTEM.DEF.SVRCONN' was blocked from address '9.55.49.221'
    because the active values of the channel matched a record configured with
    USERSRC(NOACCESS). The active values of the channel were 'CLNTUSER(mqm)'.
    ACTION:
    Contact the systems administrator, who should examine the channel
    authentication records to ensure that the correct settings have been
    configured. The ALTER QMGR CHLAUTH switch is used to control whether channel
    authentication records are used. The command DISPLAY CHLAUTH can be used to
    query the channel authentication records.

    cmqxrmsa.c : 910
    10/25/12 09:15:52 - Process(6095024.48) User(mqm) Program(amqrmppa)
    Host(dubua018v02) Installation(Installation1)
    VRMF(7.5.0.0) QMgr(INDUSQM1)

    AMQ9999: Channel 'SYSTEM.DEF.SVRCONN' to host 'dubua018v02 (9.55.49.221)' ended
    abnormally.

    EXPLANATION:
    The channel program running under process ID 6095024 for channel
    'SYSTEM.DEF.SVRCONN' ended abnormally. The host name is 'dubua018v02
    (9.55.49.221)'; in some cases the host name cannot be determined and so is
    shown as '????'.
    ACTION:
    Look at previous error messages for the channel program in the error logs to
    determine the cause of the failure. Note that this message can be excluded
    completely or suppressed by tuning the "ExcludeMessage" or "SuppressMessage"
    attributes under the "QMErrorLog" stanza in qm.ini. Further information can be
    found in the System Administration Guide.

    amqrmrsa.c : 898
    10/25/12 09:24:07 - Process(6095024.50) User(mqm) Program(amqrmppa)
    Host(dubua018v02) Installation(Installation1)
    VRMF(7.5.0.0) QMgr(INDUSQM1)

    AMQ9777: Channel was blocked

    EXPLANATION:
    The inbound channel 'SYSTEM.DEF.SVRCONN' was blocked from address '9.55.49.221'
    because the active values of the channel matched a record configured with
    USERSRC(NOACCESS). The active values of the channel were 'CLNTUSER(test1)'.
    ACTION:
    Contact the systems administrator, who should examine the channel
    authentication records to ensure that the correct settings have been
    configured. The ALTER QMGR CHLAUTH switch is used to control whether channel
    authentication records are used. The command DISPLAY CHLAUTH can be used to
    query the channel authentication records.

    cmqxrmsa.c : 910
    10/25/12 09:24:07 - Process(6095024.50) User(mqm) Program(amqrmppa)
    Host(dubua018v02) Installation(Installation1)
    VRMF(7.5.0.0) QMgr(INDUSQM1)

    AMQ9999: Channel 'SYSTEM.DEF.SVRCONN' to host 'dubua018v02 (9.55.49.221)' ended
    abnormally.

    EXPLANATION:
    The channel program running under process ID 6095024 for channel
    'SYSTEM.DEF.SVRCONN' ended abnormally. The host name is 'dubua018v02
    (9.55.49.221)'; in some cases the host name cannot be determined and so is
    shown as '????'.
    ACTION:
    Look at previous error messages for the channel program in the error logs to
    determine the cause of the failure. Note that this message can be excluded
    completely or suppressed by tuning the "ExcludeMessage" or "SuppressMessage"
    attributes under the "QMErrorLog" stanza in qm.ini. Further information can be
    found in the System Administration Guide.

    amqrmrsa.c : 898
    10/25/12 09:25:30 - Process(6095024.52) User(mqm) Program(amqrmppa)
    Host(dubua018v02) Installation(Installation1)
    VRMF(7.5.0.0) QMgr(INDUSQM1)

    AMQ9777: Channel was blocked

    EXPLANATION:
    The inbound channel 'SYSTEM.DEF.SVRCONN' was blocked from address '9.55.49.221'
    because the active values of the channel matched a record configured with
    USERSRC(NOACCESS). The active values of the channel were 'CLNTUSER(test1)'.
    ACTION:
    Contact the systems administrator, who should examine the channel
    authentication records to ensure that the correct settings have been
    configured. The ALTER QMGR CHLAUTH switch is used to control whether channel
    authentication records are used. The command DISPLAY CHLAUTH can be used to
    query the channel authentication records.

    cmqxrmsa.c : 910
    10/25/12 09:25:30 - Process(6095024.52) User(mqm) Program(amqrmppa)
    Host(dubua018v02) Installation(Installation1)
    VRMF(7.5.0.0) QMgr(INDUSQM1)

    AMQ9999: Channel 'SYSTEM.DEF.SVRCONN' to host 'dubua018v02 (9.55.49.221)' ended
    abnormally.

    EXPLANATION:
    The channel program running under process ID 6095024 for channel
    'SYSTEM.DEF.SVRCONN' ended abnormally. The host name is 'dubua018v02
    (9.55.49.221)'; in some cases the host name cannot be determined and so is
    shown as '????'.
    ACTION:
    Look at previous error messages for the channel program in the error logs to
    determine the cause of the failure. Note that this message can be excluded
    completely or suppressed by tuning the "ExcludeMessage" or "SuppressMessage"
    attributes under the "QMErrorLog" stanza in qm.ini. Further information can be
    found in the System Administration Guide.

    amqrmrsa.c : 898
    10/25/12 09:28:57 - Process(6095024.54) User(mqm) Program(amqrmppa)
    Host(dubua018v02) Installation(Installation1)
    VRMF(7.5.0.0) QMgr(INDUSQM1)

    AMQ9777: Channel was blocked

    EXPLANATION:
    The inbound channel 'SYSTEM.DEF.SVRCONN' was blocked from address '9.55.49.220'
    because the active values of the channel matched a record configured with
    USERSRC(NOACCESS). The active values of the channel were 'CLNTUSER(mqm)'.
    ACTION:
    Contact the systems administrator, who should examine the channel
    authentication records to ensure that the correct settings have been
    configured. The ALTER QMGR CHLAUTH switch is used to control whether channel
    authentication records are used. The command DISPLAY CHLAUTH can be used to
    query the channel authentication records.

    cmqxrmsa.c : 910
    10/25/12 09:28:57 - Process(6095024.54) User(mqm) Program(amqrmppa)
    Host(dubua018v02) Installation(Installation1)
    VRMF(7.5.0.0) QMgr(INDUSQM1)

    AMQ9999: Channel 'SYSTEM.DEF.SVRCONN' to host 'dubua018v01 (9.55.49.220)' ended
    abnormally.

