IBM MQ - Resolve "MQCC_FAILED MQRC_NOT_AUTHORIZED"


The following error occurs when a request is submitted to IBM MQ, such as a request to connect to an IBM MQ channel, or to GET or PUT messages on an IBM MQ queue. 

IBM MQ call failed with compcode '2' ('MQCC_FAILED') reason '2035' ('MQRC_NOT_AUTHORIZED').

 

Following are the most probable reasons this exception is being returned:

  • An invalid username and/or password is being used in the connection request
  • The user has not been granted permission to the object (queue manager, topic, queue, et cetera)
  • The channel is blocked
  • MQConstants.USE_MQCSP_AUTHENTICATION_PROPERTY is set to false, or JmsConstants.USER_AUTHENTICATION_MQCSP is set to false, or the system property com.ibm.mq.cfg.jmqi.useMQCSPauthentication is set to false

 


Get the principal (username)

Often, you will know the username being used to connect to IBM MQ. However, if you only know the channel or queue or topic, the dmpmqaut command can be used to potentially find the username. In this scenario, the username will be known as the principal.

dmpmqaut -m MANAGER01 > dump.txt 2>&1

 

Something like this should be in dump.txt.

profile:     QUEUE001
object type: queue
entity:      john.doe
entity type: principal
authority:   get browse put inq
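
To pull every principal and group recorded against one object out of dump.txt, the stanzas can be filtered with awk. This is an added example, not part of the original article; the function name entities_for, the sample entities and the separator line are assumptions, and the field labels follow the excerpt above.

```shell
# Constructed sample in the stanza layout shown above (names are made up).
sample_dump() {
cat <<'EOF'
profile:     QUEUE001
object type: queue
entity:      john.doe
entity type: principal
authority:   get browse put inq
- - - - - - - -
profile:     QUEUE001
object type: queue
entity:      mqapps
entity type: group
authority:   inq
- - - - - - - -
profile:     TOPIC01
object type: topic
entity:      jane.roe
entity type: principal
authority:   pub sub
EOF
}

# entities_for PROFILE OBJTYPE < dump.txt
# Prints "entity-type entity authorities" for every record on that object.
entities_for() {
    awk -v want="$1" -v otype="$2" '
        # Split "key: value" at the first colon; lines without one are skipped.
        {
            i = index($0, ":")
            if (i == 0) next
            key = substr($0, 1, i - 1)
            val = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", val)   # trim padding
            gsub(/,/, "", val)                 # tolerate comma-separated lists
        }
        key == "profile"     { profile = val }
        key == "object type" { type = val }
        key == "entity"      { entity = val }
        key == "entity type" { etype = val }
        # "authority" closes a stanza, so the record is complete here.
        key == "authority" && profile == want && type == otype {
            print etype, entity, val
        }
    '
}

sample_dump | entities_for QUEUE001 queue
```
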

 


Queue Manager

If you are able to determine the username that should have been granted permission to the object, use the dspmqaut command to determine if the user has the inq and connect permissions on the queue manager.

dspmqaut -m MANAGER01 -t qmgr -p JohnDoe

Entity JohnDoe has the following authorizations for object MANAGER01: 
    connect
    inq

 


Channel

Let's say your IBM MQ error logs contain "AMQ9777E Channel was blocked". In this example, the channel named CHANNEL01 was blocked. This means that a connection could not be made to the channel.

mm/dd/yyyy hh:mm:ss - Process(18271.9654) User(mqm) Program(amqrmppa)
                    Host(mq.example.com) Installation(Installation1)
                    VRMF(9.1.0.3) QMgr(MANAGER01)
                    Time(yyyy-mm-ddThh:mm:ss.sss)
                    RemoteHost(10.1.2.3)
                    CommentInsert1(CHANNEL01)
                    CommentInsert2(SERVER01 (10.4.5.6))
                    CommentInsert3(CLNTUSER(john.doe) ADDRESS(client.example.com))

AMQ9777E: Channel was blocked

EXPLANATION:
The inbound channel 'CHANNEL01' was blocked from address 'client.example.com
(10.4.5.6)' because the active values of the channel matched a record
configured with USERSRC(NOACCESS). The active values of the channel were
'CLNTUSER(john.doe) ADDRESS(client.example.com)'.

 

The display chlauth command lists the channel authentication records configured for a channel. Notice in this example that the channel is configured to allow connections from "client01.example.com". If the connection is NOT being made from the system with hostname client01.example.com, the connection will be refused and the IBM MQ log should have "AMQ9777E Channel was blocked".

The set chlauth command can be used to add authority to the channel.

~]# echo "display chlauth (CHANNEL01)" | runmqsc MANAGER01
CHLAUTH(CHANNEL01)                      TYPE(ADDRESSMAP)
DESCR(Allow access and use ID from channel)
CUSTOM( )                               ADDRESS(client01.example.com)
USERSRC(CHANNEL)                        CHCKCLNT(ASQMGR)
ALTDATE(2019-08-20)                     ALTTIME(07.09.01)

 


Queue or Topic

Use the dspmqaut command to determine if the user has the pub and sub permissions on the topic . . .

dspmqaut -m MANAGER01 -n TOPIC01 -t topic -p JohnDoe

Entity JohnDoe has the following authorizations for object TOPIC01: 
    pub
    sub

 

. . . or the inq, browse, put and get permissions to the queue.

dspmqaut -m MANAGER01 -n QUEUE01 -t queue -p JohnDoe

Entity JohnDoe has the following authorizations for object QUEUE01: 
    inq
    browse
    get
    put
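
The queue manager, topic and queue checks above can be scripted by piping dspmqaut output through a filter that reports which of the authorities named in this article are missing. This is an added example, not from the original article; required_for, missing_auths and the sample output are hypothetical names and constructed data.

```shell
# Authorities this article checks for each object type.
required_for() {
    case "$1" in
        qmgr)  echo "connect inq" ;;
        topic) echo "pub sub" ;;
        queue) echo "inq browse get put" ;;
        *)     return 1 ;;
    esac
}

# missing_auths TYPE < dspmqaut-output
# Prints each required authority that dspmqaut did not list, one per line.
missing_auths() {
    need=$(required_for "$1") || { echo "unknown object type: $1" >&2; return 2; }
    awk -v need="$need" '
        /^Entity / { next }             # header line
        NF == 1    { have[$1] = 1 }     # one authority per indented line
        END {
            n = split(need, req, " ")
            for (i = 1; i <= n; i++)
                if (!(req[i] in have)) print req[i]
        }
    '
}

# Constructed dspmqaut output: a principal that can read but not write QUEUE01.
sample_queue_output() {
cat <<'EOF'
Entity JohnDoe has the following authorizations for object QUEUE01:
    inq
    browse
    get
EOF
}

sample_queue_output | missing_auths queue
```

Against a live queue manager the input would come from the dspmqaut commands shown in this article, piped into missing_auths with the matching object type.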

 

Note that some Java applications hard-code the name of the queue manager, queue or topic, and the username and password being used in the request, so the application source shows which values are being sent.

private static final String QMGR     = "MANAGER01";
private static final String QUEUE    = "QUEUE01";
private static final String USER     = "JohnDoe";
private static final String PASSWORD = "itsasecret";

 


Check the MQ Error Logs

Refer to IBM MQ - Error Logs for details on the MQ Error Logs. Here is an example of one possible exception in the Error Log, which identifies that channel "MANAGER01.CHANNEL01.SVR" was blocked. In this scenario, you would use the display chlauth command to confirm that "client.example.com" does indeed not have access to channel "MANAGER01.CHANNEL01.SVR".

The set chlauth command can be used to add authority to the channel.

If the log has "AMQ9557E Queue Manager User ID initialization failed", check out my article Resolve "AMQ9557E Queue Manager User ID initialization failed".

mm/dd/yyyy hh:mm:ss - Process(18271.9654) User(mqm) Program(amqrmppa)
                    Host(mq.example.com) Installation(Installation1)
                    VRMF(9.1.0.3) QMgr(MANAGER01)
                    Time(yyyy-mm-ddThh:mm:ss.sss)
                    RemoteHost(10.1.2.3)
                    CommentInsert1(MANAGER01.CHANNEL01.SVR)
                    CommentInsert2(SERVER01 (10.4.5.6))
                    CommentInsert3(CLNTUSER(john.doe) ADDRESS(client.example.com))

AMQ9777E: Channel was blocked

EXPLANATION:
The inbound channel 'MANAGER01.CHANNEL01.SVR' was blocked from address 'client.example.com
(10.4.5.6)' because the active values of the channel matched a record
configured with USERSRC(NOACCESS). The active values of the channel were
'CLNTUSER(john.doe) ADDRESS(client.example.com)'.
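
When the log holds many AMQ9777E entries, as in the Channel section and the excerpt above, it helps to summarise which channel, client user and address are being blocked and how often. This is an added example, not from the original article; blocked_channels and the sample log are constructed, and the parser relies on the CommentInsert lines shown in the excerpts.

```shell
# Constructed log excerpt, trimmed to the lines the parser reads.
sample_log() {
cat <<'EOF'
mm/dd/yyyy hh:mm:ss - Process(18271.9654) User(mqm) Program(amqrmppa)
                    CommentInsert1(CHANNEL01)
                    CommentInsert3(CLNTUSER(john.doe) ADDRESS(client.example.com))
AMQ9777E: Channel was blocked
mm/dd/yyyy hh:mm:ss - Process(18271.9655) User(mqm) Program(amqrmppa)
                    CommentInsert1(CHANNEL01)
                    CommentInsert3(CLNTUSER(john.doe) ADDRESS(client.example.com))
AMQ9777E: Channel was blocked
mm/dd/yyyy hh:mm:ss - Process(18271.9656) User(mqm) Program(amqrmppa)
                    CommentInsert1(MANAGER01.CHANNEL01.SVR)
                    CommentInsert3(CLNTUSER(jane.roe) ADDRESS(client02.example.com))
AMQ9777E: Channel was blocked
mm/dd/yyyy hh:mm:ss - Process(18271.9657) User(mqm) Program(amqrmppa)
                    CommentInsert1(CHANNEL01)
AMQnnnnE: some other message (constructed placeholder, must be ignored)
EOF
}

# blocked_channels < AMQERR01.LOG
# Prints "count channel clntuser address" per distinct blocked combination.
blocked_channels() {
    awk '
        # Return the text inside NAME(...) within s, or "-" if absent.
        function inner(s, name,    p, rest) {
            p = index(s, name "(")
            if (p == 0) return "-"
            rest = substr(s, p + length(name) + 1)
            return substr(rest, 1, index(rest, ")") - 1)
        }
        /Process\(/        { chan = "-"; who = "" }   # start of a new entry
        /CommentInsert1\(/ { chan = inner($0, "CommentInsert1") }
        /CommentInsert3\(/ { who = $0 }
        # The message ID follows the inserts, so the entry is complete here.
        /^AMQ9777E/ { n[chan " " inner(who, "CLNTUSER") " " inner(who, "ADDRESS")]++ }
        END { for (k in n) print n[k], k }
    ' | sort -k1,1nr -k2
}

sample_log | blocked_channels
```

Each output line names a channel, client user and address to compare against the display chlauth output for that channel.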

 



