IBM Support

IV75404: WMQ JAVA/JMS APPLICATION USING JAVA SECURITY THROW ACCESSCONTROLEXCEPTION ERROR.

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • After migration from WMQ 7.0.1.* to WMQ 7.1 or V7.5,
    WMQ Java/JMS application which are set to use java security in
    Oracle Java JVM or other JVM, started to throw the following
    exception:
    
    Exception in thread "main" java.lang.ExceptionInInitializerError
            at
    com.ibm.msg.client.commonservices.propertystore.PropertyStore.in
    tializePropertyStoreControl(PropertyStore.java:751)
            at
    com.ibm.msg.client.commonservices.propertystore.PropertyStore.in
    itialize(PropertyStore.java:515)
    : : : : : : : : : : : : : : : :
    Caused by: java.security.AccessControlException: access denied
    ("javax.management.MBeanServerPermission" "createMBeanServer")
    
    
    
    Additional Symptom(s) Search
    Keyword(s):AccessControlException;migration;MQ Java/JMS V
    7.1/V7.5/V8.0
    

Local fix

Problem summary

  • ****************************************************************
    USERS AFFECTED:
    This issue affects users of:
    
    - The WebSphere MQ V7.1 classes for Java
    - The WebSphere MQ V7.1 classes for JMS
    - The WebSphere MQ V7.1 OSGi bundles
    - The WebSphere MQ V7.1 resource adapter
    
    - The WebSphere MQ V7.5 classes for Java
    - The WebSphere MQ V7.5 classes for JMS
    - The WebSphere MQ V7.5 OSGi bundles
    - The WebSphere MQ V7.5 resource adapter
    
    - The IBM MQ V8 classes for Java
    - The IBM MQ V8 classes for JMS
    - The IBM MQ V8 OSGi bundles
    - The IBM MQ V8 resource adapter
    
    who have applications which are running inside a Java Runtime
    Environment that has the Java security manager enabled.
    
    
    Platforms affected:
    MultiPlatform
    
    ****************************************************************
    PROBLEM DESCRIPTION:
    There were two issues here.
    
    Issue 1:
    ---------------
    The WebSphere MQ V7.1 and V7.5 classes for Java and classes for
    JMS provide a MBean (Manage Bean) which can be used to
    dynamically enable and disable trace, and require access to a
    MBean server running inside the Java Runtime Environment in
    order to register the MBean.
    
    The calls that the WebSphere MQ classes for Java and classes for
    JMS made to access the MBean server were not made inside a
    AccessController.doPrivileged block. As a result of this, if the
    WebSphere MQ classes for Java and classes for JMS were running
    inside of a Java Runtime Environment that had the Java security
    manager enabled and tried to access the MBean server, the
    security manager rejected the request.
    
    This issue did not affect IBM MQ v8.
    
    Issue 2:
    ---------------
    The topics:
    
    - Running WebSphere MQ classes for Java applications under the
    Java security manager
    - Running WebSphere MQ classes for JMS applications under the
    Java security manager
    
    in the WebSphere MQ V7.1, V7.5 and V8.0 sections of IBM
    Knowledge Center contained details of the entries that needed to
    be added to the policy configuration file for a Java Runtime
    Environment in order for the Java security manager to grant the
    appropriate permissions required to allow the WebSphere MQ
    classes for Java and classes for JMS to run. Unfortunately, the
    information in these topics was incomplete.
    

Problem conclusion

  • The WebSphere MQ V7.1 and V7.5 classes for Java and classes for
    JMS have been updated to ensure that whenever they require
    access to an MBean server provided by a Java Runtime
    Environment, the access is performed inside
    AccessController.doPrivileged blocks.
    
    In addition to this, a number of configuration and documentation
    updates are applicable and these are described below.
    
    Configuration and documentation updates for WebSphere MQ v7.1
    and V7.5:
    ----------------------------------------------------------------
    ---------------------
    ----------------------------------------------------------------
    ---------------------
    The following permissions need to be specified in the policy
    configuration file for the Java Runtime Environment (in addition
    to those documented in the topics "Running WebSphere MQ classes
    for Java applications under the Java security manager" and
    "Running WebSphere MQ classes for JMS applications under the
    Java security manager" in the WebSphere MQ V7.1 and V7.5
    sections of IBM Knowledge Center) in order to grant the
    appropriate permissions to allows the WebSphere MQ classes for
    Java and classes for JMS to run:
    
    Permission 1:
    ----------------
    permission javax.management.MBeanServerPermission
    "createMBeanServer";
    permission javax.management.MBeanPermission "*", "*";
    Notes: These two permissions are required to allow the WebSphere
    MQ classes for Java and classes for JMS to access the MBean
    server for the Java Runtime Environment they are running in.
    
    Permission 2:
    ----------------
    permission java.util.PropertyPermission "file.separator",
    "read";
    Notes: This permission is required to allow the WebSphere MQ
    classes for Java and classes for JMS to access the
    "file.separator" property, for tracing purposes.
    
    
    Permission 3:
    ----------------
    permission java.util.PropertyPermission
    "com.ibm.jsse2.usefipsprovider","read,write";
    permission java.util.PropertyPermission
    "com.ibm.jsse2.JSSEFIPS","read,write";
    Notes: These permissions are required to determine if an IBM
    Java Runtime Environment is running in FIPS mode, and modify the
    property values status based on the requirements of the
    WebSphere MQ classes for Java and classes for JMS.
    
