Monday, November 12, 2012

IBM MQ object authorization for JMS clients

Assume you have a queue manager named QMA, a queue named QUEUE1, and an appropriate channel defined in your IBM WebSphere MQ instance with proper authorization records for group "mqclient", e.g. you did something like:

setmqaut -m QMA -t qmgr -g mqclient +connect
setmqaut -m QMA -n QUEUE1 -t q -g mqclient +get +put +browse

Now, if you can successfully connect to the queue manager and the queue from a non-JMS IBM MQ client, e.g. the sample get client application:

$ /opt/mqm/samp/bin/amqsgetc QUEUE1 QMA
Sample AMQSGET0 start
no more messages
Sample AMQSGET0 end
$

...but not from a Java JMS client using the WebSphere MQ client libraries, because you get a "MQRC_NOT_AUTHORIZED (2035)" error, then you might end up wondering what's wrong with your client. The answer is in the "MQRC_NOT_AUTHORIZED (2035) for Java client accessing server" technote at IBM:

Cause
The WebSphere MQ Java classes inquire on some of the queue manager attributes while connecting.

Resolving the problem
Give the user +inquire authority to the queue manager object.
Example:
setmqaut -m QMGR -t qmgr -p user1 +connect

So in our case:

setmqaut -m QMA -t qmgr -g mqclient +connect +inq
setmqaut -m QMA -n QUEUE1 -t q -g mqclient +get +put +browse +inq

Bottom line: if you plan to access your MQ objects from JMS clients, also give your clients +inquire authority. And yes, as the second line shows, this is needed not only for queue managers but for queues as well, regardless of whether you are using QueueBrowsers or MessageConsumers.

Note: Don't forget to REFRESH SECURITY in MQSC or restart your queue manager QMA after this.
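
The following added example (not from the original post or from IBM) checks dspmqaut output for the authorities granted above and prints the setmqaut command for whatever is missing. The function names, the sample listings and the dspmqaut output layout (a header line, then one authority per line) are assumptions.

```shell
# Added example (not from the original post): audit a group's MQ authorities
# against the set this post grants for JMS clients.

# Required authorities per object type, taken from the setmqaut lines above.
required_auths() {
    case "$1" in
        qmgr) echo "connect inq" ;;
        q)    echo "get put browse inq" ;;
        *)    return 1 ;;
    esac
}

# missing_auths TYPE: reads dspmqaut output on stdin and prints the required
# authorities that are absent (assumed format: header, one authority per line).
missing_auths() {
    req=$(required_auths "$1") || { echo "unknown type: $1" >&2; return 2; }
    granted=$(awk 'NF == 1 { print $1 }')
    missing=""
    for a in $req; do
        printf '%s\n' "$granted" | grep -qxF "$a" || missing="$missing $a"
    done
    echo "${missing# }"
}

# fix_command QMGR TYPE GROUP [OBJECT]: prints the setmqaut command that adds
# only what is missing, or nothing when the group already has everything.
fix_command() {
    qm=$1; otype=$2; group=$3; obj=${4:-}
    miss=$(missing_auths "$otype") || return
    if [ -z "$miss" ]; then return 0; fi
    flags=$(printf ' +%s' $miss)
    if [ "$otype" = qmgr ]; then
        echo "setmqaut -m $qm -t qmgr -g $group$flags"
    else
        echo "setmqaut -m $qm -n $obj -t $otype -g $group$flags"
    fi
}

# Constructed samples of what dspmqaut would show before the fix in this post.
SAMPLE_QMGR='Entity mqclient has the following authorizations for object QMA:
        connect'
SAMPLE_QUEUE='Entity mqclient has the following authorizations for object QUEUE1:
        get
        browse
        put'

printf '%s\n' "$SAMPLE_QMGR"  | fix_command QMA qmgr mqclient
printf '%s\n' "$SAMPLE_QUEUE" | fix_command QMA q mqclient QUEUE1
```

On a real system the input would come from `dspmqaut -m QMA -t qmgr -g mqclient` and `dspmqaut -m QMA -n QUEUE1 -t q -g mqclient`.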

3 comments:

  1. - I had an existing JMS client working with IBM WebSphere MQ. Later the MQ guys decided to upgrade. Now my JMS client is getting an exception - authorization issue - the MQ guys gave the right for MQDSP (MQ DISPLAY OPTION), then it worked fine.

    --> The MQ guys will revoke this right. They asked me to check my JMS code and remove the dependency on MQDSP DISPLAY OPTION.

    --> First, there is no request for MQDSP in my code; maybe it could be the JMS internal implementation.

    --> QueueSession session = conn.createQueueSession(false, QueueSession.AUTO_ACKNOWLEDGE);
    Message msg = createMessage(session, content, propertyMap);
    QueueSender sender = session.createSender(queue);
    conn.start();
    sender.send(msg);


    >>> QueueSession session = conn.createQueueSession(false, QueueSession.AUTO_ACKNOWLEDGE);
    Queue replyQueue = session.createTemporaryQueue();
    Message msg = createMessage(session, content, propertyMap);
    msg.setJMSReplyTo(replyQueue);
    QueueSender sender = session.createSender(queue);
    sender.setDeliveryMode(DeliveryMode.NON_PERSISTENT);
    QueueReceiver receiver = session.createReceiver(replyQueue);
    conn.start();
    sender.send(msg);
    Message reply = receiver.receive(timeout);
    if (reply instanceof TextMessage) {
        replyContent = ((TextMessage) reply).getText();
    }


    Kindly let me know why MQ DISPLAY OPTION is REQUIRED and what is triggering it, without which it fails.

    Replies
    1. Hi Moshin,

      I'm not sure what you are referring to by "MQDSP" and "MQ DISPLAY OPTION", but I guess it is the "display" (+dsp) authority in MQ. Also it's hard to tell anything without the exact exception including the line number that fails in your client code.
      Anyway, after a quick googling my guess is that temporary queue creation needs the +dsp authority on the model queue that is used for this purpose (SYSTEM.DEFAULT.MODEL.QUEUE by default).

      Sources:

      http://publib.boulder.ibm.com/infocenter/wmqfte/v7r0/index.jsp?topic=%2Fcom.ibm.wmqfte.doc%2Fgroup_resource_access.htm

      "Authority to create a temporary reply queue for file transfers

      File transfer requests wait for the transfer to complete and rely on a temporary reply queue being created and populated. Therefore grant any user that can run a file transfer command DISPLAY, PUT, GET, and BROWSE authorities on the temporary model queue definition as it is known to the agent. By default this is SYSTEM.DEFAULT.MODEL.QUEUE [...]"

      http://www-01.ibm.com/support/docview.wss?uid=swg21595102
      "[...] By default, MQ uses the queue 'SYSTEM.DEFAULT.MODEL.QUEUE' to support temporary queue creation so appropriate authority must be granted to the MQ userid [...]"

      BTW usually you can find the resources needed on the following pages:
      WebSphere MQ forums: http://www.ibm.com/developerworks/forums/forum.jspa?forumID=280
      MQSeries.net forums: http://www.mqseries.net/phpBB2/index.php
      IBM support page: http://www.ibm.com/support/

      Hope this helps,
      Patrik
