Resolving CHLAUTH access issues

Steps and examples to resolve certain access issues when using channel authentication records (CHLAUTH).

Before you begin

Note: The steps in this task require you to run MQSC commands. How you do this varies by platform. See Administering IBM® MQ using MQSC commands.

About this task

There are three default rules for CHLAUTH processing:
  • NO ACCESS to all channels by any MQ-admin user (a BLOCKUSER rule with USERLIST(*MQADMIN))
  • NO ACCESS to all SYSTEM.* channels by all users (an ADDRESSMAP rule with USERSRC(NOACCESS))
  • ALLOW access to the SYSTEM.ADMIN.SVRCONN channel for non MQ-admin users (an ADDRESSMAP rule with USERSRC(CHANNEL))
The first rule blocks MQ-admin users on every channel, and the second blocks every user on the SYSTEM.* channels. The third rule is more specific than the second, so it takes precedence if the channel is SYSTEM.ADMIN.SVRCONN, allowing access on that channel. It does not override the first rule: mapping rules are applied first, and the BLOCKUSER rule is then checked against the resulting user ID, so an MQ-admin user is still blocked on SYSTEM.ADMIN.SVRCONN.
CHLAUTH rules determine whether an inbound channel is allowed to start, and they can also map the connection, through MCAUSER, to a different user ID. When a channel is refused by a CHLAUTH rule, the following errors are commonly reported:
  • RC 2035 MQRC_NOT_AUTHORIZED
  • RC 2059 MQRC_Q_MGR_NOT_AVAILABLE
  • AMQ4036 Access not permitted
  • AMQ9776: Channel was blocked by userid
  • AMQ9777: Channel was blocked
  • MQJE001: An MQException occurred: Completion Code 2, Reason 2035
  • MQJE036: Queue manager rejected connection attempt

The recommended approach is to keep access blocked by default and then add specific CHLAUTH rules that grant access only to the users, addresses and TLS identities that should be able to start each channel.

As a temporary measure, and to troubleshoot the errors listed, complete any of the following steps.

Procedure

  • Disable CHLAUTH rules

    As a temporary measure, and also to troubleshoot the errors above, you can disable CHLAUTH rules. If disabling them resolves the connection issue, you know that a CHLAUTH rule was the cause. Note that disabling CHLAUTH switches off all channel authentication on the queue manager, including the default rule that blocks MQ-admin users, so keep the window short and re-enable the rules (ALTER QMGR CHLAUTH (ENABLED)) as soon as the diagnosis is done.

    To disable CHLAUTH rules run the following MQSC command:
    ALTER QMGR CHLAUTH (DISABLED)
    The queue manager attribute accepts only ENABLED or DISABLED. To observe a rule without enforcing it, leave CHLAUTH enabled and set WARN(YES) on the individual rule instead: a connection that matches the rule is then allowed, and the queue manager records in its error log, and as a channel event, what the rule would have done.
  • Modify or remove CHLAUTH rules

    You can also delete or modify the CHLAUTH rule, or rules, causing your problem.

    To modify a CHLAUTH rule, use the SET CHLAUTH command with ACTION (REPLACE). For example, to change the default rule that blocks MQ-admin users on all channels so that it warns instead of blocking, run the following MQSC command (on one line):

    SET CHLAUTH (*) TYPE (BLOCKUSER) USERLIST (*MQADMIN) WARN(YES) ACTION (REPLACE)
    To delete a CHLAUTH rule, use the SET CHLAUTH command with ACTION (REMOVE). For example, to delete the default rule that blocks MQ-admin users on all channels, run the following MQSC command:

    SET CHLAUTH (*) TYPE (BLOCKUSER) USERLIST (*MQADMIN) ACTION (REMOVE)
    Removing that rule lets administrative user IDs connect over any channel with whatever identity the client asserts, so prefer WARN(YES), or a narrower rule for the one channel concerned, over deleting it outright.
  • Test access using MATCH (RUNCHECK)
    You can test the result of your CHLAUTH rules with the MATCH (RUNCHECK) option of the DISPLAY CHLAUTH command. MATCH (RUNCHECK) returns the record that a specific inbound connection would match at run time if it connected to this queue manager, without the client having to try. You must provide:
    • The channel name, which must be a specific channel name rather than a generic one
    • ADDRESS attribute
    • SSLPEER attribute, only if the inbound channel uses TLS
    • QMNAME, if the inbound channel is a queue manager channel, or
    • CLNTUSER attribute, if the inbound channel is a client channel
    The following example runs an MQSC command to check which CHLAUTH rule applies, with the default rules in place, when MQ-admin user johndoe connects on a channel named CHAN1:

    DISPLAY CHLAUTH (CHAN1) MATCH (RUNCHECK) CLNTUSER ('johndoe') ADDRESS ('192.168.1.138')

    AMQ8878: Display channel authentication record details.
    CHLAUTH(*) TYPE(BLOCKUSER)
    USERLIST(*MQADMIN)
    For user johndoe the channel does not run: the connection is blocked by the BLOCKUSER rule for *MQADMIN users.
    The following example checks which CHLAUTH rule applies, with the default rules in place, when user alice, who is not an MQ-admin user, connects on a channel named CHAN1:

    DISPLAY CHLAUTH (CHAN1) MATCH (RUNCHECK) CLNTUSER ('alice') ADDRESS ('192.168.1.138')
    
    AMQ9783: Channel will run using MCAUSER('alice').
    For user alice, the channel runs, and the channel passes alice in as the MCAUSER. The MCAUSER is the user ID used to check IBM MQ object authorities.
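
The procedure above, as an added shell example that is not part of the IBM MQ documentation or product: it generates the "block strictly, then allow" rule set for one server-connection channel, pipes it to runmqsc, and classifies DISPLAY CHLAUTH MATCH (RUNCHECK) output so a list of expected client identities can be re-checked after every CHLAUTH change. The queue manager QM1, channel APP1.SVRCONN, subnet 10.20.30.*, MCAUSER app1user and the TLS distinguished name are assumptions for illustration, as is the exact wording of RUNCHECK output beyond the two messages (AMQ8878 and AMQ9783) shown on this page.

```shell
#!/bin/sh
# Added example, not from the IBM MQ documentation: a POSIX shell toolkit that
# (1) emits an allow-list CHLAUTH rule set for one SVRCONN channel and
# (2) classifies DISPLAY CHLAUTH ... MATCH(RUNCHECK) output so a set of client
# identities can be regression-tested after a CHLAUTH change.
# Assumed names (not from the page): queue manager QM1, channel APP1.SVRCONN,
# subnet 10.20.30.*, MCAUSER app1user, TLS DN CN=app1client,O=Example.

# Emit the MQSC for one channel. ACTION(REPLACE) adds the record if it is
# absent and overwrites it if present, so the script can be re-run safely.
# MQ selects the most specific matching record regardless of order; the
# deny-all record is listed first only so the intent reads top-down.
chlauth_hardening_mqsc() {
    chan="$1"; subnet="$2"; mcauser="$3"; peer="$4"
    cat <<EOF
* Deny every address on $chan unless a more specific record maps it.
SET CHLAUTH('$chan') TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(NOACCESS) DESCR('Default deny') ACTION(REPLACE)
* Allow the application subnet and force MCAUSER to $mcauser, ignoring the
* user ID the client asserts.
SET CHLAUTH('$chan') TYPE(ADDRESSMAP) ADDRESS('$subnet') USERSRC(MAP) MCAUSER('$mcauser') DESCR('App subnet') ACTION(REPLACE)
* A TLS-authenticated client DN also maps to $mcauser. SSLPEERMAP records
* take precedence over ADDRESSMAP records for the same connection.
SET CHLAUTH('$chan') TYPE(SSLPEERMAP) SSLPEER('$peer') ADDRESS('$subnet') USERSRC(MAP) MCAUSER('$mcauser') DESCR('TLS client') ACTION(REPLACE)
* Keep the default rule that blocks MQ administrators on every channel.
SET CHLAUTH('*') TYPE(BLOCKUSER) USERLIST('*MQADMIN') ACTION(REPLACE)
EOF
}

# Pipe the generated MQSC into a live queue manager (needs runmqsc on PATH).
apply_chlauth_hardening() {
    qm="$1"; shift
    chlauth_hardening_mqsc "$@" | runmqsc "$qm"
}

# Classify one RUNCHECK response. Prints BLOCK, ALLOW:<mcauser>,
# ALLOW:client-asserted (a USERSRC(CHANNEL) record), or UNKNOWN.
# AMQ8878 record displays and AMQ9783 are the forms shown on the page; the
# USERSRC(...) attribute forms are as DISPLAY CHLAUTH prints a record.
chlauth_verdict() {
    out="$1"
    case "$out" in
        *"USERSRC(NOACCESS)"*|*"TYPE(BLOCKUSER)"*)
            printf 'BLOCK\n' ;;
        *AMQ9783*|*"USERSRC(MAP)"*)
            # MCAUSER is quoted in AMQ9783 and unquoted in a record display.
            mca=$(printf '%s\n' "$out" | sed -n "s/.*MCAUSER('*\([^')]*\)'*).*/\1/p" | head -n 1)
            printf 'ALLOW:%s\n' "$mca" ;;
        *"USERSRC(CHANNEL)"*)
            printf 'ALLOW:client-asserted\n' ;;
        *)
            printf 'UNKNOWN\n' ;;
    esac
}

# Build the RUNCHECK command for one client. The channel name must be a
# specific name, not a generic one, or MQ rejects the RUNCHECK.
runcheck_mqsc() {
    chan="$1"; user="$2"; addr="$3"; peer="$4"
    cmd="DISPLAY CHLAUTH('$chan') MATCH(RUNCHECK) CLNTUSER('$user') ADDRESS('$addr')"
    [ -n "$peer" ] && cmd="$cmd SSLPEER('$peer')"
    printf '%s\n' "$cmd"
}

# Run one RUNCHECK against a live queue manager and print the verdict.
runcheck() {
    qm="$1"; shift
    chlauth_verdict "$(runcheck_mqsc "$@" | runmqsc "$qm" 2>&1)"
}

# Regression test: read "user address expected [sslpeer]" lines from stdin,
# run each RUNCHECK, and return non-zero if any verdict differs, e.g.
#   printf 'alice 10.20.30.15 ALLOW:app1user\nmqm 192.0.2.7 BLOCK\n' \
#     | runcheck_batch QM1 APP1.SVRCONN
runcheck_batch() {
    qm="$1"; chan="$2"; rc=0
    while read -r user addr expected peer; do
        got=$(runcheck "$qm" "$chan" "$user" "$addr" "$peer")
        if [ "$got" = "$expected" ]; then
            printf 'ok   %-12s %-16s %s\n' "$user" "$addr" "$got"
        else
            printf 'FAIL %-12s %-16s got %s, expected %s\n' "$user" "$addr" "$got" "$expected"
            rc=1
        fi
    done
    return $rc
}
```

Apply the rule set with `apply_chlauth_hardening QM1 APP1.SVRCONN '10.20.30.*' app1user 'CN=app1client,O=Example'`, then feed `runcheck_batch` the identities that should and should not be able to connect; running the batch before and after a CHLAUTH change shows exactly which client would be affected without any client having to try. CHLAUTH only decides whether a channel starts and which MCAUSER it runs under; it does not verify a password, so a USERSRC(MAP) rule like the one above should be paired with connection authentication (CONNAUTH) or TLS client certificates if the client's identity has to be proven rather than merely asserted.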