APAR status
Closed as program error.
Error description
Upon first use, the Java MQI implementation, which underpins the MQ classes for JMS and MQ classes for Java APIs, initialises and attempts to locate the "mqclient.ini" and "mqs.ini" files. Once located, these configuration files are parsed to determine configuration parameters.

For the "mqclient.ini" file, the locations searched by the Java MQI are as follows:

a) The location specified by the environment variable "MQCLNTCF" defined on the system
b) The current working directory for the JVM
c) The data directory for IBM MQ, for example:
   "/var/mqm" for UNIX platforms
   "C:\Program Files\IBM\Websphere MQ" for Windows
d) The home directory of the user that started the JVM

For the "mqs.ini" configuration file, locations b), c) and d) are searched.

In the case where:

(1) A classes for JMS or classes for Java application is running on the Windows platform
AND
(2) The "mqclient.ini" and/or "mqs.ini" file exists in the data directory for IBM MQ

the Java MQI will attempt to query the Windows Registry to determine the data directory used by IBM MQ by invoking the Windows "reg.exe" application in a separate process.

When the application is running in a Java Runtime that has the Java Security Manager enabled, the following permission must be set in order for the Windows "reg.exe" application to be invoked without an AccessControlException:

    permission java.io.FilePermission "<<ALL FILES>>","execute";

For example:

    grant codeBase "file:MQ_INSTALLATION_PATH/java/lib/com.ibm.mq.allclient.jar" {
        permission java.io.FilePermission "<<ALL FILES>>","execute";
    };

This APAR adds the ability to set either a Java System Property or a system environment variable that specifies the location of the MQ Data Directory. With either one set, the above <<ALL FILES>> "execute" Java Security Manager FilePermission does not need to be granted to the Java MQI code.
Local fix
Problem summary
****************************************************************
USERS AFFECTED:
This issue affects users of the
- IBM MQ V8 classes for JMS
- IBM MQ V8 classes for Java
who are using the Java Security Manager and have specific configuration properties within the "mqclient.ini" and/or "mqs.ini" files which are located in the MQ data directory.

Platforms affected: Windows
****************************************************************
PROBLEM DESCRIPTION:
On Windows platforms, the Java MQI attempted to determine the IBM MQ data path by issuing a query against the Windows Registry. Once the IBM MQ data path was known, the Java MQI attempted to find and parse the "mqclient.ini" and "mqs.ini" configuration files it contained.

When running an application within a Java Runtime that enabled the Java Security Manager, the following permission was required in order for the Java MQI to invoke the Windows Registry and issue the required query:

    permission java.io.FilePermission "<<ALL FILES>>","execute";

This permission was required for the "com.ibm.mq.jmqi.jar" file or the "com.ibm.mq.allclient.jar" file, depending on which was being used by the application, because the Java MQI does not provide an absolute path to the reg.exe program which it attempts to invoke.

Setting this FilePermission may not be desirable within a secure environment because a file path consisting of the special token "<<ALL FILES>>" matches any file, meaning that malicious code running within the JVM would be able to run any executable program on the system.
Problem conclusion
This APAR adds support for the following Java System Property:

    com.ibm.mq.cfg.MQ_DATA_PATH

and the system environment variable:

    MQ_DATA_PATH

which can be used to specify the location of the IBM MQ Data Path. Examples of how to do this on the Windows platform are as follows:

Java System Property:

    java -Dcom.ibm.mq.cfg.MQ_DATA_PATH="C:\Program Files\IBM\Websphere MQ" MyClass

To use the system environment variable:

    set MQ_DATA_PATH="C:\Program Files\IBM\Websphere MQ"
    java MyClass

When either of these variables is used, the value provided is used by the Java MQI when it attempts to locate the "mqclient.ini" and "mqs.ini" configuration files. In this case, on Windows platforms, the Windows Registry is not queried.

The required Java Security Manager Permission to read the "com.ibm.mq.cfg.MQ_DATA_PATH" Java System Property is:

    permission java.util.PropertyPermission "com.ibm.mq.cfg.*","read";

The required Java Security Manager Permission to read the "MQ_DATA_PATH" system environment variable is:

    permission java.lang.RuntimePermission "getenv.MQ_DATA_PATH";

Note that while this APAR is specifically concerned with the Java Security Manager permissions needed to run the "reg.exe" program on Windows, the above environment variable and JVM property are available for use on all platforms.

---------------------------------------------------------------
The fix is targeted for delivery in the following PTFs:

Version    Maintenance Level
v8.0       8.0.0.6

The latest available maintenance can be obtained from 'WebSphere MQ Recommended Fixes'
http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006037

If the maintenance level is not yet available, information on its planned availability can be found in 'WebSphere MQ Planned Maintenance Release Dates'
http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006309
---------------------------------------------------------------
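The following policy check is an added example, not IBM code: it parses Java policy text and reports grant blocks that still allow executing any file, which is the grant that becomes unnecessary once MQ_DATA_PATH is supplied. The sample policy and the function names are constructed for illustration, and the parser covers only the grant/permission syntax shown in this APAR.

```python
import re

# Constructed sample policy: the first grant is the pre-fix form quoted in the
# APAR, the second uses the narrower permissions listed for MQ_DATA_PATH.
SAMPLE_POLICY = r'''
// before: lets the Java MQI start reg.exe, and anything else
grant codeBase "file:MQ_INSTALLATION_PATH/java/lib/com.ibm.mq.allclient.jar" {
    permission java.io.FilePermission "<<ALL FILES>>","execute";
};
/* after: data path supplied by system property or environment variable */
grant codeBase "file:MQ_INSTALLATION_PATH/java/lib/com.ibm.mq.allclient.jar" {
    permission java.util.PropertyPermission "com.ibm.mq.cfg.*","read";
    permission java.lang.RuntimePermission "getenv.MQ_DATA_PATH";
};
'''

# Quoted strings are matched first so "file://..." is not taken for a comment.
TOKEN = re.compile(r'"(?:[^"\\]|\\.)*"|//[^\n]*|/\*.*?\*/', re.S)
GRANT = re.compile(r'\bgrant\b([^{]*)\{(.*?)\}\s*;', re.S | re.I)
CODEBASE = re.compile(r'codeBase\s+"([^"]*)"', re.I)
PERM = re.compile(r'\bpermission\s+([\w.$]+)(?:\s+"([^"]*)")?(?:\s*,\s*"([^"]*)")?', re.I)


def strip_comments(text):
    """Remove // and /* */ comments while leaving quoted strings untouched."""
    return TOKEN.sub(lambda m: m.group(0) if m.group(0).startswith('"') else ' ', text)


def parse_grants(text):
    """Yield (codeBase or None, [(class, target, action set), ...]) per grant."""
    for head, body in GRANT.findall(strip_comments(text)):
        cb = CODEBASE.search(head)
        perms = [(c, t, {a.strip().lower() for a in acts.split(',') if a.strip()})
                 for c, t, acts in PERM.findall(body)]
        yield (cb.group(1) if cb else None, perms)


def broad_execute_grants(text):
    """Return (codeBase, permission class) for grants that allow running any file."""
    hits = []
    for codebase, perms in parse_grants(text):
        for cls, target, actions in perms:
            any_file = (cls == 'java.io.FilePermission'
                        and target == '<<ALL FILES>>' and 'execute' in actions)
            if any_file or cls == 'java.security.AllPermission':
                hits.append((codebase, cls))
    return hits
```

Running `broad_execute_grants` over a deployed policy file after moving to the fixed maintenance level shows which code bases still carry the execute-anything grant; `java.security.AllPermission` is reported as well because it implies every other permission.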
Temporary fix
Comments
APAR Information
APAR number
IT14762
Reported component name
WMQ BASE MULTIP
Reported component ID
5724H7251
Reported release
800
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2016-04-12
Closed date
2016-06-27
Last modified date
2017-06-01
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
WMQ BASE MULTIP
Fixed component ID
5724H7251
Applicable component levels
R800 PSY
UP
Document Information
Modified date:
01 June 2017