Reputation: 143
I have installed WebSphere MQ 8 server on my Windows 8 machine. Using MQ Explorer:
I created a queue manager MAJID.QUEUE.MANAGER with port 1419.
I created a TCP listener on port 1419.
I tried one of the Java programs in Tools from the MQ 8 installation; it runs like this:
PCF_ListQueueNames MAJID.QUEUE.MANAGER 10.196.67.99 1419
but I only got :
Completion Code '2', Reason '2035'.
UPDATE:
the log file says :
AMQ9777: Channel was blocked
EXPLANATION:
The inbound channel 'SYSTEM.DEF.SVRCONN' was blocked from address 'ITD-968735
(192.168.56.1)' because the active values of the channel matched a record
configured with USERSRC(NOACCESS). The active values of the channel were
'CLNTUSER(alotfi) ADDRESS(ITD-968735)'.
ACTION:
Contact the systems administrator, who should examine the channel
authentication records to ensure that the correct settings have been
configured. The ALTER QMGR CHLAUTH switch is used to control whether channel
authentication records are used. The command DISPLAY CHLAUTH can be used to
query the channel authentication records.
----- cmqxrmsa.c : 1461 -------------------------------------------------------
1/13/2016 15:55:13 - Process(9988.27) User(MUSR_MQADMIN) Program(amqrmppa.exe)
Host(ITD-968735) Installation(Installation1)
VRMF(8.0.0.4) QMgr(MAJID.QUEUE.MANAGER)
AMQ9999: Channel 'SYSTEM.DEF.SVRCONN' to host '192.168.56.1' ended abnormally.
EXPLANATION:
The channel program running under process ID 9988(8292) for channel
'SYSTEM.DEF.SVRCONN' ended abnormally. The host name is '192.168.56.1'; in some
cases the host name cannot be determined and so is shown as '????'.
Upvotes: 1
Views: 2098
Reputation: 401
There is a great MQ security blog article which describes how to configure MQ to let clients connect securely (i.e. without just turning the security features off).
However to address your specific question, the default channel authentication rules for new MQ 8 queue managers prevent client connections to the queue manager via SYSTEM.* channels. If you run DIS CHLAUTH(*) ALL
on a new MQ 8 queue manager you'll see:
DIS CHLAUTH(*) ALL
2 : DIS CHLAUTH(*) ALL
AMQ8878: Display channel authentication record details.
CHLAUTH(SYSTEM.ADMIN.SVRCONN) TYPE(ADDRESSMAP)
DESCR(Default rule to allow MQ Explorer access)
CUSTOM( ) ADDRESS(*)
USERSRC(CHANNEL) CHCKCLNT(ASQMGR)
ALTDATE(2016-01-14) ALTTIME(16.15.20)
AMQ8878: Display channel authentication record details.
CHLAUTH(SYSTEM.*) TYPE(ADDRESSMAP)
DESCR(Default rule to disable all SYSTEM channels)
CUSTOM( ) ADDRESS(*)
USERSRC(NOACCESS) WARN(NO)
ALTDATE(2016-01-14) ALTTIME(16.15.20)
AMQ8878: Display channel authentication record details.
CHLAUTH(*) TYPE(BLOCKUSER)
DESCR(Default rule to disallow privileged users)
CUSTOM( ) USERLIST(*MQADMIN)
WARN(NO) ALTDATE(2016-01-14)
ALTTIME(16.15.20)
The second rule prevents all client connections to channels named SYSTEM.*. This applies to you because you are connecting to SYSTEM.DEF.SVRCONN.
You probably want to define a new SVRCONN channel for your application to connect to and use that instead of SYSTEM.DEF.SVRCONN.
When defining a new channel MQ security best practice is to set the MCAUSER field of the channel to a user that doesn't exist - for example 'nobody'. You can then define a new channel authentication rule that allows your Java application to adopt the user ID you have chosen instead of the default user 'nobody'. The rule could for example be an ADDRESSMAP rule that allows any clients connecting from a specific IP address to connect to the new channel and to adopt the user ID you have chosen.
In summary:
1) Choose a valid user that exists on your system (but that isn't in the 'mqm' group)
2) Define a new non-SYSTEM channel, with MCAUSER set to 'nobody', e.g.
DEFINE CHANNEL(MY.FIRST.CHANNEL) CHLTYPE(SVRCONN) MCAUSER('nobody')
3) Define a new channel auth rule that allows connections from the IP address of your client, and adopts the user you have defined, e.g.
SET CHLAUTH(MY.FIRST.CHANNEL) TYPE(ADDRESSMAP) ADDRESS('192.168.56.1') USERSRC(MAP) MCAUSER('validuser') ACTION(REPLACE)
You will have one further step to perform. You need to tell MQ that 'validuser' is allowed to connect, put, and/or get messages. You can use SET AUTHREC to define the authorities the client should have. See the KnowledgeCenter for the valid AUTHREC options.
The above is an example of how to configure MQ to let your client connect. You should use a combination of blog articles like the one I've linked to and the KnowledgeCenter to set up your security in the way you want. For example you might want to use TLS certificates to authenticate your Java client, which I haven't described above.
Upvotes: 3
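As an added example (not part of the answer above and not IBM's sample code), here are the three steps from the answer plus the SET AUTHREC follow-up collected into one runmqsc script. The address 192.168.56.1 and the client user 'alotfi' are taken from the AMQ9777 message in the question; 'validuser', the queue APP.QUEUE and the script file name are assumptions. The authority records after step 3 are the ones a PCF Inquire Queue Names request (what PCF_ListQueueNames sends) needs: put to the command queue, a reply queue opened from the default model queue, and DSP on the queues being listed.

```mqsc
* Added example, not the answerer's code. Assumed names: 'validuser', APP.QUEUE.
* Run with:  runmqsc MAJID.QUEUE.MANAGER < secure-channel.mqsc

* 1) Application channel. MCAUSER('nobody') is an ID that does not exist, so a
*    connection that no CHLAUTH rule maps fails authorization instead of
*    running under whatever user ID the client asserted.
DEFINE CHANNEL(MY.FIRST.CHANNEL) CHLTYPE(SVRCONN) TRPTYPE(TCP) +
       MCAUSER('nobody') DESCR('Application channel, access via CHLAUTH only') REPLACE

* 2) Map connections from the client host onto the chosen user. Connections
*    from any other address keep MCAUSER('nobody') and are therefore refused.
SET CHLAUTH(MY.FIRST.CHANNEL) TYPE(ADDRESSMAP) ADDRESS('192.168.56.1') +
    USERSRC(MAP) MCAUSER('validuser') ACTION(REPLACE)

* The default rules (SYSTEM.* NOACCESS and BLOCKUSER *MQADMIN) stay in place;
* do not ALTER QMGR CHLAUTH(DISABLED) to work around reason 2035.

* 3) Authorities for 'validuser'. CONNECT and INQ on the queue manager let the
*    client connect; the queue records are what the PCF inquiry needs.
SET AUTHREC OBJTYPE(QMGR) PRINCIPAL('validuser') AUTHADD(CONNECT,INQ)
SET AUTHREC PROFILE('SYSTEM.ADMIN.COMMAND.QUEUE') OBJTYPE(QUEUE) +
    PRINCIPAL('validuser') AUTHADD(PUT,DSP)
SET AUTHREC PROFILE('SYSTEM.DEFAULT.MODEL.QUEUE') OBJTYPE(QUEUE) +
    PRINCIPAL('validuser') AUTHADD(GET,DSP)
SET AUTHREC PROFILE('**') OBJTYPE(QUEUE) PRINCIPAL('validuser') AUTHADD(DSP)

* If the application will also put and get on its own queue (assumed name):
DEFINE QLOCAL(APP.QUEUE) REPLACE
SET AUTHREC PROFILE('APP.QUEUE') OBJTYPE(QUEUE) PRINCIPAL('validuser') +
    AUTHADD(PUT,GET,INQ,BROWSE)

* Checks: ask the queue manager which CHLAUTH rule would apply to exactly the
* connection from the error log, on the new channel and on the blocked one,
* then list what 'validuser' has been granted.
DISPLAY CHLAUTH(MY.FIRST.CHANNEL) MATCH(RUNCHECK) ADDRESS('192.168.56.1') CLNTUSER('alotfi')
DISPLAY CHLAUTH(SYSTEM.DEF.SVRCONN) MATCH(RUNCHECK) ADDRESS('192.168.56.1') CLNTUSER('alotfi')
DISPLAY AUTHREC PRINCIPAL('validuser')
```

The two MATCH(RUNCHECK) displays are the quickest way to see the rule that fires for a given address and client user before the client is tried again: for SYSTEM.DEF.SVRCONN it should still report the USERSRC(NOACCESS) record from the log, for MY.FIRST.CHANNEL the ADDRESSMAP to 'validuser'. Note that an MQ 8 queue manager also enables connection authentication by default (CHCKCLNT(REQDADM)), so a client that asserts a privileged user ID without a valid password gets reason 2035 from a different check (logged as AMQ5540/AMQ5541 rather than AMQ9777); the script above does not change that setting.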