IBM Support

IT11742: MFT is not reporting error when transfer request contains wildcard path outside sandbox

Subscribe to this APAR

By subscribing, you receive periodic emails alerting you to the status of the APAR, along with a link to the fix after it becomes available. You can track this item individually or track all items by product.

Notify me when this APAR changes.

Notify me when an APAR for this component changes.

 

APAR status

  • Closed as program error.

Error description

  • When the user had set up a sandbox environment, there was a
    difference in behaviour when transferring single files outside
    of the sandbox, compared to a wildcard transfer outside the
    sandbox. The single file transfer would return a Failure:
    
    BFGIO0056E: Attempt to read file "<FILE>" has been denied. The
    file is located outside of the restricted transfer sandbox.
    
    Whereas the wildcard transfer would return a Success message
    with no files transferred:
    
    BFGRP0036I: The transfer request has successfully completed,
    although no files were transferred.
    
    The user noted that this was unexpected as the wildcard transfer
    attempted to match files outside of the sandbox locations,
    therefore a failure was expected.
    

Local fix

Problem summary

  • ****************************************************************
    USERS AFFECTED:
    The issue affect users of:
    
    - WebSphere MQ File Transfer Edition (FTE) V7.0.4
    - WebSphere MQ Managed File Transfer (MFT) V7.5
    - IBM MQ Managed File Transfer (MFT) V8.0
    - IBM MQ Managed File Transfer (MFT) V9.0
    
    when using the User Sandbox and Agent Sandbox features with
    transfers defined using a wildcard character.
    
    
    Platforms affected:
    MultiPlatform
    
    ****************************************************************
    PROBLEM DESCRIPTION:
    If an agent had been configured with a user or agent sandbox (to
    restrict the locations that an agent could transfer files to and
    from), the behaviour of the agent was inconsistent when
    processing managed transfers that referenced transfer items
    outside of the sandbox. When a managed transfer containing a
    single transfer item for a specific file was attempted, where
    the transfer item was located outside of the user or agent
    sandbox, the managed transfer failed with the following error:
    
    BFGIO0056E: Attempt to read file "<FILE>" has been denied. The
    file is located outside of the restricted transfer sandbox.
    
    However, when a managed transfer containing a wildcard was
    attempted, where the wildcard caused the agent to look in
    directories located outside the sandbox, the managed transfer
    would complete successfully and the following message was
    returned:
    
    BFGRP0036I: The transfer request has successfully completed,
    although no files were transferred.
    
    This behaviour was incorrect. In the wildcard case, the managed
    transfer should have been marked as failed as it required the
    agent to look in directories outside of the user sandbox.
    

Problem conclusion

  • The issue has been corrected by adjusting the checks made on
    wildcard transfers when sandboxing has been enabled. New return
    messages are now produced when a wildcard transfer request is
    made to a location outside a configured sandbox location.
    
    The following message occurs when a wildcard file path in a
    transfer request is located outside of the restricted sandbox:
    
    BFGSS0077E: Attempt to read file path: <path> has been denied.
    The file path is located outside of the restricted transfer
    sandbox.
    
    
    The following message occurs when a transfer within a multiple
    transfer request contains a wildcard transfer request where the
    path is located outside of the restricted sandbox:
    
    BFGSS0078E: Attempt to read file path: <path> has been ignored
    as another transfer item in the managed transfer attempted to
    read outside of the restricted transfer sandbox.
    
    
    The following message occurs when a file is located outside of
    the restricted sandbox:
    
    BFGSS0079E: Attempt to read file <file path> has been denied.
    The file is located outside of the restricted transfer sandbox.
    
    
    The following message occurs in a multiple transfer request
    where another wildcard transfer request has caused this one to
    be ignored:
    
    BFGSS0080E: Attempt to read file: <file path> has been ignored
    as another transfer item in the managed transfer attempted to
    read outside of the restricted transfer sandbox.
    
    
    To protect customers who may have working transfers that include
    wildcards outside the sandbox the new function has been
    protected by a new agent property
    "additionalWildcardSandboxChecking". When this is set to true,
    the additional checking will be enabled and wildcards transfer
    attempts outside the sandbox will fail. If the property is
    omitted or set to false then the original behaviour will remain
    unchanged.
    
    ---------------------------------------------------------------
    The fix is targeted for delivery in the following PTFs:
    
    Version    Maintenance Level
    v7.0       7.0.4.7
    v7.5       7.5.0.8
    v8.0       8.0.0.6
    v9.0 CD    9.0.1
    v9.0 LTS   9.0.0.1
    
    The latest available FTE maintenance can be obtained from
    'Fix List for WebSphere MQ File Transfer Edition 7.0'
    http://www-01.ibm.com/support/docview.wss?uid=swg27015313
    
    The latest available MQ maintenance can be obtained from
    'WebSphere MQ Recommended Fixes'
    http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006037
    
    If the maintenance level is not yet available information on
    its planned availability can be found in 'WebSphere MQ
    Planned Maintenance Release Dates'
    http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006309
    ---------------------------------------------------------------
    

Temporary fix

Comments

APAR Information

  • APAR number

    IT11742

  • Reported component name

    WMQ FILE TRANSF

  • Reported component ID

    5724R1000

  • Reported release

    704

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2015-10-13

  • Closed date

    2016-08-16

  • Last modified date

    2017-06-01

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WMQ FILE TRANSF

  • Fixed component ID

    5724R1000

Applicable component levels

  • R704 PSY

       UP

[{"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SSEP7X","label":"WebSphere MQ File Transfer Edition"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"7.0.4","Edition":"","Line of Business":{"code":"LOB36","label":"IBM Automation"}}]

Document Information

Modified date:
01 June 2017