APAR status
Closed as program error.
Error description
This is seen when the IBM MQ Console on z/OS is upgraded to a level that ships WebSphere Liberty Profile version 22.0.0.12 or later, that is, from IBM MQ LTS versions 9.1.0.15, 9.2.0.8, and 9.3.0.2 and CD versions from 9.3.1.1 and 9.3.2. The issue occurs when users who are not in either the MQWebAdmin or MQWebAdminRO role, in the EJBROLE class, try to access a z/OS queue manager via the console. The error seen is like:

RACF:
ICH408I USER(user-id ) GROUP(group-name) NAME(name )
  profilePrefix.com.ibm.mq.console.MQWebAdmin CL(EJBROLE )
  INSUFFICIENT ACCESS AUTHORITY
  ACCESS INTENT(READ ) ACCESS ALLOWED(NONE )

Top Secret:
TSS7250E J=console-job A=acid TYPE=EJBROLE RESOURCE=profilePrefix.COM.IBM.MQ.CONSOLE.MQWEBADMIN

although this can vary based on the security manager used. The user is still able to access the console despite the error being generated.

z/OS APAR: PH56363
Local fix
This is a sample mqwebuser.xml, so you can copy it and update the contents as required.
Problem summary
****************************************************************
USERS AFFECTED:
This issue affects users of the IBM MQ Console on z/OS

Platforms affected:
MultiPlatform
****************************************************************
PROBLEM DESCRIPTION:
This is seen when the IBM MQ Console on z/OS is upgraded to a level that ships WebSphere Liberty Profile version 22.0.0.12 or later, that is, from IBM MQ LTS versions 9.1.0.15, 9.2.0.8, and 9.3.0.2 and CD versions from 9.3.1.1 and 9.3.2. The issue occurs when users who are not in either the MQWebAdmin or MQWebAdminRO role, in the EJBROLE class, try to access a z/OS queue manager via the console. The error seen is like:

RACF:
ICH408I USER(user-id ) GROUP(group-name) NAME(name )
  profilePrefix.com.ibm.mq.console.MQWebAdmin CL(EJBROLE )
  INSUFFICIENT ACCESS AUTHORITY
  ACCESS INTENT(READ ) ACCESS ALLOWED(NONE )

Top Secret:
TSS7250E J=console-job A=acid TYPE=EJBROLE RESOURCE=profilePrefix.COM.IBM.MQ.CONSOLE.MQWEBADMIN

although this can vary based on the security manager used. The user is still able to access the console despite the error being generated.

This issue is caused by the default zos_saf_registry.xml having multiple safAuthorization entries. If the file has been edited to modify this, then the issue may not occur.
Problem conclusion
The sample configuration file zos_saf_registry.xml has been updated to remove the duplicate safAuthorization entry.

---------------------------------------------------------------
The fix is targeted for delivery in the following PTFs:

Version     Maintenance Level
v9.1 LTS    9.1.0.20
v9.2 LTS    9.2.0.25
v9.3 LTS    9.3.0.20
v9.x CD     9.3.5

The latest available maintenance can be obtained from 'IBM MQ Recommended Fixes'
https://www.ibm.com/support/pages/recommended-fixes-ibm-mq

If the maintenance level is not yet available information on its planned availability can be found in 'IBM MQ Planned Maintenance Release Dates'
https://ibm.biz/mqplannedmaintenance
---------------------------------------------------------------
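To check whether a configuration copied from the older sample still carries more than one safAuthorization entry, the following added example (not IBM's code and not part of the APAR) reports each entry with its line number. The two XML samples are constructed for illustration and are not the contents of the shipped zos_saf_registry.xml; the function names are hypothetical.

```python
import sys
import xml.parsers.expat

# Constructed samples for illustration; NOT the contents of IBM's shipped file.
SAMPLE_DUPLICATE = """<server>
    <safRegistry id="saf"/>
    <safAuthorization id="saf"/>
    <safCredentials profilePrefix="MQWEB"/>
    <safAuthorization id="saf"/>
</server>
"""
SAMPLE_SINGLE = """<server>
    <safRegistry id="saf"/>
    <safAuthorization id="saf"/>
    <safCredentials profilePrefix="MQWEB"/>
</server>
"""


def find_saf_authorization(xml_text):
    """Return (line_number, attributes) for each safAuthorization element."""
    found = []
    parser = xml.parsers.expat.ParserCreate()

    def on_start(name, attrs):
        # Entries inside XML comments never reach this handler.
        if name == "safAuthorization":
            found.append((parser.CurrentLineNumber, dict(attrs)))

    parser.StartElementHandler = on_start
    parser.Parse(xml_text, True)  # raises ExpatError on malformed XML
    return found


def audit(xml_text):
    """Summarise the entries; more than one is the condition the APAR names."""
    entries = find_saf_authorization(xml_text)
    return {
        "count": len(entries),
        "lines": [line for line, _ in entries],
        "duplicate": len(entries) > 1,
    }


if __name__ == "__main__":
    # Assumption: the file named on the command line is readable as UTF-8.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, encoding="utf-8").read() if path else SAMPLE_DUPLICATE
    result = audit(text)
    print(result)
    sys.exit(1 if result["duplicate"] else 0)
```

The check looks at one file only and does not follow include elements, so run it against each configuration file that is in use.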
Temporary fix
Comments
APAR Information
APAR number
IT44798
Reported component name
IBM MQ BASE MP
Reported component ID
5724H7271
Reported release
910
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2023-10-20
Closed date
2023-12-14
Last modified date
2024-01-11
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
IBM MQ BASE MP
Fixed component ID
5724H7271
Applicable component levels
Document Information
Modified date:
12 January 2024