Connect Remote Queue Manager in a container via MQ Explorer

amq4036 mq explorer
mq explorer for windows
mq explorer access not permitted you are not authorized to perform this operation
ibm mq docker example
ibm mq on cloud documentation
ibm mq web console

I want to access queue manager via mq explorer but getting an error:

  • Could not establish a connection to the queue manager - reason 2538. (AMQ4059) Could not establish a connection to the queue manager - reason 2538. (AMQ4059)
  • Severity: 10 (Warning)
  • Explanation: The attempt to connect to the queue manager failed. This could be because the queue manager is incorrectly configured to allow a connection from this system, or the connection has been broken.
  • Response: Try the operation again. If the error persists, examine the problem determination information to see if any information has been recorded.

I followed all the instructions in https://www-01.ibm.com/support/docview.wss?uid=swg21623113 in order to allow mq explorer to be able to access mq server but still no luck.

IBM MQ Server details:

  • Version: 8
  • OS: Centos
  • Running in a docker container
  • Using port 1417 since my 1414 port is not available for another MQ server
  • Listener is up an running and pointing port 1417
  • Channel is defined as it is described in the link that I shared (I disabled all security features as it is described)
  • I have a sample Java App that I can put/get messages and it is working fine

MQ Explorer details:

I was expecting to get an error message in my MQ Server to understand the issue but surprisingly there is no error message at all ...

Screenshot

You've stated that your queue manager(s) are running in a container and your MQ Explorer is running in another container. I've noticed you've supplied 0.0.0.0 as your hostname but the container where MQ Explorer is running has no queue managers running on it!

If you run the following command (replacing with the ID of the container running your queue managers) you should get the IP address of the container on the docker subnet. Try using that IP address in MQ Explorer instead of 0.0.0.0:

docker inspect --format "{{ .NetworkSettings.IPAddress }}" <QM container>

If your container is on a different docker network then you will need to run the following replacing with the name you gave the docker network:

docker inspect --format "{{ .NetworkSettings.Networks.<Network Name>.IPAddress }}" <QM container>

Additionally, when you created your queue manager container did you remember to expose the 1417 port you are trying to use? By default the mq-container sample only exposes the following ports: 1414, 9157 & 9443. When you ran the container you would of needed to expose the ports but supplying --publish-all --publish 1417 when you ran the container. For example:

docker run -d -e LICENSE=accept --publish-all --publish 1417 ibmcom/mq

Connect Remote Queue Manager in a container via MQ Explorer , You've stated that your queue manager(s) are running in a container and your MQ Explorer is running in another container. I've noticed you've� Select Use client channel definition table (CCDT) and specify the location of the channel table file that you transferred from the remote queue manager in step 2 in Tasks on the system that hosts the remote queue manager on the system hosting the remote queue manager. Click Finish. You can now access the remote queue manager from the MQ Explorer.

You don't say what version of IBM MQ your queue manager is running under. i.e. v7.5, v8.0, v9.0 or v9.1.

Did you give yourself CHLAUTH permission to use the SYSTEM.ADMIN.SVRCONN channel? Most likely you are being blocked by the backstop rule.

Also, if you are on IBM MQ v8.0 or higher then then CONNAUTH could be blocking you.

Here are 2 good links to walk you through your issue.

https://www.ibm.com/developerworks/community/blogs/aimsupport/entry/blocked_by_chlauth_why?lang=en

https://www.ibm.com/support/knowledgecenter/en/SSFKSJ_8.0.0/com.ibm.mq.mig.doc/q001110_.htm

How to Connect QMgr from MQ Explorer � Issue #367 � ibm , I want to access queue manager via mq explorer but getting an error: Could not establish a connection to the queue manager - reason 2538. (AMQ4059) Could� You must configure the MQ Explorer to manage multi-instance queue managers using remote connections. Creating and configuring a queue manager cluster A cluster is a group of two or more queue managers that are logically associated and can share information with each other.

Connect Remote Queue Manager in a container via MQ , (AMQ4036) Severity: 10 (Warning) Explanation: The queue manager security mechanism has My docker container is running on a remote server. But when I try to connect to my Qmanager via MQ Explorer, I get this error -. To administer remote queue managers, you must manually connect WebSphere MQ Explorer to the remote queue manager and show the queue manager in the Queue Managers folder in WebSphere MQ Explorer. Use one of the following methods to connect to a remote queue manager: Create a connection manually.

