IBM Support

IT14762: JMS and Java applications require the ability to specify the MQdata directory location.

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • Upon first use, the Java MQI implementation, which underpins the
MQ classes for JMS and MQ classes for Java APIs, initialises and
attempts to locate "mqclient.ini" and "mqs.ini" files.  Once
located, these configuration files are then parsed to determine
configuration parameters.

For the "mqclient.ini" file, the locations searched by the Java
MQI are as follows:

    a) The location specified by the environment variable
       "MQCLNTCF" defined on the system

    b) The current working directory for the JVM

    c) The data directory for IBM MQ, for example:
           "/var/mqm" for UNIX platforms
           "C:\Program Files\IBM\Websphere MQ" for Windows

    d) The home directory of the user that started the JVM


For the "mqs.ini" configuration file, locations b), c) and d)
are searched.


In the case where:

    (1) Classes for JMS or classes for Java application is
        running on the Windows platforms

AND

    (2) The "mqclient.ini" and/or "mqs.ini" file exists in
        the data directory for IBM MQ

The Java MQI will attempt to query the Windows Registry to
determine the data directory used by IBM MQ by invoking the
Windows "reg.exe" application in a separate process.

When the application is running in a Java Runtime that has the
Java Security Manager enabled, the following permission must be
set in order for the Windows "reg.exe" application to be invoked
without an AccessControlException:

permission java.io.FilePermission "<<ALL FILES>>","execute";


For example:

grant codeBase
"file:MQ_INSTALLATION_PATH/java/lib/com.ibm.mq.allclient.jar" {
  permission java.io.FilePermission "<<ALL FILES>>","execute";
 };

This APAR adds the ability to set either a Java System Property
or system environment variable that
specifies the location of the MQ Data Directory.

As such, the above <<ALL FILES>> with "execute" Java Security
Manager FilePermission does not need to be granted to the Java
MQI code.

Local fix

  • 



Problem summary


    

  • ****************************************************************
USERS AFFECTED:
This issue affects users of the

  - IBM MQ V8 classes for JMS
  - IBM MQ V8 classes for Java

who are using the Java Security Manager and have specific
configuration properties within the "mqclient.ini" and/or
"mqs.ini" files which are located in the MQ data directory.


Platforms affected:
Windows

****************************************************************
PROBLEM DESCRIPTION:
On Windows platforms, the Java MQI attempted to determine the
IBM MQ data path by issuing a query against the Windows
Registry.  Once the IBM MQ data path was known, the Java MQI
attempted to find the "mqclient.ini" and "mqs.ini" configuration
files it contained to parse.

When running an application within a Java Runtime that enabled
the Java Security Manager, the following Permission was required
in order for the Java MQI to invoke the Windows Registry and
issue the required query:

permission java.io.FilePermission "<<ALL FILES>>","execute";

This permission was required for the "com.ibm.mq.jmqi.jar" file
or the "com.ibm.mq.allclient.jar" file, depending on which was
being used by the application, because the Java MQI does not
provide an absolute path to reg.exe which it attempts to invoke.

Setting this FilePermission access may not be desirable within a
secure environment because a file path consisting of special
token "<<ALL FILES>>" matches any file, meaning that malicious
code running within the JVM would have access to be able to run
all executable programs on the system.

    



Problem conclusion


    

  • This APAR adds support for the following Java System Property:

  com.ibm.mq.cfg.MQ_DATA_PATH

and the system environment variable:

  MQ_DATA_PATH

which can be used to specify the location of the IBM MQ Data
Path.  Examples of how to do this on the Windows platform are as
follows:

Java System Property:

java -Dcom.ibm.mq.cfg.MQ_DATA_PATH="C:\Program
Files\IBM\Websphere MQ" MyClass

To use the system environment variable:

set MQ_DATA_PATH="C:\Program Files\IBM\Websphere MQ"
java MyClass


When either of these variables are used, the value provided is
used by the Java MQI when it attempts to locate the
"mqclient.ini" and "mqs.ini" configuration files.  In this case,
on Windows platforms, the Windows Registry is not queried.


The required Java Security Manager Permission to read the
"com.ibm.mq.cfg.MQ_DATA_PATH" Java System Property is:

permission java.util.PropertyPermission
"com.ibm.mq.cfg.*","read";


The required Java Security Manager Permission to read the
"MQ_DATA_PATH" system environment variable is:

permission java.lang.RuntimePermission "getenv.MQ_DATA_PATH";


Note that while this APAR is specifically concerned with the
Java Security Manager permissions needed to to run the "reg.exe"
program on Windows, the above environment and JVM properties are
available for use on all platforms.

---------------------------------------------------------------
The fix is targeted for delivery in the following PTFs:

Version    Maintenance Level
v8.0       8.0.0.6

The latest available maintenance can be obtained from
'WebSphere MQ Recommended Fixes'
http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006037

If the maintenance level is not yet available information on
its planned availability can be found in 'WebSphere MQ
Planned Maintenance Release Dates'
http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006309
---------------------------------------------------------------

    



Temporary fix


    

  • 



Comments


    

  • 



APAR Information




    

  • APAR number
    IT14762
    • 

  • Reported component name
    WMQ BASE MULTIP
    • 

  • Reported component ID
    5724H7251
    • 

  • Reported release
    800
    • 

  • Status
    CLOSED  PER
    • 

  • PE
    NoPE
    • 

  • HIPER
    NoHIPER
    • 

  • Special Attention
    NoSpecatt / Xsystem
    • 

  • Submitted date
    2016-04-12
    • 

  • Closed date
    2016-06-27
    • 

  • Last modified date
    2017-06-01
    • 





    

  • APAR is sysrouted FROM one or more of the following:
    

    • 

  • APAR is sysrouted TO one or more of the following:
    

    • 



Fix information


    

  • Fixed component name
    WMQ BASE MULTIP
    • 

  • Fixed component ID
    5724H7251
    • 



Applicable component levels


    

  • R800  PSY
       UP
    • 








      
              
                            

              

              [{"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SSYHRD","label":"IBM MQ"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"8.0.0.0","Edition":"","Line of Business":{"code":"LOB45","label":"Automation"}}]
              

                          

          
 
        

      

    

      

        

          

            
Document Information


            

            


                        

            Modified date:
            

            01 June 2017
            

            
                      

        


        

        


      

    

  



    

  

  
    
            

          
Page Feedback