What should be done when a new user is added to the mqm group?

ERROR : AMQ9557E: Queue Manager User ID initialization failed for ‘root’.

AMQ8077W: Entity ‘root’ has insufficient authority to access object QMGR.QM1

When an application connects to a queue manager, a substantial amount of checking is performed to ensure that both ends of the channel understand what is supported by the other end. The receiving end of the channel does some extra checking, involving CHLAUTH and CONNAUTH, to ensure that the client is allowed to connect.

Step 7: Adopt MQCSP user (if ChlauthEarlyAdopt is Y and ADOPTCTX=YES)

The user Id asserted by the client is authenticated.

If CONNAUTH is using LDAP to map an asserted distinguished name to a short user Id, the mapping happens in this step.

If authentication is successful, the user Id is adopted by the channel and is used by the CHLAUTH mapping step.

Step 10: Authenticate the user

The authentication phase happens if CONNAUTH is enabled on the queue manager.

To check this, issue the MQSC command ‘DISPLAY QMGR CONNAUTH’.

If CHCKCLNT(REQUIRED) is set then a user must have been authenticated in step 7 or 10. Otherwise, the connection is rejected.

When we did a test on my system, we observed that if CHCKCLNT is set to REQUIRED, we need to execute REFRESH SECURITY TYPE(AUTHSERV) after adding a user to the mqm group.

As mentioned in the knowledge center, a refresh of AUTHSERV, CONNAUTH or CLASSES will remove all cached OS security information in the qmgr. This means that subsequent authorization checks will result in the qmgr calling OS or LDAP services to repopulate its cache of OS information as needed.

The actual act of REFRESH SECURITY TYPE(AUTHSERV), which is the default type and the one that flushes the cache of OS groups for IDs on a queue manager, is not in itself expensive. It is merely a matter of the queue manager forgetting what it has cached.

What that means, however, is that each time a new user ID attempts to connect to the queue manager or open a queue, and they will all be new after a refresh, the queue manager must ask the OS what groups that ID is in.

When you issue the REFRESH SECURITY TYPE(SSL) MQSC command, all running TLS channels are stopped and restarted. This is not the case for AUTHSERV.
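The sequence described above (confirm the OS group change, then flush the queue manager's cache) as a shell script. This is an added example, not part of the original post; the helper names `has_group`, `mqsc_refresh_script` and `refresh_after_group_change` are hypothetical, and the user and queue manager name are passed as arguments.

```shell
#!/bin/sh
# Usage: ./refresh_mqm.sh <user> <qmgr>   (run as an MQ administrator)

# has_group "<space-separated group list>" <group>
# Whole-word match on `id -Gn` output, so "mqmadmin" does not count as "mqm".
has_group() {
    for g in $1; do
        if [ "$g" = "$2" ]; then
            return 0
        fi
    done
    return 1
}

# MQSC commands piped to runmqsc: show the CONNAUTH setting, then drop the
# cached OS security information so group membership is looked up again.
mqsc_refresh_script() {
    printf '%s\n' \
        'DISPLAY QMGR CONNAUTH' \
        'REFRESH SECURITY TYPE(AUTHSERV)'
}

refresh_after_group_change() {
    user=$1
    qmgr=$2
    # Ask the OS first: refreshing the cache cannot help if the group
    # change itself has not taken effect.
    groups_now=$(id -Gn "$user") || {
        echo "unknown user: $user" >&2
        return 2
    }
    if ! has_group "$groups_now" mqm; then
        echo "$user is not in mqm at the OS level; add the user first" >&2
        return 1
    fi
    mqsc_refresh_script | runmqsc "$qmgr" || return 3
    # Confirm what the queue manager now grants this principal on the qmgr object.
    dspmqaut -m "$qmgr" -t qmgr -p "$user"
}

# Only act when both arguments are supplied.
if [ "$#" -eq 2 ]; then
    refresh_after_group_change "$1" "$2"
fi
```
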
