Reason code 2035—MQRC_NOT_AUTHORIZED—is the error application developers see when IBM MQ refuses MQOPEN, MQPUT, or MQGET. The queue manager is running, the channel may show RUNNING, and yet the program cannot touch the queue. Beginners blame the network or restart the queue manager; veterans check which user ID the call actually runs under and whether that ID has +put or +get on the object. 2035 is not one root cause—it is the symptom of missing or incorrect object authority management (OAM on distributed, RACF or equivalent on z/OS), wrong MCAUSER from channel or CHLAUTH, PUT or GET inhibited, or attempting admin operations without privilege. This tutorial explains how 2035 appears in logs and APIs, tracing identity from SVRCONN through MCAUSER, granting authority without handing out +all, differences from CHLAUTH and TLS failures, and repeatable troubleshooting steps for operations and development teams.
Client applications receive 2035 in MQRC on failed MQI calls. Server-side trigger monitors and channel agents log 2035 when putting to application queues. Batch jobs using bindings mode see the same reason code. Capture the full completion code and reason in the program log plus the object name and operation—MQOPEN versus MQPUT changes which authority is required. On distributed MQ, the error log may reference the user ID that failed. Correlate timestamp with channel CHSTATUS MCAUSER when the caller connected through SVRCONN.
| Symptom | Layer | First check |
|---|---|---|
| 2035 NOT_AUTHORIZED | Object authority OAM | AUTHREC and MCAUSER |
| CHLAUTH log block | Channel authentication | DISPLAY CHLAUTH |
| TLS handshake fail | Transport | SSLCIPH and certs |
| 2059 Q_MGR_NOT_AVAILABLE | QM down or wrong name | dspmq and listener |
On an inbound SVRCONN, the queue manager typically uses MCAUSER from the channel definition unless CHLAUTH MAP overrides it with SSLPEERMAP or USERMAP. Applications may also pass a user ID on MQCONNX in some configurations—the interaction is platform-specific. The ID that matters for 2035 on queue access is the one OAM evaluates. DISPLAY CHSTATUS on the active SVRCONN instance shows MCAUSER during a failing test. Grant authority to that ID, not to your personal admin ID used in MQ Explorer unless you are testing as admin deliberately.
12345DISPLAY CHSTATUS('APP.SVRCONN') MCAUSER DISPLAY AUTHREC PROFILE('PAY.IN') OBJTYPE(QUEUE) SET AUTHREC PROFILE('PAY.IN') OBJTYPE(QUEUE) PRINCIPAL('apppay') + AUTHADD(PUT) DISPLAY QLOCAL('PAY.IN') PUT GET
AUTHADD(PUT) allows put operations; AUTHADD(GET) for consumers. AUTHADD(BROWSE) for browse without destructive read. Remote queue definitions need +pass and +put as documented for your routing design. Group principals use GROUP instead of PRINCIPAL where your site standards require. After SET AUTHREC, retry the application without restarting the queue manager. If 2035 persists, confirm PUT is not inhibited on the queue definition and that the program opens the correct object name including case.
On z/OS, queue profiles and the channel initiator identity interact with RACF or equivalent. 2035 may require FACILITY or profile updates rather than SET AUTHREC syntax shown for distributed. Coordinate with security administration; never grant overly broad MQADMIN access to application IDs to “fix quickly.” Document profile names in the application runbook alongside queue names.
Projects that enable CHLAUTH and lower MCAUSER privilege see a wave of 2035 in test environments—that is progress, not regression. Map each application to an MCAUSER, grant minimal OAM, and retest. Legacy jobs that relied on channel MCAUSER mqm must be updated before production hardening. Maintain a spreadsheet: application, channel, MCAUSER, queues, required AUTHADD bits.
2035 is having a valid building pass (channel connected) but the wrong key for the specific room (queue)—security lets you in the building but not into every office.
You got into the school but your badge does not open the library door—so you need the librarian to add your name to the list for that room.
Write SET AUTHREC for apppay +put on PAY.IN and explain why +all is avoided.
Trace identity: SSLPEERMAP to MCAUSER to AUTHREC in three sentences for one SVRCONN.
List three non-OAM causes that can still block puts and how to DISPLAY each.
1. 2035 means:
2. 2035 after RUNNING channel often needs:
3. CHLAUTH block prevents:
4. Least privilege means: