IBM Support

PM71101: ICH408I OCCURS FOR A JMS PUB/SUB CLIENT WHEN IT IS SUBSCRIBED TO A TOPIC. NO SECURITY CHECK SHOULD BE MADE.

A fix is available

Obtain the fix for this APAR.

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • A WAS JMS Pub/Sub client gets a security violation when it
subscribes to a TOPIC:
.
 ICH408I USER(USER  ) GROUP(GROUP  ) NAME(MTS.
  SYSTEM.MANAGED.NDURABLE.C9F6812265BBCF51
  CL(MQQUEUE )
  INSUFFICIENT ACCESS AUTHORITY
  FROM P01T.SYSTEM.** (G)
  ACCESS INTENT(UPDATE )  ACCESS ALLOWED(NONE   )
.
As stated in the WMQ V710 Info Center, no security checks
should be made against managed destination queues:
.
http://publib.boulder.ibm.com/infocenter/wmqv7/v7r1/topic/com.i
bm.mq.doc/ps19550_.htm
.
The user is authorized to subscribe to the TOPIC. Thus, the
security violation should not occur.
.
This problem only occurs with JMS pub/sub applications. They
have no
problems with pub/sub applications written in C or dotnet.
.
The change team was able to recreate this problem on a test
system, and they can see the reason why the unexpected security
check is taking place. When the subscription is created, no
security check takes place on the managed queue that is created
as expected, however when a message is published and matches
the subscriber, WMQConsumerShadow.initialize calls spiSubscribe
using the subID of the subscription to obtain a handle to the
destination queue, This call fails, and so MQOPEN is called
instead, and this leads to a security check being made on the
queue being opened.
.
The root of the problem is that the qmgr is incorrectly
returning MQRC_SUB_NAME_ERROR on the spiSubscribe call - this
call should have succeeded, in which case there would have been
no need to call MQOPEN, and as the queue is managed, no
security check would have taken place.

Local fix

  • 



Problem summary


    

  • ****************************************************************
* USERS AFFECTED: All users of WebSphere MQ for z/OS Version 7 *
*                 Release 0 Modification 1 and Release 1       *
*                 Modification 0.                              *
****************************************************************
* PROBLEM DESCRIPTION: MDBs using a TopicConnection fail to    *
*                      process messages published on the topic *
*                      when queue security is enabled. ICH408I *
*                      reports insufficient authority for      *
*                      the managed destination queue           *
*                      SYSTEM.MANAGED.DURABLE.xxxxxxxxxxxx /   *
*                      SYSTEM.MANAGED.NDURABLE.xxxxxxxxxxxx    *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
An MDB is configured with a TopicConnection, causing a
DESTCLAS(MANAGED) subscription to be created. When a message is
published to a matching topic, it should be delivered to the
subscription and put to the managed destination queue. As the
destination is a managed queue no security checks should take
place against the queue, however an error in CSQMSUBV prevents
a handle to the queue being returned by spiSubscribe. This
leads to a call to MQOPEN to get a handle to the queue, which
causes the invalid authority check to take place.

    



Problem conclusion


    

  • CSQMSUBV is corrected so that the spiSubscribe call correctly
returns a handle to the queue without the invalid check taking
place.
010Y
100Y
CSQMSSUB
CSQMSUB
CSQMSUBV

    



Temporary fix


    

  • 



Comments


    

  • ×**** PE12/10/11 FIX IN ERROR. SEE APAR PM74832  FOR DESCRIPTION
×**** PE13/11/28 FIX IN ERROR. SEE APAR PI06190  FOR DESCRIPTION

    



APAR Information




    

  • APAR number
    PM71101
    • 

  • Reported component name
    WMQ Z/OS V7
    • 

  • Reported component ID
    5655R3600
    • 

  • Reported release
    100
    • 

  • Status
    CLOSED  PER
    • 

  • PE
    NoPE
    • 

  • HIPER
    NoHIPER
    • 

  • Special Attention
    NoSpecatt / Xsystem
    • 

  • Submitted date
    2012-08-17
    • 

  • Closed date
    2012-09-11
    • 

  • Last modified date
    2013-11-29
    • 





    

  • APAR is sysrouted FROM one or more of the following:
    

    • 

  • APAR is sysrouted TO one or more of the following:
    

    
UK81710 UK81711
    

    • 



Modules/Macros


    

  • CSQMSSUB CSQMSUB  CSQMSUBV

    



Fix information


    

  • Fixed component name
    WMQ Z/OS V7
    • 

  • Fixed component ID
    5655R3600
    • 



Applicable component levels


    

  • R010  PSY  UK81710
       UP12/10/10  P  F210
    • 

  • R100  PSY  UK81711
       UP12/10/10  P  F210
    • 



Fix is available


    

  • Select the PTF appropriate for your component level.
You will be required to sign in. Distribution on physical
media is not available in all countries.
    








      
              
                            

              

              [{"Business Unit":{"code":"BU054","label":"Systems w\/TPS"},"Product":{"code":"SG19M","label":"APARs - z\/OS environment"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"7.1","Edition":"","Line of Business":{"code":"","label":""}}]
              

                          

          
 
        

      

    

      

        

          

            
Document Information


            

            


                        

            Modified date:
            

            29 November 2013
            

            
                      

        


        

        


      

    

  



    

  

  
    
            

          
Page Feedback