APAR status
Closed as program error.
Error description
A WebSphere MQ V7.5.0.1 Managed File Transfer agent has been configured with a user sandbox that allows all users to read from, and write to, the directory C:\temp. The agent has also been set up with the agent property commandPath set to the value "C:\".

In this configuration, the agent can perform managed transfers that move transfer items to and from the directory C:\temp.

After migrating to the MQ V8 Managed File Transfer component, and using the same configuration, the agent is unable to perform managed transfers which move transfer items to and from C:\temp. When the agent tries to do this, the transfer item fails with errors similar to the one shown below:

BFGIO0056E: Attempt to read file "C:\temp\myFile.txt" has been denied. The file is located outside of the restricted transfer sandbox.
Local fix
Problem summary
****************************************************************
USERS AFFECTED:
This issue affects users of the MQ V8 Managed File Transfer component who have migrated from:
- a WebSphere MQ V7.5.0.1 (or earlier) installation
- or a WebSphere MQ V7.5.0.2 (or later) installation that does not have the installation property enableFunctionalFixPack=7502 set
and have agents that:
- have been configured to use either user sandboxes or an agent sandbox
- and have the agent property commandPath set.

Platforms affected:
MultiPlatform
****************************************************************
PROBLEM DESCRIPTION:
The agent property commandPath is used to specify the directories where the Managed File Transfer agents and managed calls can run commands from. Setting this property has implications for any user sandboxes or agent sandboxes that might have been configured for the agent.

************************************************************
Agent Sandboxes:
----------------------
When using either:
- the WebSphere MQ V7.5.0.1 Managed File Transfer component (and earlier)
- the WebSphere MQ V7.5.0.2 Managed File Transfer component (or later) on an installation that does not have the installation property enableFunctionalFixPack=7502 set
if an agent is not configured with an agent sandbox, because the agent property sandboxRoot is not set, then a new agent sandbox is automatically set up for the agent, and the directories specified by the commandPath property are added to the list of denied directories.

If the agent is configured with an agent sandbox, and the sandbox does not contain any allowed directories, then the directories specified by the commandPath property are added to the list of denied directories. However, if the agent sandbox contains at least one allowed directory, then the directories specified by the commandPath property are not added to the list of denied directories.

When using either:
- the WebSphere MQ V7.5.0.2 Managed File Transfer component (or later) on an installation that has the installation property enableFunctionalFixPack=7502 set
- the MQ V8.0 Managed File Transfer component
if an agent is not configured to use an agent sandbox, then a new sandbox is set up automatically, and the directories specified by the commandPath are added to the denied directories.

If the agent is configured with an agent sandbox, then the directories specified by the commandPath property are added to the list of denied directories.

************************************************************
User Sandboxes:
----------------------
When using either:
- the WebSphere MQ V7.5.0.1 Managed File Transfer component (and earlier)
- the WebSphere MQ V7.5.0.2 Managed File Transfer component (or later) on an installation that does not have the installation property enableFunctionalFixPack=7502 set
if an agent is configured with a user sandbox, then the directories specified by the commandPath are not added to the read and write exclude lists for all of the user sandboxes.

However, when using either:
- the WebSphere MQ V7.5.0.2 Managed File Transfer component (or later) on an installation that has the installation property enableFunctionalFixPack=7502 set
- the MQ V8.0 Managed File Transfer component
the directories specified by the commandPath property (and all of their subdirectories) are automatically added to the read and write exclude lists for all of the user sandboxes.

************************************************************
The behavioural differences in the way the commandPath was handled meant that it was not possible to override it using either an agent sandbox or user sandboxes when using either:
- the WebSphere MQ V7.5.0.2 Managed File Transfer component (or later) on an installation that has the installation property enableFunctionalFixPack=7502 set
- the MQ V8.0 Managed File Transfer component

If the commandPath was set for an agent, then the directories specified by the commandPath property (and all of their subdirectories) were automatically added to the denied directories for either the agent sandbox or the user sandboxes associated with the agent. As a result, the agent could not perform any managed transfers into any of these directories.

This caused a migration issue for customers who had upgraded from either:
- the WebSphere MQ V7.5.0.1 Managed File Transfer component (and earlier)
- the WebSphere MQ V7.5.0.2 Managed File Transfer component (or later) on an installation that does not have the installation property enableFunctionalFixPack=7502 set
Problem conclusion
In order to resolve this issue, a new agent property, addCommandPathToSandbox, has been added to the MQ V8 Managed File Transfer component. This property is used to determine whether the directories specified by the commandPath property (and all of their subdirectories) should be added to the denied paths for both user sandboxes and the agent sandbox.

The default value of this property is true, which means that V8 agents which are running on an installation that contains the fix for this APAR will continue to work as they currently do today.

When the property is set to the value false, V8 agents will behave in the following way:
- If the agent is not configured with an agent sandbox, then a new sandbox is automatically set up and the directories specified by the commandPath are added to the list of denied directories.
- If the agent is configured with an agent sandbox, and the sandbox does not contain any allowed directories, then the directories specified by the commandPath are added to the list of denied directories for the sandbox.
- If the agent is configured with an agent sandbox, and the sandbox contains at least one allowed directory, then the directories specified by the commandPath property are not added to the list of denied directories.
- If the agent is configured to use user sandboxes, then the directories specified by the commandPath are not added to the read and write exclude lists.

This allows V8 agents to behave in the same way as agents running using:
- the WebSphere MQ V7.5.0.1 Managed File Transfer component (and earlier)
- the WebSphere MQ V7.5.0.2 Managed File Transfer component (or later) on an installation that does not have the installation property enableFunctionalFixPack=7502 set

---------------------------------------------------------------
The fix is targeted for delivery in the following PTFs:

Version    Maintenance Level
v8.0       8.0.0.5

The latest available FTE maintenance can be obtained from 'Fix List for WebSphere MQ File Transfer Edition 7.0'
http://www-01.ibm.com/support/docview.wss?uid=swg27015313

The latest available MQ maintenance can be obtained from 'WebSphere MQ Recommended Fixes'
http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006037

If the maintenance level is not yet available, information on its planned availability can be found in 'WebSphere MQ Planned Maintenance Release Dates'
http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006309
---------------------------------------------------------------
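
The commandPath rules described in this APAR, as an added example that is not IBM's code: a Python model of when the commandPath directories are denied, applied to the C:\temp case from the error description. The function names and the sandbox labels "none", "agent" and "user" are assumptions made for illustration, and the model covers only the commandPath rule, not the rest of sandbox evaluation.

```python
from pathlib import PureWindowsPath

def command_path_denied(add_command_path_to_sandbox, sandbox_kind, allowed_dirs=()):
    """True when the commandPath directories are placed on the denied/exclude
    list. sandbox_kind is "none", "agent" or "user" (labels made up here)."""
    if add_command_path_to_sandbox:
        # V8 default (and 7.5.0.2+ with enableFunctionalFixPack=7502):
        # always denied, whichever sandbox type is in use.
        return True
    if sandbox_kind == "user":
        return False                     # not added to read/write exclude lists
    if sandbox_kind == "agent":
        return len(allowed_dirs) == 0    # denied only if nothing is allowed
    if sandbox_kind == "none":
        return True                      # auto-created sandbox denies commandPath
    raise ValueError(f"unknown sandbox kind: {sandbox_kind!r}")

def under_command_path(item, command_path_dirs):
    """True if item is a commandPath directory or lies below one.
    PureWindowsPath compares case-insensitively, as Windows paths do."""
    p = PureWindowsPath(item)
    for d in map(PureWindowsPath, command_path_dirs):
        if p == d or d in p.parents:
            return True
    return False

def blocked_by_command_path(item, command_path_dirs, add_command_path_to_sandbox,
                            sandbox_kind, allowed_dirs=()):
    """Would the commandPath rule alone cause the transfer item to be refused?"""
    return (command_path_denied(add_command_path_to_sandbox, sandbox_kind, allowed_dirs)
            and under_command_path(item, command_path_dirs))

if __name__ == "__main__":
    # Values taken from the error description: commandPath=C:\ and a file in C:\temp.
    item, cmd_dirs = r"C:\temp\myFile.txt", ["C:\\"]
    cases = (("user", ()), ("agent", ()), ("agent", [r"C:\temp"]), ("none", ()))
    for flag in (True, False):
        for kind, allowed in cases:
            hit = blocked_by_command_path(item, cmd_dirs, flag, kind, allowed)
            print(f"addCommandPathToSandbox={flag!s:5} sandbox={kind:5} "
                  f"allowed={list(allowed)!s:14} -> "
                  f"{'DENIED' if hit else 'not denied by commandPath'}")
```

Running it prints the full matrix for both values of addCommandPathToSandbox, which makes it easy to see which agent configurations change behaviour after migration.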
Temporary fix
Comments
APAR Information
APAR number
IT12728
Reported component name
WMQ MFT V8.0
Reported component ID
5724H7252
Reported release
800
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2015-12-10
Closed date
2016-03-11
Last modified date
2016-03-11
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
WMQ MFT V8.0
Fixed component ID
5724H7252
Applicable component levels
R800 PSY
UP
Document Information
Modified date:
11 March 2016