Security manager messages (CSQH...)

Security using uppercase classes

This message is issued to inform you that security is currently using the uppercase classes MQPROC, MQNLIST, MQQUEUE and MQADMIN.

Security using mixed case classes

This message is issued to inform you that security is currently using the mixed case classes MXPROC, MXNLIST, MXQUEUE and MXADMIN.

Security refresh did not take place for class class-name

This message follows message CSQH004I when an attempt to refresh class MQPROC, MQNLIST, or MQQUEUE was unsuccessful because of a return code from a SAF RACROUTE REQUEST=STAT call. The return code is given in message CSQH004I.

The refresh does not occur.

Check that the class in question (class-name) is set up correctly. See message CSQH004I for the reason for the problem.

csect-name STAT call failed for class class-name, SAF return code= saf-rc, ESM return code=esm-rc

To determine if you need to take any action, see RACROUTE REQUEST=STAT (standard form) for more information about the return codes.

csect-name resource-type In-storage profiles successfully listed

This message is issued in response to a REFRESH SECURITY command that caused the in-storage profiles to be RACLISTED (that is, rebuilt); for example, when the security switch for a resource is set on, or a refresh for a specific class is requested that requires the in-storage tables to be rebuilt.

This message is issued so that you can check the security configuration of your queue manager.

Error returned from CSQTTIME, security timer not started

An error was returned from the MQ timer component, so the security timer was not started.

The queue manager terminates abnormally, with a reason code of X'00C80042'.

See Security manager codes (X'C8') for an explanation of the reason code.

Reverify flag not set for user-id userid, no entry found

A user identifier (user-id) specified in the RVERIFY SECURITY command was not valid because there was no entry found for it in the internal control table. This could be because the identifier was entered incorrectly in the command, or because it was not in the table (for example, because it had timed-out).

The user identifier (user-id) is not flagged for reverify.

Check that the identifier was entered correctly.

Subsystem security not active, no userids processed

The RVERIFY SECURITY command was issued, but the subsystem security switch is off, so there are no internal control tables to flag for reverification.

Errors occurred during security timeout processing

Processing continues.

Contact your IBM® support center to report the problem.

csect-name Security timeout timer not restarted

See Security manager codes (X'C8') for information about the reason code.

csect-name Security interval is now set to zero

The ALTER SECURITY command was entered with the INTERVAL attribute set to 0. This means that no user timeouts will occur.

This message is issued to warn you that no security timeouts will occur. Check that this is what was intended.

Errors occurred during ALTER SECURITY timeout processing

This message is issued in response to an ALTER SECURITY command if errors have been detected during timeout processing (for example, a nonzero return code from the external security manager (ESM) during timeout processing).

Processing continues.

Contact your IBM support center to report the problem.

csect-name Case conflict for class class-name

A REFRESH SECURITY command was issued, but the case currently in use for the class class-name differs from the system setting and if refreshed would result in the set of classes using different case settings.

The refresh does not occur.

Check that the class in question (class-name) is set up correctly and that the system setting is correct. If a change in case setting is required, issue the REFRESH SECURITY(*) command to change all classes.

Security timeout = number minutes

This message is issued in response to the DISPLAY SECURITY TIMEOUT command, or as part of the DISPLAY SECURITY ALL command.

Security interval = number minutes

This message is issued in response to the DISPLAY SECURITY INTERVAL command, or as part of the DISPLAY SECURITY ALL command.

Security refresh completed with errors in signoff

This message is issued when an error has been detected in refresh processing; for example, a nonzero return code from the external security manager (ESM) during signoff or delete processing.

Processing continues.

Contact your IBM support center to report the problem.

csect-name Security refresh for resource-type not processed, security switch set OFF

A REFRESH SECURITY command was issued for resource type resource-type. However, the security switch for this type or the subsystem security switch is currently set off.

Ensure that the REFRESH SECURITY request was issued for the correct resource type.

Keyword values are incompatible

The REFRESH SECURITY command was issued, but the command syntax is incorrect because a keyword value that is specified conflicts with the value for another keyword.

The command is not executed.

See REFRESH SECURITY for more information.

csect-name switch-type security switch set OFF, profile 'profile-type' found

This message is issued during queue manager initialization and in response to a REFRESH SECURITY command for each security switch that is set OFF because the named security profile has been found.

If the subsystem security switch is set off, you will get only one message (for that switch).

