IBM Support

IC90697: AMQ8074 GENERATED FOR WINDOWS QUEUE MANAGER WHEN PCF COMMANDS ARE ROUTED THROUGH A UNIX QUEUE MANAGER


APAR status

  • Closed as program error.

Error description

  • Configuration:
    
    Windows         Intermediate                      Windows
    Application --> Queue Manager                 --> Target
    
    UseridA     --> MCAUSER UseridB on Unix       --> UseridB Fail AMQ8074
    
    UseridA     --> MCAUSER UseridB on Windows    --> UseridB Pass
    
    UseridA     --> MCAUSER UseridA on Unix       --> UseridA Pass
    
    A Windows application or MQ Explorer sending PCF commands to a
    target Windows queue manager generates an AMQ8074 error when
    routed through a Unix queue manager configured with an MCAUSER
    id on the SVRCONN channel that is different from the one passed
    by the application. The Windows application uses the logged-on
    Userid (UseridA), which resolves the SID (Windows Security
    Identifier) correctly. This is passed to the Unix queue manager
    using a server connection channel. The channel definition on
    the Unix queue manager has a different id set for the MCAUSER
    field (UseridB).
    
    The Unix queue manager then uses a regular sender/receiver
    pair to communicate with the target Windows queue manager.
    The target Windows queue manager tries to authenticate the
    Userid that was specified for the MCAUSER and fails with an
    AMQ8074 error even though that Userid is valid on this Windows
    system.
    
    AMQ8074
    MESSAGE:
    Authorization failed as the SID '<insert one>' does not match
    the entity '<insert two>'.
    EXPLANATION:
    The Object Authority Manager received inconsistent data -
    the supplied SID does not match that of the supplied entity
    information.
    
    Traces also show 2035 (MQRC_NOT_AUTHORIZED) to open the
    SYSTEM.ADMIN.COMMAND.QUEUE.
    
    The Windows queue manager is trying to resolve the SID
    of the local user (UseridA) from the client application with
    the Userid in the MCAUSER field (UseridB) passed by
    the Unix queue manager, and they do not match. SIDs are unique
    to Windows, and it looks like the SID is passed to the intermediate
    queue manager and then sent on along with userid UseridB using
    the sender channel.
    
    This does work if the intermediate queue manager is a Windows
    queue manager, as the new Userid is resolved with the correct
    SID. This also works if the MCAUSER field is left blank on the
    Unix queue manager or the MCAUSER field is set to the same
    Userid as the application is sending.
    

Local fix

Problem summary

  • ****************************************************************
    USERS AFFECTED:
    Users of WebSphere MQ v7 and above routing PCF messages through
    Unix machines.
    
    Platforms affected:
    All Unix
    
    ****************************************************************
    PROBLEM SUMMARY:
    A Windows client communicating via an intermediate queue
    manager on Unix sends its SID value at connect time. When the
    client puts messages, the agent process at the Unix queue
    manager sets the user id to the MCAUSER set on the server
    connection channel. When default context is used, the Unix
    machine copies the SID value from the client that sent the
    message and then passes this value to the destination Windows
    queue manager.
    
    On the destination Windows queue manager we get the error
    "Authorization failed as SID S-x-x-xx-xxxxxxxxxx does not
    match that of entity abcd". The SID shown here is that of the
    originating client machine and abcd is the MCAUSER set on the
    SVRCONN channel at the Unix machine.
    
    In the case of a Windows hub, the UserId is filled with the
    value of the MCAUSER, and since the SID value of this MCAUSER is
    calculated and sent, the message is put successfully to the
    destination Windows queue manager.
    
    This happens when the put authority on the receiver channel
    at the Windows queue manager is set to context security. This
    results in an MQOPEN issued with the authority of the user set
    by the MQPUT, and hence the MQOPEN call fails with the above
    authorization error.
    
    In the case of put authority set to default, the same
    authorization error happens, but this time it happens at the
    command server when it tries to put the reply of the PCF to the
    reply queue. Here again, the Userid is filled from the MQMD of
    the message received from the intermediate hub, which has the
    Userid filled with the MCAUSER set on the SVRCONN channel.
    

Problem conclusion

  • WebSphere MQ has been modified so that Unix queue managers do
    not populate the SID field with the SID value taken from the
    client machine which was sent with the PCF request. Since Unix
    does not have a concept of SID, this value is instead left blank
    and checks at the destination Windows queue manager no longer
    fail.
    
    ---------------------------------------------------------------
    The fix is targeted for delivery in the following PTFs:
    
                       v7.0
    Platform           Fix Pack 7.0.1.11
    --------           --------------------
    AIX                7.0.1.11
    HP-UX (PA-RISC)    7.0.1.11
    HP-UX (Itanium)    7.0.1.11
    Solaris (SPARC)    7.0.1.11
    Solaris (x86-64)   7.0.1.11
    Linux (x86)        7.0.1.11
    Linux (x86-64)     7.0.1.11
    Linux (zSeries)    7.0.1.11
    Linux (Power)      7.0.1.11
    
                       v7.1
    Platform           Fix Pack 7.1.0.4
    --------           --------------------
    AIX                7.1.0.4
    HP-UX (Itanium)    7.1.0.4
    Solaris (SPARC)    7.1.0.4
    Solaris (x86-64)   7.1.0.4
    Linux (x86)        7.1.0.4
    Linux (x86-64)     7.1.0.4
    Linux (zSeries)    7.1.0.4
    Linux (Power)      7.1.0.4
    
    Platform           v7.5
    --------           --------------------
    Multiplatforms     7.5.0.3
    
    The latest available maintenance can be obtained from
    'WebSphere MQ Recommended Fixes'
    http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006037
    
    If the maintenance level is not yet available information on
    its planned availability can be found in 'WebSphere MQ
    Planned Maintenance Release Dates'
    http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006309
    ---------------------------------------------------------------
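
The context handling described in the Problem summary and Problem conclusion can be modelled in a few lines. This is an added example, not IBM code: a simplified Python model in which `hub_forward`, `target_check`, `route` and the SID strings are hypothetical, and the client and target are assumed to resolve each user to the same SID.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: account names come from the APAR, SID strings are
# placeholders for the values the target Windows system would resolve.
TARGET_SIDS = {"UseridA": "S-1-5-21-CONSTRUCTED-1001",
               "UseridB": "S-1-5-21-CONSTRUCTED-1002"}

@dataclass(frozen=True)
class Context:
    """Identity context carried with a message (simplified)."""
    user_id: str
    sid: Optional[str]  # None models a blank SID field

def client_connect(user: str) -> Context:
    # The Windows client sends its logged-on user id and that user's SID.
    return Context(user, TARGET_SIDS[user])

def hub_forward(ctx: Context, platform: str, mcauser: str = "",
                fixed: bool = False) -> Context:
    """Apply the SVRCONN MCAUSER on the intermediate queue manager."""
    user = mcauser or ctx.user_id      # blank MCAUSER keeps the client id
    if platform == "windows":
        sid = TARGET_SIDS[user]        # Windows hub recalculates the SID
    elif fixed:
        sid = None                     # fixed Unix hub leaves the SID blank
    else:
        sid = ctx.sid                  # pre-fix Unix hub copies the client SID
    return Context(user, sid)

def target_check(ctx: Context) -> str:
    """Target Windows check: a supplied SID must belong to the supplied entity."""
    expected = TARGET_SIDS.get(ctx.user_id)
    if expected is None:
        return "unknown user"
    if ctx.sid is not None and ctx.sid != expected:
        return "AMQ8074"
    return "pass"

def route(client: str, platform: str, mcauser: str = "", fixed: bool = False) -> str:
    return target_check(hub_forward(client_connect(client), platform, mcauser, fixed))

if __name__ == "__main__":
    for args in [("UseridA", "unix", "UseridB"), ("UseridA", "windows", "UseridB"),
                 ("UseridA", "unix", "UseridA"), ("UseridA", "unix", ""),
                 ("UseridA", "unix", "UseridB", True)]:
        print(args, "->", route(*args))
```

The first three cases reproduce the Fail/Pass rows of the configuration table; the last two cover the blank-MCAUSER case and a Unix hub with the fix applied.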
    

Temporary fix

Comments

APAR Information

  • APAR number

    IC90697

  • Reported component name

    WMQ WINDOWS V7

  • Reported component ID

    5724H7220

  • Reported release

    701

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2013-03-07

  • Closed date

    2013-05-30

  • Last modified date

    2013-05-30

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WMQ WINDOWS V7

  • Fixed component ID

    5724H7220

Applicable component levels

  • R701 PSY

       UP


Document Information

Modified date:
30 May 2013