IBM Support

PI85389: IBM INTEGRATION API CALLS FAIL ADMIN AUTHENTICATION ON Z/OS

Subscribe to this APAR

By subscribing, you receive periodic emails alerting you to the status of the APAR, along with a link to the fix after it becomes available. You can track this item individually or track all items by product.

Notify me when this APAR changes.

Notify me when an APAR for this component changes.

 

APAR status

  • Closed as program error.

Error description

  • Even if administration security is enabled, you should not have
    to explicitly grant permissions for the following administration
    interfaces, authentication is provided only by the system
    login; no additional authentication is carried out by the
    integration node:
    
    . IBM Integration Toolkit
    . IBM Integration API
    . IBM Integration Bus commands
    
    However, on z/OS, this is not working as expected. For example,
    attempting to use the Integration API calls in a Java compute
    node when file based administration security is enabled,
    results in authentication errors, for example:
    
    BIP2852E: The role 'WMQI20' is not authorized to perform the
    requested  operation 'view' against the object 'MQ20BRK' of
    type 'Broker'. The  role 'WMQI20' needs to have 'Read'
    permission on the object 'MQ20BRK' of type 'Broker'.
    

Local fix

  • As a work around, you can create a role named for your brokers
    started task id and grant it the necessary permissions,
    depending on what actions you want to perform on the
    administered objects.
    

Problem summary

  • ****************************************************************
    USERS AFFECTED:
    All users of IBM Integration Bus v10 on z/OS who use file mode
    security.
    
    
    Platforms affected:
    z/OS
    
    ****************************************************************
    PROBLEM DESCRIPTION:
    If using file mode security, you should not have to create a
    role for the integration nodes user and grant permissions when
    using the following administration interfaces:
    
    IBM Integration Toolkit (when making a local connection,
    specifying only the integration node name)
    IBM Integration API
    IBM Integration Bus commands (when making a local connection,
    specifying only the integration node name)
    
    In these cases, authentication is provided only by the system
    login; no additional authentication is
    carried out by the integration node.
    
    However, on IIB z/OS, if a role had not been created and the
    appropriate permissions granted for the integration nodes user
    id, then the following types of errors may be reported:
    
    BIP2852E: The role 'WMQIxx' is not authorized to perform the
    requested
    operation 'view' against the object 'MQxxBRK' of type 'Broker'.
    The
    role 'WMQIxx' needs to have 'Read' permission on the object
    'MQxxBRK'
    of type 'Broker'.
    

Problem conclusion

  • The product has been modified to remove the need for a role to
    be defined for the integration nodes user id when using file
    mode security.
    
    ---------------------------------------------------------------
    The fix is targeted for delivery in the following PTFs:
    
    Version    Maintenance Level
    v10.0      10.0.0.12
    
    The latest available maintenance can be obtained from:
    http://www-01.ibm.com/support/docview.wss?rs=849&uid=swg27006041
    
    If the maintenance level is not yet available,information on
    its planned availability can be found on:
    http://www-1.ibm.com/support/docview.wss?rs=849&uid=swg27006308
    ---------------------------------------------------------------
    

Temporary fix

Comments

APAR Information

  • APAR number

    PI85389

  • Reported component name

    IIB Z/OS

  • Reported component ID

    5655AB100

  • Reported release

    A00

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2017-08-02

  • Closed date

    2018-03-21

  • Last modified date

    2018-03-21

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    IIB Z/OS

  • Fixed component ID

    5655AB100

Applicable component levels

[{"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SSNQH8","label":"IBM Integration Bus for z\/OS"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"10.0","Edition":"","Line of Business":{"code":"LOB45","label":"Automation"}},{"Business Unit":{"code":"BU054","label":"Systems w\/TPS"},"Product":{"code":"SG19M","label":"APARs - z\/OS environment"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"10.0","Edition":"","Line of Business":{"code":"","label":""}}]

Document Information

Modified date:
21 March 2018