PQ74697: USERS WITH WEBSPHERE MQ JMS CONNECTION FACTORY RESOURCES CREATEDIN BINDINGS MODE WILL NOT RUN WITH 'RUNAS' IDENTITY

 A fix is available

Obtain the fix for this APAR



APAR status
Closed as program error.

Error description
Options are currently limited when performing authentication and
authorization from within WebSphere onto a WebSphere MQ JMS
(i.e., external MQ) provider resource.   It is not presently
possible to use the current RunAs identity (also referred to as
"Thread Identity") as the authentication ID  for authorization
to a WebSphere MQ JMS provider connection factory resource
defined with a Transport Type of "Bindings".
.
Until the full support for the Thread Identity authentication
option is added to WebSphere for z/OS V5, (via this apar)
the server ID will be used in place of the RunAs identity.
Local fix
Users with WebSphere MQ JMS connection factory resources created
in bindings mode (i.e. Transport Type set to "Bindings") should
grant their WebSphere server ID authorization to the appropriate
MQ resources.
Problem summary
****************************************************************
* USERS AFFECTED: All users of WebSphere Application Server    *
*                 V5.0 for z/OS                                *
****************************************************************
* PROBLEM DESCRIPTION: RunAs identity can not be used to       *
*                      perform authentication and              *
*                      authorization to an external WebSphere  *
*                      MQ JMS resource. The userid which the   *
*                      application server runs under is used   *
*                      instead of the RunAs id. Possible       *
*                      MQJMS2013 error code returned from      *
*                      WebSphere MQ if server id has not been  *
*                      granted authority to the MQ resource.   *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
WebSphere V5.0 for z/OS provides a variety of options for
selecting the userid to use to perform authentication and
authorization to an EIS resource such as WebSphere MQ.

This problem applies in the following scenario:
* Application declares a resource reference to a JMS Connection
  Factory and chooses Resource Authentication of "Container"
  (and not "Application").
* The resource used to resolve this resource reference:
  *  Is a WebSphere MQ JMS resource (not WebSphere JMS)
  *  Is defined with Transport Type = "BINDINGS"
  *  Does NOT have either a Container-managed or
     Component-managed authentication alias defined.

In such a scenario, the "Thread Identity" authentication
option should take precedence which is another way of saying
that the RunAs identity will be used to perform
authentication and authorization to the WebSphere MQ resource.

Currently, though, the Thread Identity support is not
functional and so the userid of the server will be used in
place of the RunAs id.

This problem could surface as a MQJMS2013 error code returned
from WebSphere MQ if the server id has not been granted
authority to the WebSphere MQ resource.
Problem conclusion
Thread Identity support is now fully functional.  This APAR,
which enables Thread Identity support for WebSphere MQ JMS
resources has a prerequisite of 
PQ74701 (delivered in the same
PTF as this APAR), which enables Thread Identity support on
WebSphere V5.0 for z/OS for connecting to EIS Resources.

APAR PQ74697 is associated with SERVICE LEVEL W500103 of
WebSphere Application Server V5.0 for z/OS.
Temporary fix Comments
APAR information
APAR number PQ74697
Reported component name WEBSPHERE FOR Z
Reported component ID 5655I3500
Reported release 500
Status CLOSED PER
PE NoPE
HIPER NoHIPER
Special Attention NoSpecatt
Submitted date 2003-05-30
Closed date 2003-08-01
Last modified date 2003-08-08

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:

Modules/Macros
BBOUBINF          

Publications Referenced

Fix information
Fixed component name WEBSPHERE FOR Z
Fixed component ID 5655I3500

Applicable component levels
R500 PSY UQ79131    UP03/08/08 I 1000

  Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.


Document Information


Current web document: swg1PQ74697.html
Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server for z/OS
Operating system(s):
Software version: 500
Software edition:
Reference #: PQ74697
IBM Group: Software Group
Modified date: Aug 8, 2003