A fix is available
APAR status
Closed as program error.
Error description
A WAS JMS Pub/Sub client gets a security violation when it subscribes to a TOPIC: . ICH408I USER(USER ) GROUP(GROUP ) NAME(MTS. SYSTEM.MANAGED.NDURABLE.C9F6812265BBCF51 CL(MQQUEUE ) INSUFFICIENT ACCESS AUTHORITY FROM P01T.SYSTEM.** (G) ACCESS INTENT(UPDATE ) ACCESS ALLOWED(NONE ) . As stated in the WMQ V710 Info Center, no security checks should be made against managed destination queues: . http://publib.boulder.ibm.com/infocenter/wmqv7/v7r1/topic/com.i bm.mq.doc/ps19550_.htm . The user is authorized to subscribe to the TOPIC. Thus, the security violation should not occur. . This problem only occurs with JMS pub/sub applications. They have no problems with pub/sub applications written in C or dotnet. . The change team was able to recreate this problem on a test system, and they can see the reason why the unexpected security check is taking place. When the subscription is created, no security check takes place on the managed queue that is created as expected, however when a message is published and matches the subscriber, WMQConsumerShadow.initialize calls spiSubscribe using the subID of the subscription to obtain a handle to the destination queue, This call fails, and so MQOPEN is called instead, and this leads to a security check being made on the queue being opened. . The root of the problem is that the qmgr is incorrectly returning MQRC_SUB_NAME_ERROR on the spiSubscribe call - this call should have succeeded, in which case there would have been no need to call MQOPEN, and as the queue is managed, no security check would have taken place.
Local fix
Problem summary
**************************************************************** * USERS AFFECTED: All users of WebSphere MQ for z/OS Version 7 * * Release 0 Modification 1 and Release 1 * * Modification 0. * **************************************************************** * PROBLEM DESCRIPTION: MDBs using a TopicConnection fail to * * process messages published on the topic * * when queue security is enabled. ICH408I * * reports insufficient authority for * * the managed destination queue * * SYSTEM.MANAGED.DURABLE.xxxxxxxxxxxx / * * SYSTEM.MANAGED.NDURABLE.xxxxxxxxxxxx * **************************************************************** * RECOMMENDATION: * **************************************************************** An MDB is configured with a TopicConnection, causing a DESTCLAS(MANAGED) subscription to be created. When a message is published to a matching topic, it should be delivered to the subscription and put to the managed destination queue. As the destination is a managed queue no security checks should take place against the queue, however an error in CSQMSUBV prevents a handle to the queue being returned by spiSubscribe. This leads to a call to MQOPEN to get a handle to the queue, which causes the invalid authority check to take place.
Problem conclusion
CSQMSUBV is corrected so that the spiSubscribe call correctly returns a handle to the queue without the invalid check taking place. 010Y 100Y CSQMSSUB CSQMSUB CSQMSUBV
Temporary fix
Comments
×**** PE12/10/11 FIX IN ERROR. SEE APAR PM74832 FOR DESCRIPTION ×**** PE13/11/28 FIX IN ERROR. SEE APAR PI06190 FOR DESCRIPTION
APAR Information
APAR number
PM71101
Reported component name
WMQ Z/OS V7
Reported component ID
5655R3600
Reported release
100
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2012-08-17
Closed date
2012-09-11
Last modified date
2013-11-29
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
UK81710 UK81711
Modules/Macros
CSQMSSUB CSQMSUB CSQMSUBV
Fix information
Fixed component name
WMQ Z/OS V7
Fixed component ID
5655R3600
Applicable component levels
Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.
[{"Business Unit":{"code":"BU054","label":"Systems w\/TPS"},"Product":{"code":"SG19M","label":"APARs - z\/OS environment"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"7.1","Edition":"","Line of Business":{"code":"","label":""}}]
Document Information
Modified date:
29 November 2013