MQ Series V9 - MQCONNX ended with reason code 2035 with new user

OlliP (Systems Engineer, DE)
Mar 19, 2021
Hi,

I'm struggling with using a new userid in a Windows 10 Pro environment, and I hope you can help me with my problem.
I know there are a lot of threads with the same error, but I couldn't find my solution.

I have an 'MQ-Series' group with the name mqclient. In this group I will connect all the users which should work with the new queue manager and objects.

Let's define some names:
Windows group: mqclient
Windows root user: proroot (that is the Windows admin and installer of MQ)
Windows normal user1: app
Windows normal user2: mquser
other/more users will be necessary

As 'proroot' I made the following definitions in MQ:

crtmqm QM1
strmqm QM1

STOP LISTENER('SYSTEM.DEFAULT.LISTENER.TCP') IGNSTATE(YES)

DEFINE QLOCAL('DEV.QUEUE.1') REPLACE
DEFINE QLOCAL('DEV.QUEUE.2') REPLACE
DEFINE QLOCAL('DEV.QUEUE.3') REPLACE
DEFINE QLOCAL('DEV.DEAD.LETTER.QUEUE') REPLACE

ALTER QMGR DEADQ('DEV.DEAD.LETTER.QUEUE')

DEFINE TOPIC('DEV.BASE.TOPIC') TOPICSTR('dev/') REPLACE

DEFINE AUTHINFO('DEV.AUTHINFO') AUTHTYPE(IDPWOS) CHCKCLNT(REQDADM) CHCKLOCL(OPTIONAL) ADOPTCTX(YES) REPLACE

ALTER QMGR CONNAUTH('DEV.AUTHINFO')

REFRESH SECURITY(*) TYPE(CONNAUTH)

DEFINE CHANNEL('DEV.ADMIN.SVRCONN') CHLTYPE(SVRCONN) REPLACE
DEFINE CHANNEL('DEV.APP.SVRCONN') CHLTYPE(SVRCONN) MCAUSER('app') REPLACE

SET CHLAUTH('*') TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(NOACCESS) DESCR('Back-stop rule - Blocks everyone') ACTION(REPLACE)
SET CHLAUTH('DEV.APP.SVRCONN') TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(CHANNEL) CHCKCLNT(REQUIRED) DESCR('Allows connection via APP channel') ACTION(REPLACE)
SET CHLAUTH('DEV.ADMIN.SVRCONN') TYPE(BLOCKUSER) USERLIST('nobody') DESCR('Allows admins on ADMIN channel') ACTION(REPLACE)
SET CHLAUTH('DEV.ADMIN.SVRCONN') TYPE(USERMAP) CLNTUSER('admin') USERSRC(CHANNEL) DESCR('Allows admin user to connect via ADMIN channel') ACTION(REPLACE)

DEFINE LISTENER('DEV.LISTENER.TCP') TRPTYPE(TCP) PORT(1414) CONTROL(QMGR) REPLACE

START LISTENER('DEV.LISTENER.TCP') IGNSTATE(YES)

setmqaut -m QM1 -t qmgr -g mqclient +connect +inq
setmqaut -m QM1 -n DEV.** -t queue -g mqclient +put +get +browse +inq

Everything is local on Windows.

In a DOS box I can now:

set MQSERVER=DEV.APP.SVRCONN/TCP/localhost(1414)
set MQSAMP_USER_ID=app

amqsputc DEV.QUEUE.1 QM1
==> THIS WORKS FINE!!! and I can append messages.

But when I set in the same DOS box
set MQSAMP_USER_ID=mquser
amqsputc DEV.QUEUE.1 QM1

I entered the password and received 'MQCONNX ended with reason code 2035'.

In my opinion the advantage of Windows groups should be to grant rights to one group and to
connect many users in this group without thinking twice about rights in MQ.

But this doesn't work.

How can I solve this problem? I hope you can help me.

Thanks a lot.

OlliP


==> SOLUTION: I've read the whole day and found the solution for that problem...

If someone changes a user or a group in windows, then you can only work with the changed rights after logging on to Windows again.

A restart of the queue manager and/or MQ Explorer is not sufficient. A new DOS box is not enough!

It's very simple, but you don't think it works. But it's just Windows.
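
A way to check the situation described in the post, as an added example that is not part of the original thread: this PowerShell script compares what Windows lists as members of the local group mqclient with the authority the queue manager reports for the principal mquser through dspmqaut. It assumes it is run by an MQ administrator on the machine hosting QM1 with the MQ bin directory on PATH; the function name Get-MqAuthority, the variable names and the verdict texts are made up for this example.

```powershell
# Added diagnostic example. Object names come from the post: QM1, mqclient, mquser, DEV.QUEUE.1.
$QMgr  = 'QM1'
$Group = 'mqclient'
$User  = 'mquser'
$Queue = 'DEV.QUEUE.1'

# 1. Windows view: is the user listed as a member of the local group?
$members = Get-LocalGroupMember -Group $Group -ErrorAction Stop
$inGroup = [bool]($members | Where-Object { $_.Name -like "*\$User" })

# 2. MQ view: authorities the queue manager reports for a principal (p) or group (g).
#    Get-MqAuthority is a hypothetical helper around the real dspmqaut command.
function Get-MqAuthority([string]$Type, [string]$Kind, [string]$Entity, [string]$Name) {
    $cmdArgs = @('-m', $QMgr, '-t', $Type, "-$Kind", $Entity)
    if ($Name) { $cmdArgs += @('-n', $Name) }
    # dspmqaut prints a header line, then one authorization name per indented line.
    # Keep only the lowercase authorization names (connect, inq, put, get, ...).
    & dspmqaut @cmdArgs 2>&1 |
        ForEach-Object { "$_".Trim() } |
        Where-Object { $_ -cmatch '^[a-z]+$' }
}

$groupQmgr = Get-MqAuthority 'qmgr'  'g' $Group
$userQmgr  = Get-MqAuthority 'qmgr'  'p' $User
$userQueue = Get-MqAuthority 'queue' 'p' $User $Queue

"Windows lists $User in $Group = $inGroup"
"MQ qmgr authority for group $Group = $($groupQmgr -join ' ')"
"MQ qmgr authority for principal $User = $($userQmgr -join ' ')"
"MQ authority on $Queue for principal $User = $($userQueue -join ' ')"

# 3. Verdict: the group grant exists, but does the principal inherit it yet?
$groupCanConnect = $groupQmgr -contains 'connect'
$userCanConnect  = $userQmgr  -contains 'connect'

if (-not $inGroup) {
    "$User is not a member of $Group in Windows; the setmqaut -g grant cannot apply."
} elseif ($groupCanConnect -and -not $userCanConnect) {
    "Group has +connect but MQ does not report it for $User; MQCONNX will return 2035 until the membership change is picked up."
} elseif ($userCanConnect -and -not ($userQueue -contains 'put')) {
    "$User can connect but lacks +put on $Queue; check the DEV.** queue profile."
} else {
    "Windows membership and MQ authority agree for $User."
}
```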
