APAR status
Closed as program error.
Error description
If ChlauthEarlyAdopt is enabled and the AUTHINFO ADOPTCTX attribute is set to YES, then any USERMAP channel authentication rules are ignored and the final adopted MCAUSER is the user supplied by the connecting client application in the MQCSP structure.
Local fix
None available
Problem summary
****************************************************************
USERS AFFECTED:
Any users using USERMAP channel authentication rules while ADOPTCTX is set to YES and CHLAUTHEARLYADOPT is enabled.

Platforms affected:
MultiPlatform
****************************************************************
PROBLEM DESCRIPTION:
Certain combinations of ADOPTCTX, USERMAP and EARLYADOPT settings would cause an incorrect MCAUSER to be used.

The MQ code for adopting users based on the ADOPTCTX, USERMAP and EARLYADOPT settings was incorrectly adopting the wrong user.
Problem conclusion
The MQ code has been corrected to adopt the correct user for each combination of ADOPTCTX, USERMAP and ChlAuthEarlyAdopt settings where it was incorrect. This has brought LTS releases behaviour in line with the MQ v9.0.5 continuous delivery release behaviour.

The following scenarios are changed:

------------------------------------------
USERMAP channel authentication rules

For example:
- The following rule is configured:
  SET CHLAUTH(CHANNEL.NAME) TYPE(USERMAP) CLNTUSER('cspuser') MCAUSER('mapuser')
- ChlAuthEarlyAdopt is set to Y in the qm.ini file
- AdoptCTX is set to YES on the active CONNAUTH AUTHINFO object
- The connecting client application provides cspuser as client user ID (in the MQCSP flow) to be evaluated by CONNAUTH

Before this change, "cspuser" was adopted incorrectly.
After this change "mapuser" is adopted as expected.

To revert to the previous behavior, set ChlAuthEarlyAdopt=N in the qm.ini file.

------------------------------------------
ADDRESSMAP/SSLPEERMAP channel authentication rules

For example:
- The following rule is configured:
  SET CHLAUTH(CHANNEL.NAME) TYPE(ADDRESSMAP) ADDRESS('*') MCAUSER('mapuser') [ or TYPE(SSLPEERMAP) ]
- ChlAuthEarlyAdopt is set to Y in the qm.ini file
- AdoptCTX is set to YES on the active CONNAUTH AUTHINFO object
- The connecting client application provides "cspuser" as client user ID (in the MQCSP flow) to be evaluated by CONNAUTH

Before this change, "cspuser" was adopted incorrectly.
After this change "mapuser" is adopted as expected.

To revert to the previous behavior:
- set ChlAuthEarlyAdopt=N in the qm.ini file.
OR
- Specify USERSRC(channel) instead of the MCAUSER attribute on the chlauth rule. This is functionally equivalent to removing the rule if ChlAuthEarlyAdopt=Y

------------------------------------------
BLOCKUSER channel authentication rules (multiple scenarios are affected)

Scenario 1

For example:
- The following rule is configured:
  SET CHLAUTH(CHANNEL.NAME) TYPE(BLOCKUSER) USERLIST('user')
- There is no MCAUSER value set on the SVRCONN channel definition
- ChlAuthEarlyAdopt is set to N in the qm.ini file
- AdoptCTX is set to YES on the active CONNAUTH AUTHINFO object
- The connecting client application is running as "user" (the user ID supplied in the MQCSP flow is not relevant)

Before this change, "user" was adopted incorrectly.
After this change, the connection is blocked.

To revert to the previous behavior:
- set ChlAuthEarlyAdopt=Y in the qm.ini file.
OR
- Remove the CHLAUTH BLOCKUSER rule.

Scenario 2

For example:
- The following rule is configured:
  SET CHLAUTH(CHANNEL.NAME) TYPE(BLOCKUSER) USERLIST('user')
- MCAUSER('channeluser') is set on the SVRCONN channel definition
- ChlAuthEarlyAdopt is set to Y in the qm.ini file
- AdoptCTX is set to NO on the active CONNAUTH AUTHINFO object
- The connecting client application is running as "user" (the user ID supplied in the MQCSP flow is not relevant)

Before this change, "channeluser" was adopted incorrectly.
After this change, the connection is blocked.

To revert to the previous behavior:
- set ChlAuthEarlyAdopt=N in the qm.ini file.
OR
- Define a rule of TYPE(USERMAP) to map "user" to "channeluser"

Scenario 3

For example:
- The following rule is configured:
  SET CHLAUTH(CHANNEL.NAME) TYPE(BLOCKUSER) USERLIST('cspuser')
- MCAUSER('channeluser') is set on the SVRCONN channel definition
- ChlAuthEarlyAdopt is set to Y in the qm.ini file
- AdoptCTX is set to NO on the active CONNAUTH AUTHINFO object
- The connecting client application is running as "user"
- The connecting client application provides "cspuser" as client user ID (in the MQCSP flow) to be evaluated by CONNAUTH

Before this change, "channeluser" was adopted incorrectly.
After this change "user" is adopted as expected.

To revert to the previous behavior:
- set ChlAuthEarlyAdopt=N in the qm.ini file.
OR
- Define a rule of TYPE(USERMAP) to map "user" to "channeluser"

---------------------------------------------------------------
The fix is targeted for delivery in the following PTFs:

Version    Maintenance Level
v8.0       8.0.0.10
v9.0 LTS   9.0.0.5

The latest available maintenance can be obtained from 'WebSphere MQ Recommended Fixes'
http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006037

If the maintenance level is not yet available information on its planned availability can be found in 'WebSphere MQ Planned Maintenance Release Dates'
http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006309
---------------------------------------------------------------
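A pre-upgrade check for the scenarios listed above, as an added example that is not IBM's code: it reads a qm.ini fragment and an MQSC definition dump and reports the channel authentication rules whose adopted user or block decision changes once the fix is applied. The channel and AUTHINFO names and the sample input are constructed; it assumes exact channel-name matching, that the dump contains only the AUTHINFO object named by CONNAUTH, and that an absent ChlauthEarlyAdopt line means N.

```python
import re

# Constructed sample inputs; object and channel names are hypothetical.
QM_INI = "Channels:\n   ChlauthEarlyAdopt=Y\n"
MQSC = """\
ALTER AUTHINFO(EXAMPLE.IDPWOS) AUTHTYPE(IDPWOS) ADOPTCTX(YES)
DEFINE CHANNEL(APP.SVRCONN) CHLTYPE(SVRCONN) MCAUSER('channeluser')
SET CHLAUTH(APP.SVRCONN) TYPE(USERMAP) CLNTUSER('cspuser') MCAUSER('mapuser')
SET CHLAUTH(APP.SVRCONN) TYPE(ADDRESSMAP) ADDRESS('*') MCAUSER('mapuser')
SET CHLAUTH(APP.SVRCONN) TYPE(BLOCKUSER) USERLIST('user')
"""

def parse(qm_ini, mqsc):
    """Extract the settings the APAR scenarios depend on."""
    m = re.search(r"^\s*ChlauthEarlyAdopt\s*=\s*(\w+)", qm_ini, re.I | re.M)
    early = bool(m) and m.group(1).upper().startswith("Y")  # absent -> N (assumption)
    # Assumption: the dump holds only the AUTHINFO object named by CONNAUTH.
    adoptctx = bool(re.search(r"AUTHINFO\([^)]*\).*ADOPTCTX\(YES\)", mqsc, re.I))
    chan_user = {}
    for name, rest in re.findall(r"^DEFINE CHANNEL\(([^)]+)\)(.*)$", mqsc, re.I | re.M):
        u = re.search(r"MCAUSER\('([^']*)'\)", rest, re.I)
        chan_user[name] = u.group(1) if u else ""
    rules = []
    pat = r"^SET CHLAUTH\(([^)]+)\)\s+TYPE\((\w+)\)(.*)$"
    for name, rtype, rest in re.findall(pat, mqsc, re.I | re.M):
        maps = bool(re.search(r"MCAUSER\('[^']+'\)", rest, re.I))
        rules.append((name, rtype.upper(), maps))
    return early, adoptctx, chan_user, rules

def affected(early, adoptctx, chan_user, rules):
    """List (channel, rule type, scenario) where the fix changes the outcome."""
    hits = []
    for chan, rtype, maps in rules:
        has_user = bool(chan_user.get(chan))  # exact channel-name match only
        if rtype in ("USERMAP", "ADDRESSMAP", "SSLPEERMAP"):
            if maps and early and adoptctx:
                hits.append((chan, rtype, "mapped MCAUSER replaces MQCSP user"))
        elif rtype == "BLOCKUSER":
            if not early and adoptctx and not has_user:
                hits.append((chan, rtype, "BLOCKUSER scenario 1"))
            elif early and not adoptctx and has_user:
                hits.append((chan, rtype, "BLOCKUSER scenario 2 or 3"))
    return hits

if __name__ == "__main__":
    for hit in affected(*parse(QM_INI, MQSC)):
        print(hit)
```

Scenarios 2 and 3 share the same settings and differ only in which user the USERLIST names, so the check reports them together.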
Temporary fix
Comments
APAR Information
APAR number
IT20275
Reported component name
IBM MQ BASE M/P
Reported component ID
5724H7261
Reported release
902
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2017-04-19
Closed date
2018-06-20
Last modified date
2018-06-20
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
IBM MQ BASE M/P
Fixed component ID
5724H7261
Applicable component levels
R902 PSY
UP
Document Information
Modified date:
20 November 2021