IBM MQ, Connect Remote Queue Manager in a container via MQ Explorer Announcing the arrival of Valued Associate #679: Cesar Manara Planned� Emma Bushby from the WebSphere MQ AVP team created this video to answer the question of "How do I connect to a remote queue manager with WebSphere MQ Explorer?". More information about setting up

[PDF] Connecting an on-premise queue manager to an IBM MQ , IBM MQ is a family of message-oriented middleware products that IBM launched in December It is responsible for transferring data to other queue managers via message using a client connection can connect to a queue manager on any other host in Remote queue: represents a queue on another queue manager. If the connection is then used to connect to the target queue manager via an intermediate queue manager, the userId is flowed in the UserIdentifier parameter of the message descriptor (MQMD) again. In order for the MCA listener on the target queue manager to accept this message, either the MCAUSER attribute must be set, or the userId must

IBM WebSphere MQ Metrics Reference, connection via the secure gateway using MQSC commands or by using the MQ A cloud-hosted queue manager deployed using the MQ service in IBM Cloud. https://github.com/ibm-messaging/mq-container/blob/master/docs/usage.md docker image, or download the client and the IBM MQ documentation will tell you � I installed MQ8.0.0.4 on a ubuntu(14.4) server. I am able to launch a local MQ explorer and connect to local Queue Managers. I want to connect to the same Queue Manager from a remote windows machine. When I try this I get authorization errors: Access not permitted. You are not authorized to perform this operation. (AMQ4036) Access not permitted.

Comments
  • Which version of MQ v8 are you using for the queue manager (for example 8.0.0.3 or 8.0.0.11)? Check that DIS QMGR CHLEV is set to ENABLED if it is not, then enable it with ALTER QMGR CHLEV(ENABLED). Reproduce the failure and check to see any messages are generated in the SYSTEM.ADMIN.CHANNEL.EVENT queue. If you see messages then run this: /opt/mqm/samp/bin/amqsevt -m QMGRNAME -q SYSTEM.ADMIN.CHANNEL.EVENT. Look at the last few messages to see if they correspond to your MQ Explorer and explain why you see a failure.
  • Both the comment from @JoshMc and the answer from Roger are suggesting you are having security issues, but reason code 2358 is MQRC_HOST_NOT_AVAILABLE, so you should double check your connectivity. You have suggested that you have not got connectivity issues because you can telnet to the QMgr - is this telnet from the same machine/docker container as the MQ Explorer is running in? You don't show us a screen shot of your MQ Explorer connection settings - we can only assume you have input the correct port there?
  • @JoshMc, many thanks for the advice! I followed your recommendations and as you mentioned, a record appeared in SYSTEM.ADMIN.CHANNEL.EVENT queue. Unfortunately, I do not have amqsevt script. I do have /opt/mqm/samp folder but no bin folder. I also check /opt/mqm/bin folder too but no luck. I will try to find amqsevt. Many thanks for the tip!
  • @JoshMc, I should tell you my steps since I have feeling that the message in the queue might not be related to my issue. I changed CHLEV value in my queue manager and tried to login from mq explorer again. Nothing happened. Then, I thought that I should restart my queue manager so I did. Then, started my listener and then I thought I should start my channel as well since it is necesary for remote queue so I thought that it might be a requirement for mq explorer as well .. Anyway, I think the message in SYSTEM.ADMIN.CHANNEL.EVENT is most likely from my start channel command :(
  • @JoshMc, I just stopped/started my channel and the number of messages becomes 3
  • Many thanks Rob! This solved my problem. Just to be clear, I have already published port 1417 to my host but I was using 0.0.0.0 instead of 172.17.0.2
  • Glad to hear it solved your problem. This slack overflow document details what to do when someone answers a question and how to mark the problem as solved: stackoverflow.com/help/someone-answers In this case you should "accept" this answer to show it fixed your problem.
  • MQ version is 8.0.0.4. In the link that I shared (www-01.ibm.com/support/docview.wss?uid=swg21623113), it recommends: * c. For MQ 7.1 and later, and if you need to allow remote connections by an MQ Administrator. * d. For MQ 8.0 and later, and if you want the password to be optional for an MQ Administrator. * I did both of them so CONNAUTH is not an issue for me but I will take a look to your link in case I might catch something. Thanks a lot for the reply
  • I just read the links but they are all related if CHLAUTH(ENABLED) which is not the case for me.
  • 0.0.0.0 seems to be a docker reference to the real ip of the host from what i read. Unless you tell docker to route a host port to the docker ip it does not.
  • On a normal linux host 0.0.0.0 went to 127.0.0.1 for me.
  • On Windows it doesn't seem to be setup by default.
  • Not sure from your comments whether you think this is or is not the problem?
  • I think it may have to do with the container ports that are exposed or not exposed.