IBM Support

IC90697: AMQ8074 GENERATED FOR WINDOWS QUEUE MANAGER WHEN PCF COMMANDS ARE ROUTED THROUGH A UNIX QUEUE MANAGER

Fixes are available

WebSphere MQ V7.0 Fix Pack 7.0.1.11
Fix Pack 7.1.0.4 for WebSphere MQ V7.1
WebSphere MQ V7.5 Fix Pack 7.5.0.3

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • Configuration:

Windows         Intermediate                      Windows
Application --> Queue Manager                 --> Target

UseridA     --> MCAUSER UseridB on Unix       --> UseridB Fail
AMQ8074

UseridA     --> MCAUSER UseridB on Windows    --> UseridB Pass

UseridA     --> MCAUSER UseridA on Unix       --> UseridA Pass

A Windows application or MQ Explorer using PCF commands to a
target Windows queue manager generates AMQ8074 error when
routed through a Unix queue manager configured with a MCAUSER
id on the SVRCONN channel that is different than what is passed
by the application. The Windows application uses the logged
on Userid (UseridA) which resolves the SID (Windows Security
Identifier) correctly. This is passed to the UNIX queue manager
using a server connection channel. The channel definition on
the Unix queue manager has a different id set for the MCAUSER
field (UseridB).

The Unix queue manager then uses a regular sender/receiver
pair to communicate with the target Windows queue manager.
The target Windows queue manager tries to authenticate the
Userid that was specified for the MCAUSER and fails with a
AMQ8074 error even though that Userid is valid on this Windows
system.

AMQ8074
MESSAGE:
Authorization failed as the SID '<insert one>' does not match
the entity '<insert two>'.
EXPLANATION:
The Object Authority Manager received inconsistent data -
the supplied SID does not match that of the supplied entity
information.

Traces also show 2035 (MQRC_NOT_AUTHORIZED) to open the
SYSTEM.ADMIN.COMMAND.QUEUE.

The Windows queue manager is trying to resolve the SID
of the local user (UseridA) from the client application with
the Userid in the MCAUSER field - (UseridB) passed by
the Unix queue manager and they do not match. SIDs are unique
to Windows and it looks like this is passed to the intermediate
queue manager and then sent on along with userid UseridB using
the sender channel.

This does work if the intermediate queue manager is a Windows
queue manger as the new Userid is resolved with the correct
SID. This also works if the MCAUSER field is left blank on the
UNIX queue manager or the MCAUSER field is set to the same
Userid as the application is sending.

Local fix

  • 



Problem summary


    

  • ****************************************************************
USERS AFFECTED:
Users of WebSphere MQ v7 and above routing PCF messages through
Unix machines.

Platforms affected:
All Unix

****************************************************************
PROBLEM SUMMARY:
A Windows client communicating via an intermediate queue
manager on Unix, sends its SID value at connect time. When the
client puts messages, the agent process at the Unix queue
manager sets the user id as the MCAUSER set on the server
connection channel. When default context is used, the UNIX
machine copies the SID value from the client who sent the
message and then passes this value to the destination windows
queue manager.

On the destination windows queue manager we get the error
"Authorization failed as SID S-x-x-xx-xxxxxxxxxx does not
match that of entity abcd". The SID shown here is that of the
originating client machine and abcd is the mcauser set on the
SVRCONN channel at the UNIX machine.

In the case of a Windows hub, the UserId is filled with the
value of the mcauser and since the SID value of this mcauser is
calculated and sent it puts the message successfully to the
destination windows queue manager.

This happens when the put authority on the receiver channel
at the windows is set to context security. This results in an
MQOPEN issued with the authority of the user set by the MQPUT
and hence the MQOPEN call fails with the above authorization
error.

In the case of put authority set to default the same
authorization error happens but this time it happens at the
command server when it tries to put the reply of the PCF to the
reply queue. Here again, the Userid is filled from the MQMD of
the message received  from the intermediate hub which has the
Userid filled with the MCAUSER set on the SVRCONN channel.

    



Problem conclusion


    

  • WebSphere MQ has been modified so that UNIX queue managers do
not populated the SID field with the SID value taken from the
client machine which was sent with the PCF request. Since UNIX
does not have a concept of SID, this value is rather left blank
and checks at the destination windows queue manager no longer
fail.

---------------------------------------------------------------
The fix is targeted for delivery in the following PTFs:

                   v7.0
Platform           Fix Pack 7.0.1.11
--------           --------------------
AIX                7.0.1.11
HP-UX (PA-RISC)    7.0.1.11
HP-UX (Itanium)    7.0.1.11
Solaris (SPARC)    7.0.1.11
Solaris (x86-64)   7.0.1.11
Linux (x86)        7.0.1.11
Linux (x86-64)     7.0.1.11
Linux (zSeries)    7.0.1.11
Linux (Power)      7.0.1.11

                   v7.1
Platform           Fix Pack 7.1.0.4
--------           --------------------
AIX                7.1.0.4
HP-UX (Itanium)    7.1.0.4
Solaris (SPARC)    7.1.0.4
Solaris (x86-64)   7.1.0.4
Linux (x86)        7.1.0.4
Linux (x86-64)     7.1.0.4
Linux (zSeries)    7.1.0.4
Linux (Power)      7.1.0.4

Platform           v7.5
--------           --------------------
Multiplatforms     7.5.0.3

The latest available maintenance can be obtained from
'WebSphere MQ Recommended Fixes'
http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006037

If the maintenance level is not yet available information on
its planned availability can be found in 'WebSphere MQ
Planned Maintenance Release Dates'
http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006309
---------------------------------------------------------------

    



Temporary fix


    

  • 



Comments


    

  • 



APAR Information




    

  • APAR number
    IC90697
    • 

  • Reported component name
    WMQ WINDOWS V7
    • 

  • Reported component ID
    5724H7220
    • 

  • Reported release
    701
    • 

  • Status
    CLOSED  PER
    • 

  • PE
    NoPE
    • 

  • HIPER
    NoHIPER
    • 

  • Special Attention
    NoSpecatt
    • 

  • Submitted date
    2013-03-07
    • 

  • Closed date
    2013-05-30
    • 

  • Last modified date
    2013-05-30
    • 





    

  • APAR is sysrouted FROM one or more of the following:
    

    • 

  • APAR is sysrouted TO one or more of the following:
    

    • 



Fix information


    

  • Fixed component name
    WMQ WINDOWS V7
    • 

  • Fixed component ID
    5724H7220
    • 



Applicable component levels


    

  • R701  PSY
       UP
    • 








      
              
                            

              

              [{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSDEZSF","label":"IBM WebSphere MQ Managed File Transfer for z\/OS"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"7.0.1","Edition":"","Line of Business":{"code":"LOB45","label":"Automation"}}]
              

                          

          
 
        

      

    

      

        

          

            
Document Information


            

            


                        

            Modified date:
            

            31 March 2023
            

            
                      

        


        

        


      

    

  



    

  

  
    
            

          
Page Feedback