IBM Support

IT08408: MQ V8: WHEN USING THE CONNAUTH FEATURE THE ERROR MESSAGE AMQ9557 COULD CAUSE CONFUSION .

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • If a Websphere MQ queue manager is configured to check userid
and password with these settings:

- ALTER QMGR CONNAUTH(LOCAL.ISPW)
- DEF AUTHINFO(LOCAL.ISPW) AUTHTYPE(IDPWOS) CHCKCLNT(OPTIONAL)
 ADOPTCTX(YES)

and the following is used

- USER_OWNER : user ID used to start the client application (or
 owner of the application)
- USER_MQCSP : user ID passed in MQCSP structure for
 authorization check. The password is also provided in MQCSP
 structure.

In these scenarios the error message AMQ9557 may cause
confusion:

Scenario 1:
 USER_MQCSP has no authority to access the queue manager.
 The client application fails to connect and following error
 messages are generated in queue manager error log:

 AMQ8077: Entity 'USER_MQCSP' has insufficient authority to
 access object 'QM1'.
 EXPLANATION:
 The specified entity is not authorized to access the required
 object.
 The following requested permissions are unauthorized: connect

 AMQ9557: Queue Manager User ID initialization failed for
 'USER_OWNER'.
 EXPLANATION:
 The call to initialize the User ID 'USER_OWNER' failed with
 CompCode 2 and Reason 2035.

Scenario 2:
 USER_MQCSP has authority to connect and open objects on QM1.
 But the password is incorrect.
 The client application fails to connect and following error
 messages are generated in queue manager error log:

 AMQ5534: User ID 'USER_MQCSP' authentication failed
 EXPLANATION:
 The user ID and password supplied by 'amqsputc' could not be
 authenticated.

 AMQ5542: The failed authentication check was caused by the
 queue manager CONNAUTH CHCKCLNT(OPTIONAL)
 configuration.
 EXPLANATION:
 The user ID 'USER_MQCSP' and its password were checked because
 the queue manager connection authority (CONNAUTH)
 configuration refers to an authentication information
 (AUTHINFO) object named 'LOCAL.ISPW' with CHCKCLNT(OPTIONAL).
 This message accompanies a previous error to clarify the
 reason for the user ID


 AMQ9557: Queue Manager User ID initialization failed for
 'USER_OWNER'.
 EXPLANATION:
 The call to initialize the User ID 'USER_OWNER' failed with
 CompCode 2 and Reason 2035.

In both scenarios AMQ9557 presents the asserted User ID not the
attempted User ID

Local fix

  • 



Problem summary


    

  • ****************************************************************
USERS AFFECTED:
Users of Websphere MQ v8.0 queue manager using the connauth
feature
who are passing a user ID in MQCSP structure for the
authorization check, where that user ID has no authority to
access the queue manager, or
where the user ID passed in MQCSP structure has authority to
access the queue
manager but the password is incorrect.







Platforms affected:
MultiPlatform

****************************************************************
PROBLEM DESCRIPTION:
A programming error within the queue manager code to generate
this log message meant that the wrong user ID was inserted into
the error logs within the AMQ9557 message

    



Problem conclusion


    

  • The queue manager security component has been updated so that
the AMQ9557 error will show the attempted User ID rather than
the asserted User ID.

In terms of the scenario described above, this means that the
AMQ9557 message will now show USER_MQCSP rather than USER_OWNER
in this case.

---------------------------------------------------------------
The fix is targeted for delivery in the following PTFs:

Version    Maintenance Level
v8.0       8.0.0.3

The latest available maintenance can be obtained from
'WebSphere MQ Recommended Fixes'
http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006037

If the maintenance level is not yet available information on
its planned availability can be found in 'WebSphere MQ
Planned Maintenance Release Dates'
http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006309
---------------------------------------------------------------

    



Temporary fix


    

  • 



Comments


    

  • 



APAR Information




    

  • APAR number
    IT08408
    • 

  • Reported component name
    WMQ BASE MULTIP
    • 

  • Reported component ID
    5724H7251
    • 

  • Reported release
    800
    • 

  • Status
    CLOSED  PER
    • 

  • PE
    NoPE
    • 

  • HIPER
    NoHIPER
    • 

  • Special Attention
    NoSpecatt
    • 

  • Submitted date
    2015-04-20
    • 

  • Closed date
    2015-04-30
    • 

  • Last modified date
    2015-05-15
    • 





    

  • APAR is sysrouted FROM one or more of the following:
    

    • 

  • APAR is sysrouted TO one or more of the following:
    

    • 



Fix information


    

  • Fixed component name
    WMQ BASE MULTIP
    • 

  • Fixed component ID
    5724H7251
    • 



Applicable component levels


    

  • R800  PSY
       UP
    • 








      
              
                            

              

              [{"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SSYHRD","label":"IBM MQ"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"8.0.0.0","Edition":"","Line of Business":{"code":"LOB45","label":"Automation"}}]
              

                          

          
 
        

      

    

      

        

          

            
Document Information


            

            


                        

            Modified date:
            

            15 May 2015
            

            
                      

        


        

        


      

    

  



    

  

  
    
            

          
Page Feedback