APAR status
Closed as program error.
Error description
MQGet call returns error 2063 (MQRC_SECURITY_ERROR) when processing AMS-protected messages. Following errors are reported in error logs:- ---------------------------------------------------------------- --------------- 09/08/2016 06:36:55 PM - Process(11477.82) User(Admin) Program(java) Host(localhost) Installation(Installation1) VRMF(7.5.0.x) QMgr(QM) AMQ9044: The WebSphere MQ security policy interceptor has put a defective message on error handling queue SYSTEM.PROTECTION.ERROR.QUEUE. EXPLANATION: This is an informational message that indicates the WebSphere MQ security policy put a message it could not interpret on the specified error handling queue. ACTION: Make sure only valid messages are put onto queues protected by WebSphere MQ security policies. ----- smqigeta.c : 2218 ------------------------------------------------------- 09/08/2016 06:37:08 PM - Process(11477.82) User(Admin) Program(java) Host(localhost) Installation(Installation1) VRMF(7.5.0.x) QMgr(QM) AMQ9034: Message does not have a valid protection type. EXPLANATION: The WebSphere MQ security policy interceptor detected an invalid protection type in a message header. This usually occurs because the WebSphere MQ message header is not valid. ACTION: Retry the operation. If the problem persists, contact your IBM service representative. ----- smqigeta.c : 447 -------------------------------------------------------- 09/08/2016 06:37:08 PM - Process(11477.82) User(Admin) Program(java) Host(localhost) Installation(Installation1) VRMF(7.5.0.x) QMgr(QM) AMQ9037: The WebSphere MQ security policy interceptor failed to process a message on queue EHX.ORCHS.2023.QRYRESP with CompCode 2 Reason code 2331 EXPLANATION: An unexpected error was encountered whilst applying a security policy to queue EHX.ORCHS.2023.QRYRESP. ACTION: This is an internal error. Contact your IBM service representative. ----- smqigeta.c : 1644 ------------------------------------------------------- These errors are more prone to be reported when the MQ AMS code has to retry the MQGET with a larger buffer. The issue occurs due to a timing windows and when there is contention for messages. Example scenario : Application A gets an AMS protected message, but it is too large for the supplied buffer. So application A makes a second get request, but in the meantime application B has consumed the message from the queue. At this point, application A should just carry on and get the next available message, but the defect means that it considers the next message invalid. This results in the 2063 error seen in the MQ traces, and drives AMS error processing.
Local fix
Increase the buffer size to the largest possible message size.
Problem summary
**************************************************************** USERS AFFECTED: Those using MQ Advanced Message Security Platforms affected: MultiPlatform **************************************************************** PROBLEM DESCRIPTION: The internal coding defect causes AMS interceptor to reject the message based on its check of the MQMD format which is expected to be blanked during a MQGET call. This rejection of message is more prone to be seen when multiple getter application are issuing MQGET with a lesser buffer than the message size. This causes contention of messages and a timing condition where the application requests a message, needs to reallocate its buffer, obtains and decrypts a copy of the message and then attempts to remove the message using message token but fails with MQRC_TRUNCATED_MSG_ACCEPTED due incorrect MQMD formats. This failure is in turn relayed to the application as MQRC_SECURITY_ERROR.
Problem conclusion
In IBM MQ version 8, this APAR is resolved by the changes added to the product under APAR IT14031. In version 7.5 This APAR is resolved by the changes added to the product under APARs IT14031 and IT18248. Both APARs are required to fully address the problem at the 7.5 release. --------------------------------------------------------------- The fix is targeted for delivery in the following PTFs: Version Maintenance Level v7.5 7.5.0.8 v8.0 8.0.0.7 The latest available maintenance can be obtained from 'WebSphere MQ Recommended Fixes' http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006037 If the maintenance level is not yet available information on its planned availability can be found in 'WebSphere MQ Planned Maintenance Release Dates' http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006309 ---------------------------------------------------------------
Temporary fix
Comments
APAR Information
APAR number
IT17107
Reported component name
WEBSPHERE MQ 7.
Reported component ID
5724H7240
Reported release
750
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2016-09-19
Closed date
2017-01-24
Last modified date
2017-03-10
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
WEBSPHERE MQ 7.
Fixed component ID
5724H7240
Applicable component levels
[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSDEZSF","label":"IBM WebSphere MQ Managed File Transfer for z\/OS"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"7.5","Edition":"","Line of Business":{"code":"LOB45","label":"Automation"}}]
Document Information
Modified date:
31 March 2023