Samy

Reputation: 121

WebSphere MQ Explorer (AMQ4036) error when trying to access MQ running in Docker (ibmcom/mq)

I'm running a queue manager on Docker using the latest ibmcom/mq image, but I get an access denied error when I try to connect to it from my Windows machine using MQ Explorer.

I've disabled CHLAUTH in MQSC (runmqsc) using the command:
ALTER QMGR CHLAUTH(DISABLED)

I've disabled CONNAUTH using the commands:

ALTER QMGR CONNAUTH(' ')
REFRESH SECURITY TYPE(CONNAUTH)

I've removed the default CHLAUTH rules of the image:

SET CHLAUTH(SYSTEM.ADMIN.SVRCONN) TYPE(ADDRESSMAP) ADDRESS(*) ACTION(REMOVE)
SET CHLAUTH(SYSTEM.*) TYPE(ADDRESSMAP) ADDRESS(*) ACTION(REMOVE)
SET CHLAUTH(*) TYPE(BLOCKUSER) USERLIST(*MQADMIN) ACTION(REMOVE)

I've set up a listener and a channel, and added a queue to them:

DEFINE LISTENER(LISTENER.TCP) TRPTYPE(TCP) PORT(30002) CONTROL(QMGR) REPLACE
START LISTENER(LISTENER.TCP)
DEFINE CHANNEL(SYSTEM.DEF.SVRCONN) CHLTYPE(SVRCONN) TRPTYPE(TCP) REPLACE
DEFINE QLOCAL('MyQueue') REPLACE

When I try to connect to the channel SYSTEM.DEF.SVRCONN from Windows using MQ Explorer, I get the error (AMQ4036). The error in /var/mqm/qmgrs/MyQueueManager/errors/AMQERR01.LOG inside the Docker container is:

----- cmqxrsrv.c : 2552 -------------------------------------------------------
02/06/20 10:18:13 - Process(1658.19) User(mqm) Program(amqrmppa)
                    Host(5652aa2322eb) Installation(Installation1)
                    VRMF(9.1.4.0) QMgr(MyQueueManager)
                    Time(2020-02-06T10:18:13.718Z)
                    ArithInsert1(2) ArithInsert2(2035)
                    CommentInsert1(myWindowsId)

AMQ9557E: Queue Manager User ID initialization failed for 'myWindowsId'.

EXPLANATION:
The call to initialize the User ID 'myWindowsId' failed with CompCode 2 and Reason
2035. If an MQCSP block was used, the User ID in the MQCSP block was ''. If a
userID flow was used, the User ID in the UID header was '' and any CHLAUTH
rules applied prior to user adoption were evaluated case-sensitively against
this value.
ACTION:
Correct the error and try again.

I want to use the queue manager for local development. Do you have any idea how to disable the security for my Windows user ID so that I can connect with MQ Explorer and the WebLogic application server?

Upvotes: 1

Views: 9313

Answers (2)

chughts

Reputation: 4747

I am wondering why you need to disable security. If you have Explorer running then the next step will be to add your queue manager in Explorer. From the tutorial - https://developer.ibm.com/tutorials/mq-macos-dev/

(I know it's for Mac, but the principle is the same for Windows).

This will be:

  1. Right click on ‘Queue managers’ in the MQ Explorer Navigator box, then ‘Add remote queue manager’. A pop up appears.
  2. Add your queue manager name – if Docker – QM1, then click Next.
  3. Add Host name or IP Address – if Docker – localhost.
  4. Add Server connection channel – if Docker – DEV.ADMIN.SVRCONN, then click ‘Next’ twice
  5. Tick ‘Enable user identification’, if Docker – default is admin. Leave ‘Prompt for password’ selected.
  6. Click Finish, then add password for user – if Docker – passw0rd. Your queue manager should appear.

Upvotes: 4

Morag Hughson

Reputation: 7515

If you truly want to disable security and don't care anything about access to this queue manager, just do the following (in addition to all the turning off of security settings you have already done).

ALTER CHANNEL(SYSTEM.DEF.SVRCONN) CHLTYPE(SVRCONN) MCAUSER('user-id-in-mqm-group-on-docker')

The problem is that your 'myWindowsId' is not defined to the OS in your docker container. The above command asserts the user id specified in the MCAUSER field, and will ignore the user id flowed by the channel from your Windows box.

I would, however, encourage you to try the earlier answer, and learn how to do enough in security to let yourself in rather than turning it all off.

Upvotes: 1
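
Added example (not part of either answer, and not IBM tooling): a small Python parser for the AMQERR01.LOG entry quoted in the question. It pulls out the user ID the queue manager refused and maps reason 2035 to MQRC_NOT_AUTHORIZED, so you can see which identity was rejected before deciding what to change. The sample entry is copied from the question; the function names are illustrative.

```python
import re

# Constructed sample: the AMQERR01.LOG entry quoted in the question.
SAMPLE_LOG = """\
----- cmqxrsrv.c : 2552 -------------------------------------------------------
02/06/20 10:18:13 - Process(1658.19) User(mqm) Program(amqrmppa)
                    Host(5652aa2322eb) Installation(Installation1)
                    VRMF(9.1.4.0) QMgr(MyQueueManager)
                    Time(2020-02-06T10:18:13.718Z)
                    ArithInsert1(2) ArithInsert2(2035)
                    CommentInsert1(myWindowsId)

AMQ9557E: Queue Manager User ID initialization failed for 'myWindowsId'.
"""

SEPARATOR = re.compile(r"^-{5} .*-{5,}[ \t]*$", re.M)    # "----- file.c : line -----"
FIELD = re.compile(r"(\w+)\(([^)]*)\)")                  # Name(value) header pairs
MESSAGE = re.compile(r"^(AMQ\d{4}[A-Z]?): (.*)$", re.M)  # "AMQ9557E: text"
REASONS = {2035: "MQRC_NOT_AUTHORIZED"}                  # only the code seen on this page


def parse_entries(text):
    """Split an error log into entries: message id, text and header fields."""
    entries = []
    for chunk in SEPARATOR.split(text):
        msg = MESSAGE.search(chunk)
        if msg is None:
            continue  # blank chunk or text with no AMQ message line
        fields = dict(FIELD.findall(chunk[:msg.start()]))  # header precedes the message
        entries.append({"id": msg.group(1), "text": msg.group(2), "fields": fields})
    return entries


def rejected_users(text):
    """Return one record per AMQ9557E entry: who was refused, where, and why."""
    records = []
    for entry in parse_entries(text):
        if entry["id"] != "AMQ9557E":
            continue
        f = entry["fields"]
        reason = int(f.get("ArithInsert2", "0"))
        records.append({"user": f.get("CommentInsert1"), "qmgr": f.get("QMgr"),
                        "time": f.get("Time"), "reason": reason,
                        "reason_name": REASONS.get(reason, "unknown")})
    return records


if __name__ == "__main__":
    for r in rejected_users(SAMPLE_LOG):
        print(r)
```
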
