IBM Support

IT22099: MQ MFT: Unexpected AMQ8077 error when trying to cancel a transfer started by the same user.

Subscribe to this APAR

By subscribing, you receive periodic emails alerting you to the status of the APAR, along with a link to the fix after it becomes available. You can track this item individually or track all items by product.

Notify me when this APAR changes.

Notify me when an APAR for this component changes.

 

APAR status

  • Closed as program error.

Error description

  • An IBM MQ queue manager reports that a user identifier is
    missing "browse" authority on the
    "SYSTEM.FTE.AUTHOPS1.<agent_name>" queue for both the source and
    destination agents when that user attempts to cancel a file
    transfer which it previously requested.
    
    As per the Knowledge Center, when the Managed File Transfer
    (MFT) user authority checking function has been enabled, the
    following MQ authorities must be granted for each user that
    wishes to cancel a transfer request that the same user
    previously requested:
    
        - BROWSE on queue SYSTEM.FTE.AUTHTRN1.source_agent_name
        - PUT on queue SYSTEM.FTE.AUTHTRN1.destination_agent_name
    
    Even though the above authorities are granted to user 'userA',
     the following errors are found on the queue manager error logs:
    
    	AMQ8077: Entity 'userA' has insufficient authority to
    access object 'SYSTEM.FTE.AUTHOPS1.source_agent_name.
    	AMQ8077: Entity 'userA' has insufficient authority to
    access object 'SYSTEM.FTE.AUTHOPS1.destination_agent_name'.
    
    If the agent property:
    
    	logAuthorityChecks
    
    is set to a valid value other than "None", then the following
    warning message is also found in the MFT agent event log, the
    "output0.log" file:
    
    	[timestamp] [thread] WMQAuthorityChecker BFGAG0106W: The
    authority check for user 'userA' and authority
    'TRANSFER_OPERATIONS' has failed.
    
    
    The transfer gets cancelled successfully regardless of the error
    messages reported.
    

Local fix

  • To prevent the error messages reported by the source and
    destination agent queue managers, grant the users cancelling
    transfers browse authority on the queues:
    
      - SYSTEM.FTE.AUTHOPS1.source_agent_name
      - SYSTEM.FTE.AUTHOPS1.destination_agent_name
    
    
    To prevent the agent logging the BFGAG0106W message in its event
    log, disable the logAuthorityChecks function in the
    agent.properties file by setting it to the default value "None":
    
      logAuthorityChecks=None
    
    Alternatively, remove the property from the agent.properties
    file.
    

Problem summary

  • ****************************************************************
    USERS AFFECTED:
    This issue affects users of IBM MQ Managed File Transfer who
    enabled agent property "authortyChecking" and are cancelling a
    file transfer previously started by the same user.
    
    
    Platforms affected:
    MultiPlatform
    
    ****************************************************************
    PROBLEM DESCRIPTION:
    The error and warning messages noted in the Problem Description
    section of this APAR were logged due to an incorrect order in
    which authority checks were performed.
    
    When an agent received a request to cancel a transfer that was
    previously started by the same user, it first checked whether
    the user requesting the "cancel" command has sufficient
    authority.  To do this the agent checked whether the user has
    ?browse? authority on its SYSTEM.FTE.AUTHOPS1.<agent_name> queue
    by attempting to open it with MQOO_BROWSE option. However, the
    user is expected to have "browse" authority on
    SYSTEM.FTE.AUTHOPS1.agent_name queues only if cancelling a
    transfer started by a different user.  Therefore user was not
    given this authority on the agent queue managers so both the
    queue manager and agent reported a failure in the authority
    check.
    
    After the first authority check failed, the agent then checked
    whether the user cancelling the transfer was the same user who
    started the transfer.  Since it was the same user, it checked
    whether user has the required permissions on
    SYSTEM.FTE.AUTHTRN1.<agent_name> queue.  The user did have the
    required permissions on those authority queues therefore the
    transfer was cancelled successfully.
    

Problem conclusion

  • The product code for IBM MQ Managed File Tranafer (MFT) has been
    updated to change the order in which authority checks are
    performed to avoid unexpected errors in agent and queue manager
    error logs.
    
    After this APAR, when an agent receives a request to cancel a
    file transfer, it will first check whether the user requesting
    the "cancel" command is the same user who started the transfer.
     If the user cancelling the transfer is not the same as the user
    that requested it, the agents will then check if the cancelling
    user has ?browse? permission on SYSTEM.FTE.AUTHOPS1.<agent_name>
    queues.
    
    ---------------------------------------------------------------
    The fix is targeted for delivery in the following PTFs:
    
    Version    Maintenance Level
    v9.0 CD    9.0.4
    v9.0 LTS   9.0.0.3
    
    The latest available MQ maintenance can be obtained from
    'WebSphere MQ Recommended Fixes'
    http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006037
    
    If the maintenance level is not yet available information on
    its planned availability can be found in 'WebSphere MQ
    Planned Maintenance Release Dates'
    http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006309
    ---------------------------------------------------------------
    

Temporary fix

Comments

APAR Information

  • APAR number

    IT22099

  • Reported component name

    IBM MQ MFT V9.0

  • Reported component ID

    5724H7262

  • Reported release

    900

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2017-08-22

  • Closed date

    2017-09-29

  • Last modified date

    2017-09-29

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    IBM MQ MFT V9.0

  • Fixed component ID

    5724H7262

Applicable component levels

  • R900 PSY

       UP

[{"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SSYHRD","label":"IBM MQ"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"9.0","Edition":"","Line of Business":{"code":"LOB36","label":"IBM Automation"}}]

Document Information

Modified date:
29 September 2017