The following error occurs when a request is submitted to an object (such as a queue or topic) in an IBM MQ server.
Caused by: com.ibm.mq.MQException: JMSCMQ0001: IBM MQ call failed with compcode '2' ('MQCC_FAILED') reason '2035' ('MQRC_NOT_AUTHORIZED').
Following are the most probable reasons this exception is being returned:
Ensure user has permission to the queue manager
If you are able to determine the username that should have been granted permission to the object, use the dspmqaut command to determine if the user has the inq and connect permission to the queue manager.
dspmqaut -m MANAGER01 -t qmgr -p JohnDoe
Entity JohnDoe has the following authorizations for object MANAGER01:
connect
inq
Ensure user has permission to the queue or topic
Then use the dspmqaut command to determine if the user has the pub and sub permission to the Topic . . .
dspmqaut -m MANAGER01 -n TOPIC01 -t topic -p JohnDoe
Entity JohnDoe has the following authorizations for object TOPIC01:
pub
sub
. . . or the inq, browse, put and get permissions to the queue.
dspmqaut -m MANAGER01 -n QUEUE01 -t queue -p JohnDoe
Entity JohnDoe has the following authorizations for object QUEUE01:
inq
browse
get
put
Note that some Java applications will include the name of the Queue Manager, Queue or Topic, username and password being used in the request.
private static final String QMGR = "MANAGER01";
private static final String QUEUE = "QUEUE01";
private static final String USER = "JohnDoe";
private static final String PASSWORD = "itsasecret";
Check the MQ Error Logs
Refer to IBM MQ - Error Logs for details on the MQ Error Logs. Here is an example of one possible exception in the Error Log, which identifies that channel "MANAGER01.CHANNEL01.SVR" was blocked. In this scenario, you would use the display chlauth command to confirm that "client.example.com" does indeed not have access to channel "MANAGER01.CHANNEL01.SVR".
The set chlauth command can be used to add authority to the channel.
mm/dd/yyyy hh:mm:ss - Process(18271.9654) User(mqm) Program(amqrmppa)
Host(mq.example.com) Installation(Installation1)
VRMF(9.1.0.3) QMgr(MANAGER01)
Time(yyyy-mm-ddThh:mm:ss.sss)
RemoteHost(10.1.2.3)
CommentInsert1(MANAGER01.CHANNEL01.SVR)
CommentInsert2(SERVER01 (10.4.5.6))
CommentInsert3(CLNTUSER(john.doe) ADDRESS(client.example.com))
AMQ9777E: Channel was blocked
EXPLANATION:
The inbound channel 'MANAGER01.CHANNEL01.SVR' was blocked from address 'client.example.com
(10.4.5.6)' because the active values of the channel matched a record
configured with USERSRC(NOACCESS). The active values of the channel were
'CLNTUSER(john.doe) ADDRESS(client.example.com)'.