Security manager messages (CSQH...)
- CSQH001I
-
Security using uppercase classes
- Severity
- 0
- Explanation
-
This message is issued to inform you that security is currently using the uppercase classes MQPROC, MQNLIST, MQQUEUE and MQADMIN.
- CSQH002I
-
Security using mixed case classes
- Severity
- 0
- Explanation
-
This message is issued to inform you that security is currently using the mixed case classes MXPROC, MXNLIST, MXQUEUE and MXADMIN.
- CSQH003I
-
Security refresh did not take place for class class-name
- Severity
- 4
- Explanation
-
This message follows message CSQH004I when an attempt to refresh class MQPROC, MQNLIST, or MQQUEUE was unsuccessful because of a return code from a SAF RACROUTE REQUEST=STAT call. The return code is given in message CSQH004I.
- System action
-
The refresh does not occur.
- System programmer response
-
Check that the class in question (class-name) is set up correctly. See message CSQH004I for the reason for the problem.
- CSQH004I
-
csect-name STAT call failed for class class-name, SAF return code= saf-rc, ESM return code=esm-rc
- Severity
- 8
- Explanation
-
This message is issued as a result of a SAF RACROUTE REQUEST=STAT call to your external security manager (ESM) returning a non-zero return code at one of the following times:
- During initialization, or in response to a REFRESH SECURITY command
  If the return codes from SAF and your ESM are not zero, and are unexpected, this will cause abnormal termination with one of the following reason codes:
  - X'00C8000D'
  - X'00C80032'
  - X'00C80038'
- In response to a REFRESH SECURITY command.
  If the return codes from SAF and your ESM are not zero (for example, because a class is not active because you are not going to use it) this message is returned to the issuer of the command to advise that the STAT call failed.
Possible causes of the failure are:
- The class is not installed
- The class is not active
- The external security manager (ESM) is not active
- The RACF® z/OS® router table is incorrect
- System programmer response
-
To determine if you need to take any action, see the Security Server External Security Interface (RACROUTE) Macro Reference for more information about the return codes.
- CSQH005I
-
csect-name resource-type In-storage profiles successfully listed
- Severity
- 0
- Explanation
-
This message is issued in response to a REFRESH SECURITY command that caused the in-storage profiles to be RACLISTED (that is, rebuilt); for example, when the security switch for a resource is set on, or a refresh for a specific class is requested that requires the in-storage tables to be rebuilt.
- System programmer response
-
This message is issued so that you can check the security configuration of your queue manager.
- CSQH006I
-
Error returned from CSQTTIME, security timer not started
- Severity
- 8
- Explanation
-
An error was returned from the MQ timer component, so the security timer was not started.
- System action
-
The queue manager terminates abnormally, with a reason code of X'00C80042'.
- System programmer response
-
See Security manager codes (X'C8') for an explanation of the reason code.
- CSQH007I
-
Reverify flag not set for user-id userid, no entry found
- Severity
- 0
- Explanation
-
A user identifier (user-id) specified in the RVERIFY SECURITY command was not valid because there was no entry found for it in the internal control table. This could be because the identifier was entered incorrectly in the command, or because it was not in the table (for example, because it had timed out).
- System action
-
The user identifier (user-id) is not flagged for reverify.
- System programmer response
-
Check that the identifier was entered correctly.
- CSQH008I
-
Subsystem security not active, no userids processed
- Severity
- 0
- Explanation
-
The RVERIFY SECURITY command was issued, but the subsystem security switch is off, so there are no internal control tables to flag for reverification.
- CSQH009I
-
Errors occurred during security timeout processing
- Severity
- 8
- Explanation
-
This message is sent to the system log either:
- If an error occurs during security timeout processing (for example, a nonzero return code from the external security manager (ESM) during delete processing)
- Prior to a message CSQH010I if a nonzero return code is received from the timer (CSQTTIME) during an attempt to restart the security timer
- System action
-
Processing continues.
- System programmer response
-
Contact your IBM® support center to report the problem.
- CSQH010I
-
csect-name Security timeout timer not restarted
- Severity
- 8
- Explanation
-
This message is issued to inform you that the security timeout timer is not operational. The reason for this depends on which of the following messages precedes this one:
- CSQH009I: An error occurred during timeout processing
- CSQH011I: The timeout interval has been set to zero
- System action
-
If this message follows message CSQH009I, the queue manager ends abnormally with one of the following reason codes:
- csect-name CSQHTPOP: reason code X'00C80040'
- csect-name CSQHPATC: reason code X'00C80041'
- System programmer response
-
See Security manager codes (X'C8') for information about the reason code.
- CSQH011I
-
csect-name Security interval is now set to zero
- Severity
- 0
- Explanation
-
The ALTER SECURITY command was entered with the INTERVAL attribute set to 0. This means that no user timeouts will occur.
- System programmer response
-
This message is issued to warn you that no security timeouts will occur. Check that this is what was intended.
- CSQH012I
-
Errors occurred during ALTER SECURITY timeout processing
- Severity
- 8
- Explanation
-
This message is issued in response to an ALTER SECURITY command if errors have been detected during timeout processing (for example, a nonzero return code from the external security manager (ESM) during timeout processing).
- System action
-
Processing continues.
- System programmer response
-
Contact your IBM support center to report the problem.
- CSQH013E
-
csect-name Case conflict for class class-name
- Severity
- 8
- Explanation
-
A REFRESH SECURITY command was issued, but the case currently in use for the class class-name differs from the system setting and, if refreshed, would result in the set of classes using different case settings.
- System action
-
The refresh does not occur.
- System programmer response
-
Check that the class in question (class-name) is set up correctly and that the system setting is correct. If a change in case setting is required, issue the REFRESH SECURITY(*) command to change all classes.
- CSQH015I
-
Security timeout = number minutes
- Severity
- 0
- Explanation
-
This message is issued in response to the DISPLAY SECURITY TIMEOUT command, or as part of the DISPLAY SECURITY ALL command.
- CSQH016I
-
Security interval = number minutes
- Severity
- 0
- Explanation
-
This message is issued in response to the DISPLAY SECURITY INTERVAL command, or as part of the DISPLAY SECURITY ALL command.
- CSQH017I
-
Security refresh completed with errors in signoff
- Severity
- 8
- Explanation
-
This message is issued when an error has been detected in refresh processing; for example, a nonzero return code from the external security manager (ESM) during signoff or delete processing.
- System action
-
Processing continues.
- System programmer response
-
Contact your IBM support center to report the problem.
- CSQH018I
-
csect-name Security refresh for resource-type not processed, security switch set OFF
- Severity
- 0
- Explanation
-
A REFRESH SECURITY command was issued for resource type resource-type. However, the security switch for this type or the subsystem security switch is currently set off.
Note: This message is issued only for resource types MQQUEUE, MQPROC, and MQNLIST, because MQADMIN is always available for refresh.
- System programmer response
-
Ensure that the REFRESH SECURITY request was issued for the correct resource type.
- CSQH019I
-
Keyword values are incompatible
- Severity
- 8
- Explanation
-
The REFRESH SECURITY command was issued, but the command syntax is incorrect because a keyword value that is specified conflicts with the value for another keyword.
- System action
-
The command is not executed.
- System programmer response
-
See REFRESH SECURITY for more information.
- CSQH021I
-
csect-name switch-type security switch set OFF, profile 'profile-type' found
- Severity
- 0
- Explanation
-
This message is issued during queue manager initialization and in response to a REFRESH SECURITY command for each security switch that is set OFF because the named security profile has been found.
- System action
-
If the subsystem security switch is set off, you will get only one message (for that switch).
- System programmer response
-
Messages CSQH021I through CSQH026I are issued so that you can check the security configuration of your queue manager. See Switch profiles for information about setting security switches.
- CSQH022I
-
csect-name switch-type security switch set ON, profile 'profile-type' found
- Severity
- 0
- Explanation
-
This message is issued during queue manager initialization and in response to a REFRESH SECURITY command for each security switch that is set ON because the named security profile has been found.
- System programmer response
-
Messages CSQH021I through CSQH026I are issued so that you can check the security configuration of your queue manager. See Switch profiles for information about setting security switches.
- CSQH023I
-
csect-name switch-type security switch set OFF, profile 'profile-type' not found
- Severity
- 0
- Explanation
-
This message is issued during queue manager initialization and in response to a REFRESH SECURITY command for each security switch that is set OFF because the named security profile has not been found.
- System action
-
If the subsystem security switch is set off, you will get only one message (for that switch).
- System programmer response
-
Messages CSQH021I through CSQH026I are issued so that you can check the security configuration of your queue manager. See Switch profiles for information about setting security switches.
- CSQH024I
-
csect-name switch-type security switch set ON, profile 'profile-type' not found
- Severity
- 0
- Explanation
-
This message is issued during queue manager initialization and in response to a REFRESH SECURITY command for each security switch that is set ON because the named security profile has not been found.
- System programmer response
-
Messages CSQH021I through CSQH026I are issued so that you can check the security configuration of your queue manager. See Switch profiles for information about setting security switches.
- CSQH025I
-
csect-name switch-type security switch set OFF, internal error
- Severity
- 0
- Explanation
-
This message is issued during queue manager initialization and in response to a REFRESH SECURITY command for each security switch that is set OFF because an error occurred.
- System action
-
The message might be issued with message CSQH004I when an unexpected setting is encountered for a switch.
- System programmer response
-
See message CSQH004I for more information.
Messages CSQH021I through CSQH026I are issued so that you can check the security configuration of your queue manager.
- CSQH026I
-
csect-name switch-type security switch forced ON, profile 'profile-type' overridden
- Severity
- 0
- Explanation
-
This message is issued during queue manager initialization and in response to a REFRESH SECURITY command for each security switch that was forced ON. This happens when an attempt was made to turn off both the queue manager and queue sharing group security switches for the named profile, which is not allowed.
- System programmer response
-
Correct the profiles for the queue manager and queue sharing group security switches, and refresh security if required.
Messages CSQH021I through CSQH026I are issued so that you can check the security configuration of your queue manager. See Switch profiles for information about setting security switches.
- CSQH030I
-
Security switches ...
- Severity
- 0
- Explanation
-
This is issued in response to a DISPLAY SECURITY ALL or DISPLAY SECURITY SWITCHES command and is followed by messages CSQH031I through CSQH036I for each security switch to show its setting and the security profile used to establish it.
- System action
-
If the subsystem security switch is set off, you will get only one message (for that switch). Otherwise, a message is issued for each security switch.
- CSQH031I
-
switch-type OFF, 'profile-type' found
- Severity
- 0
- Explanation
-
This message is issued in response to a DISPLAY SECURITY ALL or DISPLAY SECURITY SWITCHES command for each security switch that is set OFF because the named security profile has been found.
- System action
-
If the subsystem security switch is set off, you will get only one message (for that switch).
- CSQH032I
-
switch-type ON, 'profile-type' found
- Severity
- 0
- Explanation
-
This message is issued in response to a DISPLAY SECURITY ALL or DISPLAY SECURITY SWITCHES command for each security switch that is set ON because the named security profile has been found.
- CSQH033I
-
switch-type OFF, 'profile-type' not found
- Severity
- 0
- Explanation
-
This message is issued in response to a DISPLAY SECURITY ALL or DISPLAY SECURITY SWITCHES command for each security switch that is set OFF because the named security profile has not been found.
- System action
-
If the subsystem security switch is set off, you will get only one message (for that switch).
- CSQH034I
-
switch-type ON, 'profile-type' not found
- Severity
- 0
- Explanation
-
This message is issued in response to a DISPLAY SECURITY ALL or DISPLAY SECURITY SWITCHES command for each security switch that is set ON because the named security profile has not been found.
- CSQH035I
-
switch-type OFF, internal error
- Severity
- 0
- Explanation
-
This message is issued in response to a DISPLAY SECURITY ALL or DISPLAY SECURITY SWITCHES command for each security switch that is set OFF because an error occurred during initialization or when refreshing security.
- System action
-
The message is issued when an unexpected setting is encountered for a switch.
- System programmer response
-
Check all your security switch settings. Review the z/OS system log file for other CSQH messages for errors during IBM MQ startup or when running RUNMQSC security refresh commands.
If required, correct them and refresh your security.
- CSQH036I
-
switch-type ON, 'profile-type' overridden
- Severity
- 0
- Explanation
-
This message is issued in response to a DISPLAY SECURITY ALL or DISPLAY SECURITY SWITCHES command for each security switch that was forced ON. This happens when an attempt was made to turn off both the queue manager and queue sharing group security switches for the named profile, which is not allowed.
- System programmer response
-
Correct the profiles for the queue manager and queue sharing group security switches, and refresh security if required.
- CSQH037I
-
Security using uppercase classes
- Severity
- 0
- Explanation
-
This message is issued in response to a DISPLAY SECURITY ALL or DISPLAY SECURITY SWITCHES command to inform you that security is currently using the uppercase classes MQPROC, MQNLIST, MQQUEUE and MQADMIN.
- CSQH038I
-
Security using mixed case classes
- Severity
- 0
- Explanation
-
This message is issued in response to a DISPLAY SECURITY ALL or DISPLAY SECURITY SWITCHES command to inform you that security is currently using the mixed case classes MXPROC, MXNLIST, MXQUEUE and MXADMIN.
- CSQH040I
-
Connection authentication ...
- Severity
- 0
- Explanation
-
This message is issued during queue manager initialization, in response to a DISPLAY SECURITY command, and in response to a REFRESH SECURITY TYPE(CONNAUTH) command. It is followed by messages CSQH041I and CSQH042I to show the value of the connection authentication settings.
- CSQH041I
-
Client checks: check-client-value
- Severity
- 0
- Explanation
-
This message is issued during queue manager initialization, in response to a DISPLAY SECURITY command, and in response to a REFRESH SECURITY TYPE(CONNAUTH) command. It shows the current value of connection authentication client checks.
If the value shown is '????', the connection authentication settings could not be read. Preceding error messages explain why. Any application that connects while the queue manager is in this state results in error message CSQH045E.
- CSQH042I
-
Local bindings checks: check-local-value
- Severity
- 0
- Explanation
-
This message is issued during queue manager initialization, in response to a DISPLAY SECURITY command, and in response to a REFRESH SECURITY TYPE(CONNAUTH) command. It shows the current value of connection authentication local bindings checks.
If the value shown is '????', the connection authentication settings could not be read. Preceding error messages explain why. Any application that connects while the queue manager is in this state results in error message CSQH045E.
- CSQH043E
-
csect-name Object AUTHINFO(object-name) does not exist or has wrong type
- Severity
- 8
- Explanation
-
During queue manager initialization or while processing a REFRESH SECURITY TYPE(CONNAUTH) command, the authentication information object named in the queue manager's CONNAUTH field was referenced. It was found to either not exist, or not have AUTHTYPE(IDPWOS).
- System action
-
If this message is issued in response to a REFRESH SECURITY TYPE(CONNAUTH) command, the command fails and the connection authentication settings remain unchanged.
If this message is issued during queue manager initialization, all connection attempts are refused with reason MQRC_NOT_AUTHORIZED until the connection authentication settings have been corrected.
- System programmer response
-
Ensure the authentication information object object-name has been defined correctly. Ensure the queue manager's CONNAUTH field is referencing the correct object name. Correct the configuration, then issue a REFRESH SECURITY TYPE(CONNAUTH) command for the changes to become active.
- CSQH044E
-
csect-name Access to AUTHINFO(object-name) object failed, reason=mqrc (mqrc-text)
- Severity
- 8
- Explanation
-
During queue manager initialization or while processing a REFRESH SECURITY TYPE(CONNAUTH) command, the authentication information object named in the queue manager's CONNAUTH field could not be accessed for the reason given by mqrc (mqrc-text provides the MQRC in textual form).
- System action
-
If this message is issued in response to a REFRESH SECURITY TYPE(CONNAUTH) command, the command fails and the connection authentication settings remain unchanged.
If this message is issued during queue manager initialization, all connection attempts are refused with reason MQRC_NOT_AUTHORIZED until the connection authentication settings have been corrected.
- System programmer response
-
Ensure the authentication information object object-name has been defined correctly. Ensure the queue manager's CONNAUTH field is referencing the correct object name. Refer to API completion and reason codes for information about mqrc to determine why the object cannot be accessed. Correct the configuration, then issue a REFRESH SECURITY TYPE(CONNAUTH) command for the changes to become active.
- CSQH045E
-
csect-name application did not provide a password
- Severity
- 8
- Explanation
-
An application connected without supplying a user ID and password for authentication and the queue manager is configured to require this type of application to supply one.
If this is a client application, the configuration attribute CHCKCLNT is set to REQUIRED. application is identified by channel name/connection details.
If this is a locally bound application, the configuration attribute CHCKLOCL is set to REQUIRED. application is identified by user id/application name.
If the connection authentication configuration could not be read, this message will also be seen. See messages CSQH041I and CSQH042I.
- System action
-
The connection fails and the application is returned MQRC_NOT_AUTHORIZED.
- System programmer response
-
Ensure all applications are updated to supply a user ID and password, or alter the connection authentication configuration to OPTIONAL instead of REQUIRED, to allow applications to connect that have not supplied a user ID and password.
If the connection authentication configuration could not be read, check for earlier error messages and make corrections based on what is reported.
After making configuration changes, issue a REFRESH SECURITY TYPE(CONNAUTH) command for the changes to become active.
If the application is a client application, the user ID and password can be supplied without changing the application code, by using a security exit, such as mqccred, which is supplied with the IBM MQ MQI client.
- CSQH046E
-
csect-name application supplied a password for user ID userid that has expired
- Severity
- 8
- Explanation
-
An application connected and supplied a user ID userid and password for authentication. The password supplied has expired.
If this is a client application, application is identified as 'channel name'/'connection details'.
If this is a locally bound application, application is identified as 'running user id'/'application name'.
- System action
-
The connection fails and the application is returned MQRC_NOT_AUTHORIZED.
- System programmer response
-
Set a new password for userid using O/S facilities and retry the connect from the application using the new password.
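
As an added example (not part of the IBM MQ documentation), the following Python script scans log lines for the CSQH messages described on this page that merit a security review: switches set OFF or forced ON (CSQH021I, CSQH023I, CSQH025I, CSQH026I), a zero security interval (CSQH011I), a failed STAT call (CSQH004I), and connection authentication problems (CSQH041I through CSQH046E). The log line layout and the csect names, switch types, profile names and return code values in the sample are constructed placeholders.

```python
import re

# Message IDs and their meanings are taken from the descriptions on this page.
FINDINGS = {
    "CSQH004I": "STAT call failed for a class",
    "CSQH011I": "security interval is zero, no user timeouts will occur",
    "CSQH021I": "security switch OFF, switch profile found",
    "CSQH023I": "security switch OFF, profile not found",
    "CSQH025I": "security switch OFF, internal error",
    "CSQH026I": "security switch forced ON, profile overridden",
    "CSQH043E": "CONNAUTH object does not exist or has wrong type",
    "CSQH044E": "CONNAUTH object could not be accessed",
    "CSQH045E": "connection refused, no password supplied",
    "CSQH046E": "connection refused, expired password",
}
# CSQH041I / CSQH042I are informational unless the value shown is '????'.
CONNAUTH_VALUES = {"CSQH041I": "client checks", "CSQH042I": "local bindings checks"}

# Assumption: each log line carries the message ID followed by the message
# text; anything before the ID (timestamp, job name) is ignored.
MSG_RE = re.compile(r"\b(CSQH\d{3}[IE])\s+(.*\S)\s*$")

# Constructed sample input; csect names, switch types and profile names are
# placeholders, not values from a real queue manager.
SAMPLE_LOG = """\
10.01.02 CSQH024I csect-a switch-a security switch set ON, profile 'profile-a' not found
10.01.02 CSQH021I csect-a switch-b security switch set OFF, profile 'profile-b' found
10.01.03 CSQH040I Connection authentication ...
10.01.03 CSQH041I Client checks: ????
10.01.03 CSQH042I Local bindings checks: OPTIONAL
10.05.10 CSQH011I csect-b Security interval is now set to zero
10.06.00 CSQH004I csect-c STAT call failed for class MQPROC, SAF return code= 4, ESM return code=0
"""


def audit(lines):
    """Return (msg_id, finding, text) for each line that needs a reviewer's attention."""
    results = []
    for line in lines:
        match = MSG_RE.search(line)
        if not match:
            continue
        msg_id, text = match.groups()
        if msg_id in FINDINGS:
            results.append((msg_id, FINDINGS[msg_id], text))
        elif msg_id in CONNAUTH_VALUES:
            # '????' means the connection authentication settings were not read.
            if text.partition(":")[2].strip() == "????":
                finding = CONNAUTH_VALUES[msg_id] + " setting could not be read"
                results.append((msg_id, finding, text))
    return results


if __name__ == "__main__":
    for msg_id, finding, text in audit(SAMPLE_LOG.splitlines()):
        print(f"{msg_id}: {finding} | {text}")
```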