PM10331: AFTER APPLYING 6.1.0.29 CONNECTIONS TO WMQ FAIL WITH MQRC 2035

Fixes are available

APAR status

Closed as program error.

Error description

After applying fix pack 6.1.0.29, XA Connections to WebSphere
MQ fail with a JMSSecurityException indicating that the Queue
Manager has rejected a connection request made by the
WebSphere Application Server process user.

Local fix

Either:

- configure an authentication alias with user credentials that
do have authority to connect to the QM (note there is no
authentication of that user without additional configuration).
- set the MCAUSER of the SVRCONN channel at the QM to a user
that has sufficient authority to perform the actions required
by the WAS application.

Problem summary

****************************************************************
* USERS AFFECTED:  All users of IBM WebSphere Application      *
*                  Server 6.1 with WebSphere MQ                *
****************************************************************
* PROBLEM DESCRIPTION: After applying fix pack 6.1.0.29, XA    *
*                      Connections made to WMQ fail with       *
*                      JMSSecurityException MQRC 2035 (MQRC_   *
*                      NOT_AUTHORIZED)                         *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
WebSphere MQ APAR IZ17062 included in WebSphere MQ (WMQ) fix
pack 6.0.2.8 is delivered to WebSphere Application Server
in fix pack 6.1.0.29.  IZ17062 causes client mode XA
Connections, that have no username and password specified
either on the createConnection() call or via an authentication
alias set on the Connection Factory, to have the user of the
WebSphere Application Server process passed to the Queue
Manager (QM).

If the QM has not had security configured the default behavior
is to accept connections with no user credentials specified,
but to reject any specified user credentials that do not have
authority.  Thus, the effect of IZ17062 is that the user of
the WebSphere Application Server process is passed to the QM,
and if that user either does not exist on the QM server or does
not have authority to connect, then the connection attempt is
rejected with MQRC 2035.

XA Connections are not typically created by JMS applications
but rather on their behalf, so this problem can affect Message
Driven Beans or any other JMS application running in an EJB
for example.

Another possible problem after applying 6.1.0.29 is an
AccessControlException when attempting to create an XA
Connection and Java 2 Security is enabled.  The stack will show
that the WMQ client is attempting to get the user of the Java
process.

Note this problem also exists in all versions of WebSphere
Application Server 7.x.  PM09742 resolves this problem in 7.x
and is targeted for 7.0.0.13.

Problem conclusion

This APAR delivers WMQ APAR IZ72486 which  restores the
original behavior; if no user is specified then no user is
sent to the QM.

This APAR also resolves the AccessControlException problem.


The fix for this APAR is currently targeted for inclusion in
fix pack 6.1.0.31.  Please refer to the Recommended Updates
page for delivery information:
http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980

Temporary fix

Either:

- configure an authentication alias with user credentials that
do have authority to connect to the QM (note there is no
authentication of that user without additional configuration).
- set the MCAUSER of the SVRCONN channel at the QM to a user
that has sufficient authority to perform the actions required
by the WAS application.

Comments

APAR Information

APAR number
PM10331
Reported component name
WEBS APP SERV N
Reported component ID
5724H8800
Reported release
61A
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2010-03-19
Closed date
2010-03-26
Last modified date
2010-04-13

APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:

Fix information

Fixed component name
WEBS APP SERV N
Fixed component ID
5724H8800

Applicable component levels

R61A PSY
UP
R61H PSY
UP
R61I PSY
UP
R61P PSY
UP
R61S PSY
UP
R61W PSY
UP
R61Z PSY
UP

[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"6.1","Line of Business":{"code":"LOB45","label":"Automation"}}]

Document Information

Modified date:
29 December 2021

Tips

PM10331: AFTER APPLYING 6.1.0.29 CONNECTIONS TO WMQ FAIL WITH MQRC 2035

Fixes are available

Subscribe

APAR status

Closed as program error.

Error description

Local fix

Problem summary

Problem conclusion

Temporary fix

Comments

APAR Information

APAR number

Reported component name

Reported component ID

Reported release

Status

PE

HIPER

Special Attention

Submitted date

Closed date

Last modified date

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:

Fix information

Fixed component name

Fixed component ID

Applicable component levels

R61A PSY

R61H PSY

R61I PSY

R61P PSY

R61S PSY

R61W PSY

R61Z PSY

Document Information

Share your feedback

Need support?