Security manager messages (CSQH...)

    CSQH001I

    Security using uppercase classes

    Severity
    0

    Explanation

    This message is issued to inform you that security is currently using the uppercase classes MQPROC, MQNLIST, MQQUEUE and MQADMIN.

    CSQH002I

    Security using mixed case classes

    Severity
    0

    Explanation

    This message is issued to inform you that security is currently using the mixed case classes MXPROC, MXNLIST, MXQUEUE and MXADMIN.

    CSQH003I

    Security refresh did not take place for class class-name

    Severity
    4

    Explanation

    This message follows message CSQH004I when an attempt to refresh class MQPROC, MQNLIST, or MQQUEUE was unsuccessful because of a return code from a SAF RACROUTE REQUEST=STAT call. The return code is given in message CSQH004I.

    System action

    The refresh does not occur.

    System programmer response

    Check that the class in question (class-name) is set up correctly. See message CSQH004I for the reason for the problem.

    CSQH004I

    csect-name STAT call failed for class class-name, SAF return code= saf-rc, ESM return code=esm-rc

    Severity
    8

    Explanation
    This message is issued as a result of a SAF RACROUTE REQUEST=STAT call to your external security manager (ESM) returning a non-zero return code at one of the following times:

    • During initialization, or in response to a REFRESH SECURITY command If the return codes from SAF and your ESM are not zero, and are unexpected, this will cause abnormal termination with one of the following reason codes:

      • X'00C8000D'
      • X'00C80032'
      • X'00C80038'

    • In response to a REFRESH SECURITY command.

      If the return codes from SAF and your ESM are not zero (for example, because a class is not active because we are not going to use it) this message is returned to the issuer of the command to advise that the STAT call failed.

    Possible causes of this problem are:

    • The class is not installed
    • The class is not active
    • The external security manager (ESM) is not active
    • The RACF z/OS router table is incorrect

    System programmer response

    To determine if we need to take any action, see the Security Server External Security Interface (RACROUTE) Macro Reference for more information about the return codes.

    CSQH005I

    csect-name resource-type In-storage profiles successfully listed

    Severity
    0

    Explanation

    This message is issued in response to a REFRESH SECURITY command that caused the in-storage profiles to be RACLISTED (that is, rebuilt); for example, when the security switch for a resource is set on, or a refresh for a specific class is requested that requires the in-storage tables to be rebuilt.

    System programmer response

    This message is issued so that we can check the security configuration of our queue manager.

    CSQH006I

    Error returned from CSQTTIME, security timer not started

    Severity
    8

    Explanation

    An error was returned from the MQ timer component, so the security timer was not started.

    System action

    The queue manager terminates abnormally, with a reason code of X'00C80042'.

    System programmer response

    See Security manager codes (X'C8') for an explanation of the reason code.

    CSQH007I

    Reverify flag not set for user-id userid, no entry found

    Severity
    0

    Explanation

    A user identifier (user-id) specified in the RVERIFY SECURITY command was not valid because there was no entry found for it in the internal control table. This could be because the identifier was entered incorrectly in the command, or because it was not in the table (for example, because it had timed-out).

    System action

    The user identifier (user-id) is not flagged for reverify.

    System programmer response

    Check that the identifier was entered correctly.

    CSQH008I

    Subsystem security not active, no userids processed

    Severity
    0

    Explanation

    The RVERIFY SECURITY command was issued, but the subsystem security switch is off, so there are no internal control tables to flag for reverification.

    CSQH009I

    Errors occurred during security timeout processing

    Severity
    8

    Explanation
    This message is sent to the system log either:

    • If an error occurs during security timeout processing (for example, a nonzero return code from the external security manager (ESM) during delete processing)
    • Prior to a message CSQH010I if a nonzero return code is received from the timer (CSQTTIME) during an attempt to restart the security timer

    System action

    Processing continues.

    System programmer response

    Contact the IBM support center to report the problem.

    CSQH010I

    csect-name Security timeout timer not restarted

    Severity
    8

    Explanation
    This message is issued to inform you that the security timeout timer is not operational. The reason for this depends on which of the following messages precedes this one:

      CSQH009I
      An error occurred during timeout processing

      CSQH011I
      The timeout interval has been set to zero

    System action
    If this message follows message CSQH009I, the queue manager ends abnormally with one of the following reason codes:

      csect-name
      Reason code

      CSQHTPOP
      X'00C80040'

      CSQHPATC
      X'00C80041'

    System programmer response

    See Security manager codes (X'C8') for information about the reason code.

    CSQH011I

    csect-name Security interval is now set to zero

    Severity
    0

    Explanation

    The ALTER SECURITY command was entered with the INTERVAL attribute set to 0. This means that no user timeouts will occur.

    System programmer response

    This message is issued to warn you that no security timeouts will occur. Check that this is what was intended.

    CSQH012I

    Errors occurred during ALTER SECURITY timeout processing

    Severity
    8

    Explanation

    This message is issued in response to an ALTER SECURITY command if errors have been detected during timeout processing (for example, a nonzero return code from the external security manager (ESM) during timeout processing).

    System action

    Processing continues.

    System programmer response

    Contact the IBM support center to report the problem.

    CSQH013E

    csect-name Case conflict for class class-name

    Severity
    8

    Explanation

    A REFRESH SECURITY command was issued, but the case currently in use for the class class-name differs from the system setting and if refreshed would result in the set of classes using different case settings.

    System action

    The refresh does not occur.

    System programmer response

    Check that the class in question (class-name) is set up correctly and that the system setting is correct. If a change in case setting is required, issue the REFRESH SECURITY(*) command to change all classes.

    CSQH015I

    Security timeout = number minutes

    Severity
    0

    Explanation

    This message is issued in response to the DISPLAY SECURITY TIMEOUT command, or as part of the DISPLAY SECURITY ALL command.

    CSQH016I

    Security interval = number minutes

    Severity
    0

    Explanation

    This message is issued in response to the DISPLAY SECURITY INTERVAL command, or as part of the DISPLAY SECURITY ALL command.

    CSQH017I

    Security refresh completed with errors in signoff

    Severity
    8

    Explanation

    This message is issued when an error has been detected in refresh processing; for example, a nonzero return code from the external security manager (ESM) during signoff or delete processing.

    System action

    Processing continues.

    System programmer response

    Contact the IBM support center to report the problem.

    CSQH018I

    csect-name Security refresh for resource-type not processed, security switch set OFF

    Severity
    0

    Explanation

    A REFRESH SECURITY command was issued for resource type resource-type. However, the security switch for this type or the subsystem security switch is currently set off.

    Note: This message is issued only for resource types MQQUEUE, MQPROC, and MQNLIST, because MQADMIN is always available for refresh.

    System programmer response

    Ensure that the REFRESH SECURITY request was issued for the correct resource type.

    CSQH019I

    Keyword values are incompatible

    Severity
    8

    Explanation

    The REFRESH SECURITY command was issued, but the command syntax is incorrect because a keyword value that is specified conflicts with the value for another keyword.

    System action

    The command is not executed.

    System programmer response

    See REFRESH SECURITY for more information.

    CSQH021I

    csect-name switch-type security switch set OFF, profile 'profile-type' found

    Severity
    0

    Explanation

    This message is issued during queue manager initialization and in response to a REFRESH SECURITY command for each security switch that is set OFF because the named security profile has been found.

    System action

    If the subsystem security switch is set off, we will get only one message (for that switch).

    System programmer response

    Messages CSQH021I through CSQH026I are issued so that we can check the security configuration of your queue manager. See Switch profiles for information about setting security switches.

    CSQH022I

    csect-name switch-type security switch set ON, profile 'profile-type' found

    Severity
    0

    Explanation

    This message is issued during queue manager initialization and in response to a REFRESH SECURITY command for each security switch that is set ON because the named security profile has been found.

    System programmer response

    Messages CSQH021I through CSQH026I are issued so that we can check the security configuration of your queue manager. See Switch profiles for information about setting security switches.

    CSQH023I

    csect-name switch-type security switch set OFF, profile 'profile-type' not found

    Severity
    0

    Explanation

    This message is issued during queue manager initialization and in response to a REFRESH SECURITY command for each security switch that is set OFF because the named security profile has not been found.

    System action

    If the subsystem security switch is set off, we will get only one message (for that switch).

    System programmer response

    Messages CSQH021I through CSQH026I are issued so that we can check the security configuration of your queue manager. See Switch profiles for information about setting security switches.

    CSQH024I

    csect-name switch-type security switch set ON, profile 'profile-type' not found

    Severity
    0

    Explanation

    This message is issued during queue manager initialization and in response to a REFRESH SECURITY command for each security switch that is set ON because the named security profile has not been found.

    System programmer response

    Messages CSQH021I through CSQH026I are issued so that we can check the security configuration of your queue manager. See Switch profiles for information about setting security switches.

    CSQH025I

    csect-name switch-type security switch set OFF, internal error

    Severity
    0

    Explanation

    This message is issued during queue manager initialization and in response to a REFRESH SECURITY command for each security switch that is set OFF because an error occurred.

    System action

    The message might be issued with message CSQH004I when an unexpected setting is encountered for a switch.

    System programmer response

    See message CSQH004I for more information.

    Messages CSQH021I through CSQH026I are issued so that we can check the security configuration of your queue manager.

    CSQH026I

    csect-name switch-type security switch forced ON, profile 'profile-type' overridden

    Severity
    0

    Explanation

    This message is issued during queue manager initialization and in response to a REFRESH SECURITY command for each security switch that was forced ON. This happens when an attempt was made to turn off both the queue manager and queue sharing group security switches for the named profile, which is not allowed.

    System programmer response

    Correct the profiles for the queue manager and queue sharing group security switches, and refresh security if required.

    Messages CSQH021I through CSQH026I are issued so that we can check the security configuration of your queue manager. See Switch profiles for information about setting security switches.

    CSQH030I

    Security switches ...

    Severity
    0

    Explanation

    This is issued in response to a DISPLAY SECURITY ALL or DISPLAY SECURITY SWITCHES command and is followed by messages CSQH031I through CSQH036I for each security switch to show its setting and the security profile used to establish it.

    System action

    If the subsystem security switch is set off, we will get only one message (for that switch). Otherwise, a message is issued for each security switch.

    CSQH031I

    switch-type OFF, 'profile-type' found

    Severity
    0

    Explanation

    This message is issued in response to a DISPLAY SECURITY ALL or DISPLAY SECURITY SWITCHES command for each security switch that is set OFF because the named security profile has been found.

    System action

    If the subsystem security switch is set off, we will get only one message (for that switch).

    CSQH032I

    switch-type ON, 'profile-type' found

    Severity
    0

    Explanation

    This message is issued in response to a DISPLAY SECURITY ALL or DISPLAY SECURITY SWITCHES command for each security switch that is set ON because the named security profile has been found.

    CSQH033I

    switch-type OFF, 'profile-type' not found

    Severity
    0

    Explanation

    This message is issued in response to a DISPLAY SECURITY ALL or DISPLAY SECURITY SWITCHES command for each security switch that is set OFF because the named security profile has not been found.

    System action

    If the subsystem security switch is set off, we will get only one message (for that switch).

    CSQH034I

    switch-type ON, 'profile-type' not found

    Severity
    0

    Explanation

    This message is issued in response to a DISPLAY SECURITY ALL or DISPLAY SECURITY SWITCHES command for each security switch that is set ON because the named security profile has not been found.

    CSQH035I

    switch-type OFF, internal error

    Severity
    0

    Explanation

    This message is issued in response to a DISPLAY SECURITY ALL or DISPLAY SECURITY SWITCHES command for each security switch that is set OFF because an error occurred during initialization or when refreshing security.

    System action

    The message is be issued when an unexpected setting is encountered for a switch.

    System programmer response

    Check all your security switch settings. Review the z/OS system log file for other CSQH messages for errors during IBM MQ startup or when running RUNMQSC security refresh commands.

    If required, correct them and refresh your security.

    CSQH036I

    switch-type ON, 'profile-type' overridden

    Severity
    0

    Explanation

    This message is issued in response to a DISPLAY SECURITY ALL or DISPLAY SECURITY SWITCHES command for each security switch that was forced ON. This happens when an attempt was made to turn off both the queue manager and queue sharing group security switches for the named profile, which is not allowed.

    System programmer response

    Correct the profiles for the queue manager and queue sharing group security switches, and refresh security if required.

    CSQH037I

    Security using uppercase classes

    Severity
    0

    Explanation

    This message is issued in response to a DISPLAY SECURITY ALL or DISPLAY SECURITY SWITCHES command to inform you that security is currently using the uppercase classes MQPROC, MQNLIST, MQQUEUE and MQADMIN.

    CSQH038I

    Security using mixed case classes

    Severity
    0

    Explanation

    This message is issued in response to a DISPLAY SECURITY ALL or DISPLAY SECURITY SWITCHES command to inform you that security is currently using the mixed case classes MXPROC, MXNLIST, MXQUEUE and MXADMIN.

    CSQH040I

    Connection authentication ...

    Severity
    0

    Explanation

    This message is issued during queue manager initialization, in response to a DISPLAY SECURITY command, and in response to a REFRESH SECURITY TYPE(CONNAUTH) command. It is followed by messages CSQH041I and CSQH042I to show the value of the connection authentication settings.