    EXPLANATION:
    The channel program running under process ID 6095024 for channel
    'SYSTEM.DEF.SVRCONN' ended abnormally. The host name is 'dubua018v01
    (9.55.49.220)'; in some cases the host name cannot be determined and so is
    shown as '????'.
    ACTION:
    Look at previous error messages for the channel program in the error logs to
    determine the cause of the failure. Note that this message can be excluded
    completely or suppressed by tuning the "ExcludeMessage" or "SuppressMessage"
    attributes under the "QMErrorLog" stanza in qm.ini. Further information can be
    found in the System Administration Guide.

    amqrmrsa.c : 898
    10/25/12 09:29:29 - Process(6095024.56) User(mqm) Program(amqrmppa)
    Host(dubua018v02) Installation(Installation1)
    VRMF(7.5.0.0) QMgr(INDUSQM1)

    AMQ9777: Channel was blocked

    EXPLANATION:
    The inbound channel 'SYSTEM.DEF.SVRCONN' was blocked from address '9.55.49.220'
    because the active values of the channel matched a record configured with
    USERSRC(NOACCESS). The active values of the channel were 'CLNTUSER(mqm)'.
    ACTION:
    Contact the systems administrator, who should examine the channel
    authentication records to ensure that the correct settings have been
    configured. The ALTER QMGR CHLAUTH switch is used to control whether channel
    authentication records are used. The command DISPLAY CHLAUTH can be used to
    query the channel authentication records.

    cmqxrmsa.c : 910
    10/25/12 09:29:29 - Process(6095024.56) User(mqm) Program(amqrmppa)
    Host(dubua018v02) Installation(Installation1)
    VRMF(7.5.0.0) QMgr(INDUSQM1)

    AMQ9999: Channel 'SYSTEM.DEF.SVRCONN' to host 'dubua018v01 (9.55.49.220)' ended
    abnormally.

    EXPLANATION:
    The channel program running under process ID 6095024 for channel
    'SYSTEM.DEF.SVRCONN' ended abnormally. The host name is 'dubua018v01
    (9.55.49.220)'; in some cases the host name cannot be determined and so is
    shown as '????'.
    ACTION:
    Look at previous error messages for the channel program in the error logs to
    determine the cause of the failure. Note that this message can be excluded
    completely or suppressed by tuning the "ExcludeMessage" or "SuppressMessage"
    attributes under the "QMErrorLog" stanza in qm.ini. Further information can be
    found in the System Administration Guide.

    amqrmrsa.c : 898
    10/30/12 12:42:55 - Process(6095024.59) User(mqm) Program(amqrmppa)
    Host(dubua018v02) Installation(Installation1)
    VRMF(7.5.0.0) QMgr(INDUSQM1)

    AMQ9207: The data received from host 'iss06 (9.42.115.206)' on channel '????'
    is not valid.

    EXPLANATION:
    Incorrect data format received from host 'iss06 (9.42.115.206)' over TCP/IP. It
    may be that an unknown host is attempting to send data. An FFST file has been
    generated containing the invalid data received.

    The channel name is '????'; in some cases it cannot be determined and so is
    shown as '????'.
    ACTION:
    Tell the systems administrator.

    amqccita.c : 3842
    10/30/12 12:42:55 - Process(6095024.59) User(mqm) Program(amqrmppa)
    Host(dubua018v02) Installation(Installation1)
    VRMF(7.5.0.0) QMgr(INDUSQM1)

    AMQ9492: The TCP/IP responder program encountered an error.

    EXPLANATION:
    The responder program was started but detected an error.

    The host name was 'iss06 (9.42.115.206)'; in some cases the host name cannot be
    determined and so is shown as '????'.
    ACTION:
    Look at previous error messages in the error files to determine the error
    encountered by the responder program.

    amqrmrsa.c : 889
    10/31/12 08:09:13 - Process(6095024.62) User(mqm) Program(amqrmppa)
    Host(dubua018v02) Installation(Installation1)
    VRMF(7.5.0.0) QMgr(INDUSQM1)

    AMQ9002: Channel 'TO.INDUSQM2' is starting.

    EXPLANATION:
    Channel 'TO.INDUSQM2' is starting.
    ACTION:
    None.
  • SystemAdmin
    SystemAdmin
    8523 Posts

    Re: Testing cluster with channel authentication in WebSphere mq 7.5

    ‏2013-01-24T17:54:57Z  
    Hi Morag,

    Below is the output for AMQERR01.LOG
    cmqxrmsa.c : 910
    10/25/12 08:52:43 - Process(6095024.42) User(mqm) Program(amqrmppa)
    Host(dubua018v02) Installation(Installation1)
    VRMF(7.5.0.0) QMgr(INDUSQM1)

    AMQ9999: Channel 'SYSTEM.DEF.SVRCONN' to host 'dubua018v01 (9.55.49.220)' ended
    abnormally.

