PM77408: JAVA CLIENT RECEIVING A SECURITY VIOLATION "MQRC_NOT_AUTHORIZED"(MQRC2035) WHEN QMGR HAS TOPIC SECURITY OP 12/11/27 PTF PECHANGE

A fix is available


APAR status

  • Closed as program error.

Error description

  • When using a Java client to connect to a z/OS WMQ QMGR with
    TOPIC security set to off (disabled), you can receive a
    security violation "MQRC_NOT_AUTHORIZED" (MQRC2035).
    .
    Profiles for topic security:
    http://publib.boulder.ibm.com/infocenter/wmqv7/v7r0/topic/com.ibm.mq.csqsav.doc/zs14020_.htm
    .
    The customer reporting the issue was using Top Secret (TSS),
    but the WMQ Change Team was able to recreate it using RACF.
    .
    While opening an alias queue where the target is a topic,
    CSQMOPEN tries to locate each admin node in the target
    topic's hierarchy so that it can check security against
    each node.
    When the target topic is a cluster topic, it appears that
    the mhnd doesn't contain enough information to find the
    parent admin nodes.
    As no node has been found against which a security check
    could be done, CSQMOPEN returns MQRC_NOT_AUTHORIZED without
    actually doing any security checking.
    .
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED: All users of WebSphere MQ for z/OS Version 7 *
    *                 Release 0 Modification 1 and Release 1       *
    *                 Modification 0.                              *
    ****************************************************************
    * PROBLEM DESCRIPTION: Applications putting to a Topic Alias   *
    *                      which resolves to a Cluster Topic       *
    *                      defined on another queue manager in the *
    *                      cluster receive MQRC 2035               *
    *                      (MQRC_NOT_AUTHORIZED) after applying    *
    *                      UK81817/UK81818.                        *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    When opening a topic alias (i.e. an alias queue with
    TARGTYPE(TOPIC)), CSQMOAQ1 searches for a local topic definition
    with the specified base name. If none is found, the cluster
    repository is queried to locate any clustered topic definition.
    An error in this lookup means that remote cluster topics
    will not be found successfully. On return from CSQMOPEN,
    CSQMTOPN is called to extract the topic string from the located
    topic. As no topic object was located, no topic string is
    found. CSQMOPEN then attempts to find the appropriate admin
    node for the topic string in order to perform a security
    check; however, because no topic string was found, no node is
    found and the call fails with MQRC_NOT_AUTHORIZED.
    

Problem conclusion

  • CSQMTOPN is changed to correctly locate cluster topics when
    called during MQOPEN of a topic alias.
    010Y
    100Y
    CSQMOAQ1
    CSQMTOPN
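
The open path described in the problem summary, as an added example that is not IBM code: a simplified Python model of the alias lookup, admin node search and security check, run with the pre-fix and the fixed lookup. The class `ToyQmgr`, the object names, the topic string and the user ID are constructed for illustration, and the logic is an assumption based only on the text above.

```python
from dataclasses import dataclass, field

MQRC_NONE, MQRC_NOT_AUTHORIZED = 0, 2035

@dataclass
class ToyQmgr:
    """Simplified model of the open path in the APAR text (logic assumed)."""
    aliases: dict            # alias queue -> base topic object name
    local_topics: dict       # locally defined topic object -> topic string
    cluster_topics: dict     # cluster repository: topic object -> topic string
    admin_nodes: set         # topic strings that have an admin node
    topic_security: bool = False   # topic security off, as in the report
    fixed: bool = False            # False models the pre-fix lookup
    grants: set = field(default_factory=set)    # (user, node) pairs
    checks: list = field(default_factory=list)  # security checks actually made

    def locate_topic(self, base):
        if base in self.local_topics:
            return self.local_topics[base]
        # Defect being modelled: remote cluster topics are never found.
        return self.cluster_topics.get(base) if self.fixed else None

    def find_admin_nodes(self, topic_string):
        if not topic_string:
            return []
        parts = topic_string.split("/")
        paths = ("/".join(parts[:i]) for i in range(len(parts), 0, -1))
        return [p for p in paths if p in self.admin_nodes]

    def check(self, user, node):
        self.checks.append((user, node))
        return (not self.topic_security) or (user, node) in self.grants

    def mqopen(self, user, alias):
        nodes = self.find_admin_nodes(self.locate_topic(self.aliases[alias]))
        if not nodes:
            return MQRC_NOT_AUTHORIZED   # denied, no check was performed
        ok = all([self.check(user, n) for n in nodes])
        return MQRC_NONE if ok else MQRC_NOT_AUTHORIZED

def demo(fixed, topic_security=False):
    """Open a topic alias whose target is a remote cluster topic (constructed)."""
    qm = ToyQmgr(aliases={"PRICES.ALIAS": "PRICES.TOPIC"}, local_topics={},
                 cluster_topics={"PRICES.TOPIC": "market/prices"},
                 admin_nodes={"market", "market/prices"},
                 topic_security=topic_security, fixed=fixed)
    return qm.mqopen("APPUSER", "PRICES.ALIAS"), qm.checks

if __name__ == "__main__":
    for fixed in (False, True):
        print("fixed" if fixed else "pre-fix", demo(fixed))
```

In the model, the pre-fix open returns 2035 with an empty check list, which is the situation the error description reports: MQRC_NOT_AUTHORIZED without any security checking having been done.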
    

Temporary fix

Comments

APAR Information

  • APAR number

    PM77408

  • Reported component name

    WMQ Z/OS V7

  • Reported component ID

    5655R3600

  • Reported release

    010

  • Status

    CLOSED PER

  • PE

    YesPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2012-11-20

  • Closed date

    2012-11-28

  • Last modified date

    2013-02-04

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    UK83826 UK83827

Modules/Macros

  • CSQMOAQ1 CSQMTOPN
    

Fix information

  • Fixed component name

    WMQ Z/OS V7

  • Fixed component ID

    5655R3600

Applicable component levels

  • R010 PSY UK83826

       UP13/01/16 P F301

  • R100 PSY UK83827

       UP13/01/16 P F301

Fix is available

  • Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.



Document information


More support for:

z/OS family

Software version:

7.0.1

Reference #:

PM77408

Modified date:

2013-02-04