    Permission 4:
    ----------------
    permission java.net.SocketPermission "*","connect,resolve";
    Notes: The "Running WebSphere MQ classes for Java applications
    under the Java security manager" and "Running WebSphere MQ
    classes for Java applications under the Java security manager"
    topics in the WebSphere MQ V7.1 and V7.5 sections of IBM
    Knowledge Center already document that the "connect" permission
    is required for this property. However, "resolve" is also
    required to allow hostname lookups to be performed.
    
    Permission 5:
    ----------------
    permission java.io.FilePermission
    "<MQ_DATA_DIRECTORY>/exits64/*","read";
    Notes: If an application uses exits that have been installed
    into the <MQ_DATA_DIRECTORY>/exits64" directory, then this
    permission is required.
    
    Permission 6:
    ----------------
    permission java.security.SecurityPermission
    "insertProvider.IBMJCEFIPS";
    Notes: This permission is required if an IBM FIPS provider has
    to be used for SSL communication.
    
    Permission 7:
    ----------------
    permission java.util.PropertyPermission "com.ibm.mq.cfg.*",
    "read";
    Notes: This permission is needed to allow the WebSphere MQ
    configuration properties to be read.
    
    Permission 8:
    ----------------
    permission java.util.PropertyPermission
    "jboss.global.jnp.disableDiscovery","read";
    Notes: This permission is optional. It is only needed for the
    WebSphere MQ V7.1 or V7.5 resource adapter if it has been
    installed into JBoss Application Server, and users want to
    control the auto-discovery behaviour of the Java Runtime
    Environment used by the application server.
    
    
    Configuration and documentation updates for IBM MQ v8:
    ----------------------------------------------------------------
    ----------------------------------------------------------------
    The following permissions need to be specified in the policy
    configuration file for the Java Runtime Environment (in addition
    to those documented in the topics "Running IBM MQ classes for
    Java applications under the Java security manager" and "Running
    IBM MQ classes for JMS applications under the Java security
    manager" in the IBM MQ V8 sections of the IBM Knowledge Center)
    in order to grant the appropriate permissions to allows the IBM
    MQ classes for Java and classes for JMS to run:
    
    Permission 1:
    ----------------
    permission java.util.PropertyPermission "file.separator",
    "read";
    Notes: This permission is required to allow the IBM MQ classes
    for Java and classes for JMS to access the "file.separator"
    property, for tracing purposes.
    
    
    Permission 2:
    ----------------
    permission java.util.PropertyPermission
    "com.ibm.jsse2.usefipsprovider","read,write";
    permission java.util.PropertyPermission
    "com.ibm.jsse2.JSSEFIPS","read,write";
    Notes: These permissions are required to determine if an IBM
    Java Runtime Environment is running in FIPS mode, and modify the
    property values status based on the requirements of the IBM MQ
    classes for Java and classes for JMS.
    
    Permission 3:
    ----------------
    permission java.net.SocketPermission "*","connect,resolve";
    Notes: The "Running IBM MQ classes for Java applications under
    the Java security manager" and "Running IBM MQ classes for JMS
    applications under the Java security manager" topics in the IBM
    MQ V8 sections of IBM Knowledge Center already document that the
    "connect" permission is required for this property. However,
    "resolve" is also required to allow hostname lookups to be
    performed.
    
    Permission 4:
    ----------------
    permission java.io.FilePermission
    "<MQ_DATA_DIRECTORY>/exits64/*","read";
    Notes: If an application uses exits that have been installed
    into the <MQ_DATA_DIRECTORY>/exits64" directory, then this
    permission is required.
    
    Permission 5:
    ----------------
    permission java.security.SecurityPermission
    "insertProvider.IBMJCEFIPS";
    Notes: This permission is required if an IBM FIPS provider has
    to be used for SSL communication.
    
    Permission 6:
    ----------------
    permission java.util.PropertyPermission "com.ibm.mq.cfg.*",
    "read";
    Notes: This permission is needed to allow the IBM MQ
    configuration properties to be read.
    
    ---------------------------------------------------------------
    The fix is targeted for delivery in the following PTFs:
    
    Version    Maintenance Level
    v7.1       7.1.0.8
    v7.5       7.5.0.6
    
    The latest available maintenance can be obtained from
    'WebSphere MQ Recommended Fixes'
    http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006037
    
    If the maintenance level is not yet available information on
    its planned availability can be found in 'WebSphere MQ
    Planned Maintenance Release Dates'
    http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006309
    ---------------------------------------------------------------
    

Temporary fix

Comments

APAR Information

  • APAR number

    IV75404

  • Reported component name

    WMQ AIX V7

  • Reported component ID

    5724H7221

  • Reported release

    710

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2015-07-23

  • Closed date

    2015-09-25

  • Last modified date

    2016-04-08

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WMQ AIX V7

  • Fixed component ID

    5724H7221

Applicable component levels

  • R710 PSY

       UP

[{"Line of Business":{"code":"LOB36","label":"IBM Automation"},"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SSFKSJ","label":"WebSphere MQ"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"7.1"}]

Document Information

Modified date:
08 March 2021