IBM Support

IT12728: WITHIN MFT, USER SANDBOXES AND COMMANDPATH DO NOT WORK PROPERLY WHEN USED TOGETHER.

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • A WebSphere MQ V7.5.0.1 Managed File Transfer agent has
    configured with a user sandbox that allows all users to read to,
    and write from, the directory C:\temp. The agent has also been
    set up with the agent property commandPath set to the value
    "C:\".
    
    In this configuration, the agent can perform managed transfers
    that move transfer items files to and from the directory
    C:\temp.
    
    After migrating to the MQ V8 Managed File Transfer component,
    and using the same configuration, the agent is unable to perform
    managed transfers which move transfer items to and from C:\temp.
    When the agent tries to do this, the transfer item fails with
    errors similar to the one shown below:
    
    BFGIO0056E: Attempt to read file "C:\temp\myFile.txt" has been
    denied. The file is located outside of the restricted transfer
    sandbox.
    

Local fix

Problem summary

  • ****************************************************************
    USERS AFFECTED:
    This issue affects users of the:
    
    - The MQ V8 Managed File Transfer component
    
    who have migrated from:
    
    - A WebSphere MQ V7.5.0.1 (or earlier) installation
    - or WebSphere MQ V7.5.0.2 (or later) installation that does not
    have the installation property enableFunctionalFixPack=7502 set
    
    and have agents that:
    
    - Have been configured to use either user sandboxes or an agent
    sandbox.
    - and have the agent property commandPath set.
    
    
    Platforms affected:
    MultiPlatform
    
    ****************************************************************
    PROBLEM DESCRIPTION:
    The agent property:
    
      commandPath
    
    is used to specify the directories where the Managed File
    Transfer agents and managed calls can run commands from. Setting
    this property has implications for any user sandboxes or agent
    sandboxes that might have been configured for the agent.
    
    ************************************************************
    Agent Sandboxes:
    ----------------------
    When using either:
    
    - the WebSphere MQ V7.5.0.1 Managed File Transfer component (and
    earlier)
    - the WebSphere MQ V7.5.0.2 Managed File Transfer component (or
    later) on an installation that does not have the installation
    property enableFunctionalFixPack=7502 set
    
    if an agent is not configured with an agent sandbox, because the
    agent property:
    
      sandboxRoot
    
    is not set, then a new agent sandbox is automatically set up for
    the agent, and the directories specified by the commandPath
    property are added to the list of denied directories.
    
    If the agent is configured with an agent sandbox, and the
    sandbox does not contain any allowed directories, then the
    directories specified by the commandPath property are added to
    the list of denied directories. However, if the agent sandbox
    contains at least one allowed directory, then the directories
    specified by the commandPath are not added to the list of denied
    directories.
    
    
    When using either:
    
    - the WebSphere MQ V7.5.0.2 Managed File Transfer component (or
    later) on an installation that has the installation property
    enableFunctionalFixPack=7502 set
    - the MQ V8.0 Managed File Transfer component
    
    if an agent is not configured to use an agent sandbox, then a
    new sandbox is set up automatically, and the directories
    specified by the commandPath are added to the denied
    directories.
    
    If the agent is configured with an agent sandbox, then the
    directories specified by the commandPath property are added to
    the list of denied directories.
    
    ************************************************************
    User Sandboxes:
    ----------------------
    When using either:
    
    - the WebSphere MQ V7.5.0.1 Managed File Transfer component (and
    earlier)
    - the WebSphere MQ V7.5.0.2 Managed File Transfer component (or
    later) on an installation that does not have the installation
    property enableFunctionalFixPack=7502 set
    
    if an agent is configured with a user sandbox, then the
    directories specified by the commandPath are not added to the
    read and write exclude lists for all of the user sandboxes.
    
    However, when using either:
    
    - the WebSphere MQ V7.5.0.2 Managed File Transfer component (or
    later) on an installation that has the installation property
    enableFunctionalFixPack=7502 set
    - the MQ V8.0 Managed File Transfer component
    
    the directories specified by the commandPath property (and all
    of their subdirectories) are automatically added to the read and
    write exclude lists for all of the user sandboxes.
    