    EXPLANATION:
    The channel program running under process ID 6095024 for channel
    'SYSTEM.DEF.SVRCONN' ended abnormally. The host name is 'dubua018v01
    (9.55.49.220)'; in some cases the host name cannot be determined and so is
    shown as '????'.
    ACTION:
    Look at previous error messages for the channel program in the error logs to
    determine the cause of the failure. Note that this message can be excluded
    completely or suppressed by tuning the "ExcludeMessage" or "SuppressMessage"
    attributes under the "QMErrorLog" stanza in qm.ini. Further information can be
    found in the System Administration Guide.

    amqrmrsa.c : 898
    10/25/12 09:00:14 - Process(6095024.44) User(mqm) Program(amqrmppa)
    Host(dubua018v02) Installation(Installation1)
    VRMF(7.5.0.0) QMgr(INDUSQM1)

    AMQ9777: Channel was blocked

    EXPLANATION:
    The inbound channel 'SYSTEM.DEF.SVRCONN' was blocked from address '9.55.49.220'
    because the active values of the channel matched a record configured with
    USERSRC(NOACCESS). The active values of the channel were 'CLNTUSER(mqm)'.
    ACTION:
    Contact the systems administrator, who should examine the channel
    authentication records to ensure that the correct settings have been
    configured. The ALTER QMGR CHLAUTH switch is used to control whether channel
    authentication records are used. The command DISPLAY CHLAUTH can be used to
    query the channel authentication records.

    cmqxrmsa.c : 910
    10/25/12 09:00:14 - Process(6095024.44) User(mqm) Program(amqrmppa)
    Host(dubua018v02) Installation(Installation1)
    VRMF(7.5.0.0) QMgr(INDUSQM1)

    AMQ9999: Channel 'SYSTEM.DEF.SVRCONN' to host 'dubua018v01 (9.55.49.220)' ended
    abnormally.

    EXPLANATION:
    The channel program running under process ID 6095024 for channel
    'SYSTEM.DEF.SVRCONN' ended abnormally. The host name is 'dubua018v01
    (9.55.49.220)'; in some cases the host name cannot be determined and so is
    shown as '????'.
    ACTION:
    Look at previous error messages for the channel program in the error logs to
    determine the cause of the failure. Note that this message can be excluded
    completely or suppressed by tuning the "ExcludeMessage" or "SuppressMessage"
    attributes under the "QMErrorLog" stanza in qm.ini. Further information can be
    found in the System Administration Guide.

    amqrmrsa.c : 898
    10/25/12 09:14:11 - Process(6095024.46) User(mqm) Program(amqrmppa)
    Host(dubua018v02) Installation(Installation1)
    VRMF(7.5.0.0) QMgr(INDUSQM1)

    AMQ9777: Channel was blocked

    EXPLANATION:
    The inbound channel 'SYSTEM.DEF.SVRCONN' was blocked from address '9.55.49.220'
    because the active values of the channel matched a record configured with
    USERSRC(NOACCESS). The active values of the channel were 'CLNTUSER(mqm)'.
    ACTION:
    Contact the systems administrator, who should examine the channel
    authentication records to ensure that the correct settings have been
    configured. The ALTER QMGR CHLAUTH switch is used to control whether channel
    authentication records are used. The command DISPLAY CHLAUTH can be used to
    query the channel authentication records.

    cmqxrmsa.c : 910
    10/25/12 09:14:11 - Process(6095024.46) User(mqm) Program(amqrmppa)
    Host(dubua018v02) Installation(Installation1)
    VRMF(7.5.0.0) QMgr(INDUSQM1)

    AMQ9999: Channel 'SYSTEM.DEF.SVRCONN' to host 'dubua018v01 (9.55.49.220)' ended
    abnormally.

    EXPLANATION:
    The channel program running under process ID 6095024 for channel
    'SYSTEM.DEF.SVRCONN' ended abnormally. The host name is 'dubua018v01
    (9.55.49.220)'; in some cases the host name cannot be determined and so is
    shown as '????'.
    ACTION:
    Look at previous error messages for the channel program in the error logs to
    determine the cause of the failure. Note that this message can be excluded
    completely or suppressed by tuning the "ExcludeMessage" or "SuppressMessage"
    attributes under the "QMErrorLog" stanza in qm.ini. Further information can be
    found in the System Administration Guide.

    amqrmrsa.c : 898
    10/25/12 09:15:52 - Process(6095024.48) User(mqm) Program(amqrmppa)
    Host(dubua018v02) Installation(Installation1)
    VRMF(7.5.0.0) QMgr(INDUSQM1)

    AMQ9777: Channel was blocked

    EXPLANATION:
    The inbound channel 'SYSTEM.DEF.SVRCONN' was blocked from address '9.55.49.221'
    because the active values of the channel matched a record configured with
    USERSRC(NOACCESS). The active values of the channel were 'CLNTUSER(mqm)'.
    ACTION:
    Contact the systems administrator, who should examine the channel
    authentication records to ensure that the correct settings have been
    configured. The ALTER QMGR CHLAUTH switch is used to control whether channel
    authentication records are used. The command DISPLAY CHLAUTH can be used to
    query the channel authentication records.

    cmqxrmsa.c : 910
    10/25/12 09:15:52 - Process(6095024.48) User(mqm) Program(amqrmppa)
    Host(dubua018v02) Installation(Installation1)
    VRMF(7.5.0.0) QMgr(INDUSQM1)

    AMQ9999: Channel 'SYSTEM.DEF.SVRCONN' to host 'dubua018v02 (9.55.49.221)' ended
    abnormally.

    EXPLANATION:
    The channel program running under process ID 6095024 for channel
    'SYSTEM.DEF.SVRCONN' ended abnormally. The host name is 'dubua018v02
    (9.55.49.221)'; in some cases the host name cannot be determined and so is
    shown as '????'.
    ACTION:
    Look at previous error messages for the channel program in the error logs to
    determine the cause of the failure. Note that this message can be excluded
    completely or suppressed by tuning the "ExcludeMessage" or "SuppressMessage"
    attributes under the "QMErrorLog" stanza in qm.ini. Further information can be
    found in the System Administration Guide.

    amqrmrsa.c : 898
    10/25/12 09:24:07 - Process(6095024.50) User(mqm) Program(amqrmppa)
    Host(dubua018v02) Installation(Installation1)
    VRMF(7.5.0.0) QMgr(INDUSQM1)

    AMQ9777: Channel was blocked

    EXPLANATION:
    The inbound channel 'SYSTEM.DEF.SVRCONN' was blocked from address '9.55.49.221'
    because the active values of the channel matched a record configured with
    USERSRC(NOACCESS). The active values of the channel were 'CLNTUSER(test1)'.
    ACTION:
    Contact the systems administrator, who should examine the channel
    authentication records to ensure that the correct settings have been
    configured. The ALTER QMGR CHLAUTH switch is used to control whether channel
    authentication records are used. The command DISPLAY CHLAUTH can be used to
    query the channel authentication records.

    cmqxrmsa.c : 910
    10/25/12 09:24:07 - Process(6095024.50) User(mqm) Program(amqrmppa)
    Host(dubua018v02) Installation(Installation1)
    VRMF(7.5.0.0) QMgr(INDUSQM1)

    AMQ9999: Channel 'SYSTEM.DEF.SVRCONN' to host 'dubua018v02 (9.55.49.221)' ended
    abnormally.

