WMQ 7.1 queue manager - RC 2035 MQRC_NOT_AUTHORIZED
Question
You create a new queue manager in WebSphere MQ 7.1 and you try to use a user id that is an MQ Administrator to remotely access the queue manager via a client connection. You get an error with reason code 2035:
2035 MQRC_NOT_AUTHORIZED
The MQ Administrator can remotely access without problems other MQ queue managers at version 6 or 7.0.x.
Cause
You created a new queue manager in MQ 7.1. The default value for the new feature "Channel Authentication Records" (CHLAUTH) is ENABLED, as seen in runmqsc by running:
$ runmqsc QmgrName
DISPLAY QMGR CHLAUTH
AMQ8408: Display Queue Manager details.
QMNAME(TEST01) CHLAUTH(ENABLED)
Alter QMGR CHLAUTH(DISABLED)
By default, the following 3 channel authentication records are generated when a new queue manager is created in 7.1 or upgraded to 7.1:
DISPLAY CHLAUTH(*)
1 : DISPLAY CHLAUTH(*)
AMQ8878: Display channel authentication record details.
CHLAUTH(SYSTEM.ADMIN.SVRCONN) TYPE(ADDRESSMAP)
ADDRESS(*) USERSRC(CHANNEL)
AMQ8878: Display channel authentication record details.
CHLAUTH(SYSTEM.*) TYPE(ADDRESSMAP)
ADDRESS(*) USERSRC(NOACCESS)
AMQ8878: Display channel authentication record details.
CHLAUTH(*) TYPE(BLOCKUSER)
USERLIST(*MQADMIN)
The last record blocks all remote channel access to any MQ Administrator. The effect is that non-administrative users can still connect if suitably authorized to do so, but administrative connections and anonymous connections are disallowed regardless of any Object Authority Manager (OAM) authorization settings. This means that new queue managers in V7.1 are much more secure by default than in previous versions, but with the trade off that administrative access must be explicitly defined.