APAR status
Closed as program error.
Error description
An MQ V8.0.0.4 Managed File Transfer agent on z/OS is configured to run as a started task. The started task is executed using a user identifier that does not have log-on privileges on the z/OS system.

If another user tries to enable trace for that agent, by running the command:

  fteSetAgentTraceLevel -traceAgent <trace_specification> <agent_name>

the following error occurs:

  BFGCL0561E: An attempt to connect to the agent has failed either due to the command not having the same user ID as the agent was started with or because of a general communication failure. The report exception was: BFGNV0112E: Failed to make client connection for service <agent name>@<queue manager name> for the current user. This is probably because another user is currently using the service.
Local fix
The command will need to be run as the user that the agent is running under.
Problem summary
****************************************************************
USERS AFFECTED:
This issue affects users of the MQ V8 and V9 Managed File Transfer component on z/OS who have agents that are running as a started task.

Platforms affected:
z/OS
****************************************************************
PROBLEM DESCRIPTION:
When the WebSphere MQ File Transfer Edition product was repackaged to be included as a component of the IBM MQ product, a number of security enhancements were made. These included restricting the commands:

- fteStartAgent
- fteStopAgent
- fteSetAgentTraceLevel
- fteShowAgentDetails
- fteStartLogger
- fteStopLogger
- fteSetLoggerTraceLevel

so that they could only be issued by the user that the agent or logger processes were running as.

When using the MQ Managed File Transfer on z/OS, it is possible to run agents as a started task. Started tasks typically run as an administrative user that does not necessarily have log-on privileges. In this situation, it was not possible to log on to the z/OS system as the same user that the agent was running under, which in turn meant that the commands:

- fteStartAgent
- fteStopAgent
- fteSetAgentTraceLevel
- fteShowAgentDetails

could not be issued for that agent.
Problem conclusion
A new agent property:

  adminGroup

has been added for use with MQ Managed File Transfer V8 agents on z/OS. When this property is set to the name of an existing group, members of that group can execute the following commands for that agent:

- fteStartAgent
- fteStopAgent
- fteSetAgentTraceLevel
- fteShowAgentDetails

and the following message will be written to the agent's event log:

  BFGNV0176I: Members of the group '<group name>' can perform administrative tasks on the agent.

If the property is set to the name of a group that does not exist, then the message:

  BFGNV0175W: The group '<group name>'', specified by the agent property "adminGroup", does not exist.

will be written to the agent's event log and only the user that the agent process is running under can issue the four commands mentioned above.

---------------------------------------------------------------
The fix is targeted for delivery in the following PTFs:

  Version     Maintenance Level
  v8.0        8.0.0.7
  v9.0 LTS    9.0.0.1

The latest available FTE maintenance can be obtained from 'Fix List for WebSphere MQ File Transfer Edition 7.0'
http://www-01.ibm.com/support/docview.wss?uid=swg27015313

The latest available MQ maintenance can be obtained from 'WebSphere MQ Recommended Fixes'
http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006037

If the maintenance level is not yet available, information on its planned availability can be found in 'WebSphere MQ Planned Maintenance Release Dates'
http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006309
---------------------------------------------------------------
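The two event-log messages described in the problem conclusion show whether delegation through adminGroup is actually in effect or has fallen back to the started-task user only. The following is an added example, not IBM code: it scans event-log text for those two message IDs and reports the most recent state. The timestamp prefix on each line and the group names are constructed assumptions; only the message IDs and wording come from this APAR.

```python
import re

# Message IDs and wording come from the APAR text. The timestamp prefix and
# the group names in SAMPLE_LOG are constructed for this example.
SAMPLE_LOG = """\
2016-12-01 09:00:01 BFGNV0175W: The group 'MFTADMN'', specified by the agent property "adminGroup", does not exist.
2016-12-01 09:30:12 BFGNV0176I: Members of the group 'MFTADM' can perform administrative tasks on the agent.
"""

# Captures the message ID and the first quoted group name after it.
ADMIN_MSG = re.compile(r"\b(BFGNV0175W|BFGNV0176I):.*?group '([^']+)'")


def audit_admin_group(log_text):
    """Return (scope, group, changes) based on the last adminGroup message.

    scope is "group" when BFGNV0176I was the last message seen (members of
    `group` can administer the agent) and "owner_only" otherwise, including
    when no message is present or the configured group does not exist.
    """
    scope, group, changes = "owner_only", None, []
    for line in log_text.splitlines():
        match = ADMIN_MSG.search(line)
        if not match:
            continue
        msg_id, name = match.groups()
        new_scope = "group" if msg_id == "BFGNV0176I" else "owner_only"
        if (new_scope, name) != (scope, group):
            # Record each change so a reviewer can see when delegation
            # was widened, narrowed, or silently failed to apply.
            changes.append((msg_id, name))
        scope, group = new_scope, name
    return scope, group, changes


if __name__ == "__main__":
    scope, group, changes = audit_admin_group(SAMPLE_LOG)
    if scope == "group":
        print(f"Administrative commands delegated to group {group}")
    elif group:
        print(f"adminGroup '{group}' does not exist; owner-only access applies")
    else:
        print("No adminGroup message found; owner-only access applies")
    for msg_id, name in changes:
        print(f"  change: {msg_id} group={name}")
```

A BFGNV0175W as the last message means the property is set but has no effect, which is worth catching because the agent still starts normally.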
Temporary fix
Comments
APAR Information
APAR number
PI52942
Reported component name
WMQ MFT Z/OS
Reported component ID
5655MFT00
Reported release
800
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2015-11-23
Closed date
2016-11-25
Last modified date
2017-07-06
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
WMQ MFT Z/OS
Fixed component ID
5655MFT00
Applicable component levels
R800 PSY
UP
Document Information
Modified date:
06 July 2017