Messages CSQH021I through CSQH026I are issued so that you can check the security configuration of your queue manager. See Switch profiles for information about setting security switches.

csect-name switch-type security switch set ON, profile 'profile-type' found

This message is issued during queue manager initialization and in response to a REFRESH SECURITY command for each security switch that is set ON because the named security profile has been found.

Messages CSQH021I through CSQH026I are issued so that you can check the security configuration of your queue manager. See Switch profiles for information about setting security switches.

csect-name switch-type security switch set OFF, profile 'profile-type' not found

This message is issued during queue manager initialization and in response to a REFRESH SECURITY command for each security switch that is set OFF because the named security profile has not been found.

If the subsystem security switch is set off, you will get only one message (for that switch).

Messages CSQH021I through CSQH026I are issued so that you can check the security configuration of your queue manager. See Switch profiles for information about setting security switches.

csect-name switch-type security switch set ON, profile 'profile-type' not found

This message is issued during queue manager initialization and in response to a REFRESH SECURITY command for each security switch that is set ON because the named security profile has not been found.

Messages CSQH021I through CSQH026I are issued so that you can check the security configuration of your queue manager. See Switch profiles for information about setting security switches.

csect-name switch-type security switch set OFF, internal error

This message is issued during queue manager initialization and in response to a REFRESH SECURITY command for each security switch that is set OFF because an error occurred.

The message might be issued with message CSQH004I when an unexpected setting is encountered for a switch.

See message CSQH004I for more information.

Messages CSQH021I through CSQH026I are issued so that you can check the security configuration of your queue manager.

csect-name switch-type security switch forced ON, profile 'profile-type' overridden

This message is issued during queue manager initialization and in response to a REFRESH SECURITY command for each security switch that was forced ON. This happens when an attempt was made to turn off both the queue manager and queue sharing group security switches for the named profile, which is not allowed.

Correct the profiles for the queue manager and queue sharing group security switches, and refresh security if required.

Messages CSQH021I through CSQH026I are issued so that you can check the security configuration of your queue manager. See Switch profiles for information about setting security switches.

Security switches ...

This is issued in response to a DISPLAY SECURITY ALL or DISPLAY SECURITY SWITCHES command and is followed by messages CSQH031I through CSQH036I for each security switch to show its setting and the security profile used to establish it.

If the subsystem security switch is set off, you will get only one message (for that switch). Otherwise, a message is issued for each security switch.

switch-type OFF, 'profile-type' found

This message is issued in response to a DISPLAY SECURITY ALL or DISPLAY SECURITY SWITCHES command for each security switch that is set OFF because the named security profile has been found.

If the subsystem security switch is set off, you will get only one message (for that switch).

switch-type ON, 'profile-type' found

This message is issued in response to a DISPLAY SECURITY ALL or DISPLAY SECURITY SWITCHES command for each security switch that is set ON because the named security profile has been found.

switch-type OFF, 'profile-type' not found

This message is issued in response to a DISPLAY SECURITY ALL or DISPLAY SECURITY SWITCHES command for each security switch that is set OFF because the named security profile has not been found.

If the subsystem security switch is set off, you will get only one message (for that switch).

switch-type ON, 'profile-type' not found

This message is issued in response to a DISPLAY SECURITY ALL or DISPLAY SECURITY SWITCHES command for each security switch that is set ON because the named security profile has not been found.

switch-type OFF, internal error

This message is issued in response to a DISPLAY SECURITY ALL or DISPLAY SECURITY SWITCHES command for each security switch that is set OFF because an error occurred during initialization or when refreshing security.

The message is be issued when an unexpected setting is encountered for a switch.

Check all your security switch settings. Review the z/OS system log file for other CSQH messages for errors during IBM MQ startup or when running RUNMQSC security refresh commands.

If required, correct them and refresh your security.

switch-type ON, 'profile-type' overridden

This message is issued in response to a DISPLAY SECURITY ALL or DISPLAY SECURITY SWITCHES command for each security switch that was forced ON. This happens when an attempt was made to turn off both the queue manager and queue sharing group security switches for the named profile, which is not allowed.

Correct the profiles for the queue manager and queue sharing group security switches, and refresh security if required.

Security using uppercase classes

This message is issued in response to a DISPLAY SECURITY ALL or DISPLAY SECURITY SWITCHES command to inform you that security is currently using the uppercase classes MQPROC, MQNLIST, MQQUEUE and MQADMIN.

Security using mixed case classes

This message is issued in response to a DISPLAY SECURITY ALL or DISPLAY SECURITY SWITCHES command to inform you that security is currently using the mixed case classes MXPROC, MXNLIST, MXQUEUE and MXADMIN.

