Friday, 22 July 2016

MQJCA1011 and the story of the missing IBM MQ JMS Provider permissions

We saw this problem earlier this week: -

Failed to load the WebSphere MQ native JNI library: 'mqjbnd'.

The JVM attempted to load the platform native library 'mqjbnd', which was mapped to the filename: 'libmqjbnd.a'.

When attempting to load the library, the JVM reported the error message:

'mqjbnd (Not found in java.library.path)'

in the context of a failing WebSphere Application Server (WAS) to IBM MQ (MQ) configuration.

We found this, whilst trying to debug this: -

com.ibm.mq.connector.DetailedResourceAdapterInternalException: MQJCA1011: Failed to allocate a JMS connection. An internal error caused an attempt to allocate a connection to fail. See the linked exception for details of the failure.

We're using JMS Activation Specifications, JMS Queues and, most importantly, a JMS MQ Provider.

This latter has a native MQ library configured: -

ra=AdminConfig.getid("/Cell/"+cellID+"/ServerCluster/"+clusterName+"/ J2CResourceAdapter:WebSphere MQ Resource Adapter/")
AdminTask.manageWMQ(ra, '[-nativePath /opt/mqm/java/lib64/ - disableWMQ false ]')
AdminConfig.save()
AdminNodeManagement.syncActiveNodes()

When I checked, the user under which WAS runs, wasadmin, does NOT appear to have the permission to access the MQ native library path: -

/opt/mqm/java/lib64/

as per this example: -

whoami

wasadmin

ls -al /opt/mqm/java/lib64/

ls: 0653-345 /opt/mqm/java/lib64/.: Permission denied.
ls: 0653-345 /opt/mqm/java/lib64/..: Permission denied.
ls: 0653-345 /opt/mqm/java/lib64/bin: Permission denied.
ls: 0653-345 /opt/mqm/java/lib64/doc: Permission denied.
ls: 0653-345 /opt/mqm/java/lib64/http: Permission denied.
ls: 0653-345 /opt/mqm/java/lib64/jre64: Permission denied.
ls: 0653-345 /opt/mqm/java/lib64/lib: Permission denied.
ls: 0653-345 /opt/mqm/java/lib64/lib64: Permission denied.
ls: 0653-345 /opt/mqm/java/lib64/original.jre64.IT13492: Permission denied.
total 0


We compared / contrasted this against a working system, where wasadmin WAS able to access the Java path.

Thus it feels like the wasadmin user no longer has the permission to access the MQ native libraries, which are owned by mqm.

This may have changed as a result of a MQ patching / maintenance process.

Once the MQ administrator changed the permissions for the /opt/mqm/java directory to: -

dr-xr-xr-x

things started working again ….

No comments: