FreeKB - IBM MQ Resolve JMSCMQ0001 MQCC_FAILED MQRC_NOT_AUTHORIZED
IBM MQ - Resolve JMSCMQ0001 MQCC_FAILED MQRC_NOT_AUTHORIZED

The following error occurs when a request is submitted to an object (such as a queue or topic) in an IBM MQ server. 

Caused by: com.ibm.mq.MQException: JMSCMQ0001: IBM MQ call failed with compcode '2' ('MQCC_FAILED') reason '2035' ('MQRC_NOT_AUTHORIZED').

 

Following are the most probable reasons this exception is being returned:

  • An invalid username and/or password is being used
  • The user has not been granted permission to the object (topic, queue)
  • The channel is blocked

 

Ensure user has permission to the queue manager

If you are able to determine the username that should have been granted permission to the object, use the dspmqaut command to determine if the user has the inq and connect permission to the queue manager.

dspmqaut -m MANAGER01 -t qmgr -p JohnDoe

Entity JohnDoe has the following authorizations for object MANAGER01: 
    connect
    inq

 

Ensure user has permission to the queue or topic

Then use the dspmqaut command to determine if the user has the pub and sub permission to the Topic . . .

dspmqaut -m MANAGER01 -n TOPIC01 -t topic -p JohnDoe

Entity JohnDoe has the following authorizations for object TOPIC01: 
    pub
    sub

 

. . . or the inq, browse, put and get permissions to the queue.

dspmqaut -m MANAGER01 -n QUEUE01 -t queue -p JohnDoe

Entity JohnDoe has the following authorizations for object QUEUE01: 
    inq
    browse
    get
    put

 

Note that some Java applications will include the name of the Queue Manager, Queue or Topic, username and password being used in the request.

private static final String QMGR     = "MANAGER01";
private static final String QUEUE    = "QUEUE01";
private static final String USER     = "JohnDoe";
private static final String PASSWORD = "itsasecret";

 

Check the MQ Error Logs

Refer to IBM MQ - Error Logs for details on the MQ Error Logs. Here is an example of one possible exception in the Error Log, which identifies that channel "MANAGER01.CHANNEL01.SVR" was blocked. In this scenario, you would use the display chlauth command to confirm that "client.example.com" does indeed not have access to channel "MANAGER01.CHANNEL01.SVR".

The set chlauth command can be used to add authority to the channel.

mm/dd/yyyy hh:mm:ss - Process(18271.9654) User(mqm) Program(amqrmppa)
                    Host(mq.example.com) Installation(Installation1)
                    VRMF(9.1.0.3) QMgr(MANAGER01)
                    Time(yyyy-mm-ddThh:mm:ss.sss)
                    RemoteHost(10.1.2.3)
                    CommentInsert1(MANAGER01.CHANNEL01.SVR)
                    CommentInsert2(SERVER01 (10.4.5.6))
                    CommentInsert3(CLNTUSER(john.doe) ADDRESS(client.example.com))

AMQ9777E: Channel was blocked

EXPLANATION:
The inbound channel 'MANAGER01.CHANNEL01.SVR' was blocked from address 'client.example.com
(10.4.5.6)' because the active values of the channel matched a record
configured with USERSRC(NOACCESS). The active values of the channel were
'CLNTUSER(john.doe) ADDRESS(client.example.com)'.

 

Add a Comment




We will never share your name or email with anyone. Enter your email if you would like to be notified when we respond to your comment.




Please enter 6da3d in the box below so that we can be sure you are a human.




Comments

Web design by yours truely - me, myself, and I   |   jeremy.canfield@freekb.net   |