Connection authentication ...

This message is issued during queue manager initialization, in response to a DISPLAY SECURITY command, and in response to a REFRESH SECURITY TYPE(CONNAUTH) command. It is followed by messages CSQH041I and CSQH042I to show the value of the connection authentication settings.

Client checks: check-client-value

This message is issued during queue manager initialization, in response to a DISPLAY SECURITY command, and in response to a REFRESH SECURITY TYPE(CONNAUTH) command. It shows the current value of connection authentication client checks.

If the value shown is '????' this means that the connection authentication settings were not able to be read. Preceding error messages will explain why. Any applications which connect while the queue manager is in this state will result in error message CSQH045E.

Local bindings checks: check-local-value

This message is issued during queue manager initialization, in response to a DISPLAY SECURITY command, and in response to a REFRESH SECURITY TYPE(CONNAUTH) command. It shows the current value of connection authentication local bindings checks.

If the value shown is '????' this means that the connection authentication settings were not able to be read. Preceding error messages will explain why. Any applications which connect while the queue manager is in this state will result in error message CSQH045E.

csect-name Object AUTHINFO(object-name) does not exist or has wrong type

During queue manager initialization or while processing a REFRESH SECURITY TYPE(CONNAUTH) command, the authentication information object named in the queue manager's CONNAUTH field was referenced. It was found to either not exist, or not have AUTHTYPE(IDPWOS).

If this message is issued in response to a REFRESH SECURITY TYPE(CONNAUTH) command, the command fails and the connection authentication settings remain unchanged.

If this message is issued during queue manager initialization, all connection attempts are refused with reason 2035 (07F3) (RC2035): MQRC_NOT_AUTHORIZED until the connection authentication settings have been corrected.

Ensure the authentication information object object-name has been defined correctly. Ensure the queue manager's CONNAUTH field is referencing the correct object name. Correct the configuration, then issue a REFRESH SECURITY TYPE(CONNAUTH) command for the changes to become active.

csect-name Access to AUTHINFO(object-name) object failed, reason=mqrc (mqrc-text)

During queue manager initialization or while processing a REFRESH SECURITY TYPE(CONNAUTH) command, the authentication information object named in the queue manager's CONNAUTH field could not be accessed for the reason given by mqrc (mqrc-text provides the MQRC in textual form).

If this message is issued in response to a REFRESH SECURITY TYPE(CONNAUTH) command, the command fails and the connection authentication settings remain unchanged.

If this message is issued during queue manager initialization, all connection attempts are refused with reason 2035 (07F3) (RC2035): MQRC_NOT_AUTHORIZED until the connection authentication settings have been corrected.

Ensure the authentication information object object-name has been defined correctly. Ensure the queue manager's CONNAUTH field is referencing the correct object name. Refer to API completion and reason codes for information about mqrc to determine why the object cannot be accessed. Correct the configuration, then issue a REFRESH SECURITY TYPE(CONNAUTH) command for the changes to become active.

csect-name application did not provide a password

An application connected without supplying a user ID and password for authentication and the queue manager is configured to require this type of application to supply one.

If this is a client application, the configuration attribute CHCKCLNT is set to REQUIRED. application is identified by channel name/connection details.

If this is a locally bound application, the configuration attribute CHCKLOCL is set to REQUIRED. application is identified by user id/application name.

If the connection authentication configuration was unable to be read, this message will also be seen. See messages CSQH041I and CSQH042I.

The connection fails and the application is returned 2035 (07F3) (RC2035): MQRC_NOT_AUTHORIZED.

Ensure all applications are updated to supply a user ID and password, or alter the connection authentication configuration to OPTIONAL instead of REQUIRED, to allow applications to connect that have not supplied a user ID and password.

If the connection authentication configuration was unable to be read, check for earlier error messages and make corrections based on what is reported.

After making configuration changes, issue a REFRESH SECURITY TYPE(CONNAUTH) command for the changes to become active.

If the application is a client application, the user ID and password can be supplied without changing the application code, by using a security exit, such as mqccred, which is supplied with the IBM MQ MQI client.

csect-name application supplied a password for user ID userid that has expired

An application connected and supplied a user ID userid and password for authentication. The password supplied has expired.

If this is a client application, application is identified as 'channel name'/'connection details'.

If this is a locally bound application, application is identified as 'running user id'/'application name'.

The connection fails and the application is returned 2035 (07F3) (RC2035): MQRC_NOT_AUTHORIZED.

Set a new password for userid using O/S facilities and retry the connect from the application using the new password.