PM77408: JAVA CLIENT RECEIVING A SECURITY VIOLATION "MQRC_NOT_AUTHORIZED"(MQRC2035) WHEN QMGR HAS TOPIC SECURITY OP 12/11/27 PTF PECHANGE

Obtain the fix for this APAR.

APAR status

• Closed as program error.

Error description

• When using a Java client to connect to z/OS WMQ QMGR with
  TOPIC security set to off (disable).
  .
  Profiles for topic security
  http://publib.boulder.ibm.com/infocenter/wmqv7/v7r0/topic/
  com.ibm.mq.csqsav.doc/zs14020_.htm
  .
  You can receive a security violation "MQRC_NOT_AUTHORIZED"
  (MQRC2035).
  .
  The customer reporting the issue was using Top Secret (TSS),
  but WMQ Change Team was able to recreate using RACF.
  .
  While opening an alias queue where the target is a topic,
  CSQMOPEN tries to locate each admin node in the target
  topic's hierarchy so that it can check security against
  each node.
  When the target topic is a cluster topic, it appears that
  the mhnd doesn't contain enough information to find the
  parent admin nodes.
  As no node has been found against which a security check
  could be done, CSQMOPEN returns MQRC_NOT_AUTHORIZED without
  actually doing any security checking.
  .
  

Local fix

Problem summary

• ****************************************************************
  * USERS AFFECTED: All users of WebSphere MQ for z/OS Version 7 *
  *                 Release 0 Modification 1 and Release 1       *
  *                 Modification 0.                              *
  ****************************************************************
  * PROBLEM DESCRIPTION: Applications putting to a Topic Alias   *
  *                      which resolves to a Cluster Topic       *
  *                      defined on another queue manager in the *
  *                      cluster receive MQRC 2035               *
  *                      (MQRC_NOT_AUTHORIZED) after applying    *
  *                      UK81817/UK81818.                        *
  ****************************************************************
  * RECOMMENDATION:                                              *
  ****************************************************************
  When opening a topic alias (i.e. an alias queue with
  TARGTYPE(TOPIC)), CSQMOAQ1 searches for a local topic definition
  with the specified base name. If none is found, the cluster
  repository is queried to locate any clustered topic definition.
  An error in this lookup means the that remote cluster topics
  will not be found successfully. On return from CSQMOPEN,
  CSQMTOPN is called to extract the topic string from the located
  topic. As no topic object was located, this means no topic
  string is found. CSQMOPEN then attempts to find the appropriate
  admin node for the topic string in order to perform a security
  check, however because no topic string was found, no node is
  found and the call fails MQRC_NOT_AUTHORIZED.
  

Problem conclusion

• CSQMTOPN is changed to correctly locate cluster topics when
  called during MQOPEN of a topic alias.
  010Y
  100Y
  CSQMOAQ1
  CSQMTOPN
  

Temporary fix

Comments

APAR Information

• APAR is sysrouted FROM one or more of the following:

• APAR is sysrouted TO one or more of the following:

  UK83826 UK83827

Modules/Macros

• CSQMOAQ1 CSQMTOPN
  

Fix information

• Fixed component name

  WMQ Z/OS V7

• Fixed component ID

  5655R3600

Applicable component levels

• R010 PSY UK83826

     UP13/01/16 P F301

• R100 PSY UK83827

     UP13/01/16 P F301

Fix is available

• Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.