IBM Support

IT24916: Authorization service fails. FDC with Probe ZF272010 and rc=MQRC_SERVICE_ERROR

Subscribe to this APAR

By subscribing, you receive periodic emails alerting you to the status of the APAR, along with a link to the fix after it becomes available. You can track this item individually or track all items by product.

Notify me when this APAR changes.

Notify me when an APAR for this component changes.

 

APAR status

  • Closed as program error.

Error description

  • This problem was first seen on the MQ Appliance but the issue
also affects other MQ installations.

The MQ LDAP authorization service fails. Failure Data Capture
(FDC) records are generated as follows:

FDC details:

Probe Ids:
- ZF272010 (zfuLdapGetUserDn)
- ZF292010 (zfuFindGroupsByMember)
- ZF291010 (zfuFindGroupsByDNAttr)

and  Major Errorcode :- MQRC_SERVICE_ERROR

Attempts to authenticate users making connections to the queue
manager may fail, even if valid credentials are presented.

Local fix

  • 



Problem summary


    

  • ****************************************************************
USERS AFFECTED:
Users of any queue manager where an AUTHINFO object has been
configured to contact LDAP repositories for authentication
and/or authorization checks.


Platforms affected:
MultiPlatform

****************************************************************
PROBLEM DESCRIPTION:
Within the MQ OAM code that deals with connections to the LDAP
repository, threads were not adequately protected while
accessing shared data.

On one queue manager thread, a connection attempt was made to
the LDAP server, but this attempt failed.  The MQ code did not
clean up some context information, so another thread acted on
the basis that the connection had been successful.  But a little
later in the logic, the second thread noticed the connection was
not valid, which caused this FDC to be written.

This might be noticed only if a connection to the LDAP server
breaks.  Reasons for the connection to break include:
- network problems
- problems on the LDAP server
- user runs REFRESH SECURITY

Therefore the FDC is a sign that there are breaks in LDAP
connectivity, but these might be temporary, and if they clear
quickly, then this MQ code bug will not be noticed.

    



Problem conclusion


    

  • The MQ OAM code has been changed to protect shared data
adequately, so that this FDC no longer appears in cases where
LDAP connectivity has been lost in the scenario described.

---------------------------------------------------------------
The fix is targeted for delivery in the following PTFs:

Version    Maintenance Level
v8.0       8.0.0.12
v9.0 LTS   9.0.0.6
v9.1 CD    9.1.2
v9.1 LTS   9.1.0.2

The latest available maintenance can be obtained from
'WebSphere MQ Recommended Fixes'
http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006037

If the maintenance level is not yet available information on
its planned availability can be found in 'WebSphere MQ
Planned Maintenance Release Dates'
http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006309
---------------------------------------------------------------

    



Temporary fix


    

  • 



Comments


    

  • 



APAR Information




    

  • APAR number
    IT24916
    • 

  • Reported component name
    IBM MQ APPL M20
    • 

  • Reported component ID
    5725Z0900
    • 

  • Reported release
    800
    • 

  • Status
    CLOSED  PER
    • 

  • PE
    NoPE
    • 

  • HIPER
    NoHIPER
    • 

  • Special Attention
    NoSpecatt / Xsystem
    • 

  • Submitted date
    2018-05-01
    • 

  • Closed date
    2019-01-03
    • 

  • Last modified date
    2019-01-03
    • 





    

  • APAR is sysrouted FROM one or more of the following:
    

    • 

  • APAR is sysrouted TO one or more of the following:
    

    • 



Fix information


    

  • Fixed component name
    IBM MQ APPL M20
    • 

  • Fixed component ID
    5725Z0900
    • 



Applicable component levels


    








      
              
                            

              

              [{"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SS5K6E","label":"IBM MQ Appliance"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"8.0","Edition":"","Line of Business":{"code":"LOB36","label":"IBM Automation"}}]
              

                          

          
 
        

      

    

      

        

          

            
Document Information


            

            


                        

            Modified date:
            

            03 January 2019
            

            
                      

        


        

        


      

    

  



    

  

  
    
            

          
Page Feedback