Troubleshooting

Use these tips to troubleshoot problems that might occur with access-control checking in the MQ authorization service.

When a job that includes the WebSphere® MQ connector fails because of a problem with access-control checking, the connector reports MQ error 2035 (MQRC_NOT_AUTHORIZED). If the error is preceded by an informational message indicating that the connector is connecting to the queue manager, then the connector was not granted connect authorization for that queue. If the error is preceded by an informational message indicating that the connector was opening a queue, then the connector was not granted sufficient authorization to open the queue. The connector typically logs information about the queue that it tried to open and logs the open options that it specified when it tried to open the queue. By evaluating the open options, you can often determine which authorizations you need to grant.

For example, the following is an excerpt from the job log that was created when the connector attempted to open queue QUEUE1 to put messages into it:

Opening queue QUEUE1 with open options (MQOO_OUTPUT, MQOO_FAIL_IF_QUIESCING)
Open queue failed with reason code: 2035 (MQRC_NOT_AUTHORIZED); 
CC_WSMQQueue; open(); CC_WSMQQueue.cpp; 372

From the MQOO_OUTPUT flag, you can conclude that the connector tried to open the queue for output.

The MQ error 2035 is typically accompanied by additional information in the queue manager's error log. For the job failure shown above, the following is an example of how the queue manager error log information might look:

9/13/2009 19:26:58 -  Process(7008.130) User(MUSR_MQADMIN) Program(amqzlaa0.exe)
AMQ8077: Entity 'test' has insufficient authority to access object 'QUEUE1'.

EXPLANATION:
The specified entity is not authorized to access the required object. The
following requested permissions are unauthorized: put
ACTION:
Ensure that the correct level of authority has been set for this entity against
the required object, or ensure that the entity is a member of a privileged
group.

The information shows the user ID for which the access-control check failed (test), the MQ object for which the check failed (QUEUE1), and the authorization that was requested by the operation (put).

You can use the MQ command line tool dspmqaut to display the current authorizations that are granted for a particular object to a particular user ID. For example, the following command shows the authorizations that are granted to user ID test for queue QUEUE1 which resides under queue manager QMNAME:

dspmqaut -m QMNAME -t queue -n QUEUE1 -p test
Entity test has the following authorities for object QUEUE1:
	get
	browse
	crt