APAR status
Closed as program error.
Error description
After migration from WMQ 7.0.1.* to WMQ 7.1 or V7.5, WMQ Java/JMS applications that are set to use Java security in an Oracle Java JVM or other JVM start to throw the following exception:

Exception in thread "main" java.lang.ExceptionInInitializerError
    at com.ibm.msg.client.commonservices.propertystore.PropertyStore.initializePropertyStoreControl(PropertyStore.java:751)
    at com.ibm.msg.client.commonservices.propertystore.PropertyStore.initialize(PropertyStore.java:515)
    : : : :
Caused by: java.security.AccessControlException: access denied ("javax.management.MBeanServerPermission" "createMBeanServer")

Additional Symptom(s) Search Keyword(s): AccessControlException; migration; MQ Java/JMS V7.1/V7.5/V8.0
Local fix
Problem summary
****************************************************************
USERS AFFECTED:
This issue affects users of:
- The WebSphere MQ V7.1 classes for Java
- The WebSphere MQ V7.1 classes for JMS
- The WebSphere MQ V7.1 OSGi bundles
- The WebSphere MQ V7.1 resource adapter
- The WebSphere MQ V7.5 classes for Java
- The WebSphere MQ V7.5 classes for JMS
- The WebSphere MQ V7.5 OSGi bundles
- The WebSphere MQ V7.5 resource adapter
- The IBM MQ V8 classes for Java
- The IBM MQ V8 classes for JMS
- The IBM MQ V8 OSGi bundles
- The IBM MQ V8 resource adapter
who have applications which are running inside a Java Runtime Environment that has the Java security manager enabled.

Platforms affected:
MultiPlatform
****************************************************************
PROBLEM DESCRIPTION:
There were two issues here.

Issue 1:
---------------
The WebSphere MQ V7.1 and V7.5 classes for Java and classes for JMS provide an MBean (Managed Bean) which can be used to dynamically enable and disable trace, and require access to an MBean server running inside the Java Runtime Environment in order to register the MBean.

The calls that the WebSphere MQ classes for Java and classes for JMS made to access the MBean server were not made inside an AccessController.doPrivileged block. As a result, if the WebSphere MQ classes for Java and classes for JMS were running inside a Java Runtime Environment that had the Java security manager enabled and tried to access the MBean server, the security manager rejected the request.

This issue did not affect IBM MQ v8.
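
The pattern behind Issue 1, as an added Java example (not IBM's source code; the TraceControl MBean and its ObjectName are hypothetical names). The unprivileged lookup is checked against every caller on the stack, while the doPrivileged form limits the check to the library's own protection domain, which must still be granted the permission in the policy file.

```java
import java.lang.management.ManagementFactory;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.security.PrivilegedExceptionAction;
import javax.management.MBeanServer;
import javax.management.ObjectName;

// Added illustration, not IBM MQ source. TraceControl, TraceControlMBean and the
// ObjectName "example.trace:type=TraceControl" are hypothetical names.
public class PrivilegedMBeanAccess {

    public interface TraceControlMBean {
        boolean isTraceEnabled();
        void setTraceEnabled(boolean enabled);
    }

    public static class TraceControl implements TraceControlMBean {
        private volatile boolean enabled;
        @Override public boolean isTraceEnabled() { return enabled; }
        @Override public void setTraceEnabled(boolean enabled) { this.enabled = enabled; }
    }

    // Shape of the defect: the permission check walks every frame on the call
    // stack, so the application's own protection domain must also hold
    // MBeanServerPermission "createMBeanServer" or the call is denied.
    static MBeanServer lookupUnprivileged() {
        return ManagementFactory.getPlatformMBeanServer();
    }

    // Shape of the fix: doPrivileged stops the stack walk at this frame, so only
    // the protection domain of the library containing this class is checked.
    static MBeanServer lookupPrivileged() {
        return AccessController.doPrivileged(
                (PrivilegedAction<MBeanServer>) ManagementFactory::getPlatformMBeanServer);
    }

    public static void main(String[] args) throws Exception {
        MBeanServer server = lookupPrivileged();
        ObjectName name = new ObjectName("example.trace:type=TraceControl");
        // Registration is an MBeanPermission-checked operation, so it is wrapped too.
        AccessController.doPrivileged((PrivilegedExceptionAction<Void>) () -> {
            server.registerMBean(new TraceControl(), name);
            return null;
        });
        System.out.println("registered=" + server.isRegistered(name));
    }
}
```
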
Issue 2:
---------------
The topics:
- Running WebSphere MQ classes for Java applications under the Java security manager
- Running WebSphere MQ classes for JMS applications under the Java security manager
in the WebSphere MQ V7.1, V7.5 and V8.0 sections of IBM Knowledge Center contained details of the entries that needed to be added to the policy configuration file for a Java Runtime Environment in order for the Java security manager to grant the appropriate permissions required to allow the WebSphere MQ classes for Java and classes for JMS to run.

Unfortunately, the information in these topics was incomplete.
Problem conclusion
The WebSphere MQ V7.1 and V7.5 classes for Java and classes for JMS have been updated to ensure that whenever they require access to an MBean server provided by a Java Runtime Environment, the access is performed inside AccessController.doPrivileged blocks.

In addition to this, a number of configuration and documentation updates are applicable and these are described below.

Configuration and documentation updates for WebSphere MQ v7.1 and V7.5:
----------------------------------------------------------------
The following permissions need to be specified in the policy configuration file for the Java Runtime Environment (in addition to those documented in the topics "Running WebSphere MQ classes for Java applications under the Java security manager" and "Running WebSphere MQ classes for JMS applications under the Java security manager" in the WebSphere MQ V7.1 and V7.5 sections of IBM Knowledge Center) in order to grant the appropriate permissions to allow the WebSphere MQ classes for Java and classes for JMS to run:

Permission 1:
----------------
    permission javax.management.MBeanServerPermission "createMBeanServer";
    permission javax.management.MBeanPermission "*", "*";

Notes:
These two permissions are required to allow the WebSphere MQ classes for Java and classes for JMS to access the MBean server for the Java Runtime Environment they are running in.

Permission 2:
----------------
    permission java.util.PropertyPermission "file.separator", "read";

Notes:
This permission is required to allow the WebSphere MQ classes for Java and classes for JMS to access the "file.separator" property, for tracing purposes.

Permission 3:
----------------
    permission java.util.PropertyPermission "com.ibm.jsse2.usefipsprovider","read,write";
    permission java.util.PropertyPermission "com.ibm.jsse2.JSSEFIPS","read,write";

Notes:
These permissions are required to determine if an IBM Java Runtime Environment is running in FIPS mode, and modify the property values status based on the requirements of the WebSphere MQ classes for Java and classes for JMS.

Permission 4:
----------------
    permission java.net.SocketPermission "*","connect,resolve";

Notes:
The "Running WebSphere MQ classes for Java applications under the Java security manager" and "Running WebSphere MQ classes for JMS applications under the Java security manager" topics in the WebSphere MQ V7.1 and V7.5 sections of IBM Knowledge Center already document that the "connect" permission is required for this property. However, "resolve" is also required to allow hostname lookups to be performed.

Permission 5:
----------------
    permission java.io.FilePermission "<MQ_DATA_DIRECTORY>/exits64/*","read";

Notes:
If an application uses exits that have been installed into the "<MQ_DATA_DIRECTORY>/exits64" directory, then this permission is required.

Permission 6:
----------------
    permission java.security.SecurityPermission "insertProvider.IBMJCEFIPS";

Notes:
This permission is required if an IBM FIPS provider has to be used for SSL communication.

Permission 7:
----------------
    permission java.util.PropertyPermission "com.ibm.mq.cfg.*", "read";

Notes:
This permission is needed to allow the WebSphere MQ configuration properties to be read.

Permission 8:
----------------
    permission java.util.PropertyPermission "jboss.global.jnp.disableDiscovery","read";

Notes:
This permission is optional. It is only needed for the WebSphere MQ V7.1 or V7.5 resource adapter if it has been installed into JBoss Application Server, and users want to control the auto-discovery behaviour of the Java Runtime Environment used by the application server.

Configuration and documentation updates for IBM MQ v8:
----------------------------------------------------------------
The following permissions need to be specified in the policy configuration file for the Java Runtime Environment (in addition to those documented in the topics "Running IBM MQ classes for Java applications under the Java security manager" and "Running IBM MQ classes for JMS applications under the Java security manager" in the IBM MQ V8 sections of the IBM Knowledge Center) in order to grant the appropriate permissions to allow the IBM MQ classes for Java and classes for JMS to run:

Permission 1:
----------------
    permission java.util.PropertyPermission "file.separator", "read";

Notes:
This permission is required to allow the IBM MQ classes for Java and classes for JMS to access the "file.separator" property, for tracing purposes.

Permission 2:
----------------
    permission java.util.PropertyPermission "com.ibm.jsse2.usefipsprovider","read,write";
    permission java.util.PropertyPermission "com.ibm.jsse2.JSSEFIPS","read,write";

Notes:
These permissions are required to determine if an IBM Java Runtime Environment is running in FIPS mode, and modify the property values status based on the requirements of the IBM MQ classes for Java and classes for JMS.

Permission 3:
----------------
    permission java.net.SocketPermission "*","connect,resolve";

Notes:
The "Running IBM MQ classes for Java applications under the Java security manager" and "Running IBM MQ classes for JMS applications under the Java security manager" topics in the IBM MQ V8 sections of IBM Knowledge Center already document that the "connect" permission is required for this property. However, "resolve" is also required to allow hostname lookups to be performed.

Permission 4:
----------------
    permission java.io.FilePermission "<MQ_DATA_DIRECTORY>/exits64/*","read";

Notes:
If an application uses exits that have been installed into the "<MQ_DATA_DIRECTORY>/exits64" directory, then this permission is required.

Permission 5:
----------------
    permission java.security.SecurityPermission "insertProvider.IBMJCEFIPS";

Notes:
This permission is required if an IBM FIPS provider has to be used for SSL communication.

Permission 6:
----------------
    permission java.util.PropertyPermission "com.ibm.mq.cfg.*", "read";

Notes:
This permission is needed to allow the IBM MQ configuration properties to be read.

---------------------------------------------------------------
The fix is targeted for delivery in the following PTFs:

Version    Maintenance Level
v7.1       7.1.0.8
v7.5       7.5.0.6

The latest available maintenance can be obtained from 'WebSphere MQ Recommended Fixes'
http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006037

If the maintenance level is not yet available, information on its planned availability can be found in 'WebSphere MQ Planned Maintenance Release Dates'
http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006309
---------------------------------------------------------------
Temporary fix
Comments
APAR Information
APAR number
IV75404
Reported component name
WMQ AIX V7
Reported component ID
5724H7221
Reported release
710
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2015-07-23
Closed date
2015-09-25
Last modified date
2016-04-08
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
WMQ AIX V7
Fixed component ID
5724H7221
Applicable component levels
R710 PSY
UP
Document Information
Modified date:
08 March 2021