Direct links to fixes
Interim fix for IBM MQ Appliance 8.0.0.10 with APAR(s) IT25591. Build ID: p800-010-180607-IT25591_P
8.0.0.10-WS-MQ-SolarisX64-LAIT25591
8.0.0.10-WS-MQ-SolarisSparc64-LAIT25591
8.0.0.10-WS-MQ-LinuxX64-LAIT25591
8.0.0.10-WS-MQ-LinuxPPCLE64-LAIT25591
8.0.0.10-WS-MQ-LinuxPPC64-LAIT25591
8.0.0.10-WS-MQ-Linux_z64-LAIT25591
8.0.0.10-WS-MQ-HPUXIA64-LAIT25591
8.0.0.10-WS-MQ-AIXPPC64-LAIT25591
APAR status
Closed as program error.
Error description
After upgrading queue manager to MQ v8.0.0.10, clients are not able to connect to the queue manager anymore. The queue manager error logs show that ctrl authority is missing on the queue manager object type. See below error: ---- AMQ8077: Entity 'User' has insufficient authority to access object 'QueueManagerName'. EXPLANATION: The specified entity is not authorized to access the required object. The following requested permissions are unauthorized: ctrl ACTION: Ensure that the correct level of authority has been set for this entity against the required object, or ensure that the entity is a member of a privileged group. ---- The application performing the connection reports MQRC_NOT_AUTHORIZED (2035) ---- The Entity named in the AMQ8077 error message varies depending on whether the queue manager is using the LDAP or OS authorization model. When using the OS authorization model then the AMQ8077 error reports that the adopted user has insufficient authority to access the Qmgr object. This will typically be the client end-user or the user named in the MCAUSER property of the channel. When using the LDAP authorization model then the AMQ8077 error reports that the user running the SVRCONN has insufficient authority to access the Qmgr object. Typically this will be the user that started the queue manager (and so will often be mqm or mqsystem on the MQ appliance).
Local fix
Set ChlauthEarlyAdopt=Y in the CHANNELS stanza of the queue manager's qm.ini file.
Problem summary
**************************************************************** USERS AFFECTED: This issue affects users of who have a client channel that is configured to adopt user authorities, and have ChlauthEarlyAdopt=N in the CHANNELS stanza of the qm.ini file. (Note that ChlauthEarlyAdopt=N is the default value for queue managers created before V9.1). The issue affects MQ v8.0.0.10, v9.0.0.5 and v9.1.0.1, however at MQ v9.0.0.5 and v9.1.0.1 only users making use of LDAP authentication with ChlauthEarlyAdopt=N are affected. Platforms affected: MultiPlatform **************************************************************** PROBLEM DESCRIPTION: APAR IT20275 made a number of changes to the user adoption routines, which are involved in the adopting of user context as a result of CONNAUTH, CHLAUTH or channel MCAUSER configurations. A defect within the changes added by this APAR caused the adopted user's permissions to be evaluated incorrectly while the user was being adopted, resulting in the unexpected AMQ8077 error message.
Problem conclusion
The issue was caused by a programming error which has been fixed, such that adopted users are no longer checked for CTRL authority on the queue manager. It is NOT required for users connecting to the queue manager to have CTRL authority on the queue manager. --------------------------------------------------------------- The fix is targeted for delivery in the following PTFs: Version Maintenance Level v8.0 8.0.0.11 v9.0 LTS 9.0.0.7 v9.1 CD 9.1.5 v9.1 LTS 9.1.0.2 The latest available maintenance can be obtained from 'WebSphere MQ Recommended Fixes' http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006037 If the maintenance level is not yet available information on its planned availability can be found in 'WebSphere MQ Planned Maintenance Release Dates' http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006309 ---------------------------------------------------------------
Temporary fix
Comments
APAR Information
APAR number
IT25591
Reported component name
IBM MQ BASE MP
Reported component ID
5724H7251
Reported release
800
Status
CLOSED PER
PE
NoPE
HIPER
YesHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2018-07-05
Closed date
2018-11-29
Last modified date
2020-07-10
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
IBM MQ BASE MP
Fixed component ID
5724H7251
Applicable component levels
[{"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SSYHRD","label":"IBM MQ"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"8.0.0.0","Line of Business":{"code":"LOB45","label":"Automation"}}]
Document Information
Modified date:
11 July 2020