
IT26512: CHLAUTH USERMAP rules not applied when ChlauthEarlyAdopt=y and client user missing +connect


APAR status

  • Closed as program error.

Error description

  • When ChlauthEarlyAdopt=y is in use, CHLAUTH USERMAP rules proved
    ineffective when the user asserted by the client did not have
    +connect authority to the queue manager.
    
    When the client application tried to connect to the queue manager,
    the CHLAUTH USERMAP rules should have mapped the asserted user to a
    valid user id, but instead the following error message was written
    to the MQ error log:
    
    "AMQ8077 NOT AUTHORIZED missing +connect authority"
    
    ...and the CHLAUTH USERMAP rule(s) were not applied to the asserted
    user. A generic CHLAUTH ADDRESSMAP rule was applied instead, which
    blocked the connection, and the client connection failed with
    return code 2035 (MQRC_NOT_AUTHORIZED).
    

Local fix

Problem summary

  • ****************************************************************
    USERS AFFECTED:
    Users of ChlauthEarlyAdopt=y and CHLAUTH USERMAP rules.
    
    
    Platforms affected:
    MultiPlatform
    
    ****************************************************************
    PROBLEM DESCRIPTION:
    A client attempted to connect to a queue manager configured with
    ChlauthEarlyAdopt=y and CHLAUTH USERMAP rules.
    The CHLAUTH USERMAP rules were intended to operate on the
    asserted user id that the client had supplied in the MQCSP
    structure but the CHLAUTH USERMAP rules proved ineffective when
    the asserted user id did not have +connect authority to the
    queue manager.
    
    This was because the queue manager checked that the asserted
    user id had +connect authority before evaluating the CHLAUTH
    rules.
    If the client did not have +connect authority then the CHLAUTH
    USERMAP
    rule(s) were applied to the user id that the client was running
    as instead
    of the asserted user and the following error message was written
    to the
    MQ error log:
    
    "AMQ8077 NOT AUTHORIZED missing +connect authority"
    
    Consequently a generic CHLAUTH ADDRESSMAP rule was applied which
    blocked the connection and the connection failed with return
    code 2035
    (MQRC_NOT_AUTHORIZED).
    

Problem conclusion

  • The +connect authority check in the queue manager code has been
    moved so that the check takes place after the CHLAUTH rules have
    been evaluated.  This allows the CHLAUTH rules to operate on the
    asserted user id that the client had supplied in the MQCSP
    structure.
    
    ---------------------------------------------------------------
    The fix is targeted for delivery in the following PTFs:
    
    Version    Maintenance Level
    v8.0       8.0.0.14
    v9.0 LTS   9.0.0.9
    v9.1 CD    9.1.5
    v9.1 LTS   9.1.0.5
    
    The latest available maintenance can be obtained from
    'WebSphere MQ Recommended Fixes'
    http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006037
    
    If the maintenance level is not yet available information on
    its planned availability can be found in 'WebSphere MQ
    Planned Maintenance Release Dates'
    http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006309
    ---------------------------------------------------------------
    
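Added example, not part of the APAR: the configuration shape the problem description refers to, written as MQSC for a queue manager and channel with hypothetical names (QM1, APP.SVRCONN, asserted user appuser, mapped id mqapp, client address 192.0.2.10). The qm.ini stanza and the setmqaut call are not MQSC and are shown as MQSC comments.

```mqsc
* Hypothetical names throughout; adjust to your own queue manager.
*
* 1. qm.ini of QM1 enables early adoption of the MQCSP user id
*    (Channels stanza; value shown as in the IBM MQ documentation):
*      Channels:
*         ChlauthEarlyAdopt=Y
*
* 2. Only the mapped id is granted +connect; the asserted id
*    'appuser' deliberately has none, which is the APAR scenario:
*      setmqaut -m QM1 -t qmgr -p mqapp +connect +inq
*
* 3. Map the asserted MQCSP user to the local id that holds +connect.
SET CHLAUTH('APP.SVRCONN') TYPE(USERMAP) CLNTUSER('appuser') +
    USERSRC(MAP) MCAUSER('mqapp') ACTION(ADD)

* 4. Generic rule that blocks every connection the USERMAP rule
*    does not cover (the rule that fired on unfixed levels).
SET CHLAUTH('APP.SVRCONN') TYPE(ADDRESSMAP) ADDRESS('*') +
    USERSRC(NOACCESS) ACTION(ADD)

* 5. Show which rule the asserted user would match. RUNCHECK
*    evaluates the CHLAUTH rules only; it does not perform the
*    +connect check, so it reports the USERMAP rule on both fixed
*    and unfixed maintenance levels. On an unfixed level the real
*    connection still fails with AMQ8077 and MQRC 2035.
DISPLAY CHLAUTH('APP.SVRCONN') MATCH(RUNCHECK) +
    CLNTUSER('appuser') ADDRESS('192.0.2.10')
```

Confirm the queue manager is at or above the PTF level in the table above with dspmqver before relying on the mapping for ids that lack +connect.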

Temporary fix

Comments

APAR Information

  • APAR number

    IT26512

  • Reported component name

    IBM MQ BASE MP

  • Reported component ID

    5724H7251

  • Reported release

    800

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2018-10-04

  • Closed date

    2019-10-28

  • Last modified date

    2019-10-28

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    IBM MQ BASE MP

  • Fixed component ID

    5724H7251

Applicable component levels


Document Information

Modified date:
28 October 2019