A fix is available
APAR status
Closed as program error.
Error description
On a topic open, only MQRC_NOT_AUTHORIZED (MQRC 2035) is returned, with no other messages to indicate which object the application is not authorized for. In the instance that led to this APAR, the reason appears to be that there were no suitable topic nodes to perform a security check against, so no security check was issued. No ICH408I messages were generated by RACF.
Local fix
Problem summary
USERS AFFECTED: All users of WebSphere MQ for z/OS Version 7 Release 0 Modification 1 and Release 1 Modification 0.
PROBLEM DESCRIPTION: No security check occurs on the root node of the topic tree if authority was not granted by any topic objects, and SYSTEM.BASE.TOPIC does not exist. No ICH408I message is issued for the xxxx.PUBLISH.SYSTEM.BASE.TOPIC or xxxx.SUBSCRIBE.SYSTEM.BASE.TOPIC.
The application opening the topic fails with MQRC_NOT_AUTHORIZED. If no relevant topic objects exist for the topic being opened, no ICH408I messages appear to indicate what authority is needed.
RECOMMENDATION:
When opening a topic, a security check takes place on each administrative topic node (i.e. a node with an associated TOPIC object) between the topic and the root node of the topic tree, until access is granted or the root node is reached. If the root node is reached, because no suitable topic objects existed or access had not been granted by a suitable topic object, authorization should be based on the profile for object 'SYSTEM.BASE.TOPIC'. If this topic object does not exist, the queue manager should behave as if it exists with default values. However, in this situation no security check is issued and the call fails with MQRC_NOT_AUTHORIZED, even if the application has the correct access to the profile for SYSTEM.BASE.TOPIC.
Problem conclusion
Open processing is changed to always check if an application has access to SYSTEM.BASE.TOPIC if access has not already been granted by a topic object lower in the topic tree, even if topic object SYSTEM.BASE.TOPIC does not exist.
010Y 100Y
CSQMOPEN CSQMOPNI
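The walk described in the problem summary and the changed open processing can be modelled in a few lines. This is an added, simplified Python illustration, not IBM's code: the queue manager name QM01, the function open_topic, the fixed flag and the sample topic string are assumptions made for the example.

```python
MQRC_NONE = 0
MQRC_NOT_AUTHORIZED = 2035
BASE_TOPIC = "SYSTEM.BASE.TOPIC"


def open_topic(topic_string, topic_objects, granted,
               action="PUBLISH", qmgr="QM01", fixed=True):
    """Model the authorization walk for opening a topic.

    topic_objects maps a topic-tree node to its TOPIC object name; the root
    node is keyed by "". granted is the set of profiles the user may access.
    Returns (reason_code, profiles_checked). A profile in profiles_checked
    that was not granted is where an ICH408I message would be expected.
    """
    checked = []
    parts = topic_string.split("/")
    # Walk from the opened topic up towards the root node.
    for depth in range(len(parts), 0, -1):
        obj = topic_objects.get("/".join(parts[:depth]))
        if obj is None:
            continue  # not an administrative node: nothing to check here
        profile = f"{qmgr}.{action}.{obj}"
        checked.append(profile)
        if profile in granted:
            return MQRC_NONE, checked
    # Root reached without a grant. Before the fix, the root check was
    # skipped when the SYSTEM.BASE.TOPIC object did not exist.
    if fixed or "" in topic_objects:
        profile = f"{qmgr}.{action}.{BASE_TOPIC}"
        checked.append(profile)
        if profile in granted:
            return MQRC_NONE, checked
    return MQRC_NOT_AUTHORIZED, checked


if __name__ == "__main__":
    # Constructed scenario: no TOPIC objects defined, user holds the base profile.
    granted = {"QM01.PUBLISH.SYSTEM.BASE.TOPIC"}
    for fixed in (False, True):
        rc, checked = open_topic("sport/football/results", {}, granted, fixed=fixed)
        print(f"fixed={fixed}: reason={rc} profiles checked={checked}")
```

In the model, reason 2035 with an empty list of checked profiles is the symptom this APAR describes: the open fails and there is no failed profile check for RACF to report.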
Temporary fix
Comments
APAR Information
APAR number
PM96242
Reported component name
WMQ Z/OS V7
Reported component ID
5655R3600
Reported release
010
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2013-09-02
Closed date
2013-09-12
Last modified date
2013-11-04
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
UK97472 UK97473
Modules/Macros
CSQMOPEN CSQMOPNI
Fix information
Fixed component name
WMQ Z/OS V7
Fixed component ID
5655R3600
Applicable component levels
Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.
Document Information
Modified date:
04 November 2013