IZ61338: WEBSPHERE MQ (WMQ V7.0.1.0) CLUSRCVR CHANNELS REPORT AMQ9586, AMQ9999, REASON CODE 2035

Subscribe

You can track all active APARs for this component.

APAR status

  • Closed as program error.

Error description

  • If the MCAUSER attribute of a CLUSRCVR channel is configured
    with a non-administrative user ID (not part of the mqm group)
    then during channel startup, MQ may report the following errors
    in the error log and the channel will fail to start:
    
    AMQ9586: Program cannot create queue manager object. The
    attempt to create object '%CHLBATCH.6' on queue manager 'TEST'
    failed with reason code 2035.
    
    AMQ9999: Channel program ended abnormally.
    Channel program 'TEST.TEST' ended abnormally.
    
    AMQ8077 may also be reported with reason:
    Entity fred has insufficient authority to access object
    SYSTEM.CHANNEL.SYNCQ
    The following requested permissions are unauthorized: crt
    
    High-detail trace of the problem will show
    zlaSPICreateScratchPad returns MQRC_NOT_AUTHORIZED.
    
    Return codes rrcE_CREATE_SCRATCHPAD_FAILED and
    rrcE_ABNORMAL_CHANNEL_END will also be present in the trace.
    
    This problem may occur despite the same configuration working
    correctly before 7.0.1.0 was installed
    

Local fix

  • The +crt authority must be granted to the non-administrative ID
    on the queue SYSTEM.CHANNEL.SYNCQ. The +all authority does not
    grant +crt authority automatically.
    
    Example usage:
    
    setmqaut -m TEST -g (non_administrative_ID)  -n
    'SYSTEM.CHANNEL.SYNCQ' -t q -all +put +inq +setall +crt +get
    +browse
    

Problem summary

  • ****************************************************************
    USERS AFFECTED:
    Users of CLUSRCVR channels whose MCAUSER attribute is configured
    with a non-administrative user ID. The problem was introduced in
    WebSphere MQ V7.0.1.0.
    
    Platforms affected:
     All Distributed (iSeries, all Unix and Windows)
    ****************************************************************
    PROBLEM SUMMARY:
    A change was made which went into WMQ v7.0.1.0 in order to
    tighten security on MQ internal scratchpad objects.
    
    A side-effect of this change is that +crt authority is now
    needed on the SYSTEM.CHANNEL.SYNCQ in order to create the
    scratchpad object.
    
    Scratchpad object creation is performed at CLUSRCVR channel
    startup and uses the MCAUSER context for authorization.
    Typically, MCAUSER users will not have +crt authority on the
    SYSTEM.CHANNEL.SYNCQ and so would no longer be authorized to
    start a CLUSRCVR channel.
    

Problem conclusion

  • A review of the change determined that +put authority to the
    SYSTEM.CHANNEL.SYNCQ would be sufficient.  A minimum set of
    authorizations for a non-administrative user will typically
    include +put on the SYSTEM.CHANNEL.SYNCQ and so the change
    should be transparent for the majority of users.
    
    A temporary workaround for this problem is to specifically grant
    +crt authority to the SYSTEM.CHANNEL.SYNCQ for any affected
    user.  Any security implications should be understood before
    making a change such as this.
    
    | MDVREGR 7.0-WS-MQ-AixPPC64-RP0001         |
    | MDVREGR 7.0-WS-MQ-HpuxIA64-RP0001         |
    | MDVREGR 7.0-WS-MQ-HpuxPaRISC64-RP0001     |
    | MDVREGR 7.0-WS-MQ-LinuxIA32-RP0001        |
    | MDVREGR 7.0-WS-MQ-LinuxPPC64-RP0001       |
    | MDVREGR 7.0-WS-MQ-LinuxS390X-RP0001       |
    | MDVREGR 7.0-WS-MQ-LinuxX64-RP0001         |
    | MDVREGR 7.0-WS-MQ-SolarisSparc64-RP0001   |
    | MDVREGR 7.0-WS-MQ-SolarisX64-RP0001       |
    | MDVREGR 7.0-WS-MQ-Windows-RP0001          |
    
    ---------------------------------------------------------------
    The fix is targeted for delivery in the following PTFs:
    
                       v7.0
    Platform           Fix Pack 7.0.1.1
    --------           --------------------
    Windows            U200310
    AIX                U827232
    HP-UX (PA-RISC)    U826485
    HP-UX (Itanium)    U826884
    Solaris (SPARC)    U827125
    Solaris (x86-64)   U827374
    iSeries            tbc_p700_0_1_1
    Linux (x86)        U826321
    Linux (x86-64)     U827231
    Linux (zSeries)    U827105
    Linux (Power)      U826779
    
    The latest available maintenance can be obtained from
    'WebSphere MQ Recommended Fixes'
    http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006037
    
    If the maintenance level is not yet available, information on
    its planned availability can be found in 'WebSphere MQ
    Planned Maintenance Release Dates'
    http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006309
    ---------------------------------------------------------------
    

Temporary fix

Comments

APAR Information

  • APAR number

    IZ61338

  • Reported component name

    WMQ AIX V7

  • Reported component ID

    5724H7221

  • Reported release

    701

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2009-09-22

  • Closed date

    2009-10-14

  • Last modified date

    2010-05-10

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WMQ AIX V7

  • Fixed component ID

    5724H7221

Applicable component levels

  • R701 PSY

       UP



Rate this page:

(0 users)Average rating

Add comments

Document information


More support for:

WebSphere MQ
APAR / Maintenance

Software version:

7.0.1

Reference #:

IZ61338

Modified date:

2010-05-10

Translate my page

Machine Translation

Content navigation