Bootstrap FreeKB - IBM MQ - Resolve "MQRC_SECURITY_ERROR"
IBM MQ - Resolve "MQRC_SECURITY_ERROR"
Updated:   |  IBM MQ articles

Let's say you are getting the following error when attempting to connect to an IBM MQ queue manager.

JMSCMQ0001: WebSphere MQ call failed with compcode '2' ('MQCC_FAILED') reason '2063' ('MQRC_SECURITY_ERROR').

 

Sometimes, this error is preceded by JMSWMQ0018 Failed to connect to queue manager.

Sometimes this may be due to an LDAP issue. Let's say the IBM MQ error log has the following. In this example, LDAP user john.doe is unable to connect to queue manager MANAGER01.

----- amqzfula.c : 3092 -------------------------------------------------------
12/14/2020 04:34:35 AM - Process(35455.636659) User(mqm) Program(amqzlaa0)
                    Host(mq.example.com) Installation(Installation1)
                    VRMF(9.1.0.5) QMgr(MANAGER01)
                    Time(2020-12-14T10:34:35.070Z)
                    ArithInsert1(81)
                    CommentInsert1(ldap_simple_bind)
                    CommentInsert2(Can't contact LDAP server)
                    CommentInsert3(cn=john.doe,ou=MQ,ou=Appmgmt,ou=svcs,o=acme)

AMQ5530E: Error from LDAP authentication and authorization service

EXPLANATION:
The LDAP authentication and authorization service has failed. The
'ldap_simple_bind' call returned error 81 : 'Can't contact LDAP server'.  The
context string is 'cn=john.doe,ou=MQ,ou=Appmgmt,ou=svcs,o=acme'. Additional
code is 0.
ACTION:
Correct the LDAP configuration. Look at the LDAP server logs for additional
error information.

 

On the MQ server, use the dspmq command to ensure the queue manager is running. If the queue manager is not running, use the strmqm command to start the queue manager.

QMNAME(MANAGER01)    STATUS(Running)

 

Use the display lsstatus command to ensure the queue manager listener is running and is using the port identifies in the error message.

LISTENER(LISTENER01)                    STATUS(RUNNING)
PID(92928)                              STARTDA(2020-06-09)
STARTTI(04.00.53)                       DESCR( )
TRPTYPE(TCP)                            CONTROL(QMGR)
IPADDR(*)                               PORT(5201)
BACKLOG(100)

 

The display qmgr command can be used to determine if the queue manager is configured to use LDAP. In this example, the queue manager named MANAGER01 is using MANAGER01.LDAP.AUTHINFO.

CONNAUTH(MANAGER01.LDAP.AUTHINFO)

 

The display authinfo command can be used to determine if MANAGER01.LDAP.AUTHINFO authentication type is IDPWLDAP (it should be).

AUTHINFO(MANAGER01.LDAP.AUTHINFO)        AUTHTYPE(IDPWLDAP)

 

The display qmstatus ldapconn command can be used to determine if the queue manager is running and connected to LDAP.

QMNAME(MANAGER01)                        STATUS(RUNNING)
LDAPCONN(CONNECTED)

 

Did you find this article helpful?

If so, consider buying me a coffee over at Buy Me A Coffee


Comments


Add a Comment


Please enter be4d47 in the box below so that we can be sure you are a human.