IBM Support

IC66224: JAVA SECURITY MANAGER CONFIGURATION DOES NOT CONTAIN COMPREHENSIVE PERMISSIONS


APAR status

  • Closed as program error.

Error description

  • When configuring the Java Security Manager to work with
    WebSphere MQ clients, the sample permissions provided in the
    manual are not comprehensive.  With the current permissions,
    AccessControlException errors occur.
    

Local fix

Problem summary

  • ****************************************************************
    USERS AFFECTED:
    This issue affects users of the WebSphere MQ classes for
    Java and the WebSphere MQ classes for Java Message Service (JMS)
    who enable a Java Security Manager.
    
    Platforms affected:
    All Distributed (iSeries, all Unix and Windows) +Java
    ****************************************************************
    PROBLEM SUMMARY:
    The problem was caused by 2 factors:
    
    1. The WebSphere MQ classes for Java/JMS client requires more
    permissions than detailed in the manuals.
    
    2. The WebSphere MQ classes for Java/JMS client did not always
    make calls that require security manager clearance within an
    AccessController.doPrivileged block, and so the security manager
    rejected the request.
    

Problem conclusion

  • The MQ Java client has been updated to correctly issue requests
    that require security permissions.
    
    The permissions required by the WebSphere MQ classes for
    Java/JMS have been determined as follows, and the Using Java
    manual will be updated accordingly:
    
    
    //Section required for both WebSphere MQ classes for Java and JMS
    
    grant codeBase "file:/opt/mqm/java/lib/com.ibm.mq.jmqi.jar" {
      //Required
      permission java.util.PropertyPermission "user.name","read";
      permission java.util.PropertyPermission "os.name","read";
      //For the client transport type.
      permission java.net.SocketPermission "*","connect";
      //For the bindings transport type.
      permission java.lang.RuntimePermission "loadLibrary.*";
      //For applications that use CCDT tables (access to the CCDT AMQCLCHL.TAB)
      permission java.io.FilePermission
        "/var/mqm/qmgrs/QMGR/@ipcc/AMQCLCHL.TAB","read";
      //For applications that use User Exits
      permission java.io.FilePermission "/var/mqm/exits/*","read";
      permission java.lang.RuntimePermission "createClassLoader";
      //Required for the z/OS platform
      permission java.util.PropertyPermission
        "com.ibm.vm.bitmode","read";
      //Required if mqclient.ini/mqs.ini configuration files are used
      permission java.io.FilePermission "/var/mqm/mqclient.ini",
        "read";
      permission java.io.FilePermission "/var/mqm/mqs.ini","read";
    };
    
    
    //Only required for WebSphere MQ classes for JMS applications
    
    grant codeBase "file:/opt/mqm/java/lib/com.ibm.mqjms.jar" {
      permission java.util.PropertyPermission "user.name","read";
      permission java.util.PropertyPermission "os.name","read";
      permission java.util.PropertyPermission "console.encoding",
        "read";
      permission java.lang.RuntimePermission "setContextClassLoader";
      //tracing permissions
      permission java.util.PropertyPermission
        "com.ibm.msg.client.commonservices.*","read";
      permission java.util.PropertyPermission
        "MQJMS_TRACE_LEVEL","read";
      permission java.util.logging.LoggingPermission "control";
      //Wherever trace output is expected
      permission java.io.FilePermission "/tmp/*","read,write";
      //Required for the z/OS platform
      permission java.util.PropertyPermission
        "com.ibm.vm.bitmode","read";
    };
    
    
    //Only required for WebSphere MQ classes for Java applications
    
    grant codeBase
      "file:/opt/mqm/java/lib/com.ibm.mq.commonservices.jar" {
      permission java.util.PropertyPermission "user.dir","read";
      permission java.util.PropertyPermission "line.separator","read";
      //tracing permissions
      permission java.util.logging.LoggingPermission "control";
      permission java.util.PropertyPermission
        "com.ibm.mq.commonservices", "read";
      //For access to the trace properties file.
      permission java.io.FilePermission
        "/tmp/trace.properties", "read";
      //For access to the trace output files.
      permission java.io.FilePermission "/tmp/*", "read,write";
    };
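
A way to review the grants above before deploying them, as an added example that is not IBM's code: it parses `grant codeBase` blocks and flags the wildcard entries an installation will usually want to narrow. The function names and the four review rules are this example's assumptions, and the sample policy is constructed from entries on this page.

```python
import re

# Constructed sample: entries copied from the grants listed in this APAR.
SAMPLE_POLICY = '''
grant codeBase "file:/opt/mqm/java/lib/com.ibm.mq.jmqi.jar" {
  permission java.util.PropertyPermission "user.name","read";
  //For the client transport type.
  permission java.net.SocketPermission "*","connect";
  permission java.lang.RuntimePermission "loadLibrary.*";
  permission java.io.FilePermission
    "/var/mqm/exits/*","read";
  permission java.lang.RuntimePermission "createClassLoader";
};
grant codeBase "file:/opt/mqm/java/lib/com.ibm.mqjms.jar" {
  permission java.io.FilePermission "/tmp/*","read,write";
};
'''

GRANT_RE = re.compile(r'grant\s+codeBase\s+"([^"]+)"\s*\{(.*?)\}\s*;', re.S)
PERM_RE = re.compile(r'permission\s+([\w.$]+)\s+"([^"]*)"(?:\s*,\s*"([^"]*)")?\s*;')

def parse_policy(text):
    """Return (codeBase, class, target, actions) for every permission entry."""
    text = re.sub(r'^\s*//.*$', '', text, flags=re.M)  # drop whole-line // comments
    entries = []
    for code_base, body in GRANT_RE.findall(text):
        for cls, target, actions in PERM_RE.findall(body):
            entries.append((code_base, cls, target, actions.split(',') if actions else []))
    return entries

def review(cls, target, actions):
    """Return a reason when a grant is broader than one deployment needs, else None."""
    if cls == 'java.net.SocketPermission' and target.split(':')[0] == '*':
        return 'connect allowed to any host; name the queue manager host:port'
    if cls == 'java.lang.RuntimePermission' and target == 'loadLibrary.*':
        return 'any native library may be loaded; only for the bindings transport'
    if cls == 'java.lang.RuntimePermission' and target == 'createClassLoader':
        return 'class loader creation; only for applications that use user exits'
    if cls == 'java.io.FilePermission' and target.startswith('/tmp/') and 'write' in actions:
        return 'write access to a shared temp directory; use a dedicated trace directory'
    return None

def findings(text):
    # (jar file name, permission target, reason) for each flagged entry
    out = [(cb.rsplit('/', 1)[-1], tgt, review(cls, tgt, acts))
           for cb, cls, tgt, acts in parse_policy(text)]
    return [f for f in out if f[2]]

if __name__ == '__main__':
    for jar, target, why in findings(SAMPLE_POLICY):
        print(f'{jar}: "{target}" -> {why}')
```
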
    
    ---------------------------------------------------------------
    The fix is targeted for delivery in the following PTFs:
    
    Platform           v7.0 Fix Pack 7.0.1.3
    --------           ---------------------
    Windows            U200320
    AIX                U834987
    HP-UX (PA-RISC)    U834414
    HP-UX (Itanium)    U834413
    Solaris (SPARC)    U834986
    Solaris (x86-64)   U834210
    iSeries            tbc_p700_0_1_3
    Linux (x86)        U834415
    Linux (x86-64)     U834985
    Linux (zSeries)    U834412
    Linux (Power)      U835662
    
    The latest available maintenance can be obtained from
    'WebSphere MQ Recommended Fixes'
    http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006037
    
    If the maintenance level is not yet available, information on
    its planned availability can be found in 'WebSphere MQ
    Planned Maintenance Release Dates'
    http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006309
    ---------------------------------------------------------------
    

Temporary fix

Comments

APAR Information

  • APAR number

    IC66224

  • Reported component name

    WMQ WINDOWS V7

  • Reported component ID

    5724H7220

  • Reported release

    701

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2010-02-11

  • Closed date

    2010-04-28

  • Last modified date

    2010-08-10

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WMQ WINDOWS V7

  • Fixed component ID

    5724H7220

Applicable component levels

  • R701 PSY

       UP


Document Information

Modified date:
10 August 2010