    ************************************************************
    
    The behavioural differences between the way the commandPath was
    handled meant that it was not possible to override it using
    either an agent sandbox or user sandboxes when using either:
    
    - the WebSphere MQ V7.5.0.2 Managed File Transfer component (or
    later) on an installation that has the installation property
    enableFunctionalFixPack=7502 set
    - the MQ V8.0 Managed File Transfer component
    
    If the commandPath was set for an agent, then the directories
    specified by the commandPath property (and all of their
    subdirectories) were automatically added to the denied
    directories for either the agent sandbox or, the user sandboxes
    associated with the agent. As a result, the agent could not
    perform any managed transfers into any of these directories.
    
    This caused a migration issue from customers who had upgraded
    from either:
    
    - the WebSphere MQ V7.5.0.1 Managed File Transfer component (and
    earlier)
    - the WebSphere MQ V7.5.0.2 Managed File Transfer component (or
    later) on an installation that does not have the installation
    property enableFunctionalFixPack=7502 set
    

Problem conclusion

  • In order to resolve this issue, a new agent property:
    
      addCommandPathToSandbox
    
    has been added to the MQ V8 Managed File Transfer component.
    This property is used to determine whether the directories
    specified by the commandPath property (and all of their
    subdirectories) should be added to the denied paths for both
    user sandboxes and the agent sandbox. The default value of this
    property is true, which means that V8 agents which are running
    on an installation that contains the fix for this APAR will
    continue to work as they currently do today.
    
    When the property is set to the value:
    
      false
    
    then V8 agents will behave in the following way:
    
    - If the agent is not configured with an agent sandbox, then a
    new sandbox is automatically set up and the directories
    specified by the commandPath are added to the list of denied
    directories.
    - If the agent is configured with an agent sandbox, and the
    sandbox does not contain any allowed directories, then the
    directories specified by the commandPath are added to the list
    of denied directories for the sandbox.
    - If the agent is configured with an agent sandbox, and the
    sandbox contains at least one allowed directory, then the
    directories specified by the commandPath property are not added
    to the list of denied directories.
    
    - If the agent is configured to use user sandboxes, then the
    directories specified by the commandPath are not added to the
    read and write exclude lists.
    
    This allows V8 agents to behave in the same way as agents
    running using:
    
    - the WebSphere MQ V7.5.0.1 Managed File Transfer component (and
    earlier)
    - the WebSphere MQ V7.5.0.2 Managed File Transfer component (or
    later) on an installation that does not have the installation
    property enableFunctionalFixPack=7502 set
    
    ---------------------------------------------------------------
    The fix is targeted for delivery in the following PTFs:
    
    Version    Maintenance Level
    v8.0       8.0.0.5
    
    The latest available FTE maintenance can be obtained from
    'Fix List for WebSphere MQ File Transfer Edition 7.0'
    http://www-01.ibm.com/support/docview.wss?uid=swg27015313
    
    The latest available MQ maintenance can be obtained from
    'WebSphere MQ Recommended Fixes'
    http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006037
    
    If the maintenance level is not yet available information on
    its planned availability can be found in 'WebSphere MQ
    Planned Maintenance Release Dates'
    http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006309
    ---------------------------------------------------------------
    

Temporary fix

Comments

APAR Information

  • APAR number

    IT12728

  • Reported component name

    WMQ MFT V8.0

  • Reported component ID

    5724H7252

  • Reported release

    800

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2015-12-10

  • Closed date

    2016-03-11

  • Last modified date

    2016-03-11

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WMQ MFT V8.0

  • Fixed component ID

    5724H7252

Applicable component levels

  • R800 PSY

       UP

[{"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SSYHRD","label":"IBM MQ"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"8.0","Edition":"","Line of Business":{"code":"LOB36","label":"IBM Automation"}}]

Document Information

Modified date:
11 March 2016