A fix is available
APAR status
Closed as program error.
Error description
The DEFINE SUB command with a blank SUBUSER is performing incorrect security checks when putting the response message to the reply-to queue. When the queue manager puts command replies to the reply queue, following RACF error occurs: 10.56.42 STC001 ICH408I JOB(CSQ1MSTR) STEP(CSQ1MSTR) CSQ1.SYSTEM.CSQ2SLIST.D47FC0EC4C39FF82 CL(MQQUEUE ) INSUFFICIENT ACCESS AUTHORITY FROM CSQ1.* (G) ACCESS INTENT(UPDATE ) ACCESS ALLOWED(NONE ) 10.56.42 STC001 CSQN207I (CSQ1 COMMAND SERVER UNABLE TO OPEN REPLY TO QUEUE 10.56.42 STC001 CSQN203I (CSQ1 QUEUE SYSTEM.CSQ2SLIST.D47FC0EC4C39FF82, MQCC=2 MQRC=2035 (MQRC_NOT_AUTHORIZED) 11.00.50 STC001 ICH408I JOB(CSQ1MSTR) STEP(CSQ1MSTR) CSQ1.SYSTEM.CSQ2SLIST.D47FC1E6254D1F84 CL(MQQUEUE ) INSUFFICIENT ACCESS AUTHORITY FROM CSQ1.* (G) ACCESS INTENT(UPDATE ) ACCESS ALLOWED(NONE )
Local fix
N/A
Problem summary
**************************************************************** * USERS AFFECTED: All users of IBM MQ for z/OS Version 9 * * Release 1 Modification 0. * **************************************************************** * PROBLEM DESCRIPTION: ICH408I is issued reporting a security * * error when opening the reply queue for * * a DEFINE SUB/MQCMD_CREATE_SUBSCRIPTION * * command that specified the SUBUSER * * parameter with a blank value. * **************************************************************** During the creation of the subscription, a check is made that the user associated with the subscription is authorised to access the subscription queue. When SUBUSER is specified as blanks, the associated user is the issuer of the command, however after performing the check, CSQMCNSB incorrectly sets the current user to the passed in SUBUSER value of blanks. When the command server subsequently opens the reply queue, any authority checks for the reply queue are performed using this invalid value, and consequently the reply queue fails to be opened.
Problem conclusion
CSQMCNSB is changed to correctly restore the current user when a SUBUSER of blanks is specified.
Temporary fix
Comments
APAR Information
APAR number
PH14428
Reported component name
IBM MQ Z/OS V9
Reported component ID
5655MQ900
Reported release
100
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2019-07-12
Closed date
2019-07-23
Last modified date
2019-10-01
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
UI64370
Modules/Macros
CSQMCNSB
Fix information
Fixed component name
IBM MQ Z/OS V9
Fixed component ID
5655MQ900
Applicable component levels
R100 PSY UI64370
UP19/09/26 P F909
Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.
[{"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SSYHRD","label":"IBM MQ"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"100","Edition":"","Line of Business":{"code":"LOB45","label":"Automation"}}]
Document Information
Modified date:
01 October 2019