IBM Support

User 'fulano' was added to the Unix group 'mqm' but when trying the MQ utility "runmqsc QmgrName" this error is shown: AMQ8135: Not authorized

Question & Answer


Question

User 'fulano' was added to the Unix group 'mqm' but when trying the MQ utility "runmqsc QmgrName" this error is shown: AMQ8135: Not authorized

Here is the detailed scenario:

Environment: Unix/Linux
You have a queue manager running, named 'QM80'.
[fulano@aztlan1 ~]$ dspmq -m QM80
QMNAME(QM80)                                              STATUS(Running)
You want the userid 'fulano' to become an MQ Administrator.
For the moment, the user was created and does not belong to the Unix group "mqm".
[fulano@aztlan1 ~]$ id fulano
uid=1021(fulano) gid=1005(mquser) groups=1005(mquser)
When this user tries to work with the runmqsc utility, the expected authorization error is returned.
[fulano@aztlan1 ~]$ runmqsc QM80
5724-H72 (C) Copyright IBM Corp. 1994, 2015.
Starting MQSC for queue manager QM80.
AMQ8135: Not authorized.
No MQSC commands read.
No commands have a syntax error.
All valid MQSC commands were processed.
The error log in the queue manager indicates:
02/21/2020 09:22:39 AM - Process(30220.16) User(mqm) Program(amqzlaa0)
                    Host(aztlan1.fyre.ibm.com) Installation(Installation1)
                    VRMF(8.0.0.14) QMgr(QM80)
AMQ8077: Entity 'fulano' has insufficient authority to access object 'QM80'.
EXPLANATION:
The specified entity is not authorized to access the required object. The
following requested permissions are unauthorized: connect
OK, you understand that the user 'fulano' needs to be a member of the group 'mqm', either as the primary group or as part of the set of groups.
You open another Unix command prompt and log in as user 'root'.
As root user, issue the following to append (-a) the additional group (-G) 'mqm' for user 'fulano':
+++ROOT+++ aztlan1.fyre.ibm.com: /root
# usermod -a -G mqm fulano
You need to log out from the session for user 'fulano' and log in again for the change of group membership to be recognized.

Notice that the user 'fulano' is now a member of the group 'mqm' (but the primary group is still 'mquser').
The membership to the group 'mqm' makes this user an MQ Administrator.

[fulano@aztlan1 ~]$ id fulano
uid=1021(fulano) gid=1005(mquser) groups=1005(mquser),501(mqm)

Try the runmqsc command again.

[fulano@aztlan1 ~]$ runmqsc QM80
5724-H72 (C) Copyright IBM Corp. 1994, 2015.
Starting MQSC for queue manager QM80.
AMQ8135: Not authorized.
No MQSC commands read.
No commands have a syntax error.
All valid MQSC commands were processed.

Hmm! The user 'fulano' is still getting the authorization error, even though the user is an MQ Administrator!
What is going on?

Cause

This scenario falls into the following pattern:
- Queue manager was stopped.
- Userid 'fulano' was created but was NOT a member of the group 'mqm'.
- Queue manager was started.
  During startup the queue manager queries the operating system for the complete list of users who belong to the group 'mqm' (either as primary or as part of group membership) and stores the list in a cache.
  The user 'fulano' was NOT identified as a member of 'mqm' and therefore is not in the cached list of MQ administrators.
- Then the userid 'fulano' was added to the group 'mqm' while the queue manager was running.
- The queue manager does NOT dynamically check for changes (additions/deletions) to the group membership of 'mqm'. This is done only during startup.
  Thus, according to the cached list, the user 'fulano' is not a member of the group 'mqm'.
- At this point, the situation becomes confusing: the command 'id fulano' now shows the user as a member of the group 'mqm', but the queue manager is using old information in which this user was not identified as a member of the group 'mqm'.
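
The stale-cache pattern above can be confirmed from the queue manager error log. The following script is an added example, not IBM code: it extracts the entities denied by AMQ8077 and lists those that the operating system already reports as members of 'mqm'. The user 'visita', the sample log text and the ERROR_LOG placeholder are constructed for illustration.

```shell
#!/bin/sh
# Added example (not IBM code): find AMQ8077 denials that contradict the
# operating system's current view of the admin group, i.e. a stale cache.

# Constructed sample log text: the AMQ8077 line shown on this page plus a
# made-up user 'visita' who is not an administrator.
SAMPLE_LOG="AMQ8077: Entity 'fulano' has insufficient authority to access object 'QM80'.
AMQ8077: Entity 'visita' has insufficient authority to access object 'QM80'.
AMQ8077: Entity 'fulano' has insufficient authority to access object 'QM80'."

# denied_entities: error-log text on stdin -> each denied entity, once.
denied_entities() {
    sed -n "s/^AMQ8077: Entity '\([^']*\)' has insufficient authority.*/\1/p" |
        sort -u
}

# groups_of USER: group names the OS reports for USER right now.
groups_of() {
    id -Gn "$1" 2>/dev/null
}

# stale_cache_suspects [GROUP]: error-log text on stdin -> entities that were
# denied although the OS already lists them in GROUP (default: mqm).
stale_cache_suspects() {
    admin_group=${1:-mqm}
    denied_entities | while read -r user; do
        for g in $(groups_of "$user"); do
            if [ "$g" = "$admin_group" ]; then
                echo "$user"
                break
            fi
        done
    done
}

# Usage against a real log (ERROR_LOG is a placeholder for the path to the
# queue manager's error log):
#   stale_cache_suspects mqm < "$ERROR_LOG"
```

Any name it prints was denied on the basis of the cached list rather than current group membership.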

Answer

How to resolve the issue?
There are 2 ways to proceed. The user 'mqm' is needed for both cases.

1: The easiest way is to issue "REFRESH SECURITY", which tells the queue manager to discard the cached list and recreate it. This time it will identify the user 'fulano' as a member of the group 'mqm'.
   runmqsc QM80
    REFRESH SECURITY
    end

2: The other option is to stop the queue manager and restart it.
   endmqm -i QM80
   strmqm    QM80
  During startup the queue manager queries the system for the complete list of users who belong to the group 'mqm' (either as primary or as part of group membership) and stores the list in a cache.


Document Information

Modified date:
21 February 2020

UID

ibm13251925