APAR status
Closed as program error.
Error description
When the MQOutput node opens a queue for output, it opens it with the "Alternate User" in the MQMD if the flag is specified, but it only does this when it first opens the queue. So if the queue is already opened (the handle is cached), when a subsequent message is written, it will use the "Alternate User" that was in place when the queue was first opened.
Local fix
Not Applicable
Problem summary
****************************************************************
USERS AFFECTED:
Using MQOutput node with "Alternate User Authority" advanced property enabled with WebSphere Message Broker v6.1 or later

Platforms Affected: All Platforms
****************************************************************
PROBLEM SUMMARY:
When the MQOutput node opens a queue for output, it opens it with the "Alternate User" in the MQMD if the flag is specified, but it only does this when it first opens the queue. So if the queue is already opened (the handle is cached), when a subsequent message is written, it will use the "Alternate User" that was in place when the queue was first opened.
Problem conclusion
When using the Alternate User Authority on the MQOutput node, it should be noted that MQ always performs security checking for the Context and Identity permissions using the UserID of the application opening the handle to the queue, which in this case is the Broker. Therefore, as the MQOutput node needs the ability to set the identity and the context of the message it is PUTting to the queue, the Broker UserID must have permission to set the Identity (setid) and set the Context (setall) on the queue to which it is putting the message. However, the Broker's UserID does not need any other permissions (such as permission to PUT or GET a message), as the authority to PUT is checked by MQ against the supplied Alternate User Authority.

After this APAR fix, each time a different Alternate User name is specified to PUT a message to a given queue, a new handle to the queue is opened for the alternate authority, assuming that the alternate user name has permission to access the queue and a previously opened cached handle is not available.

---------------------------------------------------------------
The fix is targeted for delivery in the following PTFs:

V6.1 - Maintenance Level 6.1.0.8
V7.0 - Maintenance Level 7.0.0.1

The latest available maintenance can be obtained from 'WebSphere Message Broker Recommended Fixes'
http://www.ibm.com/support/docview.wss?rs=849&uid=swg27006041

If the maintenance level is not yet available, information on its planned availability can be found in 'WebSphere Message Broker Planned Maintenance Release Dates'
http://www-1.ibm.com/support/docview.wss?rs=849&uid=swg27006308
---------------------------------------------------------------
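The handle-caching behaviour described above, before and after the fix, as a simplified model added here for illustration; it is not IBM's code. The class and function names, the queue name, the user IDs and the ACL are all constructed for the example, and the only assumption about MQ is that PUT authority is checked when the handle is opened.

```python
# Constructed model of a queue-handle cache; not WebSphere Message Broker code.

# Constructed ACL: which alternate user IDs may PUT to which queue.
PUT_ACL = {"ORDERS.IN": {"alice"}}


class NotAuthorized(Exception):
    """Stands in for MQ refusing the open (MQRC_NOT_AUTHORIZED, 2035)."""


class Handle:
    def __init__(self, queue, alt_user):
        self.queue = queue
        self.alt_user = alt_user  # authority is fixed at open time


def open_queue(queue, alt_user):
    """PUT authority is checked once, when the handle is opened."""
    if alt_user not in PUT_ACL.get(queue, set()):
        raise NotAuthorized(f"{alt_user} may not PUT to {queue}")
    return Handle(queue, alt_user)


class HandleCache:
    def __init__(self, key_includes_user):
        # False models the defect (cache keyed by queue only);
        # True models the fix (one handle per queue and alternate user).
        self.key_includes_user = key_includes_user
        self.handles = {}

    def put(self, queue, alt_user, message):
        key = (queue, alt_user) if self.key_includes_user else queue
        handle = self.handles.get(key)
        if handle is None:
            handle = self.handles[key] = open_queue(queue, alt_user)
        # Return the user whose authority the PUT actually ran under.
        return handle.alt_user


def run(cache):
    """Put three messages as alice, bob, alice and record the effective user."""
    results = []
    for user in ("alice", "bob", "alice"):
        try:
            results.append((user, cache.put("ORDERS.IN", user, b"msg")))
        except NotAuthorized:
            results.append((user, "DENIED"))
    return results
```

With the queue-only key, the message requested for `bob` is put under `alice`'s cached authority; with the per-user key, the open for `bob` is checked and refused.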
Temporary fix
Comments
APAR Information
APAR number
IZ68324
Reported component name
MSSG BROKER AIX
Reported component ID
5724J0501
Reported release
100
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2010-01-19
Closed date
2010-03-29
Last modified date
2010-04-15
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
MSSG BROKER AIX
Fixed component ID
5724J0501
Applicable component levels
R100 PSY
UP
Document Information
Modified date:
15 April 2010