Error 2035 ('MQRC_NOT_AUTHORIZED') from HermesJMS to MQ8

Question

I am accessing an MQ8 server using HermesJms.

The latter has the following configuration:

However, when I am trying to "Discover" via the relevant option provided by Hermes, I get an 2035 with the following message appearing on the queue manager error logs:

AMQ9557: Queue Manager User ID initialization failed for 'pkaramol'.

EXPLANATION:
The call to initialize the User ID 'pkaramol' failed with CompCode 2 and Reason
2035.

Note that pkaramol is my local OS user I am logged in as, in the linux machine running Hermes.

Questions:

1) Why I get the following error despite the fact that I have disabled both CHLAUTH and CONNAUTH:

ALTER QMGR CHLAUTH(DISABLED) CONNAUTH(' ')

REFRESH SECURITY TYPE(CONNAUTH)

2) Why is the server perceiving pkaramol as the user trying to access the queue manager, although I am explicitly providing mquser in both ClientID and user fields of HermesJMS?

Answer 1

I cannot find much documentation on HermesJMS, but through some trial and error I found out that it does not honor the User and Password settings if you click Discover, it will always send the user you are logged in as to the queue manager, this is why you do not see the user mquser. Because you are running it as the user pkaramol which does not exist on the server where your queue manager is running you receive the following error:

AMQ9557: Queue Manager User ID initialization failed for 'pkaramol'.

I also found that to perform the discover it opens a temporary dynamic queue using the model queue SYSTEM.DEFAULT.MODEL.QUEUE and puts PCF messages to the SYSTEM.ADMIN.COMMAND.QUEUE. In addition for it to discover any queue details you must have at minimum +inq and +dsp on the queues.

In your comment you stated you added the user pkaramol to the server and put it in the mqm group. While this is a quick way to get this to work, it does provide that user full MQ Admin access. You could provide your actual user with the following permissions and still be able to Discover all of the objects on the queue manager. Please replace the word group below with a group your user is a member of on the server:

setmqaut -m DMSQM -t qmgr -g group +connect +inq +dsp
setmqaut -m DMSQM -n SYSTEM.ADMIN.COMMAND.QUEUE -t queue -g group +inq +put +dsp
setmqaut -m DMSQM -n SYSTEM.DEFAULT.MODEL.QUEUE -t queue -g group +get +dsp
setmqaut -m DMSQM -n '**' -t queue -g group +inq +dsp

I also noted that once you have queues populated either through Discover or manually adding them, it will use the User that you specified.

Note that with CHLAUTH and CONNAUTH disabled the queue manager is taking whatever user is presented and using it. You could leave CONNAUTH enabled and specify a valid user and password and MQ would authenticate it.

Another option since Discover does not honor the User setting would be to set a MCAUSER on the SVRCONN channel of mquser.

Answer 2

You need to give the UserId 'pkaramol' permission to access the queue manager and the queues via the setmqaut command.