IBM MQ Docker Image & JMSToolBox v7 Problem

Introduction

If you ever used the IBM MQ Docker image provided by IBM, you might have encountered the problem that JMSToolBox is not able to connect to the broker using any user. In this blog post we will show you a simple setup to fix this problem and some additional tips for troubleshooting.

IBM MQ Container setup

We assume you have already set up Docker, so we will focus on the container setup. The image we will be using is the one provided by IBM: hub.docker.com/r/ibmcom/mq

You have probably also already created a custom queue manager configuration (e.g. 20-config.mqsc) to create some queues. (If not, take a look at: customizing-the-queue-manager-configuration.) We will expand this configuration a little so that JMSToolBox can function.

The main reason this problem occurs when interacting with the container is the default authorization setup (10-dev.mqsc.tpl). To fix this we need to add the following lines to the custom configuration file:

SET AUTHREC OBJTYPE(QMGR) PRINCIPAL('admin') AUTHADD(DSP, CONNECT, INQ)

SET AUTHREC PROFILE('SYSTEM.ADMIN.COMMAND.QUEUE') OBJTYPE(QUEUE) PRINCIPAL('app') AUTHADD(DSP, PUT, INQ)
SET AUTHREC PROFILE('SYSTEM.DEFAULT.MODEL.QUEUE') OBJTYPE(QUEUE) PRINCIPAL('app') AUTHADD(DSP, GET)

SET AUTHREC OBJTYPE(QMGR) PRINCIPAL('app') AUTHADD(DSP)

Also, if you have already set up some queues, do not forget to permit the users to use these queues:

* Create a queue
DEFINE QLOCAL('MY.QUEUE.1') REPLACE

* Authorize app user
SET AUTHREC PROFILE('MY.QUEUE.1') OBJTYPE(QUEUE) PRINCIPAL('app') AUTHADD(BROWSE, GET, PUT, INQ)

That’s everything in terms of the MQ setup. More info about AUTHREC (authority records) can be found here:
ibm.com/docs/en/ibm-mq/9.2.x?topic=reference-set-authrec-set-authority-records-multiplatforms

JMSToolbox setup

JMSToolBox won’t work with IBM MQ out of the box, since some JARs need to be downloaded and installed manually.
This is explained in the GitHub Wiki: github.com/jmstoolbox/jmstoolbox/wiki/2.1-Setup-for-IBM-MQ.

After doing this, IBM MQ should be selectable when selecting a new session.

JMSToolBox session setup

The most important detail during the session setup is the channel name:

  • If you want to connect using the app user you have to use the DEV.APP.SVRCONN channel
  • If you want to connect using the admin user you have to use the DEV.ADMIN.SVRCONN channel

[Image: JMSToolBox session setup properties]

If you are trying to use the app user with the web console, that still won’t work, as only the admin user is authorized to use it:

[Image: IBM MQ 403]

Troubleshooting

In this section we will give you some tips to debug IBM MQ yourself. The way we found the solution to this is by examining the container log. Let’s do that again by emptying our custom MQ configuration and trying to connect using JMSToolBox.

You should get the following log message:

AMQ8077W: Entity 'app' has insufficient authority to access object SYSTEM.ADMIN.COMMAND.QUEUE [queue]. [CommentInsert1(app), CommentInsert2(SYSTEM.ADMIN.COMMAND.QUEUE [queue]), CommentInsert3(put/inq)]

While this does look a little cryptic it’s pretty easy to discern:

  • CommentInsert1(app) tells us the user is app
  • CommentInsert2(SYSTEM.ADMIN.COMMAND.QUEUE [queue]) tells us that user tried to access the queue SYSTEM.ADMIN.COMMAND.QUEUE
  • CommentInsert3(put/inq) tells us that the user is missing the PUT and INQ rights

So to fix this we need to give the respective rights to the app user:

SET AUTHREC PROFILE('SYSTEM.ADMIN.COMMAND.QUEUE') OBJTYPE(QUEUE) PRINCIPAL('app') AUTHADD(PUT, INQ)

The previous error is now gone, but we get a new one:

AMQ8077W: Entity 'app' has insufficient authority to access object SYSTEM.DEFAULT.MODEL.QUEUE [queue]. [CommentInsert1(app), CommentInsert2(SYSTEM.DEFAULT.MODEL.QUEUE [queue]), CommentInsert3(get)]

As we have seen previously, this error means that the user app is missing the GET right for the queue SYSTEM.DEFAULT.MODEL.QUEUE. So we need to give the user that permission:

SET AUTHREC PROFILE('SYSTEM.DEFAULT.MODEL.QUEUE') OBJTYPE(QUEUE) PRINCIPAL('app') AUTHADD(GET)

If you continue this process of looking at the log and adding permissions, you should eventually be able to connect with JMSToolBox, for example. You might also encounter the following error:

AMQ8245W: Entity 'app' has insufficient authority to display object QM [qmgr]. [CommentInsert1(app), CommentInsert2(QM [qmgr])]

This log message does not explicitly state the permissions needed, but if we take a look at the IBM Docs we can quickly figure out that the user app is missing the DSP permission. So we need to add the following line to our configuration:

SET AUTHREC OBJTYPE(QMGR) PRINCIPAL('app') AUTHADD(DSP)

And that’s pretty much it, you can apply these steps to any custom user you create or any other problem you have.
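
The read-the-log, add-a-grant loop from this section can be scripted so that each denial becomes exactly one reviewed SET AUTHREC line. The following is an added example, not part of the original post or of IBM's tooling; the function names are hypothetical, the sample log is constructed from the messages quoted above, and only QUEUE/QMGR objects and the six authorities used in this post are handled.

```python
import re
from collections import defaultdict

# Constructed sample built from the messages quoted in this post; the last
# line repeats the first, as happens when a client retries.
SAMPLE_LOG = """\
AMQ8077W: Entity 'app' has insufficient authority to access object SYSTEM.ADMIN.COMMAND.QUEUE [queue]. [CommentInsert1(app), CommentInsert2(SYSTEM.ADMIN.COMMAND.QUEUE [queue]), CommentInsert3(put/inq)]
AMQ8077W: Entity 'app' has insufficient authority to access object SYSTEM.DEFAULT.MODEL.QUEUE [queue]. [CommentInsert1(app), CommentInsert2(SYSTEM.DEFAULT.MODEL.QUEUE [queue]), CommentInsert3(get)]
AMQ8245W: Entity 'app' has insufficient authority to display object QM [qmgr]. [CommentInsert1(app), CommentInsert2(QM [qmgr])]
AMQ8077W: Entity 'app' has insufficient authority to access object SYSTEM.ADMIN.COMMAND.QUEUE [queue]. [CommentInsert1(app), CommentInsert2(SYSTEM.ADMIN.COMMAND.QUEUE [queue]), CommentInsert3(put/inq)]
"""

DENIAL = re.compile(
    r"(?P<id>AMQ8077W|AMQ8245W):.*?CommentInsert1\((?P<who>[^)]+)\),\s*"
    r"CommentInsert2\((?P<obj>\S+) \[(?P<type>\w+)\]\)"
    r"(?:,\s*CommentInsert3\((?P<auth>[^)]+)\))?")
NAME = re.compile(r"[A-Za-z0-9._%/]+")  # conservative name charset (assumption)
KNOWN_AUTH = {"BROWSE", "CONNECT", "DSP", "GET", "INQ", "PUT"}  # used in this post


def missing_grants(log_text):
    """Map (principal, objtype, object) to the set of authorities denied."""
    grants = defaultdict(set)
    for m in DENIAL.finditer(log_text):
        who, obj, otype = m["who"], m["obj"], m["type"].upper()
        if otype not in ("QUEUE", "QMGR"):
            continue  # other object types are out of scope here
        if not (NAME.fullmatch(who) and NAME.fullmatch(obj)):
            continue  # never copy unexpected characters from a log into MQSC
        # AMQ8245W names no authority; per the post it means DSP is missing.
        auths = ["DSP"] if m["id"] == "AMQ8245W" else (m["auth"] or "").upper().split("/")
        grants[(who, otype, obj)].update(a for a in auths if a in KNOWN_AUTH)
    return dict(grants)


def to_mqsc(grants):
    """Render one SET AUTHREC per principal and object, sorted for stable diffs."""
    lines = []
    for (who, otype, obj), auths in sorted(grants.items()):
        if not auths:
            continue  # only unknown authorities were named: review by hand
        profile = "" if otype == "QMGR" else f"PROFILE('{obj}') "
        if obj == "SYSTEM.ADMIN.COMMAND.QUEUE" and "PUT" in auths:
            lines.append("* REVIEW: this is the command server's input queue")
        lines.append(f"SET AUTHREC {profile}OBJTYPE({otype}) "
                     f"PRINCIPAL('{who}') AUTHADD({', '.join(sorted(auths))})")
    return lines


if __name__ == "__main__":
    print("\n".join(to_mqsc(missing_grants(SAMPLE_LOG))))
```

Feed it the container log text instead of SAMPLE_LOG and review the output before pasting it into your custom .mqsc file; repeated denials collapse into a single line per user and object.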

Thank you for reading!

If you liked this post, you might also be interested in this post explaining the differences of Traditional Brokers and SQS:
https://blog.consol.de/software-engineering/cloud-native/aws-sqs-vs-traditional-message-brokers/