    EXPLANATION:
    The channel program running under process ID 6095024 for channel
    'SYSTEM.DEF.SVRCONN' ended abnormally. The host name is 'dubua018v02
    (9.55.49.221)'; in some cases the host name cannot be determined and so is
    shown as '????'.
    ACTION:
    Look at previous error messages for the channel program in the error logs to
    determine the cause of the failure. Note that this message can be excluded
    completely or suppressed by tuning the "ExcludeMessage" or "SuppressMessage"
    attributes under the "QMErrorLog" stanza in qm.ini. Further information can be
    found in the System Administration Guide.

    amqrmrsa.c : 898
    10/25/12 09:25:30 - Process(6095024.52) User(mqm) Program(amqrmppa)
    Host(dubua018v02) Installation(Installation1)
    VRMF(7.5.0.0) QMgr(INDUSQM1)

    AMQ9777: Channel was blocked

    EXPLANATION:
    The inbound channel 'SYSTEM.DEF.SVRCONN' was blocked from address '9.55.49.221'
    because the active values of the channel matched a record configured with
    USERSRC(NOACCESS). The active values of the channel were 'CLNTUSER(test1)'.
    ACTION:
    Contact the systems administrator, who should examine the channel
    authentication records to ensure that the correct settings have been
    configured. The ALTER QMGR CHLAUTH switch is used to control whether channel
    authentication records are used. The command DISPLAY CHLAUTH can be used to
    query the channel authentication records.

    cmqxrmsa.c : 910
    10/25/12 09:25:30 - Process(6095024.52) User(mqm) Program(amqrmppa)
    Host(dubua018v02) Installation(Installation1)
    VRMF(7.5.0.0) QMgr(INDUSQM1)

    AMQ9999: Channel 'SYSTEM.DEF.SVRCONN' to host 'dubua018v02 (9.55.49.221)' ended
    abnormally.

    EXPLANATION:
    The channel program running under process ID 6095024 for channel
    'SYSTEM.DEF.SVRCONN' ended abnormally. The host name is 'dubua018v02
    (9.55.49.221)'; in some cases the host name cannot be determined and so is
    shown as '????'.
    ACTION:
    Look at previous error messages for the channel program in the error logs to
    determine the cause of the failure. Note that this message can be excluded
    completely or suppressed by tuning the "ExcludeMessage" or "SuppressMessage"
    attributes under the "QMErrorLog" stanza in qm.ini. Further information can be
    found in the System Administration Guide.

    amqrmrsa.c : 898
    10/25/12 09:28:57 - Process(6095024.54) User(mqm) Program(amqrmppa)
    Host(dubua018v02) Installation(Installation1)
    VRMF(7.5.0.0) QMgr(INDUSQM1)

    AMQ9777: Channel was blocked

    EXPLANATION:
    The inbound channel 'SYSTEM.DEF.SVRCONN' was blocked from address '9.55.49.220'
    because the active values of the channel matched a record configured with
    USERSRC(NOACCESS). The active values of the channel were 'CLNTUSER(mqm)'.
    ACTION:
    Contact the systems administrator, who should examine the channel
    authentication records to ensure that the correct settings have been
    configured. The ALTER QMGR CHLAUTH switch is used to control whether channel
    authentication records are used. The command DISPLAY CHLAUTH can be used to
    query the channel authentication records.

    cmqxrmsa.c : 910
    10/25/12 09:28:57 - Process(6095024.54) User(mqm) Program(amqrmppa)
    Host(dubua018v02) Installation(Installation1)
    VRMF(7.5.0.0) QMgr(INDUSQM1)

    AMQ9999: Channel 'SYSTEM.DEF.SVRCONN' to host 'dubua018v01 (9.55.49.220)' ended
    abnormally.

    EXPLANATION:
    The channel program running under process ID 6095024 for channel
    'SYSTEM.DEF.SVRCONN' ended abnormally. The host name is 'dubua018v01
    (9.55.49.220)'; in some cases the host name cannot be determined and so is
    shown as '????'.
    ACTION:
    Look at previous error messages for the channel program in the error logs to
    determine the cause of the failure. Note that this message can be excluded
    completely or suppressed by tuning the "ExcludeMessage" or "SuppressMessage"
    attributes under the "QMErrorLog" stanza in qm.ini. Further information can be
    found in the System Administration Guide.

    amqrmrsa.c : 898
    10/25/12 09:29:29 - Process(6095024.56) User(mqm) Program(amqrmppa)
    Host(dubua018v02) Installation(Installation1)
    VRMF(7.5.0.0) QMgr(INDUSQM1)

    AMQ9777: Channel was blocked

    EXPLANATION:
    The inbound channel 'SYSTEM.DEF.SVRCONN' was blocked from address '9.55.49.220'
    because the active values of the channel matched a record configured with
    USERSRC(NOACCESS). The active values of the channel were 'CLNTUSER(mqm)'.
    ACTION:
    Contact the systems administrator, who should examine the channel
    authentication records to ensure that the correct settings have been
    configured. The ALTER QMGR CHLAUTH switch is used to control whether channel
    authentication records are used. The command DISPLAY CHLAUTH can be used to
    query the channel authentication records.

    cmqxrmsa.c : 910
    10/25/12 09:29:29 - Process(6095024.56) User(mqm) Program(amqrmppa)
    Host(dubua018v02) Installation(Installation1)
    VRMF(7.5.0.0) QMgr(INDUSQM1)

    AMQ9999: Channel 'SYSTEM.DEF.SVRCONN' to host 'dubua018v01 (9.55.49.220)' ended
    abnormally.

