IBM Support

IT44798: An ICH408I error can occur after upgrading the WebSphere Liberty Profile used by the IBM MQ Console to 22.0.0.12 on z/OS


APAR status

  • Closed as program error.

Error description

  • This is seen when the IBM MQ Console on z/OS is upgraded to a
    level that ships WebSphere Liberty Profile version 22.0.0.12 or
    later - so from IBM MQ LTS versions 9.1.0.15, 9.2.0.8, and
    9.3.0.2 and CD versions from 9.3.1.1 and 9.3.2.
    
    The issue occurs when users not in either MQWebAdmin or
    MQWebAdminRO roles, in the EJBROLE class, try to access a z/OS
    queue manager via the console.
    
    The error seen is like:
    
    RACF:
     ICH408I USER(user-id ) GROUP(group-name) NAME(name       )
       profilePrefix.com.ibm.mq.console.MQWebAdmin CL(EJBROLE )
       INSUFFICIENT ACCESS AUTHORITY
       ACCESS INTENT(READ   )  ACCESS ALLOWED(NONE   )
    Top Secret:
    TSS7250E J=console-job A=acid TYPE=EJBROLE
       RESOURCE=profilePrefix.COM.IBM.MQ.CONSOLE.MQWEBADMIN
    
    although this can vary based on the security manager used.
    
    The user is still able to access the console despite the error
    being generated.
    .
    z/OS APAR: PH56363
    

Local fix

  • This is a sample mqwebuser.xml, so you can copy it and update
    the contents as required.
    

Problem summary

  • ****************************************************************
    USERS AFFECTED:
    This issue affects users of the IBM MQ Console on z/OS
    
    
    Platforms affected:
    MultiPlatform
    
    ****************************************************************
    PROBLEM DESCRIPTION:
    This is seen when the IBM MQ Console on z/OS is upgraded to a
    level that ships WebSphere Liberty Profile version 22.0.0.12 or
    later - so from IBM MQ LTS versions 9.1.0.15, 9.2.0.8, and
    9.3.0.2 and CD versions from 9.3.1.1 and 9.3.2.
    
    The issue occurs when users not in either MQWebAdmin or
    MQWebAdminRO roles, in the EJBROLE class, try to access a z/OS
    queue manager via the console.
    
    The error seen is like:
    
    RACF:
     ICH408I USER(user-id ) GROUP(group-name) NAME(name       )
       profilePrefix.com.ibm.mq.console.MQWebAdmin CL(EJBROLE )
       INSUFFICIENT ACCESS AUTHORITY
       ACCESS INTENT(READ   )  ACCESS ALLOWED(NONE   )
    Top Secret:
    TSS7250E J=console-job A=acid TYPE=EJBROLE
       RESOURCE=profilePrefix.COM.IBM.MQ.CONSOLE.MQWEBADMIN
    
    although this can vary based on the security manager used.
    
    The user is still able to access the console despite the error
    being generated.
    
    This issue is caused by the default zos_saf_registry.xml having
    multiple safAuthorization entries - if the file has been edited
    to modify this, then the issue may not occur.
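
One way to check a copied configuration for the condition described above, as an added example (not IBM's code): it lists every live safAuthorization element with its line number and ignores commented-out entries. The sample XML is constructed for illustration and is not the shipped zos_saf_registry.xml; the script assumes the file can be read as UTF-8.

```python
import sys
import xml.parsers.expat

# Constructed sample, NOT the shipped zos_saf_registry.xml: two live
# safAuthorization elements plus one that is commented out.
SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<server>
    <featureManager>
        <feature>zosSecurity-1.0</feature>
    </featureManager>
    <!-- <safAuthorization id="old"/> -->
    <safAuthorization id="saf"/>
    <safCredentials profilePrefix="MQWEB"/>
    <safAuthorization racRouteLog="ASIS"/>
</server>
"""


def find_saf_authorization(xml_text):
    """Return [(line, attrs), ...] for each live <safAuthorization> element.

    A real XML parser is used so that commented-out entries, which a plain
    text search would also match, are not counted.
    """
    hits = []
    parser = xml.parsers.expat.ParserCreate()

    def on_start(name, attrs):
        if name == "safAuthorization":
            hits.append((parser.CurrentLineNumber, dict(attrs)))

    parser.StartElementHandler = on_start
    parser.Parse(xml_text, True)
    return hits


def check(xml_text):
    """Summarise the entries; 'duplicate' is True when more than one is live."""
    hits = find_saf_authorization(xml_text)
    return {"count": len(hits), "duplicate": len(hits) > 1, "entries": hits}


if __name__ == "__main__":
    # Pass the path of your own copy of the file; with no argument the sample runs.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE
    result = check(text)
    for line, attrs in result["entries"]:
        print(f"line {line}: <safAuthorization {attrs}>")
    print("duplicate safAuthorization entries" if result["duplicate"] else "ok")
    sys.exit(1 if result["duplicate"] else 0)
```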
    

Problem conclusion

  • The sample configuration file zos_saf_registry.xml has been
    updated to remove the duplicate safAuthorization entry.
    
    ---------------------------------------------------------------
    The fix is targeted for delivery in the following PTFs:
    
    Version    Maintenance Level
    v9.1 LTS   9.1.0.20
    v9.2 LTS   9.2.0.25
    v9.3 LTS   9.3.0.20
    v9.x CD    9.3.5
    
    The latest available maintenance can be obtained from
    'IBM MQ Recommended Fixes'
    https://www.ibm.com/support/pages/recommended-fixes-ibm-mq
    
    If the maintenance level is not yet available information on
    its planned availability can be found in 'IBM MQ
    Planned Maintenance Release Dates'
    https://ibm.biz/mqplannedmaintenance
    
    ---------------------------------------------------------------
    

Temporary fix

Comments

APAR Information

  • APAR number

    IT44798

  • Reported component name

    IBM MQ BASE MP

  • Reported component ID

    5724H7271

  • Reported release

    910

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2023-10-20

  • Closed date

    2023-12-14

  • Last modified date

    2024-01-11

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    IBM MQ BASE MP

  • Fixed component ID

    5724H7271

Applicable component levels


Document Information

Modified date:
12 January 2024