
WMQ 7.1 queue manager - RC 2035 MQRC_NOT_AUTHORIZED

微生翼
2023-12-01

Question

You create a new queue manager in WebSphere MQ 7.1 and you try to use a user id that is an MQ Administrator to remotely access the queue manager via a client connection. You get an error with reason code 2035:

2035 MQRC_NOT_AUTHORIZED

The same MQ Administrator can remotely access other MQ queue managers at version 6 or 7.0.x without problems.

Cause

You created a new queue manager in MQ 7.1. The default value for the new feature "Channel Authentication Records" (CHLAUTH) is ENABLED, as seen in runmqsc by running:

$ runmqsc QmgrName
DISPLAY QMGR CHLAUTH

AMQ8408: Display Queue Manager details.
QMNAME(TEST01) CHLAUTH(ENABLED)

The setting can be changed to DISABLED with:

ALTER QMGR CHLAUTH(DISABLED)

By default, the following 3 channel authentication records are generated when a new queue manager is created in 7.1 or upgraded to 7.1:

DISPLAY CHLAUTH(*)
1 : DISPLAY CHLAUTH(*)
AMQ8878: Display channel authentication record details.
CHLAUTH(SYSTEM.ADMIN.SVRCONN) TYPE(ADDRESSMAP)
ADDRESS(*) USERSRC(CHANNEL)
AMQ8878: Display channel authentication record details.
CHLAUTH(SYSTEM.*) TYPE(ADDRESSMAP)
ADDRESS(*) USERSRC(NOACCESS)
AMQ8878: Display channel authentication record details.
CHLAUTH(*) TYPE(BLOCKUSER)
USERLIST(*MQADMIN)

The last record blocks all remote channel access for any MQ Administrator. The effect is that non-administrative users can still connect if suitably authorized to do so, but administrative connections and anonymous connections are disallowed regardless of any Object Authority Manager (OAM) authorization settings. This means that new queue managers in V7.1 are much more secure by default than in previous versions, but with the trade-off that administrative access must be explicitly defined.
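
To check whether a queue manager still carries these defaults, the runmqsc output shown above can be parsed and compared against them. The following is an added example, not part of the original technote or of any IBM tooling; the function names and the sample text are constructed for illustration.

```python
import re

# Constructed sample: runmqsc output in the format shown on this page.
SAMPLE = """\
AMQ8408: Display Queue Manager details.
QMNAME(TEST01) CHLAUTH(ENABLED)
     1 : DISPLAY CHLAUTH(*)
AMQ8878: Display channel authentication record details.
CHLAUTH(SYSTEM.ADMIN.SVRCONN) TYPE(ADDRESSMAP)
ADDRESS(*) USERSRC(CHANNEL)
AMQ8878: Display channel authentication record details.
CHLAUTH(SYSTEM.*) TYPE(ADDRESSMAP)
ADDRESS(*) USERSRC(NOACCESS)
AMQ8878: Display channel authentication record details.
CHLAUTH(*) TYPE(BLOCKUSER)
USERLIST(*MQADMIN)
"""

ATTR = re.compile(r"([A-Z]+)\(([^)]*)\)")   # NAME(value) pairs
ECHO = re.compile(r"\d+ : ")                # runmqsc echo of the command typed

def parse(output):
    """Return (queue manager attributes, list of CHLAUTH records)."""
    qmgr, records, current = {}, [], None
    for line in map(str.strip, output.splitlines()):
        if line.startswith("AMQ8878"):      # header of one CHLAUTH record
            current = {}
            records.append(current)
        elif line.startswith("AMQ8408"):    # header of queue manager details
            current = qmgr
        elif line.startswith("AMQ") or ECHO.match(line):
            current = None                  # other message or command echo
        elif current is not None:
            current.update(ATTR.findall(line))
    return qmgr, records

def audit(output):
    """List deviations from the 7.1 defaults described above (hypothetical helper)."""
    qmgr, records = parse(output)
    def has(**want):
        return any(all(r.get(k) == v for k, v in want.items()) for r in records)
    findings = []
    if qmgr.get("CHLAUTH") != "ENABLED":
        findings.append("queue manager CHLAUTH is not ENABLED")
    if not has(CHLAUTH="*", TYPE="BLOCKUSER", USERLIST="*MQADMIN"):
        findings.append("BLOCKUSER *MQADMIN record for CHLAUTH(*) is missing")
    if not has(CHLAUTH="SYSTEM.*", TYPE="ADDRESSMAP", USERSRC="NOACCESS"):
        findings.append("NOACCESS record for CHLAUTH(SYSTEM.*) is missing")
    return findings
```

An empty list from audit() means CHLAUTH is enabled and both default blocking records are present; each string returned names one default that has been changed or removed.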
