Fixes are available
APAR status
Closed as program error.
Error description
When configuring the Java Security Manager to work with WebSphere MQ clients, the sample permissions provided in the manual are not comprehensive. With the current permissions, AccessControlException errors occur.
Local fix
Problem summary
****************************************************************
USERS AFFECTED:
This issue affects users of the WebSphere MQ classes for Java and the WebSphere MQ classes for Java Message Service (JMS) who enable a Java Security Manager.

Platforms affected:
All Distributed (iSeries, all Unix and Windows) +Java
****************************************************************
PROBLEM SUMMARY:
The problem was caused by 2 factors:

1. The WebSphere MQ classes for Java/JMS client requires more permissions than detailed in the manuals.
2. The WebSphere MQ classes for Java/JMS client did not always make calls that require security manager clearance within an AccessController.doPrivileged block, and so the security manager rejected the request.
Problem conclusion
The MQ Java client has been updated to correctly issue requests that require security permissions. The permissions required by the WebSphere MQ classes for Java/JMS have been determined as follows, and the Using Java manual will be updated accordingly:

//Section required for both WebSphere MQ classes for Java and JMS
grant codeBase "file:/opt/mqm/java/lib/com.ibm.mq.jmqi.jar" {
    //Required
    permission java.util.PropertyPermission "user.name","read";
    permission java.util.PropertyPermission "os.name","read";
    //For the client transport type.
    permission java.net.SocketPermission "*","connect";
    //For the bindings transport type.
    permission java.lang.RuntimePermission "loadLibrary.*";
    //For applications that use CCDT tables (access to the CCDT AMQCLCHL.TAB)
    permission java.io.FilePermission "/var/mqm/qmgrs/QMGR/@ipcc/AMQCLCHL.TAB","read";
    //For applications that use User Exits
    permission java.io.FilePermission "/var/mqm/exits/*","read";
    permission java.lang.RuntimePermission "createClassLoader";
    //Required for the z/OS platform
    permission java.util.PropertyPermission "com.ibm.vm.bitmode","read";
    //Required if mqclient.ini/mqs.ini configuration files are used
    permission java.io.FilePermission "/var/mqm/mqclient.ini", "read";
    permission java.io.FilePermission "/var/mqm/mqs.ini","read";
};

//Only required for WebSphere MQ classes for JMS applications
grant codeBase "file:/opt/mqm/java/lib/com.ibm.mqjms.jar" {
    permission java.util.PropertyPermission "user.name","read";
    permission java.util.PropertyPermission "os.name","read";
    permission java.util.PropertyPermission "console.encoding", "read";
    permission java.lang.RuntimePermission "setContextClassLoader";
    //tracing permissions
    permission java.util.PropertyPermission "com.ibm.msg.client.commonservices.*","read";
    permission java.util.PropertyPermission "MQJMS_TRACE_LEVEL","read";
    permission java.util.logging.LoggingPermission "control";
    //Wherever trace output is expected
    permission java.io.FilePermission "/tmp/*","read,write";
    //Required for the z/OS platform
    permission java.util.PropertyPermission "com.ibm.vm.bitmode","read";
};

//Only required for WebSphere MQ classes for Java applications
grant codeBase "file:/opt/mqm/java/lib/com.ibm.mq.commonservices.jar" {
    permission java.util.PropertyPermission "user.dir","read";
    permission java.util.PropertyPermission "line.separator","read";
    //tracing permissions
    permission java.util.logging.LoggingPermission "control";
    permission java.util.PropertyPermission "com.ibm.mq.commonservices", "read";
    //For access to the trace properties file.
    permission java.io.FilePermission "/tmp/trace.properties", "read";
    //For access to the trace output files.
    permission java.io.FilePermission "/tmp/*", "read,write";
};

---------------------------------------------------------------
The fix is targeted for delivery in the following PTFs:

                   v7.0
Platform           Fix Pack 7.0.1.3
--------           --------------------
Windows            U200320
AIX                U834987
HP-UX (PA-RISC)    U834414
HP-UX (Itanium)    U834413
Solaris (SPARC)    U834986
Solaris (x86-64)   U834210
iSeries            tbc_p700_0_1_3
Linux (x86)        U834415
Linux (x86-64)     U834985
Linux (zSeries)    U834412
Linux (Power)      U835662

The latest available maintenance can be obtained from 'WebSphere MQ Recommended Fixes'
http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006037

If the maintenance level is not yet available, information on its planned availability can be found in 'WebSphere MQ Planned Maintenance Release Dates'
http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006309
---------------------------------------------------------------
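Several grants in the policy under Problem conclusion are tied by their comments to an optional feature (client transport, bindings transport, user exits, trace output). The following Python script is an added example, not IBM code: it parses a policy in that format and lists the grants that cover more than one named resource, so they can be narrowed or dropped when the feature is unused. The rule set and advice strings are this example's own assumptions, and the parser handles only grant codeBase blocks and whole-line // comments.

```python
import re
# Constructed sample: a fragment of the policy listed above, not the full file.
SAMPLE_POLICY = '''
grant codeBase "file:/opt/mqm/java/lib/com.ibm.mq.jmqi.jar" {
    permission java.util.PropertyPermission "user.name","read";
    //For the client transport type.
    permission java.net.SocketPermission "*","connect";
    permission java.lang.RuntimePermission "loadLibrary.*";
    permission java.io.FilePermission "/var/mqm/exits/*","read";
    permission java.lang.RuntimePermission "createClassLoader";
};
grant codeBase "file:/opt/mqm/java/lib/com.ibm.mq.commonservices.jar" {
    permission java.io.FilePermission "/tmp/*", "read,write";
};
'''

GRANT = re.compile(r'grant\s+codeBase\s+"([^"]+)"\s*\{(.*?)\}\s*;', re.S)
PERM = re.compile(r'permission\s+([\w.$]+)\s+"([^"]*)"(?:\s*,\s*"([^"]*)")?\s*;')

def parse_policy(text):
    """Return (jar, permission class, target, set of actions) per entry."""
    text = re.sub(r'(?m)^\s*//.*$', '', text)  # drop whole-line comments only
    entries = []
    for code_base, body in GRANT.findall(text):
        jar = code_base.rsplit('/', 1)[-1]
        for cls, target, actions in PERM.findall(body):
            acts = {a.strip() for a in actions.split(',') if a.strip()}
            entries.append((jar, cls.rsplit('.', 1)[-1], target, acts))
    return entries

def audit(entries):
    """Flag grants that are broader than a single named resource."""
    findings = []
    for jar, cls, target, acts in entries:
        if cls == 'SocketPermission' and target.startswith('*'):
            why = 'connect to any host; narrow to the queue manager host:port'
        elif cls == 'RuntimePermission' and target == 'loadLibrary.*':
            why = 'load any native library; keep only for bindings transport'
        elif cls == 'RuntimePermission' and target == 'createClassLoader':
            why = 'create class loaders; keep only when user exits are used'
        elif cls == 'FilePermission' and target.endswith(('*', '-')) and 'write' in acts:
            why = 'write across a whole directory; use a dedicated trace directory'
        else:
            continue
        findings.append((jar, cls, target, why))
    return findings

if __name__ == '__main__':
    for jar, cls, target, why in audit(parse_policy(SAMPLE_POLICY)):
        print(f'{jar}: {cls} "{target}" -> {why}')
```

The read-only grant on /var/mqm/exits/* is not flagged; only the writable wildcard on /tmp/* is.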
Temporary fix
Comments
APAR Information
APAR number
IC66224
Reported component name
WMQ WINDOWS V7
Reported component ID
5724H7220
Reported release
701
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2010-02-11
Closed date
2010-04-28
Last modified date
2010-08-10
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
WMQ WINDOWS V7
Fixed component ID
5724H7220
Applicable component levels
R701 PSY
UP
Document Information
Modified date:
31 March 2023