A fix is available
APAR status
Closed as program error.
Error description
Additional Symptom(s) Search Keyword(s): MQ Advanced Message Security (AMS) is issuing error message CSQ0629E _MQT1 CSQ0DLCL Unable to create security environment for user'CICSUSER', reason 0000009D when you try to put a message to a queue. CSQ0629E occurs when the Unix Systems Service (USS) call pthread_security_np(create) returns a non-zero ERRNO. See https://www.ibm.com/support/knowledgecenter/en/SSLTBW_2.3.0/com. ibm.zos.v2r3.bpxb100/tls.htm 0000009D is actually a return code rather than a reason code and corresponds with Return_code EMVSERR. Errnos are listed at https://www.ibm.com/support/knowledgecenter/en/SSLTBW_2.1.0/com. ibm.zos.v2r1.bpxa800/errno.htm The description of EMVSERR for pthread_security_np says reason codes can accompany the return code. The reason code should be included in the error message.
Local fix
SYSOMVS CTRACE can be used to trace the reason code. Enable it as follows before the recreate: TRACE CT,64M,COMP=SYSOMVS R nn,OPTIONS=(ALL),END Set a SLIP trap to capture a dump and the CTRACE: SLIP SET,MSGID=CSQ0629E, JOBNAME=ssidAMSM,A=SVCD, JOBLIST=(ssidMSTR,ssidAMSM,OMVS,appljob), DSPNAME=('OMVS'.B*,'OMVS'.S*),AL=(H,P,S), SDATA=(CSA,RGN,PSA,SQA,LSQA,TRT,SUM,GRSQ), MATCHLIM=1,END where "ssid" is the subsystem name for the queue manager and "appljob" is replaced with the name of the connecting job that is getting the error. To turn off the OMVS CTRACE: TRACE CT,OFF,COMP=SYSOMVS In the reported case, OMVS L2 formatted the trace and found RC=9D EMVSERR and Reason code=0BE800FD (JRSAFNoGID) returned by the pthread_security syscall. This particular reason code means that the userid is in a group that has NO GID. In order to set a userid to use Unix System Services, both the userid and the groups that the user is connected to MUST have valid OMVS segments (valid UID for the user and valid GID for the groups that the user is connected to). errno2 / errnojr reason codes are described at https://www.ibm.com/support/knowledgecenter/en/SSLTBW_2.1.0/com. ibm.zos.v2r1.bpxa800/errnojrs.htm
Problem summary
**************************************************************** * USERS AFFECTED: All users of IBM MQ for z/OS Version 9 * * Release 0 Modification 0 * * using Advanced Message Security (AMS). * **************************************************************** * PROBLEM DESCRIPTION: When an application access AMS * * protected queues and it is running * * under a User ID that does not have all * * required permissions to access OMVS * * generates error message CSQ0629E and * * the MQOPEN fails with * * MQRC_CONNECTION_NOT_AUTHORIZED (2217). * **************************************************************** AMS requires application User IDs to have OMVS UID and GID assigned. If UID or GID are missing AMS cannot establish the thread security environment generating error message CSQ0629E. When function pthread_security_np() is unable to create the security environment it returns three values: Return Value, Return Code and Reason Code. The Return Value indicates if the function was successful or not while return and reason codes describe the specific reason for the failure. Message CSQ0624E only shows the return code value which is not enough to determine the cause of the failure.
Problem conclusion
Message CSQ0269E has been updated to include pthread_security_np return and reason codes. In IBM MQ 9.0.0 Knowledge Center update message CSQ0629E: > IBM MQ >> Reference >>> Diagnostic messages >>>> Messages and reason codes for z/OS >>>>> Messages >>>>>> Advanced message security (CSQ0...) CSQ0629E csect-name Unable to create security environment for user 'userid', return code errno, reason errno2 Severity 8 Explanation An attempt by the IBM WebSphere MQ Advanced Message Security task to create a thread-level security environment using pthread_security_np() for user userid failed for the reason indicated by errno and errno2. System action The thread-level security environment is not created, and the AMS function being processed cannot be completed. The MQI call fails. System programmer response Examine the errno and errno2 values in conjunction with pthread_security_np() documentation to determine the cause of the failure.
Temporary fix
Comments
APAR Information
APAR number
PI88449
Reported component name
IBM MQ Z/OS V9
Reported component ID
5655MQ900
Reported release
000
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2017-10-05
Closed date
2017-10-11
Last modified date
2017-12-02
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
UI50999 UI51000 UI51001 UI51002 UI51003 UI51004
Modules/Macros
CSQ0DLCL CSQF0TXC CSQF0TXE CSQF0TXF CSQF0TXK CSQF0TXU
Fix information
Fixed component name
IBM MQ Z/OS V9
Fixed component ID
5655MQ900
Applicable component levels
R000 PSY UI50999
UP17/11/21 P F711
R001 PSY UI51000
UP17/11/21 P F711
R002 PSY UI51001
UP17/11/21 P F711
R003 PSY UI51002
UP17/11/21 P F711
R004 PSY UI51003
UP17/11/21 P F711
R005 PSY UI51004
UP17/11/21 P F711
Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.
[{"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SSYHRD","label":"IBM MQ"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"9.0","Edition":"","Line of Business":{"code":"LOB45","label":"Automation"}}]
Document Information
Modified date:
02 December 2017