IBM MQ Error - pymqi.MQMIError: MQI Error. Comp: 2, Reason 2035: FAILED: MQRC_NOT_AUTHORIZED

Question

I am trying to connect to a remote queue manager using SSL via python pymqi. I am getting pymqi.MQMIError: MQI Error. Comp: 2, Reason 2035: FAILED: MQRC_NOT_AUTHORIZED error. In the log the explanation is

AMQ9777E: Channel was blocked

EXPLANATION:
The inbound channel 'MY.SSL.CHL' was blocked from address 'xx.xx.xx.xx'
because the active values of the channel matched a record configured with
USERSRC(NOACCESS). The active values of the channel were 'CLNTUSER(mysysusrid).

Somehow the code is not using the user defined in the code but the my system user id.

Here is the code:

queue_manager = 'MY.DEV.IN.QM'
channel = b'MY.SSL.CHL'
host = 'xx.xx.xx.xx'
port = '1414'
queue_name = 'MY.Q'
conn_info = f'{host}({port})'
conn_info = conn_info.encode('utf-8')
ssl_cipher_spec = b'TLS_RSA_WITH_AES_256_CBC_SHA256'
key_repo_location = b'key'
certificate_label = b'certificate_label '
user = 'user'
password = 'password'
message = 'Hello from Python!'

cd = pymqi.CD()
cd.ChannelName = channel
cd.ConnectionName = conn_info
cd.ChannelType = pymqi.CMQC.MQCHT_CLNTCONN
cd.TransportType = pymqi.CMQC.MQXPT_TCP
cd.SSLCipherSpec = ssl_cipher_spec
cd.CertificateLabel = certificate_label

sco = pymqi.SCO()
sco.KeyRepository = key_repo_location
sco.CertificateLabel = certificate_label

kwargs = {
    'user': user,
    'password': password,
    'cd': cd,
    'sco': sco
}

qmgr = pymqi.QueueManager(None)
qmgr.connect_with_options(queue_manager, **kwargs)

What parameter should be added to solve the error?

Answer 1

In order to have the password validated user ID you provide in your application used for subsequent checks by the queue manager, several things must be true.

• You must supply the correct user ID and password combination
• The queue manager must be configured to check the user ID and password (see below)
• The queue manager must be configured to take the validated user ID and adopt it for the connection (this didn't use to be the default, so should be checked explicitly - don't assume it will be on).

Configure Queue Manager to check passwords

To configure your queue manager to check the application provided user ID and password, use commands like the following:-

DEFINE AUTHINFO(USE.PW) AUTHTYPE(IDPWOS) CHCKLOCL(OPTIONAL) CHCKCLNT(REQUIRED) ADOPTCTX(YES)

ALTER QMGR CONNAUTH(USE.PW)

REFRESH SECURITY TYPE(CONNAUTH)

The ADOPTCTX(YES) setting takes the password validated user ID and makes it the user under which the connection will now run.

This example shows how to use the O/S as the password repository. There are a variety of other options that you can use which are summarised in a nice table here.