I see a bunch of errors that look like
AMQ8077: Entity 'tcs-mq-user ' has insufficient authority to access object 'SYSTEM.INTERNAL.REPLY.QUEUE'
on the mq error logs whenever I access the queue objects via MQ Explorer. This is repeated for many system objects such as:
SYSTEM.MQEXPLORER.REPLY.MODEL
SYSTEM.ADMIN.COMMAND.QUEUE
SYSTEM.SELECTION.VALIDATION.QUEUE
SYSTEM.DEFAULT.MODEL.QUEUE
SYSTEM.RETAINED.PUB.QUEUE
SYSTEM.PENDING.DATA.QUEUE
SYSTEM.NDURABLE.MODEL.QUEUE
SYSTEM.MQSC.REPLY.QUEUE
SYSTEM.JMS.TEMPQ.MODEL
SYSTEM.INTERNAL.REPLY.QUEUE
SYSTEM.INTER.QMGR.PUBS
SYSTEM.INTER.QMGR.FANREQ
SYSTEM.INTER.QMGR.CONTROL
SYSTEM.HIERARCHY.STATE
SYSTEM.DURABLE.SUBSCRIBER.QUEUE
SYSTEM.DURABLE.MODEL.QUEUE
SYSTEM.DOTNET.XARECOVERY.QUEUE
SYSTEM.DEFAULT.REMOTE.QUEUE
SYSTEM.DEFAULT.LOCAL.QUEUE
SYSTEM.DEFAULT.INITIATION.QUEUE
SYSTEM.DEFAULT.ALIAS.QUEUE
SYSTEM.DEAD.LETTER.QUEUE
SYSTEM.CLUSTER.TRANSMIT.QUEUE
SYSTEM.CLUSTER.REPOSITORY.QUEUE
SYSTEM.CLUSTER.HISTORY.QUEUE
SYSTEM.CLUSTER.COMMAND.QUEUE
SYSTEM.CICS.INITIATION.QUEUE
How do I get rid of these?
When WMQ Explorer paints the queues screen, it needs to enumerate all the queues and does so by issuing the command server equivalent of DIS Q(*) as a PCF command. The results of that command are returned on a per-queue basis, so each queue the user has access to display returns MQCC=0, whereas each queue the user has no access to display returns MQCC=2, MQRC=2035. Since it does this for each queue that is defined, you will need to authorize tcs-mq-user to at least display all queues.
Since tcs-user is in the mq-user group (based on notes in previous postings) then do this:
SET AUTHREC PROFILE('**') GROUP('mq-users') OBJTYPE(QUEUE) AUTHADD(DSP)
Note that you need two asterisks in the profile name because WMQ recognizes dot characters as node separators. For example, using a profile of SYSTEM* would match a queue named SYSTEM_QUEUE but not one named SYSTEM.QUEUE because the single asterisk wildcard matches only a single node in the name. A two-asterisk wildcard like SYSTEM** would match both names. To match all SYSTEM queues, you usually would use the pattern SYSTEM.**, including the dot and both asterisks. That way the pattern excludes user-defined names like SYSTEMIC but matches all the default object names. To match all queues, just use the pattern ** as shown in the command example above.
You will also get many of the same errors on the other objects. To get around all of these in one step, first apply the base authorizations as explained in the post on Viewing Channels in WebSphere MQ Explorer. That gives the ability to display and/or inquire on all objects, then you can add more specific profiles to allow put, get, browse, etc. on just the objects where mq-user requires more access.
You may also want to have a look at the WebSphere MQ Security Heats Up article on developerWorks for more background and setmqaut commands.
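The node-wise wildcard matching the answer describes, as an added Python example (not IBM's code and not the poster's): it translates a generic profile into a regex under the rules stated above (a single '*' stays within one dot-separated node, '**' crosses nodes), then reports which of the queue names from the question would still be unmatched, and therefore still log AMQ8077, under a given profile. The '?' single-character wildcard that OAM generic profiles also support is left out because the page does not discuss it.

```python
import re

# Profile-matching rules as described in the answer (constructed example,
# not IBM's own code): a single '*' matches within one dot-separated node,
# '**' also spans the '.' separators, anything else matches literally.
def profile_to_regex(profile: str) -> re.Pattern:
    """Translate an OAM-style generic profile into an anchored regex."""
    out = []
    i = 0
    while i < len(profile):
        if profile.startswith("**", i):
            out.append(".*")        # '**' crosses node boundaries
            i += 2
        elif profile[i] == "*":
            out.append("[^.]*")     # '*' stays inside a single node
            i += 1
        else:
            out.append(re.escape(profile[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")

def profile_matches(profile: str, name: str) -> bool:
    """True if the generic profile covers the object name."""
    return profile_to_regex(profile).match(name) is not None

def uncovered_objects(names, profiles):
    """Names not matched by any profile: Explorer's enumeration would still
    get MQRC=2035 for these and the queue manager would still log AMQ8077."""
    return [n for n in names if not any(profile_matches(p, n) for p in profiles)]

# Constructed sample: a subset of the queue names from the question plus a
# look-alike name and an application queue, checked against profiles of
# increasing scope.
QUEUES = [
    "SYSTEM.INTERNAL.REPLY.QUEUE",
    "SYSTEM.ADMIN.COMMAND.QUEUE",
    "SYSTEM.DEAD.LETTER.QUEUE",
    "SYSTEMIC",
    "APP.ORDERS.IN",
]

if __name__ == "__main__":
    for prof in ["SYSTEM*", "SYSTEM.**", "**"]:
        print(f"{prof:10} leaves uncovered: {uncovered_objects(QUEUES, [prof])}")
```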