    CSQH041I

    Client checks: check-client-value

    Severity
    0

    Explanation

    This message is issued during queue manager initialization, in response to a DISPLAY SECURITY command, and in response to a REFRESH SECURITY TYPE(CONNAUTH) command. It shows the current value of connection authentication client checks.

    If the value shown is '????' this means that the connection authentication settings were not able to be read. Preceding error messages will explain why. Any applications which connect while the queue manager is in this state will result in error message CSQH045E.

    CSQH042I

    Local bindings checks: check-local-value

    Severity
    0

    Explanation

    This message is issued during queue manager initialization, in response to a DISPLAY SECURITY command, and in response to a REFRESH SECURITY TYPE(CONNAUTH) command. It shows the current value of connection authentication local bindings checks.

    If the value shown is '????' this means that the connection authentication settings were not able to be read. Preceding error messages will explain why. Any applications which connect while the queue manager is in this state will result in error message CSQH045E.

    CSQH043E

    csect-name Object AUTHINFO(object-name) does not exist or has wrong type

    Severity
    8

    Explanation

    During queue manager initialization or while processing a REFRESH SECURITY TYPE(CONNAUTH) command, the authentication information object named in the queue manager's CONNAUTH field was referenced. It was found to either not exist, or not have AUTHTYPE(IDPWOS).

    System action

    If this message is issued in response to a REFRESH SECURITY TYPE(CONNAUTH) command, the command fails and the connection authentication settings remain unchanged.

    If this message is issued during queue manager initialization, all connection attempts are refused with reason MQRC_NOT_AUTHORIZED until the connection authentication settings have been corrected.

    System programmer response

    Ensure the authentication information object object-name has been defined correctly. Ensure the queue manager's CONNAUTH field is referencing the correct object name. Correct the configuration, then issue a REFRESH SECURITY TYPE(CONNAUTH) command for the changes to become active.

    CSQH044E

    csect-name Access to AUTHINFO(object-name) object failed, reason=mqrc (mqrc-text)

    Severity
    8

    Explanation

    During queue manager initialization or while processing a REFRESH SECURITY TYPE(CONNAUTH) command, the authentication information object named in the queue manager's CONNAUTH field could not be accessed for the reason given by mqrc (mqrc-text provides the MQRC in textual form).

    System action

    If this message is issued in response to a REFRESH SECURITY TYPE(CONNAUTH) command, the command fails and the connection authentication settings remain unchanged.

    If this message is issued during queue manager initialization, all connection attempts are refused with reason MQRC_NOT_AUTHORIZED until the connection authentication settings have been corrected.

    System programmer response

    Ensure the authentication information object object-name has been defined correctly. Ensure the queue manager's CONNAUTH field is referencing the correct object name. Refer to API completion and reason codes for information about mqrc to determine why the object cannot be accessed. Correct the configuration, then issue a REFRESH SECURITY TYPE(CONNAUTH) command for the changes to become active.

    CSQH045E

    csect-name application did not provide a password

    Severity
    8

    Explanation

    An application connected without supplying a user ID and password for authentication and the queue manager is configured to require this type of application to supply one.

    If this is a client application, the configuration attribute CHCKCLNT is set to REQUIRED. application is identified by channel name/connection details.

    If this is a locally bound application, the configuration attribute CHCKLOCL is set to REQUIRED. application is identified by user id/application name.

    If the connection authentication configuration was unable to be read, this message will also be seen. See messages CSQH041I and CSQH042I.

    System action

    The connection fails and the application is returned MQRC_NOT_AUTHORIZED.

    System programmer response

    Ensure all applications are updated to supply a user ID and password, or alter the connection authentication configuration to OPTIONAL instead of REQUIRED, to allow applications to connect that have not supplied a user ID and password.

    If the connection authentication configuration was unable to be read, check for earlier error messages and make corrections based on what is reported.

    After making configuration changes, issue a REFRESH SECURITY TYPE(CONNAUTH) command for the changes to become active.

    If the application is a client application, the user ID and password can be supplied without changing the application code, by using a security exit, such as mqccred, which is supplied with the IBM MQ MQI client.

    CSQH046E

    csect-name application supplied a password for user ID userid that has expired

    Severity
    8

    Explanation

    An application connected and supplied a user ID userid and password for authentication. The password supplied has expired.

    If this is a client application, application is identified as 'channel name'/'connection details'.

    If this is a locally bound application, application is identified as 'running user id'/'application name'.

    System action

    The connection fails and the application is returned MQRC_NOT_AUTHORIZED.

    System programmer response

    Set a new password for userid using O/S facilities and retry the connect from the application using the new password.

Parent topic: Messages for IBM MQ for z/OS