How MQ channel authentication works

When an application connects to a queue manager, a substantial amount of checking is performed to ensure that both ends of the channel understand what is supported by the other end. The receiving end of the channel does some extra checking, involving CHLAUTH and CONNAUTH, to ensure that the client is allowed to connect.

Step 7: Adopt MQCSP user (if ChlauthEarlyAdopt is Y and ADOPTCTX=YES)

The user Id asserted by the client is authenticated.

If CONNAUTH is using LDAP to map an asserted distinguished name to a short user Id, the mapping happens in this step.

If authentication is successful, the user Id is adopted by the channel and is used by the CHLAUTH mapping step.

Step 10: Authenticate the user

The authentication phase happens if CONNAUTH is enabled on the queue manager.

To check this, issue the MQSC command ‘DISPLAY QMGR CONNAUTH’.

If CHCKCLNT(REQUIRED) is set, then a user must have been authenticated in step 7 or step 10. Otherwise, the connection is rejected.

But as I can see, there is no CHLAUTH rule defined to block root as a user.

The errors below occurred at the same time, because the root user did not have enough privilege to connect to the queue manager.

12/07/22 09:04:53 - Process(22544474.2158416) User(mqm) Program(amqzlaa0)
Host(APP) Installation(Installation1)
VRMF(9.2.0.5) QMgr(APP.QM1)
Time(2022-12-07T01:04:53.934Z)
CommentInsert1(root)
CommentInsert2(APP.QM1 [qmgr])
CommentInsert3(connect)

AMQ8077W: Entity 'root' has insufficient authority to access object
APP.QM1 [qmgr].

EXPLANATION:
The specified entity is not authorized to access the required object. The
following requested permissions are unauthorized: connect
ACTION:
Ensure that the correct level of authority has been set for this entity against
the required object, or ensure that the entity is a member of a privileged
group.
----- amqzfubx.c : 1637 -------------------------------------------------------
12/07/22 09:04:53 - Process(22151254.23184421) User(mqm) Program(amqrmppa)
Host(APP) Installation(Installation1)
VRMF(9.2.0.5) QMgr(APP.QM1)
Time(2022-12-07T01:04:53.935Z)
ArithInsert1(2) ArithInsert2(2035)
CommentInsert1(root)

AMQ9557E: Queue Manager User ID initialization failed for 'root'.

EXPLANATION:
The call to initialize the User ID 'root' failed with CompCode 2 and Reason
2035. If an MQCSP block was used, the User ID in the MQCSP block was ''. If a
userID flow was used, the User ID in the UID header was '' and any CHLAUTH
rules applied prior to user adoption were evaluated case-sensitively against
this value.
ACTION:
Correct the error and try again.
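The two records above are what a defender actually has to work with when an MQ connection is refused, so here is an added example (not from the original post and not IBM code) of a small parser for the AMQERR01.LOG record layout shown, followed by a check that pulls out the authority failures (AMQ8077W, AMQ9557E) together with the entity, object, permission and MQ reason code they carry. The embedded sample log is constructed from the two records quoted above; the `CommentInsertN`/`ArithInsertN` field names, the message ids and the `----- file : line -----` separator are as they appear on the page, while the assumption that every record opens with a `dd/mm/yy hh:mm:ss - Process(` line is mine.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample, built from the two AMQERR01.LOG records quoted above.
SAMPLE_LOG = """\
12/07/22 09:04:53 - Process(22544474.2158416) User(mqm) Program(amqzlaa0)
                    Host(APP) Installation(Installation1)
                    VRMF(9.2.0.5) QMgr(APP.QM1)
                    Time(2022-12-07T01:04:53.934Z)
                    CommentInsert1(root)
                    CommentInsert2(APP.QM1 [qmgr])
                    CommentInsert3(connect)

AMQ8077W: Entity 'root' has insufficient authority to access object
APP.QM1 [qmgr].

EXPLANATION:
The specified entity is not authorized to access the required object. The
following requested permissions are unauthorized: connect
ACTION:
Ensure that the correct level of authority has been set for this entity against
the required object, or ensure that the entity is a member of a privileged
group.
----- amqzfubx.c : 1637 -------------------------------------------------------
12/07/22 09:04:53 - Process(22151254.23184421) User(mqm) Program(amqrmppa)
                    Host(APP) Installation(Installation1)
                    VRMF(9.2.0.5) QMgr(APP.QM1)
                    Time(2022-12-07T01:04:53.935Z)
                    ArithInsert1(2) ArithInsert2(2035)
                    CommentInsert1(root)

AMQ9557E: Queue Manager User ID initialization failed for 'root'.

EXPLANATION:
The call to initialize the User ID 'root' failed with CompCode 2 and Reason
2035. If an MQCSP block was used, the User ID in the MQCSP block was ''.
ACTION:
Correct the error and try again.
"""

# Assumption (mine): every record starts with a "dd/mm/yy hh:mm:ss - Process(" header line.
RECORD_START = re.compile(r"^\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2} - Process\(")
FIELD = re.compile(r"(\w+)\(([^)]*)\)")          # Name(value) pairs in the header block
MSG_ID = re.compile(r"^(AMQ\d{4}[IWES]):\s*(.*)$")  # e.g. AMQ8077W: ...
SEPARATOR = re.compile(r"^-{5} .+ : \d+ -+$")     # ----- amqzfubx.c : 1637 -----...


@dataclass
class MQErrorRecord:
    fields: Dict[str, str] = field(default_factory=dict)  # Process, User, QMgr, Time, *Insert*
    msg_id: str = ""
    text: str = ""   # message line plus its wrapped continuation


def parse_amqerr(log: str) -> List[MQErrorRecord]:
    """Split an AMQERR log into records and pull out the header fields and message."""
    records: List[MQErrorRecord] = []
    current: Optional[MQErrorRecord] = None
    in_message = False
    for line in log.splitlines():
        if RECORD_START.match(line):
            current = MQErrorRecord()
            records.append(current)
            in_message = False
        if current is None:
            continue                      # text before the first header, ignore
        if SEPARATOR.match(line):
            current = None                # record closed
            continue
        m = MSG_ID.match(line)
        if m:
            current.msg_id, current.text = m.group(1), m.group(2)
            in_message = True
            continue
        if line.startswith(("EXPLANATION:", "ACTION:")):
            in_message = False            # boilerplate follows, not needed for triage
            continue
        if in_message and line.strip():
            current.text += " " + line.strip()
            continue
        if not current.msg_id:            # still in the header block
            current.fields.update(FIELD.findall(line))
    return records


AUTHORITY_FAILURES = {"AMQ8077W", "AMQ9557E"}  # the two message ids quoted on the page


def authority_failures(records: List[MQErrorRecord]) -> List[Dict[str, Optional[str]]]:
    """Reduce authority/CONNAUTH failures to the who / what / why a triage needs."""
    out = []
    for r in records:
        if r.msg_id not in AUTHORITY_FAILURES:
            continue
        out.append({
            "time": r.fields.get("Time"),
            "qmgr": r.fields.get("QMgr"),
            "program": r.fields.get("Program"),
            "entity": r.fields.get("CommentInsert1"),
            "object": r.fields.get("CommentInsert2"),
            "permission": r.fields.get("CommentInsert3"),
            "reason": r.fields.get("ArithInsert2"),   # MQRC; 2035 is MQRC_NOT_AUTHORIZED
            "msg_id": r.msg_id,
        })
    return out


def failures_by_entity(failures: List[Dict[str, Optional[str]]]) -> Dict[str, int]:
    """Count failures per entity so a repeat offender stands out in a scheduled check."""
    counts: Dict[str, int] = {}
    for f in failures:
        who = f["entity"] or "?"
        counts[who] = counts.get(who, 0) + 1
    return counts


if __name__ == "__main__":
    hits = authority_failures(parse_amqerr(SAMPLE_LOG))
    for h in hits:
        print(h)
    print(failures_by_entity(hits))
```

Run periodically over the queue manager's AMQERR logs, the per-entity count is the signal you want before deciding whether the fix is an OAM authority record for the identity, group membership followed by REFRESH SECURITY TYPE(AUTHSERV), or a CHLAUTH rule; the `reason` field distinguishes a plain 2035 authorization failure from other CONNAUTH outcomes.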

After adding root to the mqm group, you could have used REFRESH SECURITY TYPE(AUTHSERV). AUTHSERV is the default type and the one that flushes the cache of OS groups for IDs on a queue manager; the refresh is not in itself expensive. It is merely a matter of the queue manager forgetting what it has cached.

AUTHSERV

The list of authorizations held internally by the authorization services component is refreshed.

What that means however, is that each time a new user ID attempts to connect to the queue manager or open a queue, and they will all be new after a refresh, the queue manager must ask the OS what groups that ID is in.

I did a test on my system and observed that if CHCKCLNT is set to REQUIRED, we need to execute REFRESH SECURITY TYPE(AUTHSERV) after adding a user to the mqm group.

As mentioned in the Knowledge Center, a refresh of AUTHSERV, CONNAUTH or CLASSES will remove all cached OS security information in the qmgr. This means that subsequent authorization checks will result in the qmgr calling OS or LDAP services to repopulate its cache of OS information as needed.

By contrast, when you issue the REFRESH SECURITY TYPE(SSL) MQSC command, all running TLS channels are stopped and restarted; this does not happen for AUTHSERV.
