Fixes are available
APAR status
Closed as program error.
Error description
Configuration:

Windows Application --> Intermediate Queue Manager --> Windows Target

UseridA --> MCAUSER UseridB on Unix --> UseridB      Fail AMQ8074
UseridA --> MCAUSER UseridB on Windows --> UseridB   Pass
UseridA --> MCAUSER UseridA on Unix --> UseridA      Pass

A Windows application or MQ Explorer using PCF commands to a target Windows queue manager generates an AMQ8074 error when routed through a Unix queue manager configured with an MCAUSER id on the SVRCONN channel that is different from the one passed by the application.

The Windows application uses the logged-on Userid (UseridA), which resolves the SID (Windows Security Identifier) correctly. This is passed to the UNIX queue manager using a server connection channel. The channel definition on the Unix queue manager has a different id set for the MCAUSER field (UseridB). The Unix queue manager then uses a regular sender/receiver pair to communicate with the target Windows queue manager. The target Windows queue manager tries to authenticate the Userid that was specified for the MCAUSER and fails with an AMQ8074 error even though that Userid is valid on this Windows system.

AMQ8074
MESSAGE: Authorization failed as the SID '<insert one>' does not match the entity '<insert two>'.
EXPLANATION: The Object Authority Manager received inconsistent data - the supplied SID does not match that of the supplied entity information.

Traces also show 2035 (MQRC_NOT_AUTHORIZED) to open the SYSTEM.ADMIN.COMMAND.QUEUE.

The Windows queue manager is trying to resolve the SID of the local user (UseridA) from the client application with the Userid in the MCAUSER field (UseridB) passed by the Unix queue manager, and they do not match. SIDs are unique to Windows, and it looks like this is passed to the intermediate queue manager and then sent on along with userid UseridB using the sender channel.

This does work if the intermediate queue manager is a Windows queue manager, as the new Userid is resolved with the correct SID.
This also works if the MCAUSER field is left blank on the UNIX queue manager or the MCAUSER field is set to the same Userid as the application is sending.
Local fix
Problem summary
****************************************************************
USERS AFFECTED:
Users of WebSphere MQ v7 and above routing PCF messages through Unix machines.

Platforms affected:
All Unix
****************************************************************
PROBLEM SUMMARY:
A Windows client communicating via an intermediate queue manager on Unix sends its SID value at connect time. When the client puts messages, the agent process at the Unix queue manager sets the user id to the MCAUSER set on the server connection channel. When default context is used, the UNIX machine copies the SID value from the client that sent the message and then passes this value to the destination Windows queue manager.

On the destination Windows queue manager we get the error "Authorization failed as SID S-x-x-xx-xxxxxxxxxx does not match that of entity abcd". The SID shown here is that of the originating client machine, and abcd is the MCAUSER set on the SVRCONN channel at the UNIX machine.

In the case of a Windows hub, the UserId is filled with the value of the MCAUSER, and since the SID value of this MCAUSER is calculated and sent, the message is put successfully to the destination Windows queue manager.

This happens when the put authority on the receiver channel at the Windows queue manager is set to context security. This results in an MQOPEN issued with the authority of the user set by the MQPUT, and hence the MQOPEN call fails with the above authorization error.

In the case of put authority set to default, the same authorization error happens, but this time it happens at the command server when it tries to put the reply of the PCF to the reply queue. Here again, the Userid is filled from the MQMD of the message received from the intermediate hub, which has the Userid filled with the MCAUSER set on the SVRCONN channel.
Problem conclusion
WebSphere MQ has been modified so that UNIX queue managers do not populate the SID field with the SID value taken from the client machine which was sent with the PCF request. Since UNIX does not have a concept of SID, this value is left blank and checks at the destination Windows queue manager no longer fail.

---------------------------------------------------------------
The fix is targeted for delivery in the following PTFs:

                   v7.0
Platform           Fix Pack 7.0.1.11
--------           --------------------
AIX                7.0.1.11
HP-UX (PA-RISC)    7.0.1.11
HP-UX (Itanium)    7.0.1.11
Solaris (SPARC)    7.0.1.11
Solaris (x86-64)   7.0.1.11
Linux (x86)        7.0.1.11
Linux (x86-64)     7.0.1.11
Linux (zSeries)    7.0.1.11
Linux (Power)      7.0.1.11

                   v7.1
Platform           Fix Pack 7.1.0.4
--------           --------------------
AIX                7.1.0.4
HP-UX (Itanium)    7.1.0.4
Solaris (SPARC)    7.1.0.4
Solaris (x86-64)   7.1.0.4
Linux (x86)        7.1.0.4
Linux (x86-64)     7.1.0.4
Linux (zSeries)    7.1.0.4
Linux (Power)      7.1.0.4

Platform           v7.5
--------           --------------------
Multiplatforms     7.5.0.3

The latest available maintenance can be obtained from 'WebSphere MQ Recommended Fixes'
http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006037

If the maintenance level is not yet available, information on its planned availability can be found in 'WebSphere MQ Planned Maintenance Release Dates'
http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006309
---------------------------------------------------------------
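An added triage example, not IBM code and not part of this APAR: it pulls the SID and entity out of AMQ8074 entries in the target Windows queue manager's error log and checks whether the intermediate Unix queue manager's V.R.M.F level already includes the fix levels listed above. The function names, the one-line log layout and the sample log (SID and user id included) are assumptions constructed for illustration.

```python
import re

# Fix Pack levels listed in this APAR, keyed by release line (version, release).
FIX_LEVELS = {(7, 0): (7, 0, 1, 11), (7, 1): (7, 1, 0, 4), (7, 5): (7, 5, 0, 3)}

# Message text as quoted in the error description of this APAR.
AMQ8074_RE = re.compile(
    r"AMQ8074:.*?the SID '([^']*)' does not match the entity '([^']*)'")

# Constructed sample log excerpt; the SID and user id are made up.
SAMPLE_LOG = """\
AMQ9001: Channel 'HUB.TO.TARGET' ended normally.
AMQ8074: Authorization failed as the SID 'S-1-5-21-1111111111-2222222222-3333333333-1001' does not match the entity 'useridb'.
"""

def fix_included(vrmf):
    """True/False if the level is on a release line listed above, else None."""
    parts = tuple(int(p) for p in vrmf.strip().split("."))
    if len(parts) != 4:
        raise ValueError("expected V.R.M.F, got %r" % vrmf)
    required = FIX_LEVELS.get(parts[:2])
    # Compare numerically: as strings, '7.0.1.9' would sort after '7.0.1.11'.
    return None if required is None else parts >= required

def find_sid_mismatches(log_text):
    """Return (sid, entity) pairs from AMQ8074 entries in the log text."""
    return AMQ8074_RE.findall(log_text)

def triage(target_log, hub_vrmf):
    """Heuristic: AMQ8074 on the target plus an unfixed Unix hub fits this APAR."""
    mismatches = find_sid_mismatches(target_log)
    fixed = fix_included(hub_vrmf)
    return {
        "mismatches": mismatches,
        "hub_has_fix": fixed,
        "matches_apar": bool(mismatches) and fixed is False,
    }

if __name__ == "__main__":
    print(triage(SAMPLE_LOG, "7.0.1.9"))
```

A match is only an indicator: the entity reported should also be the MCAUSER configured on the SVRCONN channel of the Unix queue manager, as described in the problem summary.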
Temporary fix
Comments
APAR Information
APAR number
IC90697
Reported component name
WMQ WINDOWS V7
Reported component ID
5724H7220
Reported release
701
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2013-03-07
Closed date
2013-05-30
Last modified date
2013-05-30
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
WMQ WINDOWS V7
Fixed component ID
5724H7220
Applicable component levels
R701 PSY
UP
Document Information
Modified date:
31 March 2023