Fixes are available
PM10331; 6.1.0.29: after applying 6.1.0.29 connections to WebSphere MQ fail
6.1.0.31: Java SDK 1.5 SR11 FP1 Cumulative Fix for WebSphere Application Server
6.1.0.33: Java SDK 1.5 SR12 FP1 Cumulative Fix for WebSphere
6.1.0.35: Java SDK 1.5 SR12 FP2 Cumulative Fix for WebSphere
6.1.0.37: Java SDK 1.5 SR12 FP3 Cumulative Fix for WebSphere
6.1.0.47: WebSphere Application Server V6.1 Fix Pack 47
6.1.0.39: Java SDK 1.5 SR12 FP4 Cumulative Fix for WebSphere Application Server
6.1.0.41: Java SDK 1.5 SR12 FP5 Cumulative Fix for WebSphere Application Server
6.1.0.43: Java SDK 1.5 SR13 Cumulative Fix for WebSphere Application Server
6.1.0.45: Java SDK 1.5 SR14 Cumulative Fix for WebSphere Application Server
6.1.0.47: Java SDK 1.5 SR16 Cumulative Fix for WebSphere Application Server
APAR status
Closed as program error.
Error description
After applying fix pack 6.1.0.29, XA Connections to WebSphere MQ fail with a JMSSecurityException indicating that the Queue Manager has rejected a connection request made by the WebSphere Application Server process user.
Local fix
Either: - configure an authentication alias with user credentials that do have authority to connect to the QM (note there is no authentication of that user without additional configuration). - set the MCAUSER of the SVRCONN channel at the QM to a user that has sufficient authority to perform the actions required by the WAS application.
Problem summary
**************************************************************** * USERS AFFECTED: All users of IBM WebSphere Application * * Server 6.1 with WebSphere MQ * **************************************************************** * PROBLEM DESCRIPTION: After applying fix pack 6.1.0.29, XA * * Connections made to WMQ fail with * * JMSSecurityException MQRC 2035 (MQRC_ * * NOT_AUTHORIZED) * **************************************************************** * RECOMMENDATION: * **************************************************************** WebSphere MQ APAR IZ17062 included in WebSphere MQ (WMQ) fix pack 6.0.2.8 is delivered to WebSphere Application Server in fix pack 6.1.0.29. IZ17062 causes client mode XA Connections, that have no username and password specified either on the createConnection() call or via an authentication alias set on the Connection Factory, to have the user of the WebSphere Application Server process passed to the Queue Manager (QM). If the QM has not had security configured the default behavior is to accept connections with no user credentials specified, but to reject any specified user credentials that do not have authority. Thus, the effect of IZ17062 is that the user of the WebSphere Application Server process is passed to the QM, and if that user either does not exist on the QM server or does not have authority to connect, then the connection attempt is rejected with MQRC 2035. XA Connections are not typically created by JMS applications but rather on their behalf, so this problem can affect Message Driven Beans or any other JMS application running in an EJB for example. Another possible problem after applying 6.1.0.29 is an AccessControlException when attempting to create an XA Connection and Java 2 Security is enabled. The stack will show that the WMQ client is attempting to get the user of the Java process. Note this problem also exists in all versions of WebSphere Application Server 7.x. PM09742 resolves this problem in 7.x and is targeted for 7.0.0.13.
Problem conclusion
This APAR delivers WMQ APAR IZ72486 which restores the original behavior; if no user is specified then no user is sent to the QM. This APAR also resolves the AccessControlException problem. The fix for this APAR is currently targeted for inclusion in fix pack 6.1.0.31. Please refer to the Recommended Updates page for delivery information: http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
Temporary fix
Either: - configure an authentication alias with user credentials that do have authority to connect to the QM (note there is no authentication of that user without additional configuration). - set the MCAUSER of the SVRCONN channel at the QM to a user that has sufficient authority to perform the actions required by the WAS application.
Comments
APAR Information
APAR number
PM10331
Reported component name
WEBS APP SERV N
Reported component ID
5724H8800
Reported release
61A
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2010-03-19
Closed date
2010-03-26
Last modified date
2010-04-13
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
WEBS APP SERV N
Fixed component ID
5724H8800
Applicable component levels
R61A PSY
UP
R61H PSY
UP
R61I PSY
UP
R61P PSY
UP
R61S PSY
UP
R61W PSY
UP
R61Z PSY
UP
Document Information
Modified date:
29 December 2021