APAR status
Closed as program error.
Error description
If a WebSphere MQ queue manager is configured to check userid and password with these settings:
- ALTER QMGR CONNAUTH(LOCAL.ISPW)
- DEF AUTHINFO(LOCAL.ISPW) AUTHTYPE(IDPWOS) CHCKCLNT(OPTIONAL) ADOPTCTX(YES)

and the following is used
- USER_OWNER : user ID used to start the client application (or owner of the application)
- USER_MQCSP : user ID passed in MQCSP structure for authorization check. The password is also provided in MQCSP structure.

In these scenarios the error message AMQ9557 may cause confusion:

Scenario 1: USER_MQCSP has no authority to access the queue manager. The client application fails to connect and the following error messages are generated in the queue manager error log:

AMQ8077: Entity 'USER_MQCSP' has insufficient authority to access object 'QM1'.
EXPLANATION: The specified entity is not authorized to access the required object. The following requested permissions are unauthorized: connect

AMQ9557: Queue Manager User ID initialization failed for 'USER_OWNER'.
EXPLANATION: The call to initialize the User ID 'USER_OWNER' failed with CompCode 2 and Reason 2035.

Scenario 2: USER_MQCSP has authority to connect and open objects on QM1, but the password is incorrect. The client application fails to connect and the following error messages are generated in the queue manager error log:

AMQ5534: User ID 'USER_MQCSP' authentication failed
EXPLANATION: The user ID and password supplied by 'amqsputc' could not be authenticated.

AMQ5542: The failed authentication check was caused by the queue manager CONNAUTH CHCKCLNT(OPTIONAL) configuration.
EXPLANATION: The user ID 'USER_MQCSP' and its password were checked because the queue manager connection authority (CONNAUTH) configuration refers to an authentication information (AUTHINFO) object named 'LOCAL.ISPW' with CHCKCLNT(OPTIONAL). This message accompanies a previous error to clarify the reason for the user ID

AMQ9557: Queue Manager User ID initialization failed for 'USER_OWNER'.
EXPLANATION: The call to initialize the User ID 'USER_OWNER' failed with CompCode 2 and Reason 2035.

In both scenarios AMQ9557 presents the asserted User ID, not the attempted User ID.
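
Added example (not IBM code, and not part of the original APAR): when triaging error logs from a queue manager without this fix, the attempted user ID can be recovered by pairing each AMQ9557 with the AMQ8077 or AMQ5534 that precedes it. The function name, the sample lines and the assumption that related messages are written consecutively are illustrative.

```python
import re

# Message IDs taken from the APAR text. AMQ8077 and AMQ5534 name the user ID
# supplied in MQCSP; a pre-fix AMQ9557 names the application owner instead.
ATTEMPT = re.compile(r"AMQ(8077): Entity '([^']+)'|AMQ(5534): User ID '([^']+)'")
INIT_FAIL = re.compile(r"AMQ9557: .*initialization failed for '([^']+)'")
REASON = {"8077": "no connect authority", "5534": "authentication failed"}

def correlate(lines):
    """Pair each AMQ9557 with the AMQ8077/AMQ5534 that precedes it.

    Assumption: related messages are written consecutively, as in the APAR's
    two scenarios, so the most recent unpaired attempt belongs to the AMQ9557.
    """
    findings, pending = [], None
    for line in lines:
        m = ATTEMPT.search(line)
        if m:
            code = m.group(1) or m.group(3)
            user = m.group(2) or m.group(4)
            pending = (user, REASON[code])
            continue
        m = INIT_FAIL.search(line)
        if m:
            logged = m.group(1)
            attempted, reason = pending or (None, "no preceding message")
            findings.append({
                "logged_user": logged,        # what AMQ9557 printed
                "attempted_user": attempted,  # what the client actually supplied
                "reason": reason,
                # True when the log shows the behaviour described in this APAR
                "mismatch": attempted is not None and attempted != logged,
            })
            pending = None
    return findings

# Constructed sample input built from the message texts quoted in the APAR.
SAMPLE = """\
AMQ8077: Entity 'USER_MQCSP' has insufficient authority to access object 'QM1'.
AMQ9557: Queue Manager User ID initialization failed for 'USER_OWNER'.
AMQ5534: User ID 'USER_MQCSP' authentication failed
AMQ5542: The failed authentication check was caused by the queue manager CONNAUTH CHCKCLNT(OPTIONAL) configuration.
AMQ9557: Queue Manager User ID initialization failed for 'USER_OWNER'.
""".splitlines()

if __name__ == "__main__":
    for finding in correlate(SAMPLE):
        print(finding)
```

A finding with mismatch set means the AMQ9557 line names the application owner, so failed-logon counts or alerts keyed on that message alone would be attributed to the wrong account.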
Local fix
Problem summary
****************************************************************
USERS AFFECTED:
Users of WebSphere MQ v8.0 queue manager using the connauth feature who are passing a user ID in MQCSP structure for the authorization check, where that user ID has no authority to access the queue manager, or where the user ID passed in MQCSP structure has authority to access the queue manager but the password is incorrect.

Platforms affected: MultiPlatform
****************************************************************
PROBLEM DESCRIPTION:
A programming error within the queue manager code to generate this log message meant that the wrong user ID was inserted into the error logs within the AMQ9557 message.
Problem conclusion
The queue manager security component has been updated so that the AMQ9557 error will show the attempted User ID rather than the asserted User ID. In terms of the scenario described above, this means that the AMQ9557 message will now show USER_MQCSP rather than USER_OWNER in this case.

---------------------------------------------------------------
The fix is targeted for delivery in the following PTFs:

Version    Maintenance Level
v8.0       8.0.0.3

The latest available maintenance can be obtained from 'WebSphere MQ Recommended Fixes'
http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006037

If the maintenance level is not yet available information on its planned availability can be found in 'WebSphere MQ Planned Maintenance Release Dates'
http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006309
---------------------------------------------------------------
Temporary fix
Comments
APAR Information
APAR number
IT08408
Reported component name
WMQ BASE MULTIP
Reported component ID
5724H7251
Reported release
800
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2015-04-20
Closed date
2015-04-30
Last modified date
2015-05-15
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
WMQ BASE MULTIP
Fixed component ID
5724H7251
Applicable component levels
R800 PSY
UP
Document Information
Modified date:
15 May 2015