Resolving CHLAUTH access issues

Suggestions on how you resolve certain access issues when using channel authentication records (CHLAUTH).

Default CHLAUTH rules

There are three default rules for CHLAUTH processing:
  • NO ACCESS to all channels by any MQ-admin (*MQADMIN) users
  • NO ACCESS to all SYSTEM.* channels by all users
  • ALLOW access to SYSTEM.ADMIN.SVRCONN channel (non MQ-admin users)
The first two rules block access to all channels. The third rule is more specific, and therefore takes precedence over the other two, if the channel is the SYSTEM.ADMIN.SVRCONN channel, thus allowing access on that channel.

Common connection errors

CHLAUTH rules are used to determine whether a channel can be started, and they allow mapping, through MCAUSER, to another user ID. If the channel cannot be started, the following errors commonly occur:
  • RC 2035 MQRC_NOT_AUTHORIZED
  • RC 2059 MQRC_Q_MGR_NOT_AVAILABLE
  • AMQ4036 Access not permitted
  • AMQ9776: Channel was blocked by userid
  • AMQ9777: Channel was blocked
  • MQJE001: An MQException occurred: Completion Code 2, Reason 2035
  • MQJE036: Queue manager rejected connection attempt
You should block access strictly, then add more CHLAUTH rules to control who can access and start channels. As a temporary measure, and to troubleshoot the errors listed, you can take the following steps:

Disable CHLAUTH rules

As a temporary measure, and also to troubleshoot the errors above, you can disable CHLAUTH rules. The rules can be re-enabled at any time, and if disabling the CHLAUTH rules resolves the connection issue, you know that this was the cause.

To disable CHLAUTH rules issue the following command:
runmqsc: ALTER QMGR CHLAUTH (DISABLED)
Note that you can also set CHLAUTH to WARN, which allows access and logs the result of the rule.

Modify or remove CHLAUTH rules

You can also delete or modify the CHLAUTH rule, or rules, causing your problem.

To modify a CHLAUTH rule, you use the SET CHLAUTH command with ACTION (REPLACE). For example, to change the default rule that blocks access to all channels by any MQ-admin users so that it warns instead of blocking, issue the following command:

runmqsc: SET CHLAUTH (*) TYPE (BLOCKUSER) USERLIST (*MQADMIN) WARN(YES) ACTION (REPLACE)
To delete a CHLAUTH rule, you use the SET CHLAUTH command with ACTION (REMOVE). For example, to delete the default rule that blocks access to all channels by any MQ-admin users, issue the following command:

runmqsc: SET CHLAUTH (*) TYPE (BLOCKUSER) USERLIST (*MQADMIN) ACTION (REMOVE)

Testing access using MATCH (RUNCHECK)

You can test the result of your CHLAUTH rules using the MATCH (RUNCHECK) option of the DISPLAY CHLAUTH command in runmqsc. The MATCH (RUNCHECK) option returns the record that would be matched by a specific inbound channel at run time, if that channel connected to this queue manager. You must provide:
  • The channel name
  • ADDRESS attribute
  • SSLPEER attribute, only if the inbound channel uses SSL or TLS
  • QMNAME, if the inbound channel is a queue manager channel, or
  • CLNTUSER attribute, if the inbound channel is a client channel
The following example checks which CHLAUTH rule matches, with the default rules in place, when the MQ-admin user johndoe accesses a channel named CHAN1:

runmqsc: DISPLAY CHLAUTH (CHAN1) MATCH (RUNCHECK) CLNTUSER ('johndoe') ADDRESS ('192.168.1.138')

AMQ8878: Display channel authentication record details.
CHLAUTH(*) TYPE(BLOCKUSER)
USERLIST(*MQADMIN)
For user johndoe, the channel does not run: the user is blocked by the BLOCKUSER rule for *MQADMIN users.
The following example checks which CHLAUTH rule matches, with the default rules in place, when user alice, who is not an MQ-admin user, accesses a channel named CHAN1:

runmqsc: DISPLAY CHLAUTH (CHAN1) MATCH (RUNCHECK) CLNTUSER ('alice') ADDRESS ('192.168.1.138')

AMQ9783: Channel will run using MCAUSER('alice').
For user alice, the channel runs, and the channel passes alice in as the MCAUSER. The MCAUSER is the user ID used to check IBM® MQ object authorities.
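To check several client identities against one channel in a single pass, the following added shell script (not part of this page or of IBM MQ) pipes DISPLAY CHLAUTH ... MATCH(RUNCHECK) commands into runmqsc and classifies each answer as running (AMQ9783, reporting the MCAUSER) or blocked (AMQ8878, reporting the record TYPE). The queue manager name QM1 and the helper function names are assumptions; when runmqsc is not installed it classifies the two sample outputs shown above instead.

```shell
#!/bin/sh
# Added example, not from the page or IBM: batch RUNCHECK of client
# identities against a channel. Queue manager QM1 is an assumption.

# Build the MQSC RUNCHECK command for one channel/user/address triple.
runcheck_cmd() {
  printf "DISPLAY CHLAUTH('%s') MATCH(RUNCHECK) CLNTUSER('%s') ADDRESS('%s')\n" "$1" "$2" "$3"
}

# Classify captured runmqsc output: AMQ9783 means the channel runs (report
# the MCAUSER it runs under); AMQ8878 means a matching record blocked it
# (report that record's TYPE); anything else is reported as UNKNOWN.
classify_runcheck() {
  out="$1"
  case "$out" in
    *AMQ9783*)
      user=$(printf '%s' "$out" | sed -n "s/.*MCAUSER('\([^']*\)').*/\1/p" | head -n 1)
      printf 'RUN MCAUSER=%s\n' "$user" ;;
    *AMQ8878*)
      type=$(printf '%s' "$out" | sed -n 's/.*TYPE(\([A-Z]*\)).*/\1/p' | head -n 1)
      printf 'BLOCKED TYPE=%s\n' "$type" ;;
    *) printf 'UNKNOWN\n' ;;
  esac
}

# Run one check against a live queue manager (needs runmqsc on PATH).
check_identity() {
  qm="$1"; chl="$2"; user="$3"; addr="$4"
  out=$(runcheck_cmd "$chl" "$user" "$addr" | runmqsc "$qm" 2>&1)
  printf '%s %s@%s -> ' "$chl" "$user" "$addr"
  classify_runcheck "$out"
}

# Stand-alone demo: query QM1 if runmqsc exists, otherwise classify
# constructed output copied from the page's two RUNCHECK examples.
if command -v runmqsc >/dev/null 2>&1; then
  check_identity QM1 CHAN1 johndoe 192.168.1.138
  check_identity QM1 CHAN1 alice 192.168.1.138
else
  blocked="AMQ8878: Display channel authentication record details.
CHLAUTH(*) TYPE(BLOCKUSER)
USERLIST(*MQADMIN)"
  runs="AMQ9783: Channel will run using MCAUSER('alice')."
  classify_runcheck "$blocked"   # BLOCKED TYPE=BLOCKUSER
  classify_runcheck "$runs"      # RUN MCAUSER=alice
fi
```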