IBM Support

PI52942: MFT command fteSetAgentTraceLevel has to be run under the userid of the agent otherwise it fails with BFGNV0112E

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • An MQ V8.0.0.4 Managed File Transfer agent on z/OS is configured
    to run as a started task. The started task is executed using a
    user identifier that does not have log-on privileges on the z/OS
    system. If another user tries to enable trace for that agent, by
    running the command:
    
    fteSetAgentTraceLevel -traceAgent <trace_specification>
    <agent_name>
    
    the following error occurs:
    
    BFGCL0561E: An attempt to connect to the agent has failed either
    due to the command not having the same user ID as the agent was
    started with or because of a general communication failure. The
    report exception was: BFGNV0112E: Failed to make client
    connection for service <agent name>@<queue manager name> for the
    current user. This is probably because another user is currently
    using the service.
    

Local fix

  • The command will need to be run as the user that the agent is
    running under.
    

Problem summary

  • ****************************************************************
    USERS AFFECTED:
    This issue affects users of the MQ V8 and V9 Managed File
    Transfer component on z/OS who have agents that are running as a
    started task.
    
    
    Platforms affected:
    z/OS
    
    ****************************************************************
    PROBLEM DESCRIPTION:
    When the WebSphere MQ File Transfer Edition product was
    repackaged to be included as a component of the IBM MQ product,
    a number of security enhancements were made. These included
    restricting the commands:
    
    - fteStartAgent
    - fteStopAgent
    - fteSetAgentTraceLevel
    - fteShowAgentDetails
    - fteStartLogger
    - fteStopLogger
    - fteSetLoggerTraceLevel
    
    so that they could only be issued by the user that the agent or
    logger processes were running as.
    
    When using the MQ Managed File Transfer on z/OS, it is possible
    to run agents as a started task. Started tasks typically run as
    an administrative user that does not necessarily have log-on
    privileges. In this situation, it was not possible to log on to
    the z/OS system as the same user that the agent was running
    under, which in turn meant that the commands:
    
    - fteStartAgent
    - fteStopAgent
    - fteSetAgentTraceLevel
    - fteShowAgentDetails
    
    could not be issued for that agent.
    

Problem conclusion

  • A new agent property:
    
    adminGroup
    
    has been added for use with MQ Managed File Transfer V8 agents
    on z/OS. When this property is set to the name of an existing
    group, members of that group can execute the following commands
    for that agent:
    
    - fteStartAgent
    - fteStopAgent
    - fteSetAgentTraceLevel
    - fteShowAgentDetails
    
    and the following message will be written to the agent's event
    log
    
    BFGNV0176I: Members of the group '<group name>' can perform
    administrative tasks on the agent.
    
    If the property is set to the name of a group that does not
    exist, then the message:
    
    BFGNV0175W: The group '<group name>'', specified by the agent
    property "adminGroup", does not exist.
    
    will be written to the agent's event log and only the user that
    the agent process is running under can issue the four commands
    mentioned above.
    
    ---------------------------------------------------------------
    The fix is targeted for delivery in the following PTFs:
    
    Version    Maintenance Level
    v8.0       8.0.0.7
    v9.0 LTS   9.0.0.1
    
    The latest available FTE maintenance can be obtained from
    'Fix List for WebSphere MQ File Transfer Edition 7.0'
    http://www-01.ibm.com/support/docview.wss?uid=swg27015313
    
    The latest available MQ maintenance can be obtained from
    'WebSphere MQ Recommended Fixes'
    http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006037
    
    If the maintenance level is not yet available information on
    its planned availability can be found in 'WebSphere MQ
    Planned Maintenance Release Dates'
    http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006309
    ---------------------------------------------------------------
    

Temporary fix

Comments

APAR Information

  • APAR number

    PI52942

  • Reported component name

    WMQ MFT Z/OS

  • Reported component ID

    5655MFT00

  • Reported release

    800

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2015-11-23

  • Closed date

    2016-11-25

  • Last modified date

    2017-07-06

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WMQ MFT Z/OS

  • Fixed component ID

    5655MFT00

Applicable component levels

  • R800 PSY

       UP

[{"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SSYHRD","label":"IBM MQ"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"8.0","Edition":"","Line of Business":{"code":"LOB36","label":"IBM Automation"}}]

Document Information

Modified date:
06 July 2017