MQJMS2013 invalid security authentication

Question

I am trying to connect to IBM Websphere MQ Server from IBM Websphere Application Server.

I am getting the following error:

MQJMS2013: invalid security authentication supplied for MQQueueManager

What I understand is, this is because of invalid security credentials by WAS while connecting to MQ Manager.

I have tried different combination of providing the MQ admin password e.g.

1. Provide J2C authentication to MQ Connection Factory.
2. Provide MQ admin username and password to Queues.
3. Providing Blank username.
4. Combination of all three above.

Also, as mentioned in some of the posts, I have tried the Transport Type as 'Binding' as well as 'Client' for QueueConnectionFactory.

Please suggest.

Answer 1

One problem is that the MQJMS2013 may have nothing to do with the QMgr. It could be config file permission problems, LDAP credentials doing JNDI lookups, problems with a keystore, etc.

One way to determine whether this really is a WMQ authorization exception is to enable authorization events on the QMgr and recreate the error. If it is a WMQ auth problem, the event message will land in SYSTEM.ADMIN.QMGR.EVENT queue. It will contain the ID of the user, the object the call failed on, the API call that failed and all of the options used on the call. If you use SupportPac MO71 then it will format the event message for you. If you use WMQ Explorer then you can install SupportPac MS0P to format the event messages.

If you do not get an event message then the connection is not reaching WMQ! In that case, nothing you do with accounts, groups, setmqaut and other WMQ-specific configuration will help and I'd suggest enabling tracing.

In bindings mode, the ID presented must match the ID the JVM runs as. In client mode another way to diagnose is to set the channel's MCAUSER to a known good value. The channel's MCAUSER overrides any ID passed in by the app server and should always be set to a low-privileged account. For diagnostics, set it TEMPORARILY to 'mqm' and if the connection works that isolates the problem to being WMQ auth issues.

Answer 2

Finally got it working, after 2 days of applying combinations.

To help other (and probably myself also in future), following was the issue:

We were configuring IBM Websphere Application Server with IBM Websphere MQ server. We created queue connection factory, queues and listener ports right. We were getting the exception in question repeatedly.

How did it work is: When you start your application server, the user that is starting the server should have access for MQ. i.e. the user should be part of group MQM. Just to add, after adding the group to the user, do remember to restart MQ server because MQ server refreshes the rights after restart only.

Hope this helps.