APAR status
Closed as program error.
Error description
With ChlauthEarlyAdopt=y, CHLAUTH USERMAP rules proved ineffective when the user asserted by the client did not have +connect authority to the queue manager. When the client application tried to connect to the queue manager, the CHLAUTH USERMAP rules should have mapped the asserted user to a valid user id. Instead, the following error message was written to the MQ error log:

"AMQ8077 NOT AUTHORIZED missing +connect authority"

The CHLAUTH USERMAP rule(s) were not applied to the asserted user. A generic CHLAUTH ADDRESSMAP rule was applied, which blocked the connection, and the client connection failed with return code 2035 (MQRC_NOT_AUTHORIZED).
Local fix
Problem summary
USERS AFFECTED: Users of ChlauthEarlyAdopt=y and CHLAUTH USERMAP rules.

Platforms affected: MultiPlatform

PROBLEM DESCRIPTION: A client attempted to connect to a queue manager configured with ChlauthEarlyAdopt=y and CHLAUTH USERMAP rules. The CHLAUTH USERMAP rules were intended to operate on the asserted user id that the client had supplied in the MQCSP structure but the CHLAUTH USERMAP rules proved ineffective when the asserted user id did not have +connect authority to the queue manager. This was because the queue manager checked that the asserted user id had +connect authority before evaluating the CHLAUTH rules.

If the client did not have +connect authority then the CHLAUTH USERMAP rule(s) were applied to the user id that the client was running as instead of the asserted user and the following error message was written to the MQ error log:

"AMQ8077 NOT AUTHORIZED missing +connect authority"

Consequently a generic CHLAUTH ADDRESSMAP rule was applied which blocked the connection and the connection failed with return code 2035 (MQRC_NOT_AUTHORIZED).
Problem conclusion
The +connect authority check in the queue manager code has been moved so that the check takes place after the CHLAUTH rules have been evaluated. This allows the CHLAUTH rules to operate on the asserted user id that the client had supplied in the MQCSP structure.

The fix is targeted for delivery in the following PTFs:

Version      Maintenance Level
v8.0         8.0.0.14
v9.0 LTS     9.0.0.9
v9.1 CD      9.1.5
v9.1 LTS     9.1.0.5

The latest available maintenance can be obtained from 'WebSphere MQ Recommended Fixes'
http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006037

If the maintenance level is not yet available information on its planned availability can be found in 'WebSphere MQ Planned Maintenance Release Dates'
http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006309
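The change in check ordering described above can be followed in a small model. This is an added example, not IBM MQ code: the user names, the single USERMAP rule and the function names are hypothetical, and it assumes that after the fix the +connect check is made against the mapped user id.

```python
# Simplified model of the check ordering in this APAR; not IBM MQ code.
# Constructed sample data: the user names and the single USERMAP rule are hypothetical.
MQRC_NONE, MQRC_NOT_AUTHORIZED = 0, 2035
AMQ8077 = "AMQ8077 NOT AUTHORIZED missing +connect authority"

CONNECT_AUTHORITY = {"mqapp"}    # user ids holding +connect on the queue manager
USERMAP = {"alice": "mqapp"}     # CHLAUTH USERMAP: asserted user id -> mapped user id


def evaluate_chlauth(user):
    """Return the mapped user id, or None when no USERMAP rule matches and
    the generic blocking ADDRESSMAP rule therefore applies."""
    return USERMAP.get(user)


def connect_before_fix(asserted_user, running_user):
    """Old order: +connect is checked on the asserted user before CHLAUTH."""
    log = []
    rule_subject = asserted_user
    if asserted_user not in CONNECT_AUTHORITY:
        log.append(AMQ8077)
        rule_subject = running_user   # USERMAP now sees the wrong identity
    mapped = evaluate_chlauth(rule_subject)
    if mapped is None or mapped not in CONNECT_AUTHORITY:
        return MQRC_NOT_AUTHORIZED, None, log
    return MQRC_NONE, mapped, log


def connect_after_fix(asserted_user, running_user):
    """Fixed order: CHLAUTH sees the asserted user; +connect is checked afterwards.
    Assumption: the later check is made against the mapped user id."""
    log = []
    mapped = evaluate_chlauth(asserted_user)   # running_user is not consulted
    if mapped is None:
        return MQRC_NOT_AUTHORIZED, None, log  # blocked by the generic ADDRESSMAP rule
    if mapped not in CONNECT_AUTHORITY:
        log.append(AMQ8077)
        return MQRC_NOT_AUTHORIZED, None, log
    return MQRC_NONE, mapped, log


if __name__ == "__main__":
    for name, fn in (("before", connect_before_fix), ("after", connect_after_fix)):
        print(name, fn("alice", "svc_desktop"), fn("bob", "svc_desktop"))
```

In the model, an asserted user with no USERMAP rule is still refused after the fix, so the reordering only affects users that a rule explicitly maps.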
Temporary fix
Comments
APAR Information
APAR number
IT26512
Reported component name
IBM MQ BASE MP
Reported component ID
5724H7251
Reported release
800
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2018-10-04
Closed date
2019-10-28
Last modified date
2019-10-28
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
IBM MQ BASE MP
Fixed component ID
5724H7251
Applicable component levels
Document Information
Modified date:
28 October 2019