IBM Support

PM96242: WMQ MQRC_NOT_AUTHORIZED ( MQRC 2035 ) IS RETURNED ON TOPIC OPEN BUT NO OTHER MESSAGES ARE GENERATED TO INDICATE A FAILURE

A fix is available

APAR status

  • Closed as program error.

Error description

  • On topic open, only MQRC_NOT_AUTHORIZED ( MQRC 2035 ) is returned,
    without any other messages to indicate which object the
    application is not authorized for. In the APARed instance it
    appears that the reason for this was that there were no
    suitable topic nodes to perform a security check against, so no
    security check was issued. No ICH408I messages were generated
    by RACF.
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED: All users of WebSphere MQ for z/OS Version 7 *
    *                 Release 0 Modification 1 and Release 1       *
    *                 Modification 0.                              *
    ****************************************************************
    * PROBLEM DESCRIPTION: No security check occurs on the root    *
    *                      node of the topic tree if authority was *
    *                      not granted by any topic objects, and   *
    *                      SYSTEM.BASE.TOPIC does not exist.       *
    *                      No ICH408I message is issued for the    *
    *                      xxxx.PUBLISH.SYSTEM.BASE.TOPIC or       *
    *                      xxxx.SUBSCRIBE.SYSTEM.BASE.TOPIC.       *
    *                                                              *
    *                      The application opening the topic fails *
    *                      with MQRC_NOT_AUTHORIZED.               *
    *                      If no relevant topic objects exist for  *
    *                      the topic being opened, no ICH408I      *
    *                      messages appear to indicate what        *
    *                      authority is needed.                    *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    When opening a topic, a security check takes place on each
    administrative topic node (i.e. a node with an associated TOPIC
    object) between the topic and the root node of the topic tree,
    until access is granted or the root node is reached.
    If the root node is reached, because no suitable topic objects
    existed or access had not been granted by a suitable topic
    object, authorization should be based on the profile for
    object 'SYSTEM.BASE.TOPIC'.
    If this topic object does not exist, the queue manager should
    behave as if it exists with default values. However, in this
    situation no security check is issued and the call fails with
    MQRC_NOT_AUTHORIZED, even if the application has the
    correct access to the profile for SYSTEM.BASE.TOPIC.
    

Problem conclusion

  • Open processing is changed to always check if an application has
    access to SYSTEM.BASE.TOPIC if access has not already been
    granted by a topic object lower in the topic tree, even if topic
    object SYSTEM.BASE.TOPIC does not exist.
    010Y
    100Y
    CSQMOPEN
    CSQMOPNI
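
The authorization walk described in the problem summary and conclusion, as a simplified Python model added here for illustration (not IBM code and not part of the original APAR). The function names, the `fixed` switch, the sample topic objects, the user and the `QM01` profile prefix are all constructed assumptions. The model returns the reason code together with the profiles that were actually checked.

```python
# Added illustration: simplified model of the topic-open authorization walk.
# Not IBM code; function names, users and the QM01 prefix are constructed.
MQRC_NONE, MQRC_NOT_AUTHORIZED = 0, 2035
BASE = "SYSTEM.BASE.TOPIC"


def ancestors(topic_string):
    """Yield the topic node, then each parent, ending with the root ('')."""
    parts = topic_string.split("/") if topic_string else []
    for depth in range(len(parts), 0, -1):
        yield "/".join(parts[:depth])
    yield ""


def open_topic(topic_string, action, user, topic_objects, permits, hlq, fixed):
    """Return (reason_code, profiles_checked).

    topic_objects: topic string -> TOPIC object name (administrative nodes).
    permits: set of (user, profile) pairs, a stand-in for the security manager.
    fixed: False models behaviour before this APAR, True the behaviour after.
    """
    checked = []
    for node in ancestors(topic_string):
        name = topic_objects.get(node)
        if node == "" and name is None:
            if not fixed:
                # Before the fix: no object at the root, so no check is issued.
                return MQRC_NOT_AUTHORIZED, checked
            name = BASE  # after the fix: checked even though it is not defined
        if name is None:
            continue  # not an administrative node, nothing to check here
        profile = f"{hlq}.{action}.{name}"
        checked.append(profile)
        if (user, profile) in permits:
            return MQRC_NONE, checked
    return MQRC_NOT_AUTHORIZED, checked


# Constructed sample: one administrative node, SYSTEM.BASE.TOPIC not defined,
# and the user permitted only to the SYSTEM.BASE.TOPIC subscribe profile.
OBJECTS = {"sport": "SPORT.TOPIC"}
PERMITS = {("APPUSER", "QM01.SUBSCRIBE.SYSTEM.BASE.TOPIC")}

if __name__ == "__main__":
    for fixed in (False, True):
        rc, checked = open_topic("sport/football", "SUBSCRIBE", "APPUSER",
                                 OBJECTS, PERMITS, "QM01", fixed)
        print("fixed" if fixed else "before", rc, checked)
```

With no topic objects at all, the pre-fix path returns 2035 with an empty list of checked profiles, which matches the reported symptom of a failure with no ICH408I message to point at the missing authority.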
    

Temporary fix

Comments

APAR Information

  • APAR number

    PM96242

  • Reported component name

    WMQ Z/OS V7

  • Reported component ID

    5655R3600

  • Reported release

    010

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2013-09-02

  • Closed date

    2013-09-12

  • Last modified date

    2013-11-04

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    UK97472 UK97473

Modules/Macros

  • CSQMOPEN CSQMOPNI
    

Fix information

  • Fixed component name

    WMQ Z/OS V7

  • Fixed component ID

    5655R3600

Applicable component levels

  • R010 PSY UK97472

       UP13/10/16 P F310

  • R100 PSY UK97473

       UP13/10/16 P F310

Fix is available

  • Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.

Document Information

Modified date:
04 November 2013