APAR status
Closed as program error.
Error description
An IBM MQ queue manager reports that a user identifier is missing "browse" authority on the "SYSTEM.FTE.AUTHOPS1.<agent_name>" queue for both the source and destination agents when that user attempts to cancel a file transfer which it previously requested.

As per the Knowledge Center, when the Managed File Transfer (MFT) user authority checking function has been enabled, the following MQ authorities must be granted for each user that wishes to cancel a transfer request that the same user previously requested:

- BROWSE on queue SYSTEM.FTE.AUTHTRN1.source_agent_name
- PUT on queue SYSTEM.FTE.AUTHTRN1.destination_agent_name

Even though the above authorities are granted to user 'userA', the following errors are found in the queue manager error logs:

AMQ8077: Entity 'userA' has insufficient authority to access object 'SYSTEM.FTE.AUTHOPS1.source_agent_name'.
AMQ8077: Entity 'userA' has insufficient authority to access object 'SYSTEM.FTE.AUTHOPS1.destination_agent_name'.

If the agent property logAuthorityChecks is set to a valid value other than "None", then the following warning message is also found in the MFT agent event log, the "output0.log" file:

[timestamp] [thread] WMQAuthorityChecker BFGAG0106W: The authority check for user 'userA' and authority 'TRANSFER_OPERATIONS' has failed.

The transfer gets cancelled successfully regardless of the error messages reported.
Local fix
To prevent the error messages reported by the source and destination agent queue managers, grant the users cancelling transfers browse authority on the queues:

- SYSTEM.FTE.AUTHOPS1.source_agent_name
- SYSTEM.FTE.AUTHOPS1.destination_agent_name

To prevent the agent logging the BFGAG0106W message in its event log, disable the logAuthorityChecks function in the agent.properties file by setting it to the default value "None":

logAuthorityChecks=None

Alternatively, remove the property from the agent.properties file.
Problem summary
****************************************************************
USERS AFFECTED:
This issue affects users of IBM MQ Managed File Transfer who enabled the agent property "authorityChecking" and are cancelling a file transfer previously started by the same user.

Platforms affected:
MultiPlatform
****************************************************************
PROBLEM DESCRIPTION:
The error and warning messages noted in the Problem Description section of this APAR were logged due to an incorrect order in which authority checks were performed.

When an agent received a request to cancel a transfer that was previously started by the same user, it first checked whether the user requesting the "cancel" command had sufficient authority. To do this the agent checked whether the user had "browse" authority on its SYSTEM.FTE.AUTHOPS1.<agent_name> queue by attempting to open it with the MQOO_BROWSE option. However, the user is expected to have "browse" authority on SYSTEM.FTE.AUTHOPS1.agent_name queues only if cancelling a transfer started by a different user. Therefore the user was not given this authority on the agent queue managers, so both the queue manager and the agent reported a failure in the authority check.

After the first authority check failed, the agent then checked whether the user cancelling the transfer was the same user who started the transfer. Since it was the same user, it checked whether the user had the required permissions on the SYSTEM.FTE.AUTHTRN1.<agent_name> queue. The user did have the required permissions on those authority queues, therefore the transfer was cancelled successfully.
Problem conclusion
The product code for IBM MQ Managed File Transfer (MFT) has been updated to change the order in which authority checks are performed to avoid unexpected errors in agent and queue manager error logs.

After this APAR, when an agent receives a request to cancel a file transfer, it will first check whether the user requesting the "cancel" command is the same user who started the transfer. If the user cancelling the transfer is not the same as the user that requested it, the agents will then check if the cancelling user has "browse" permission on SYSTEM.FTE.AUTHOPS1.<agent_name> queues.

---------------------------------------------------------------
The fix is targeted for delivery in the following PTFs:

Version    Maintenance Level
v9.0 CD    9.0.4
v9.0 LTS   9.0.0.3

The latest available MQ maintenance can be obtained from 'WebSphere MQ Recommended Fixes'
http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006037

If the maintenance level is not yet available, information on its planned availability can be found in 'WebSphere MQ Planned Maintenance Release Dates'
http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006309
---------------------------------------------------------------
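The two check orders described in the problem summary and conclusion can be compared with a small model. This is an added example, not IBM product code: the class and function names, the agent names SRC_AGENT and DST_AGENT, and the behaviour when the first check succeeds are assumptions made for illustration.

```python
# Simplified model of the cancel-authority check order (illustrative only).

# Authority an originator needs on SYSTEM.FTE.AUTHTRN1.<agent>, per agent role.
OWNER_AUTH = {"source": "browse", "destination": "put"}


class QueueManager:
    """Holds grants and records every failed check, like AMQ8077 entries."""

    def __init__(self, grants):
        self.grants = set(grants)   # {(user, queue, authority)}
        self.failures = []          # queues that produced a failed check

    def check(self, user, queue, authority):
        ok = (user, queue, authority) in self.grants
        if not ok:
            self.failures.append(queue)
        return ok


def can_cancel(qm, agent, role, canceller, originator, fixed):
    """Return True if `agent` accepts the cancel request."""
    ops_q = f"SYSTEM.FTE.AUTHOPS1.{agent}"
    trn_q = f"SYSTEM.FTE.AUTHTRN1.{agent}"
    if fixed:
        # Post-APAR order: identity comparison first, then one queue check.
        if canceller == originator:
            return qm.check(canceller, trn_q, OWNER_AUTH[role])
        return qm.check(canceller, ops_q, "browse")
    # Pre-APAR order: AUTHOPS1 browse is always attempted first.
    if qm.check(canceller, ops_q, "browse"):
        return True
    return canceller == originator and qm.check(canceller, trn_q, OWNER_AUTH[role])


def simulate(fixed):
    """userA cancels its own transfer; returns (outcomes, logged failures)."""
    qm = QueueManager({  # constructed grants matching the documented minimum
        ("userA", "SYSTEM.FTE.AUTHTRN1.SRC_AGENT", "browse"),
        ("userA", "SYSTEM.FTE.AUTHTRN1.DST_AGENT", "put"),
    })
    outcomes = [can_cancel(qm, agent, role, "userA", "userA", fixed)
                for agent, role in (("SRC_AGENT", "source"), ("DST_AGENT", "destination"))]
    return outcomes, qm.failures


if __name__ == "__main__":
    for fixed in (False, True):
        print("fixed" if fixed else "pre-fix", simulate(fixed))
```

In both orders the cancel is accepted; only the pre-fix order records failed AUTHOPS1 checks, which is the log noise this APAR removes.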
Temporary fix
Comments
APAR Information
APAR number
IT22099
Reported component name
IBM MQ MFT V9.0
Reported component ID
5724H7262
Reported release
900
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2017-08-22
Closed date
2017-09-29
Last modified date
2017-09-29
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
IBM MQ MFT V9.0
Fixed component ID
5724H7262
Applicable component levels
R900 PSY
UP
[{"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SSYHRD","label":"IBM MQ"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"9.0","Edition":"","Line of Business":{"code":"LOB45","label":"Automation"}}]
Document Information
Modified date:
29 September 2017