IBM Support

IT12728: WITHIN MFT, USER SANDBOXES AND COMMANDPATH DO NOT WORK PROPERLY WHEN USED TOGETHER.


APAR status

  • Closed as program error.

Error description

  • A WebSphere MQ V7.5.0.1 Managed File Transfer agent has been
    configured with a user sandbox that allows all users to read
    from, and write to, the directory C:\temp. The agent has also
    been set up with the agent property commandPath set to the value
    "C:\".
    
    In this configuration, the agent can perform managed transfers
    that move transfer items to and from the directory
    C:\temp.
    
    After migrating to the MQ V8 Managed File Transfer component,
    and using the same configuration, the agent is unable to perform
    managed transfers which move transfer items to and from C:\temp.
    When the agent tries to do this, the transfer item fails with
    errors similar to the one shown below:
    
    BFGIO0056E: Attempt to read file "C:\temp\myFile.txt" has been
    denied. The file is located outside of the restricted transfer
    sandbox.
    

Local fix

Problem summary

  • ****************************************************************
    USERS AFFECTED:
    This issue affects users of:
    
    - The MQ V8 Managed File Transfer component
    
    who have migrated from:
    
    - A WebSphere MQ V7.5.0.1 (or earlier) installation
    - or WebSphere MQ V7.5.0.2 (or later) installation that does not
    have the installation property enableFunctionalFixPack=7502 set
    
    and have agents that:
    
    - Have been configured to use either user sandboxes or an agent
    sandbox.
    - and have the agent property commandPath set.
    
    
    Platforms affected:
    MultiPlatform
    
    ****************************************************************
    PROBLEM DESCRIPTION:
    The agent property:
    
      commandPath
    
    is used to specify the directories where the Managed File
    Transfer agents and managed calls can run commands from. Setting
    this property has implications for any user sandboxes or agent
    sandboxes that might have been configured for the agent.
    
    ************************************************************
    Agent Sandboxes:
    ----------------------
    When using either:
    
    - the WebSphere MQ V7.5.0.1 Managed File Transfer component (and
    earlier)
    - the WebSphere MQ V7.5.0.2 Managed File Transfer component (or
    later) on an installation that does not have the installation
    property enableFunctionalFixPack=7502 set
    
    if an agent is not configured with an agent sandbox, because the
    agent property:
    
      sandboxRoot
    
    is not set, then a new agent sandbox is automatically set up for
    the agent, and the directories specified by the commandPath
    property are added to the list of denied directories.
    
    If the agent is configured with an agent sandbox, and the
    sandbox does not contain any allowed directories, then the
    directories specified by the commandPath property are added to
    the list of denied directories. However, if the agent sandbox
    contains at least one allowed directory, then the directories
    specified by the commandPath are not added to the list of denied
    directories.
    
    
    When using either:
    
    - the WebSphere MQ V7.5.0.2 Managed File Transfer component (or
    later) on an installation that has the installation property
    enableFunctionalFixPack=7502 set
    - the MQ V8.0 Managed File Transfer component
    
    if an agent is not configured to use an agent sandbox, then a
    new sandbox is set up automatically, and the directories
    specified by the commandPath are added to the denied
    directories.
    
    If the agent is configured with an agent sandbox, then the
    directories specified by the commandPath property are added to
    the list of denied directories.
    
    ************************************************************
    User Sandboxes:
    ----------------------
    When using either:
    
    - the WebSphere MQ V7.5.0.1 Managed File Transfer component (and
    earlier)
    - the WebSphere MQ V7.5.0.2 Managed File Transfer component (or
    later) on an installation that does not have the installation
    property enableFunctionalFixPack=7502 set
    
    if an agent is configured with a user sandbox, then the
    directories specified by the commandPath are not added to the
    read and write exclude lists for all of the user sandboxes.
    
    However, when using either:
    
    - the WebSphere MQ V7.5.0.2 Managed File Transfer component (or
    later) on an installation that has the installation property
    enableFunctionalFixPack=7502 set
    - the MQ V8.0 Managed File Transfer component
    
    the directories specified by the commandPath property (and all
    of their subdirectories) are automatically added to the read and
    write exclude lists for all of the user sandboxes.
    
    ************************************************************
    
    The difference in the way the commandPath property was
    handled meant that it was not possible to override it using
    either an agent sandbox or user sandboxes when using either:
    
    - the WebSphere MQ V7.5.0.2 Managed File Transfer component (or
    later) on an installation that has the installation property
    enableFunctionalFixPack=7502 set
    - the MQ V8.0 Managed File Transfer component
    
    If the commandPath was set for an agent, then the directories
    specified by the commandPath property (and all of their
    subdirectories) were automatically added to the denied
    directories for either the agent sandbox or the user sandboxes
    associated with the agent. As a result, the agent could not
    perform any managed transfers into any of these directories.
    
    This caused a migration issue for customers who had upgraded
    from either:
    
    - the WebSphere MQ V7.5.0.1 Managed File Transfer component (and
    earlier)
    - the WebSphere MQ V7.5.0.2 Managed File Transfer component (or
    later) on an installation that does not have the installation
    property enableFunctionalFixPack=7502 set
    

Problem conclusion

  • In order to resolve this issue, a new agent property:
    
      addCommandPathToSandbox
    
    has been added to the MQ V8 Managed File Transfer component.
    This property is used to determine whether the directories
    specified by the commandPath property (and all of their
    subdirectories) should be added to the denied paths for both
    user sandboxes and the agent sandbox. The default value of this
    property is true, which means that V8 agents which are running
    on an installation that contains the fix for this APAR will
    continue to work as they currently do today.
    
    When the property is set to the value:
    
      false
    
    then V8 agents will behave in the following way:
    
    - If the agent is not configured with an agent sandbox, then a
    new sandbox is automatically set up and the directories
    specified by the commandPath are added to the list of denied
    directories.
    - If the agent is configured with an agent sandbox, and the
    sandbox does not contain any allowed directories, then the
    directories specified by the commandPath are added to the list
    of denied directories for the sandbox.
    - If the agent is configured with an agent sandbox, and the
    sandbox contains at least one allowed directory, then the
    directories specified by the commandPath property are not added
    to the list of denied directories.
    
    - If the agent is configured to use user sandboxes, then the
    directories specified by the commandPath are not added to the
    read and write exclude lists.
    
    This allows V8 agents to behave in the same way as agents
    running using:
    
    - the WebSphere MQ V7.5.0.1 Managed File Transfer component (and
    earlier)
    - the WebSphere MQ V7.5.0.2 Managed File Transfer component (or
    later) on an installation that does not have the installation
    property enableFunctionalFixPack=7502 set
    
    ---------------------------------------------------------------
    The fix is targeted for delivery in the following PTFs:
    
    Version    Maintenance Level
    v8.0       8.0.0.5
    
    The latest available FTE maintenance can be obtained from
    'Fix List for WebSphere MQ File Transfer Edition 7.0'
    http://www-01.ibm.com/support/docview.wss?uid=swg27015313
    
    The latest available MQ maintenance can be obtained from
    'WebSphere MQ Recommended Fixes'
    http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006037
    
    If the maintenance level is not yet available, information on
    its planned availability can be found in 'WebSphere MQ
    Planned Maintenance Release Dates'
    http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006309
    ---------------------------------------------------------------
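
The sandbox rules described in this APAR, written as a small Python model that can be used to check which sandbox directories fall inside commandPath before or after a migration. This is an added example, not IBM code: the function names are hypothetical, and the path matching is a simplification that assumes Windows-style paths and that a denied directory overrides an allowed one.

```python
from pathlib import PureWindowsPath as WinPath  # Windows paths compare case-insensitively

def under(path, roots):
    """True if path equals, or lies beneath, any directory in roots."""
    p = WinPath(path)
    return any(WinPath(r) in (p, *p.parents) for r in roots)

def command_path_is_denied(legacy, user_sandboxes, agent_allowed=()):
    """Are the commandPath directories added to the denied / exclude lists?

    legacy is True for V7.5.0.1 and earlier, for V7.5.0.2 or later without
    enableFunctionalFixPack=7502, and for V8 with addCommandPathToSandbox=false.
    """
    if not legacy:
        return True               # always added, for agent and user sandboxes
    if user_sandboxes:
        return False              # never added to the read/write exclude lists
    return not agent_allowed      # added only when no allowed directory exists

def transfer_permitted(path, allowed, command_path, legacy, user_sandboxes):
    """Simplified model: an empty allowed list means 'anything not denied'."""
    if command_path_is_denied(legacy, user_sandboxes, allowed) and under(path, command_path):
        return False              # the situation reported as BFGIO0056E
    return not allowed or under(path, allowed)

def allowed_dirs_under_command_path(allowed, command_path):
    """Sandbox directories inside commandPath: unreachable under the V8
    default, and inside a command directory when the property is false."""
    return [d for d in allowed if under(d, command_path)]

if __name__ == "__main__":
    # Configuration from the error description: user sandbox on C:\temp, commandPath C:\
    allowed, cmd, item = [r"C:\temp"], ["C:\\"], r"C:\temp\myFile.txt"
    for label, legacy in (("V7.5.0.1", True), ("V8 default", False),
                          ("V8, addCommandPathToSandbox=false", True)):
        ok = transfer_permitted(item, allowed, cmd, legacy, user_sandboxes=True)
        print(f"{label}: {'permitted' if ok else 'denied'}")
    print("overlap:", allowed_dirs_under_command_path(allowed, cmd))
```

Any directory returned by `allowed_dirs_under_command_path` is one where setting addCommandPathToSandbox=false lets transfers read and write inside a location that commands can be run from, so it is worth narrowing commandPath rather than leaving it at a drive root.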
    

Temporary fix

Comments

APAR Information

  • APAR number

    IT12728

  • Reported component name

    WMQ MFT V8.0

  • Reported component ID

    5724H7252

  • Reported release

    800

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2015-12-10

  • Closed date

    2016-03-11

  • Last modified date

    2016-03-11

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WMQ MFT V8.0

  • Fixed component ID

    5724H7252

Applicable component levels

  • R800 PSY

       UP


Document Information

Modified date:
11 March 2016