IBM Support

IT11645: AN IBM MQ V8 CLIENT CONNECTION IS INCORRECTLY ALLOWED WHEN PASSWORDPROTECTION=ALWAYS AND USER_AUTHENTICATION_MQCSP=FALSE.

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • When using an IBM MQ v8 server and IBM MQ v8 Java or JMS client,
    if
    PasswordProtection attribute under the qm.ini Channels stanza is
    set to 'always' and USER_AUTHENTICATION_MQCSP is not set
    or specifically set to false (compatibility mode), the
    connection
    is authenticated and allowed.
    
    As PasswordProtection=always, we would expect the connection to
    fail in the same way that a pre-v8 client would.
    

Local fix

Problem summary

  • ****************************************************************
    USERS AFFECTED:
    Users of the PasswordProtection attribute under the qm.ini
    Channels stanza may be affected by this issue.
    
    
    Platforms affected:
    MultiPlatform
    
    ****************************************************************
    PROBLEM DESCRIPTION:
    An IBM MQ v8 JMS client is able to connect to an IBM MQ v8 queue
    manager if the PasswordProtection attribute under the qm.ini
    Channels stanza is set to 'always', and the
    USER_AUTHENTICATION_MQCSP connection property is either unset,
    or set to false.
    
    This behaviour is not expected since the default behaviour for
    an IBM MQ v8 JMS client is to send user identifiers and
    passwords in plain text, unless USER_AUTHENTICATION_MQCSP is set
    to true.  Setting PasswordProtection=always should prohibit the
    connection from succeeding unless either SSL/TLS is being used,
    or MQCSP password protection is enabled.
    

Problem conclusion

  • The code has been modified so that connections from IBM MQ v8
    JMS client connections are rejected if the following are true:
    
    1. PasswordProtection=always in qm.ini AND
    2. The client has provided an MQCD password and userid AND
    3. SSL/TLS is not being used AND
    4. The queue manager has not seen an MQCSP flow from the client
    
    ---------------------------------------------------------------
    The fix is targeted for delivery in the following PTFs:
    
    Version    Maintenance Level
    v8.0       8.0.0.5
    
    The latest available maintenance can be obtained from
    'WebSphere MQ Recommended Fixes'
    http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006037
    
    If the maintenance level is not yet available information on
    its planned availability can be found in 'WebSphere MQ
    Planned Maintenance Release Dates'
    http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006309
    ---------------------------------------------------------------
    

Temporary fix

Comments

APAR Information

  • APAR number

    IT11645

  • Reported component name

    WMQ BASE MULTIP

  • Reported component ID

    5724H7251

  • Reported release

    800

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2015-10-08

  • Closed date

    2016-01-28

  • Last modified date

    2016-02-04

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WMQ BASE MULTIP

  • Fixed component ID

    5724H7251

Applicable component levels

  • R800 PSY

       UP

[{"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SSYHRD","label":"IBM MQ"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"8.0.0.0","Edition":"","Line of Business":{"code":"LOB36","label":"IBM Automation"}}]

Document Information

Modified date:
04 February 2016