APAR status
Closed as program error.
Error description
This problem was first seen on the MQ Appliance but the issue also affects other MQ installations. The MQ LDAP authorization service fails. Failure Data Capture (FDC) records are generated as follows: FDC details: Probe Ids: - ZF272010 (zfuLdapGetUserDn) - ZF292010 (zfuFindGroupsByMember) - ZF291010 (zfuFindGroupsByDNAttr) and Major Errorcode :- MQRC_SERVICE_ERROR Attempts to authenticate users making connections to the queue manager may fail, even if valid credentials are presented.
Local fix
Problem summary
**************************************************************** USERS AFFECTED: Users of any queue manager where an AUTHINFO object has been configured to contact LDAP repositories for authentication and/or authorization checks. Platforms affected: MultiPlatform **************************************************************** PROBLEM DESCRIPTION: Within the MQ OAM code that deals with connections to the LDAP repository, threads were not adequately protected while accessing shared data. On one queue manager thread, a connection attempt was made to the LDAP server, but this attempt failed. The MQ code did not clean up some context information, so another thread acted on the basis that the connection had been successful. But a little later in the logic, the second thread noticed the connection was not valid, which caused this FDC to be written. This might be noticed only if a connection to the LDAP server breaks. Reasons for the connection to break include: - network problems - problems on the LDAP server - user runs REFRESH SECURITY Therefore the FDC is a sign that there are breaks in LDAP connectivity, but these might be temporary, and if they clear quickly, then this MQ code bug will not be noticed.
Problem conclusion
The MQ OAM code has been changed to protect shared data adequately, so that this FDC no longer appears in cases where LDAP connectivity has been lost in the scenario described. --------------------------------------------------------------- The fix is targeted for delivery in the following PTFs: Version Maintenance Level v8.0 8.0.0.12 v9.0 LTS 9.0.0.6 v9.1 CD 9.1.2 v9.1 LTS 9.1.0.2 The latest available maintenance can be obtained from 'WebSphere MQ Recommended Fixes' http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006037 If the maintenance level is not yet available information on its planned availability can be found in 'WebSphere MQ Planned Maintenance Release Dates' http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006309 ---------------------------------------------------------------
Temporary fix
Comments
APAR Information
APAR number
IT24916
Reported component name
IBM MQ APPL M20
Reported component ID
5725Z0900
Reported release
800
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2018-05-01
Closed date
2019-01-03
Last modified date
2019-01-03
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
IBM MQ APPL M20
Fixed component ID
5725Z0900
Applicable component levels
[{"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SS5K6E","label":"IBM MQ Appliance"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"8.0","Edition":"","Line of Business":{"code":"LOB36","label":"IBM Automation"}}]
Document Information
Modified date:
03 January 2019