    EXPLANATION:
    The channel program running under process ID 6095024 for channel
    'SYSTEM.DEF.SVRCONN' ended abnormally. The host name is 'dubua018v01
    (9.55.49.220)'; in some cases the host name cannot be determined and so is
    shown as '????'.
    ACTION:
    Look at previous error messages for the channel program in the error logs to
    determine the cause of the failure. Note that this message can be excluded
    completely or suppressed by tuning the "ExcludeMessage" or "SuppressMessage"
    attributes under the "QMErrorLog" stanza in qm.ini. Further information can be
    found in the System Administration Guide.

    amqrmrsa.c : 898
    10/30/12 12:42:55 - Process(6095024.59) User(mqm) Program(amqrmppa)
    Host(dubua018v02) Installation(Installation1)
    VRMF(7.5.0.0) QMgr(INDUSQM1)

    AMQ9207: The data received from host 'iss06 (9.42.115.206)' on channel '????'
    is not valid.

    EXPLANATION:
    Incorrect data format received from host 'iss06 (9.42.115.206)' over TCP/IP. It
    may be that an unknown host is attempting to send data. An FFST file has been
    generated containing the invalid data received.

    The channel name is '????'; in some cases it cannot be determined and so is
    shown as '????'.
    ACTION:
    Tell the systems administrator.

    amqccita.c : 3842
    10/30/12 12:42:55 - Process(6095024.59) User(mqm) Program(amqrmppa)
    Host(dubua018v02) Installation(Installation1)
    VRMF(7.5.0.0) QMgr(INDUSQM1)

    AMQ9492: The TCP/IP responder program encountered an error.

    EXPLANATION:
    The responder program was started but detected an error.

    The host name was 'iss06 (9.42.115.206)'; in some cases the host name cannot be
    determined and so is shown as '????'.
    ACTION:
    Look at previous error messages in the error files to determine the error
    encountered by the responder program.

    amqrmrsa.c : 889
    10/31/12 08:09:13 - Process(6095024.62) User(mqm) Program(amqrmppa)
    Host(dubua018v02) Installation(Installation1)
    VRMF(7.5.0.0) QMgr(INDUSQM1)

    AMQ9002: Channel 'TO.INDUSQM2' is starting.

    EXPLANATION:
    Channel 'TO.INDUSQM2' is starting.
    ACTION:
    None.
    So the error message shows that the user ID from the client machine is mqm

    CLNTUSER(mqm)

    therefore this would be blocked by one of the default CHLAUTH rules. The one with *MQADMIN in it.

    Cheers
    Morag
  • SystemAdmin
    SystemAdmin
    8523 Posts

    Re: Testing cluster with channel authentication in WebSphere mq 7.5

    ‏2013-01-24T17:59:20Z  
    Hi Morag,

    Below is the output for AMQERR01.LOG
    cmqxrmsa.c : 910
    10/25/12 08:52:43 - Process(6095024.42) User(mqm) Program(amqrmppa)
    Host(dubua018v02) Installation(Installation1)
    VRMF(7.5.0.0) QMgr(INDUSQM1)

    AMQ9999: Channel 'SYSTEM.DEF.SVRCONN' to host 'dubua018v01 (9.55.49.220)' ended
    abnormally.

    EXPLANATION:
    The channel program running under process ID 6095024 for channel
    'SYSTEM.DEF.SVRCONN' ended abnormally. The host name is 'dubua018v01
    (9.55.49.220)'; in some cases the host name cannot be determined and so is
    shown as '????'.
    ACTION:
    Look at previous error messages for the channel program in the error logs to
    determine the cause of the failure. Note that this message can be excluded
    completely or suppressed by tuning the "ExcludeMessage" or "SuppressMessage"
    attributes under the "QMErrorLog" stanza in qm.ini. Further information can be
    found in the System Administration Guide.

    amqrmrsa.c : 898
    10/25/12 09:00:14 - Process(6095024.44) User(mqm) Program(amqrmppa)
    Host(dubua018v02) Installation(Installation1)
    VRMF(7.5.0.0) QMgr(INDUSQM1)

    AMQ9777: Channel was blocked

    EXPLANATION:
    The inbound channel 'SYSTEM.DEF.SVRCONN' was blocked from address '9.55.49.220'
    because the active values of the channel matched a record configured with
    USERSRC(NOACCESS). The active values of the channel were 'CLNTUSER(mqm)'.
    ACTION:
    Contact the systems administrator, who should examine the channel
    authentication records to ensure that the correct settings have been
    configured. The ALTER QMGR CHLAUTH switch is used to control whether channel
    authentication records are used. The command DISPLAY CHLAUTH can be used to
    query the channel authentication records.

    cmqxrmsa.c : 910
    10/25/12 09:00:14 - Process(6095024.44) User(mqm) Program(amqrmppa)
    Host(dubua018v02) Installation(Installation1)
    VRMF(7.5.0.0) QMgr(INDUSQM1)

    AMQ9999: Channel 'SYSTEM.DEF.SVRCONN' to host 'dubua018v01 (9.55.49.220)' ended
    abnormally.

    EXPLANATION:
    The channel program running under process ID 6095024 for channel
    'SYSTEM.DEF.SVRCONN' ended abnormally. The host name is 'dubua018v01
    (9.55.49.220)'; in some cases the host name cannot be determined and so is
    shown as '????'.
    ACTION:
    Look at previous error messages for the channel program in the error logs to
    determine the cause of the failure. Note that this message can be excluded
    completely or suppressed by tuning the "ExcludeMessage" or "SuppressMessage"
    attributes under the "QMErrorLog" stanza in qm.ini. Further information can be
    found in the System Administration Guide.

    amqrmrsa.c : 898
    10/25/12 09:14:11 - Process(6095024.46) User(mqm) Program(amqrmppa)
    Host(dubua018v02) Installation(Installation1)
    VRMF(7.5.0.0) QMgr(INDUSQM1)

    AMQ9777: Channel was blocked

    EXPLANATION:
    The inbound channel 'SYSTEM.DEF.SVRCONN' was blocked from address '9.55.49.220'
    because the active values of the channel matched a record configured with
    USERSRC(NOACCESS). The active values of the channel were 'CLNTUSER(mqm)'.
    ACTION:
    Contact the systems administrator, who should examine the channel
    authentication records to ensure that the correct settings have been
    configured. The ALTER QMGR CHLAUTH switch is used to control whether channel
    authentication records are used. The command DISPLAY CHLAUTH can be used to
    query the channel authentication records.

    cmqxrmsa.c : 910
    10/25/12 09:14:11 - Process(6095024.46) User(mqm) Program(amqrmppa)
    Host(dubua018v02) Installation(Installation1)
    VRMF(7.5.0.0) QMgr(INDUSQM1)

    AMQ9999: Channel 'SYSTEM.DEF.SVRCONN' to host 'dubua018v01 (9.55.49.220)' ended
    abnormally.

    EXPLANATION:
    The channel program running under process ID 6095024 for channel
    'SYSTEM.DEF.SVRCONN' ended abnormally. The host name is 'dubua018v01
    (9.55.49.220)'; in some cases the host name cannot be determined and so is
    shown as '????'.
    ACTION:
    Look at previous error messages for the channel program in the error logs to
    determine the cause of the failure. Note that this message can be excluded
    completely or suppressed by tuning the "ExcludeMessage" or "SuppressMessage"
    attributes under the "QMErrorLog" stanza in qm.ini. Further information can be
    found in the System Administration Guide.

    amqrmrsa.c : 898
    10/25/12 09:15:52 - Process(6095024.48) User(mqm) Program(amqrmppa)
    Host(dubua018v02) Installation(Installation1)
    VRMF(7.5.0.0) QMgr(INDUSQM1)

    AMQ9777: Channel was blocked

    EXPLANATION:
    The inbound channel 'SYSTEM.DEF.SVRCONN' was blocked from address '9.55.49.221'
    because the active values of the channel matched a record configured with
    USERSRC(NOACCESS). The active values of the channel were 'CLNTUSER(mqm)'.
    ACTION:
    Contact the systems administrator, who should examine the channel
    authentication records to ensure that the correct settings have been
    configured. The ALTER QMGR CHLAUTH switch is used to control whether channel
    authentication records are used. The command DISPLAY CHLAUTH can be used to
    query the channel authentication records.

    cmqxrmsa.c : 910
    10/25/12 09:15:52 - Process(6095024.48) User(mqm) Program(amqrmppa)
    Host(dubua018v02) Installation(Installation1)
    VRMF(7.5.0.0) QMgr(INDUSQM1)

    AMQ9999: Channel 'SYSTEM.DEF.SVRCONN' to host 'dubua018v02 (9.55.49.221)' ended
    abnormally.

    EXPLANATION:
    The channel program running under process ID 6095024 for channel
    'SYSTEM.DEF.SVRCONN' ended abnormally. The host name is 'dubua018v02
    (9.55.49.221)'; in some cases the host name cannot be determined and so is
    shown as '????'.
    ACTION:
    Look at previous error messages for the channel program in the error logs to
    determine the cause of the failure. Note that this message can be excluded
    completely or suppressed by tuning the "ExcludeMessage" or "SuppressMessage"
    attributes under the "QMErrorLog" stanza in qm.ini. Further information can be
    found in the System Administration Guide.

    amqrmrsa.c : 898
    10/25/12 09:24:07 - Process(6095024.50) User(mqm) Program(amqrmppa)
    Host(dubua018v02) Installation(Installation1)
    VRMF(7.5.0.0) QMgr(INDUSQM1)

    AMQ9777: Channel was blocked

    EXPLANATION:
    The inbound channel 'SYSTEM.DEF.SVRCONN' was blocked from address '9.55.49.221'
    because the active values of the channel matched a record configured with
    USERSRC(NOACCESS). The active values of the channel were 'CLNTUSER(test1)'.
    ACTION:
    Contact the systems administrator, who should examine the channel
    authentication records to ensure that the correct settings have been
    configured. The ALTER QMGR CHLAUTH switch is used to control whether channel
    authentication records are used. The command DISPLAY CHLAUTH can be used to
    query the channel authentication records.

    cmqxrmsa.c : 910
    10/25/12 09:24:07 - Process(6095024.50) User(mqm) Program(amqrmppa)
    Host(dubua018v02) Installation(Installation1)
    VRMF(7.5.0.0) QMgr(INDUSQM1)

    AMQ9999: Channel 'SYSTEM.DEF.SVRCONN' to host 'dubua018v02 (9.55.49.221)' ended
    abnormally.

    EXPLANATION:
    The channel program running under process ID 6095024 for channel
    'SYSTEM.DEF.SVRCONN' ended abnormally. The host name is 'dubua018v02
    (9.55.49.221)'; in some cases the host name cannot be determined and so is
    shown as '????'.
    ACTION:
    Look at previous error messages for the channel program in the error logs to
    determine the cause of the failure. Note that this message can be excluded
    completely or suppressed by tuning the "ExcludeMessage" or "SuppressMessage"
    attributes under the "QMErrorLog" stanza in qm.ini. Further information can be
    found in the System Administration Guide.

    amqrmrsa.c : 898
    10/25/12 09:25:30 - Process(6095024.52) User(mqm) Program(amqrmppa)
    Host(dubua018v02) Installation(Installation1)
    VRMF(7.5.0.0) QMgr(INDUSQM1)

    AMQ9777: Channel was blocked

    EXPLANATION:
    The inbound channel 'SYSTEM.DEF.SVRCONN' was blocked from address '9.55.49.221'
    because the active values of the channel matched a record configured with
    USERSRC(NOACCESS). The active values of the channel were 'CLNTUSER(test1)'.
    ACTION:
    Contact the systems administrator, who should examine the channel
    authentication records to ensure that the correct settings have been
    configured. The ALTER QMGR CHLAUTH switch is used to control whether channel
    authentication records are used. The command DISPLAY CHLAUTH can be used to
    query the channel authentication records.

    cmqxrmsa.c : 910
    10/25/12 09:25:30 - Process(6095024.52) User(mqm) Program(amqrmppa)
    Host(dubua018v02) Installation(Installation1)
    VRMF(7.5.0.0) QMgr(INDUSQM1)

    AMQ9999: Channel 'SYSTEM.DEF.SVRCONN' to host 'dubua018v02 (9.55.49.221)' ended
    abnormally.

    EXPLANATION:
    The channel program running under process ID 6095024 for channel
    'SYSTEM.DEF.SVRCONN' ended abnormally. The host name is 'dubua018v02
    (9.55.49.221)'; in some cases the host name cannot be determined and so is
    shown as '????'.
    ACTION:
    Look at previous error messages for the channel program in the error logs to
    determine the cause of the failure. Note that this message can be excluded
    completely or suppressed by tuning the "ExcludeMessage" or "SuppressMessage"
    attributes under the "QMErrorLog" stanza in qm.ini. Further information can be
    found in the System Administration Guide.

    amqrmrsa.c : 898
    10/25/12 09:28:57 - Process(6095024.54) User(mqm) Program(amqrmppa)
    Host(dubua018v02) Installation(Installation1)
    VRMF(7.5.0.0) QMgr(INDUSQM1)

    AMQ9777: Channel was blocked

    EXPLANATION:
    The inbound channel 'SYSTEM.DEF.SVRCONN' was blocked from address '9.55.49.220'
    because the active values of the channel matched a record configured with
    USERSRC(NOACCESS). The active values of the channel were 'CLNTUSER(mqm)'.
    ACTION:
    Contact the systems administrator, who should examine the channel
    authentication records to ensure that the correct settings have been
    configured. The ALTER QMGR CHLAUTH switch is used to control whether channel
    authentication records are used. The command DISPLAY CHLAUTH can be used to
    query the channel authentication records.

    cmqxrmsa.c : 910
    10/25/12 09:28:57 - Process(6095024.54) User(mqm) Program(amqrmppa)
    Host(dubua018v02) Installation(Installation1)
    VRMF(7.5.0.0) QMgr(INDUSQM1)

    AMQ9999: Channel 'SYSTEM.DEF.SVRCONN' to host 'dubua018v01 (9.55.49.220)' ended
    abnormally.

    EXPLANATION:
    The channel program running under process ID 6095024 for channel
    'SYSTEM.DEF.SVRCONN' ended abnormally. The host name is 'dubua018v01
    (9.55.49.220)'; in some cases the host name cannot be determined and so is
    shown as '????'.
    ACTION:
    Look at previous error messages for the channel program in the error logs to
    determine the cause of the failure. Note that this message can be excluded
    completely or suppressed by tuning the "ExcludeMessage" or "SuppressMessage"
    attributes under the "QMErrorLog" stanza in qm.ini. Further information can be
    found in the System Administration Guide.

    amqrmrsa.c : 898
    10/25/12 09:29:29 - Process(6095024.56) User(mqm) Program(amqrmppa)
    Host(dubua018v02) Installation(Installation1)
    VRMF(7.5.0.0) QMgr(INDUSQM1)

    AMQ9777: Channel was blocked

    EXPLANATION:
    The inbound channel 'SYSTEM.DEF.SVRCONN' was blocked from address '9.55.49.220'
    because the active values of the channel matched a record configured with
    USERSRC(NOACCESS). The active values of the channel were 'CLNTUSER(mqm)'.
    ACTION:
    Contact the systems administrator, who should examine the channel
    authentication records to ensure that the correct settings have been
    configured. The ALTER QMGR CHLAUTH switch is used to control whether channel
    authentication records are used. The command DISPLAY CHLAUTH can be used to
    query the channel authentication records.

    cmqxrmsa.c : 910
    10/25/12 09:29:29 - Process(6095024.56) User(mqm) Program(amqrmppa)
    Host(dubua018v02) Installation(Installation1)
    VRMF(7.5.0.0) QMgr(INDUSQM1)

    AMQ9999: Channel 'SYSTEM.DEF.SVRCONN' to host 'dubua018v01 (9.55.49.220)' ended
    abnormally.

    EXPLANATION:
    The channel program running under process ID 6095024 for channel
    'SYSTEM.DEF.SVRCONN' ended abnormally. The host name is 'dubua018v01
    (9.55.49.220)'; in some cases the host name cannot be determined and so is
    shown as '????'.
    ACTION:
    Look at previous error messages for the channel program in the error logs to
    determine the cause of the failure. Note that this message can be excluded
    completely or suppressed by tuning the "ExcludeMessage" or "SuppressMessage"
    attributes under the "QMErrorLog" stanza in qm.ini. Further information can be
    found in the System Administration Guide.

    amqrmrsa.c : 898
    10/30/12 12:42:55 - Process(6095024.59) User(mqm) Program(amqrmppa)
    Host(dubua018v02) Installation(Installation1)
    VRMF(7.5.0.0) QMgr(INDUSQM1)

    AMQ9207: The data received from host 'iss06 (9.42.115.206)' on channel '????'
    is not valid.

    EXPLANATION:
    Incorrect data format received from host 'iss06 (9.42.115.206)' over TCP/IP. It
    may be that an unknown host is attempting to send data. An FFST file has been
    generated containing the invalid data received.

    The channel name is '????'; in some cases it cannot be determined and so is
    shown as '????'.
    ACTION:
    Tell the systems administrator.

    amqccita.c : 3842
    10/30/12 12:42:55 - Process(6095024.59) User(mqm) Program(amqrmppa)
    Host(dubua018v02) Installation(Installation1)
    VRMF(7.5.0.0) QMgr(INDUSQM1)

    AMQ9492: The TCP/IP responder program encountered an error.

    EXPLANATION:
    The responder program was started but detected an error.

