1

I am accessing an MQ8 server using HermesJms.

The latter has the following configuration:

enter image description here

However, when I am trying to "Discover" via the relevant option provided by Hermes, I get an 2035 with the following message appearing on the queue manager error logs:

AMQ9557: Queue Manager User ID initialization failed for 'pkaramol'.

EXPLANATION:
The call to initialize the User ID 'pkaramol' failed with CompCode 2 and Reason
2035.

Note that pkaramol is my local OS user I am logged in as, in the linux machine running Hermes.

Questions:

1) Why I get the following error despite the fact that I have disabled both CHLAUTH and CONNAUTH:

ALTER QMGR CHLAUTH(DISABLED) CONNAUTH(' ')

REFRESH SECURITY TYPE(CONNAUTH)

2) Why is the server perceiving pkaramol as the user trying to access the queue manager, although I am explicitly providing mquser in both ClientID and user fields of HermesJMS?

JoshMc
  • 10,239
  • 2
  • 19
  • 38
pkaramol
  • 16,451
  • 43
  • 149
  • 324
  • Are there any other errors with the same timestamp in the query manager's AMQERR01.LOG? – JoshMc Aug 28 '17 at 16:24
  • Does the error also say `If an MQCSP block was used, the User ID in the MQCSP block was 'mquser'.` Can you confirm what version of HermesJMS you are using and if you are starting it with any special flags? – JoshMc Aug 29 '17 at 00:35
  • @JoshMc no, there are no other errors, nor does the MQSCP message is printed. I managed to get around my error by creating a `pkaramol` system user on the server and adding him to `mqm` group but this does not seem the proper way to go about this. – pkaramol Aug 29 '17 at 07:31
  • Yes, you need the UserId to be known on the server where the queue manager is running. Secondly, putting the UserId in the 'mqm' group is BAD, BAD idea. You just have circumvented security. Remove your UserId from the mqm group and use setmqaut command to set the proper authorizations (permissions). – Roger Aug 29 '17 at 16:16
  • Depending on your use case, your could be interested in [JMSToolBox](https://sourceforge.net/projects/jmstoolbox) which is simpler to use and configure – titou10 Aug 31 '17 at 02:09
  • Could anyone please provide details to resolve this issue? Basically, what fixed the issue? I'm running into the same problem. Appreciate any help or insgiht. Thanks in advance! – testbg testbg May 20 '21 at 10:02
  • @pkaramol - Could you please let me know what fixed the issue? I'm also having the same issue. Could you provide the sample Dockerfile? Any help would be greatly appreciated. Thanks in advance! – testbg testbg May 20 '21 at 10:17

2 Answers2

1

I cannot find much documentation on HermesJMS, but through some trial and error I found out that it does not honor the User and Password settings if you click Discover, it will always send the user you are logged in as to the queue manager, this is why you do not see the user mquser. Because you are running it as the user pkaramol which does not exist on the server where your queue manager is running you receive the following error:

AMQ9557: Queue Manager User ID initialization failed for 'pkaramol'.

I also found that to perform the discover it opens a temporary dynamic queue using the model queue SYSTEM.DEFAULT.MODEL.QUEUE and puts PCF messages to the SYSTEM.ADMIN.COMMAND.QUEUE. In addition for it to discover any queue details you must have at minimum +inq and +dsp on the queues.

In your comment you stated you added the user pkaramol to the server and put it in the mqm group. While this is a quick way to get this to work, it does provide that user full MQ Admin access. You could provide your actual user with the following permissions and still be able to Discover all of the objects on the queue manager. Please replace the word group below with a group your user is a member of on the server:

setmqaut -m DMSQM -t qmgr -g group +connect +inq +dsp
setmqaut -m DMSQM -n SYSTEM.ADMIN.COMMAND.QUEUE -t queue -g group +inq +put +dsp
setmqaut -m DMSQM -n SYSTEM.DEFAULT.MODEL.QUEUE -t queue -g group +get +dsp
setmqaut -m DMSQM -n '**' -t queue -g group +inq +dsp

I also noted that once you have queues populated either through Discover or manually adding them, it will use the User that you specified.

Note that with CHLAUTH and CONNAUTH disabled the queue manager is taking whatever user is presented and using it. You could leave CONNAUTH enabled and specify a valid user and password and MQ would authenticate it.

Another option since Discover does not honor the User setting would be to set a MCAUSER on the SVRCONN channel of mquser.

JoshMc
  • 10,239
  • 2
  • 19
  • 38
  • @pkaramol what version of HermesJMS are you using? – JoshMc Aug 30 '17 at 11:39
  • I am using 1.14 on Ubuntu 16.04, but this has been noticed on Windows users also. – pkaramol Aug 30 '17 at 11:49
  • @Pkaramol - Could you please provide details on how you resolved the issue? I'm running into the same issue. Any info. or details would be greatly helpful for me. Thanks in advance! – testbg testbg May 20 '21 at 10:19
-2

You need to give the UserId 'pkaramol' permission to access the queue manager and the queues via the setmqaut command.

Cody Gray - on strike
  • 239,200
  • 50
  • 490
  • 574
Roger
  • 7,062
  • 13
  • 20
  • 1
    He got confused by how you phrased the answer in the form of a question, rather than as a statement. It's a common problem; we have lots of people trying to abuse the answer box to ask clarification questions. I've adjusted the wording so that shouldn't be a problem in the future. – Cody Gray - on strike Aug 29 '17 at 16:24