| Author |
Message
|
| pandeg |
 Posted: Thu May 19, 2016 1:30 pm Post subject: Am i connecting MQJMS application as 'root' user |
 |
|
Disciple
Joined: 21 Oct 2014
Posts: 195
|
I am getting below message in MQ error log when connecting from JMS application using server connection channel.
AMQ8077: Entity 'root' has insufficient authority to access object 'QMS001'.
EXPLANATION:
The specified entity is not authorized to access the required object. The
following requested permissions are unauthorized: connect
ACTION:
Ensure that the correct level of authority has been set for this entity against
the required object, or ensure that the entity is a member of a privileged
group.
AMQ9557: Queue Manager User ID initialization failed for 'root'.
EXPLANATION:
The call to initialize the User ID 'root' failed with CompCode 2 and Reason
2035.
ACTION:
Correct the error and try again.
When i checked groups for root it is showing me below information
groups root
root : root bin daemon sys adm disk wheel
also we have another root user (ltpuser) and when i checked for groups i got below information
groups ltpuser
ltpuser : usrs root mqm
We have disabled CHLAUTH in Queue Manager and MCAUSER is blank as we are not using any authentication. MQ version is 8 and MQ jar version 7.0.1.9 |
|
| Back to top |
|
 |
| fjb_saper |
| Posted: Thu May 19, 2016 3:46 pm Post subject: |
|
|
Grand High Poobah
Joined: 18 Nov 2003
Posts: 20756
Location: LI,NY
|
So what exactly is your question?
Tell us which userid is running the queue manager? 
_________________
MQ & Broker admin |
|
| Back to top |
|
|
| exerk |
| Posted: Thu May 19, 2016 3:53 pm Post subject: Re: Am i connecting MQJMS application as 'root' user |
|
|
Jedi Council
Joined: 02 Nov 2006
Posts: 6339
|
| pandeg wrote: |
| AMQ8077: Entity 'root' has insufficient authority to access object 'QMS001'. |
Have you by any chance set an MCAUSER value of 'root' in the SVRCONN?
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
|
| Back to top |
|
|
| pandeg |
| Posted: Mon May 23, 2016 6:27 am Post subject: |
|
|
Disciple
Joined: 21 Oct 2014
Posts: 195
|
| fjb_saper wrote: |
So what exactly is your question?
Tell us which userid is running the queue manager? |
we are running Queue Manager with 'mqm' user |
|
| Back to top |
|
|
| pandeg |
| Posted: Mon May 23, 2016 6:28 am Post subject: Re: Am i connecting MQJMS application as 'root' user |
|
|
Disciple
Joined: 21 Oct 2014
Posts: 195
|
| exerk wrote: |
| pandeg wrote: |
| AMQ8077: Entity 'root' has insufficient authority to access object 'QMS001'. |
Have you by any chance set an MCAUSER value of 'root' in the SVRCONN? |
No, MCAUSER Is set to blank for SVRCONN. I tried to add the 'root' user to mqm in the client machine to check if it works. Got the same result |
|
| Back to top |
|
|
| exerk |
| Posted: Mon May 23, 2016 6:43 am Post subject: Re: Am i connecting MQJMS application as 'root' user |
|
|
Jedi Council
Joined: 02 Nov 2006
Posts: 6339
|
| pandeg wrote: |
| exerk wrote: |
| pandeg wrote: |
| AMQ8077: Entity 'root' has insufficient authority to access object 'QMS001'. |
Have you by any chance set an MCAUSER value of 'root' in the SVRCONN? |
No, MCAUSER Is set to blank for SVRCONN. I tried to add the 'root' user to mqm in the client machine to check if it works. Got the same result |
My apologies, I missed the fact you stated no MCAUSER value in your original post 
So which user are you running the JMS application under?
And just because CHLAUTH is disabled in the queue manager does not mean that no authority checking is carried out - with a blank MCAUSER the user name flowed will be checked against the local, i.e. queue manager's, OAM.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
|
| Back to top |
|
|
| pandeg |
| Posted: Mon May 23, 2016 7:50 am Post subject: Re: Am i connecting MQJMS application as 'root' user |
|
|
Disciple
Joined: 21 Oct 2014
Posts: 195
|
| Quote: |
So which user are you running the JMS application under?
|
'root' user |
|
| Back to top |
|
|
| mqjeff |
| Posted: Mon May 23, 2016 8:34 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008
Posts: 17447
|
are you supplying a user id to the QCF when you connect?
_________________
chmod -R ugo-wx / |
|
| Back to top |
|
|
| pandeg |
| Posted: Mon May 23, 2016 9:44 am Post subject: |
|
|
Disciple
Joined: 21 Oct 2014
Posts: 195
|
| mqjeff wrote: |
| are you supplying a user id to the QCF when you connect? |
no we are not supplying any user id to QCF. |
|
| Back to top |
|
|
| mqjeff |
| Posted: Mon May 23, 2016 9:46 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008
Posts: 17447
|
| pandeg wrote: |
| mqjeff wrote: |
| are you supplying a user id to the QCF when you connect? |
no we are not supplying any user id to QCF. |
then you are likely connecting to the queue manager as an 'empty' user, which will turn into mqm on the qmgr side.
Also, I didn't mean a user id *in* the qcf configuration. I meant one when you ask the qcf to give you a queueconnection. I.e. you call the connect method.
_________________
chmod -R ugo-wx / |
|
| Back to top |
|
|
| pandeg |
| Posted: Mon May 23, 2016 11:22 am Post subject: |
|
|
Disciple
Joined: 21 Oct 2014
Posts: 195
|
| Quote: |
then you are likely connecting to the queue manager as an 'empty' user, which will turn into mqm on the qmgr side. |
If that's the case , Queue Manager is also running as mqm user and it should allow the client application to connect to it, but as per the log it is identifying the user as 'root' and rejecting it. |
|
| Back to top |
|
|
| exerk |
| Posted: Mon May 23, 2016 12:21 pm Post subject: |
|
|
Jedi Council
Joined: 02 Nov 2006
Posts: 6339
|
| pandeg wrote: |
| Quote: |
then you are likely connecting to the queue manager as an 'empty' user, which will turn into mqm on the qmgr side. |
If that's the case , Queue Manager is also running as mqm user and it should allow the client application to connect to it, but as per the log it is identifying the user as 'root' and rejecting it. |
Then supply a user that will not be rejected or use an MCAUSER value in the SVRCONN, one that is authorised for connect and whatever else you need it to do.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
|
| Back to top |
|
|
|
|