    The host name was 'iss06 (9.42.115.206)'; in some cases the host name cannot be
    determined and so is shown as '????'.
    ACTION:
    Look at previous error messages in the error files to determine the error
    encountered by the responder program.

    amqrmrsa.c : 889
    10/31/12 08:09:13 - Process(6095024.62) User(mqm) Program(amqrmppa)
    Host(dubua018v02) Installation(Installation1)
    VRMF(7.5.0.0) QMgr(INDUSQM1)

    AMQ9002: Channel 'TO.INDUSQM2' is starting.

    EXPLANATION:
    Channel 'TO.INDUSQM2' is starting.
    ACTION:
    None.
    To use the DISPLAY CHALAUTH MATCH(RUNCHECK) command to find out which rule you are matching against from the error message, here's what to do.

    10/25/12 09:00:14 - Process(6095024.44) User(mqm) Program(amqrmppa)
    Host(dubua018v02) Installation(Installation1)
    VRMF(7.5.0.0) QMgr(INDUSQM1)

    AMQ9777: Channel was blocked

    EXPLANATION:
    The inbound channel 'SYSTEM.DEF.SVRCONN' was blocked from address '9.55.49.220'
    because the active values of the channel matched a record configured with
    USERSRC(NOACCESS). The active values of the channel were 'CLNTUSER(mqm)'.
    ACTION:
    Contact the systems administrator, who should examine the channel
    authentication records to ensure that the correct settings have been
    configured. The ALTER QMGR CHLAUTH switch is used to control whether channel
    authentication records are used. The command DISPLAY CHLAUTH can be used to
    query the channel authentication records.

    DISPLAY CHLAUTH(chl-name-from-error-message) MATCH(RUNCHECK) ADDRESS(ip-address-from-error-message) CLNTUSER(from-error-message)

    thus:-

    DISPLAY CHLAUTH('SYSTEM.DEF.SVRCONN') MATCH(RUNCHECK) ADDRESS('9.55.49.220') CLNTUSER('mqm')

    Issue that and see what record it says it is matching against.

    Cheers
    Morag
  • SystemAdmin
    SystemAdmin
    8523 Posts

    Re: Testing cluster with channel authentication in WebSphere mq 7.5

    ‏2013-01-24T18:11:37Z  
    To use the DISPLAY CHALAUTH MATCH(RUNCHECK) command to find out which rule you are matching against from the error message, here's what to do.

    10/25/12 09:00:14 - Process(6095024.44) User(mqm) Program(amqrmppa)
    Host(dubua018v02) Installation(Installation1)
    VRMF(7.5.0.0) QMgr(INDUSQM1)

    AMQ9777: Channel was blocked

    EXPLANATION:
    The inbound channel 'SYSTEM.DEF.SVRCONN' was blocked from address '9.55.49.220'
    because the active values of the channel matched a record configured with
    USERSRC(NOACCESS). The active values of the channel were 'CLNTUSER(mqm)'.
    ACTION:
    Contact the systems administrator, who should examine the channel
    authentication records to ensure that the correct settings have been
    configured. The ALTER QMGR CHLAUTH switch is used to control whether channel
    authentication records are used. The command DISPLAY CHLAUTH can be used to
    query the channel authentication records.

    DISPLAY CHLAUTH(chl-name-from-error-message) MATCH(RUNCHECK) ADDRESS(ip-address-from-error-message) CLNTUSER(from-error-message)

    thus:-

    DISPLAY CHLAUTH('SYSTEM.DEF.SVRCONN') MATCH(RUNCHECK) ADDRESS('9.55.49.220') CLNTUSER('mqm')

    Issue that and see what record it says it is matching against.

    Cheers
    Morag
    This is the output,

    AMQ8878: Display channel authentication record details.
    CHLAUTH(SYSTEM.*) TYPE(ADDRESSMAP)
    ADDRESS(*) USERSRC(NOACCESS)
  • SystemAdmin
    SystemAdmin
    8523 Posts

    Re: Testing cluster with channel authentication in WebSphere mq 7.5

    ‏2013-01-24T23:55:40Z  
    This is the output,

    AMQ8878: Display channel authentication record details.
    CHLAUTH(SYSTEM.*) TYPE(ADDRESSMAP)
    ADDRESS(*) USERSRC(NOACCESS)
    So now you know which rule to either remove, or that you need to use a channel name that doesn't match SYSTEM.*.

    Cheers
    Morag
  • SystemAdmin
    SystemAdmin
    8523 Posts

    Re: Testing cluster with channel authentication in WebSphere mq 7.5

    ‏2013-01-29T10:28:03Z  
    So now you know which rule to either remove, or that you need to use a channel name that doesn't match SYSTEM.*.

    Cheers
    Morag
    Hi Morag,

    Thanks for all your help. The authentication issue got resolved by creating new channel (not using the oob SYSTEM.DEF.SVRCONN ) and using a non privileged user id.

    I followed the steps to create new channel by following the steps mentioned in
    http://publib.boulder.ibm.com/infocenter/wmqv7/v7r1/index.jsp?topic=%2Fcom.ibm.mq.doc%2Ffg17050_.htm .

    I was able to send messages to the cluster queue.

    Thanks a ton again.

    Regards,
    Amar
  • SystemAdmin
    SystemAdmin
    8523 Posts

    Re: Testing cluster with channel authentication in WebSphere mq 7.5

    ‏2013-02-14T12:12:16Z  
    Hi Morag,

    Thanks for all your help. The authentication issue got resolved by creating new channel (not using the oob SYSTEM.DEF.SVRCONN ) and using a non privileged user id.

    I followed the steps to create new channel by following the steps mentioned in
    http://publib.boulder.ibm.com/infocenter/wmqv7/v7r1/index.jsp?topic=%2Fcom.ibm.mq.doc%2Ffg17050_.htm .

    I was able to send messages to the cluster queue.

    Thanks a ton again.

    Regards,
    Amar
    FYI: We wrote this up for others to read in the future, here:-

    https://www.ibm.com/developerworks/mydeveloperworks/blogs/aimsupport/entry/blocked_by_chlauth_why

    Cheers
    Morag