PH14428: WMQ Z/OS V9: INCORRECT SECURITY CHECK ON DEFINE SUB

Obtain the fix for this APAR.

APAR status

• Closed as program error.

Error description

• The DEFINE SUB command with a blank SUBUSER is performing
  incorrect security checks when putting the response message to
  the reply-to queue.
  When the queue manager puts command replies to the reply queue,
  following RACF error occurs:
  10.56.42 STC001  ICH408I JOB(CSQ1MSTR) STEP(CSQ1MSTR)
  CSQ1.SYSTEM.CSQ2SLIST.D47FC0EC4C39FF82 CL(MQQUEUE )
  INSUFFICIENT ACCESS AUTHORITY      FROM CSQ1.* (G)
  ACCESS INTENT(UPDATE )  ACCESS ALLOWED(NONE   )
  10.56.42 STC001  CSQN207I (CSQ1 COMMAND SERVER UNABLE TO OPEN
  REPLY TO QUEUE
  10.56.42 STC001  CSQN203I (CSQ1 QUEUE
  SYSTEM.CSQ2SLIST.D47FC0EC4C39FF82, MQCC=2 MQRC=2035
  (MQRC_NOT_AUTHORIZED)
  11.00.50 STC001  ICH408I JOB(CSQ1MSTR) STEP(CSQ1MSTR)
  CSQ1.SYSTEM.CSQ2SLIST.D47FC1E6254D1F84 CL(MQQUEUE )
  INSUFFICIENT ACCESS AUTHORITY  FROM CSQ1.* (G)
  ACCESS INTENT(UPDATE )  ACCESS ALLOWED(NONE   )
  

Local fix

• N/A
  

Problem summary

• ****************************************************************
  * USERS AFFECTED: All users of IBM MQ for z/OS Version 9       *
  *                 Release 1 Modification 0.                    *
  ****************************************************************
  * PROBLEM DESCRIPTION: ICH408I is issued reporting a security  *
  *                      error when opening the reply queue for  *
  *                      a DEFINE SUB/MQCMD_CREATE_SUBSCRIPTION  *
  *                      command that specified the SUBUSER      *
  *                      parameter with a blank value.           *
  ****************************************************************
  During the creation of the subscription, a check is made that
  the user associated with the subscription is authorised to
  access the subscription queue.
  When SUBUSER is specified as blanks, the associated user is the
  issuer of the command, however after performing the check,
  CSQMCNSB incorrectly sets the current user to the passed in
  SUBUSER value of blanks.
  When the command server subsequently opens the reply queue,
  any authority checks for the reply queue are performed using
  this invalid value, and consequently the reply queue fails to
  be opened.
  

Problem conclusion

• CSQMCNSB is changed to correctly restore the current user when
  a SUBUSER of blanks is specified.
  

Temporary fix

Comments

APAR Information

• APAR is sysrouted FROM one or more of the following:

  PH00126

• APAR is sysrouted TO one or more of the following:

  UI64370

Modules/Macros

• CSQMCNSB
  

Fix information

• Fixed component name

  IBM MQ Z/OS V9

• Fixed component ID

  5655MQ900

Applicable component levels

• R100 PSY UI64370

     UP19/09/26 P F909

Fix is available

• Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.