IBM Support

IT25591: Connection to queue manager fails after upgrade to MQ 8.0.0.10 error log reports user missing CTRL authority on qmgr (AMQ8077)


 

APAR status

  • Closed as program error.

Error description

  • After upgrading queue manager to MQ v8.0.0.10, clients are not
    able to connect to the queue manager anymore.
    The queue manager error logs show that ctrl authority is
    missing on the queue manager object type.
    See below error:
    ----
    AMQ8077: Entity 'User' has insufficient authority to access
    object
    'QueueManagerName'.
    EXPLANATION:
    The specified entity is not authorized to access the required
    object.
    The following requested permissions are unauthorized: ctrl
    ACTION:
    Ensure that the correct level of authority has been set for
    this entity against the required object, or ensure that the
    entity is a member of a privileged group.
    ----
    
    The application performing the connection reports
    MQRC_NOT_AUTHORIZED (2035)
    
    ----
    
    The Entity named in the AMQ8077 error message varies depending
    on whether the queue
    manager is using the LDAP or OS authorization model.
    
    When using the OS authorization model then the AMQ8077 error
    reports that the adopted user has insufficient authority to
    access the Qmgr object.  This will typically be the client
    end-user or the user named in the MCAUSER property of the
    channel.
    
    When using the LDAP authorization model then the AMQ8077 error
    reports that the user running the SVRCONN has insufficient
    authority to access the Qmgr object.  Typically this will be the
    user that started the queue manager (and so will often be mqm or
    mqsystem on the MQ appliance).
    

Local fix

  • Set ChlauthEarlyAdopt=Y in the CHANNELS stanza of the queue
    manager's qm.ini file.
    

Problem summary

  • ****************************************************************
    USERS AFFECTED:
    This issue affects users who have a client channel that is
    configured to adopt user authorities, and have
    ChlauthEarlyAdopt=N in the CHANNELS stanza of the qm.ini file.
     (Note that ChlauthEarlyAdopt=N is the default value for queue
    managers created before V9.1).
    
    The issue affects MQ v8.0.0.10, v9.0.0.5 and v9.1.0.1, however
    at MQ v9.0.0.5 and v9.1.0.1 only users making use of LDAP
    authentication with ChlauthEarlyAdopt=N are affected.
    
    
    Platforms affected:
    MultiPlatform
    
    ****************************************************************
    PROBLEM DESCRIPTION:
    APAR IT20275 made a number of changes to the user adoption
    routines, which are involved in the adopting of user context as
    a result of CONNAUTH, CHLAUTH or channel MCAUSER configurations.
    
    A defect within the changes added by this APAR caused the
    adopted user's permissions to be evaluated incorrectly while the
    user was being adopted, resulting in the unexpected AMQ8077
    error message.
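
The "users affected" conditions above can be checked per queue manager. The following is an added example, not IBM code: it reads the Channels stanza of a qm.ini file and applies the affected levels listed in this APAR. The function names and sample qm.ini text are constructed for illustration; it assumes a missing ChlauthEarlyAdopt key means N, and it does not check whether a channel is configured to adopt user authorities.

```python
import re

# Levels this APAR lists as affected; the two 9.x levels only with LDAP.
AFFECTED_ANY_MODEL = {"8.0.0.10"}
AFFECTED_LDAP_ONLY = {"9.0.0.5", "9.1.0.1"}


def early_adopt_setting(qm_ini_text):
    """Return the ChlauthEarlyAdopt value from the Channels stanza, or None."""
    stanza = None
    for raw in qm_ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue  # blank line or comment
        header = re.fullmatch(r"([A-Za-z]+):", line)
        if header:
            stanza = header.group(1).lower()  # e.g. "Channels:" -> "channels"
            continue
        if stanza == "channels" and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() == "chlauthearlyadopt":
                return value.strip().upper()
    return None


def exposed_to_it25591(version, qm_ini_text, uses_ldap):
    """Apply the APAR's 'users affected' conditions to one queue manager."""
    # Assumption: an absent key is treated as N (the pre-V9.1 default).
    if early_adopt_setting(qm_ini_text) == "Y":
        return False  # local fix already in place
    if version in AFFECTED_ANY_MODEL:
        return True
    return version in AFFECTED_LDAP_ONLY and uses_ldap


# Constructed sample qm.ini fragments, not taken from a real system.
SAMPLE_DEFAULT = """\
Log:
   LogType=CIRCULAR
Channels:
   MaxChannels=200
"""
SAMPLE_WORKAROUND = SAMPLE_DEFAULT + "   ChlauthEarlyAdopt=Y\n"
```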
    

Problem conclusion

  • The issue was caused by a programming error which has been
    fixed, such that adopted users are no longer checked for CTRL
    authority on the queue manager.
    
    It is NOT required for users connecting to the queue manager to
    have CTRL authority on the queue manager.
    
    ---------------------------------------------------------------
    The fix is targeted for delivery in the following PTFs:
    
    Version    Maintenance Level
    v8.0       8.0.0.11
    v9.0 LTS   9.0.0.7
    v9.1 CD    9.1.5
    v9.1 LTS   9.1.0.2
    
    The latest available maintenance can be obtained from
    'WebSphere MQ Recommended Fixes'
    http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006037
    
    If the maintenance level is not yet available, information on
    its planned availability can be found in 'WebSphere MQ
    Planned Maintenance Release Dates'
    http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006309
    ---------------------------------------------------------------
    

Temporary fix

Comments

APAR Information

  • APAR number

    IT25591

  • Reported component name

    IBM MQ BASE MP

  • Reported component ID

    5724H7251

  • Reported release

    800

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    YesHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2018-07-05

  • Closed date

    2018-11-29

  • Last modified date

    2020-07-10

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    IBM MQ BASE MP

  • Fixed component ID

    5724H7251

Applicable component levels


Document Information

Modified date:
11 July 2020