Security manager messages (CSQH...)
- CSQH001I
-
Security using uppercase classes
- Severity
- 0
- Explanation
-
This message is issued to inform you that security is currently using the uppercase classes MQPROC, MQNLIST, MQQUEUE and MQADMIN.
- CSQH002I
-
Security using mixed case classes
- Severity
- 0
- Explanation
-
This message is issued to inform you that security is currently using the mixed case classes MXPROC, MXNLIST, MXQUEUE and MXADMIN.
- CSQH003I
-
Security refresh did not take place for class class-name
- Severity
- 4
- Explanation
-
This message follows message CSQH004I when an attempt to refresh class MQPROC, MQNLIST, or MQQUEUE was unsuccessful because of a return code from a SAF RACROUTE REQUEST=STAT call. The return code is given in message CSQH004I.
- System action
-
The refresh does not occur.
- System programmer response
-
Check that the class in question (class-name) is set up correctly. See message CSQH004I for the reason for the problem.
- CSQH004I
-
csect-name STAT call failed for class class-name, SAF return code= saf-rc, ESM return code=esm-rc
- Severity
- 8
- Explanation
-
This message is issued as a result of a SAF RACROUTE REQUEST=STAT call to your external security
manager (ESM) returning a non-zero return code at one of the following times:
- During initialization, or in response to a REFRESH SECURITY command If the return codes from
SAF and your ESM are not zero, and are unexpected, this will cause abnormal termination with one of
the following reason codes:
- X'00C8000D'
- X'00C80032'
- X'00C80038'
- In response to a REFRESH SECURITY command.
If the return codes from SAF and your ESM are not zero (for example, because a class is not active because we are not going to use it) this message is returned to the issuer of the command to advise that the STAT call failed.
Possible causes of this problem are:
- The class is not installed
- The class is not active
- The external security manager (ESM) is not active
- The RACF z/OS router table is incorrect
- During initialization, or in response to a REFRESH SECURITY command If the return codes from
SAF and your ESM are not zero, and are unexpected, this will cause abnormal termination with one of
the following reason codes:
- System programmer response
-
To determine if we need to take any action, see the Security Server External Security Interface (RACROUTE) Macro Reference for more information about the return codes.
- CSQH005I
-
csect-name resource-type In-storage profiles successfully listed
- Severity
- 0
- Explanation
-
This message is issued in response to a REFRESH SECURITY command that caused the in-storage profiles to be RACLISTED (that is, rebuilt); for example, when the security switch for a resource is set on, or a refresh for a specific class is requested that requires the in-storage tables to be rebuilt.
- System programmer response
-
This message is issued so that we can check the security configuration of our queue manager.
- CSQH006I
-
Error returned from CSQTTIME, security timer not started
- Severity
- 8
- Explanation
-
An error was returned from the MQ timer component, so the security timer was not started.
- System action
-
The queue manager terminates abnormally, with a reason code of X'00C80042'.
- System programmer response
-
See Security manager codes (X'C8') for an explanation of the reason code.
- CSQH007I
-
Reverify flag not set for user-id userid, no entry found
- Severity
- 0
- Explanation
-
A user identifier (user-id) specified in the RVERIFY SECURITY command was not valid because there was no entry found for it in the internal control table. This could be because the identifier was entered incorrectly in the command, or because it was not in the table (for example, because it had timed-out).
- System action
-
The user identifier (user-id) is not flagged for reverify.
- System programmer response
-
Check that the identifier was entered correctly.
- CSQH008I
-
Subsystem security not active, no userids processed
- Severity
- 0
- Explanation
-
The RVERIFY SECURITY command was issued, but the subsystem security switch is off, so there are no internal control tables to flag for reverification.
- CSQH009I
-
Errors occurred during security timeout processing
- Severity
- 8
- Explanation
-
This message is sent to the system log either:
- If an error occurs during security timeout processing (for example, a nonzero return code from the external security manager (ESM) during delete processing)
- Prior to a message CSQH010I if a nonzero return code is received from the timer (CSQTTIME) during an attempt to restart the security timer
- System action
-
Processing continues.
- System programmer response
-
Contact the IBM support center to report the problem.
- CSQH010I
-
csect-name Security timeout timer not restarted
- Severity
- 8
- Explanation
-
This message is issued to inform you that the security timeout timer is not operational. The
reason for this depends on which of the following messages precedes this one:
- CSQH009I
- An error occurred during timeout processing
- CSQH011I
- The timeout interval has been set to zero
- System action
-
If this message follows message CSQH009I, the queue manager ends abnormally with one of the
following reason codes:
- csect-name
- Reason code
- CSQHTPOP
- X'00C80040'
- CSQHPATC
- X'00C80041'
- System programmer response
-
See Security manager codes (X'C8') for information about the reason code.
- CSQH011I
-
csect-name Security interval is now set to zero
- Severity
- 0
- Explanation
-
The ALTER SECURITY command was entered with the INTERVAL attribute set to 0. This means that no user timeouts will occur.
- System programmer response
-
This message is issued to warn you that no security timeouts will occur. Check that this is what was intended.
- CSQH012I
-
Errors occurred during ALTER SECURITY timeout processing
- Severity
- 8
- Explanation
-
This message is issued in response to an ALTER SECURITY command if errors have been detected during timeout processing (for example, a nonzero return code from the external security manager (ESM) during timeout processing).
- System action
-
Processing continues.
- System programmer response
-
Contact the IBM support center to report the problem.
- CSQH013E
-
csect-name Case conflict for class class-name
- Severity
- 8
- Explanation
-
A REFRESH SECURITY command was issued, but the case currently in use for the class class-name differs from the system setting and if refreshed would result in the set of classes using different case settings.
- System action
-
The refresh does not occur.
- System programmer response
-
Check that the class in question (class-name) is set up correctly and that the system setting is correct. If a change in case setting is required, issue the REFRESH SECURITY(*) command to change all classes.
- CSQH015I
-
Security timeout = number minutes
- Severity
- 0
- Explanation
-
This message is issued in response to the DISPLAY SECURITY TIMEOUT command, or as part of the DISPLAY SECURITY ALL command.
- CSQH016I
-
Security interval = number minutes
- Severity
- 0
- Explanation
-
This message is issued in response to the DISPLAY SECURITY INTERVAL command, or as part of the DISPLAY SECURITY ALL command.
- CSQH017I
-
Security refresh completed with errors in signoff
- Severity
- 8
- Explanation
-
This message is issued when an error has been detected in refresh processing; for example, a nonzero return code from the external security manager (ESM) during signoff or delete processing.
- System action
-
Processing continues.
- System programmer response
-
Contact the IBM support center to report the problem.
- CSQH018I
-
csect-name Security refresh for resource-type not processed, security switch set OFF
- Severity
- 0
- Explanation
-
A REFRESH SECURITY command was issued for resource type resource-type. However, the security switch for this type or the subsystem security switch is currently set off.
Note: This message is issued only for resource types MQQUEUE, MQPROC, and MQNLIST, because MQADMIN is always available for refresh. - System programmer response
-
Ensure that the REFRESH SECURITY request was issued for the correct resource type.
- CSQH019I
-
Keyword values are incompatible
- Severity
- 8
- Explanation
-
The REFRESH SECURITY command was issued, but the command syntax is incorrect because a keyword value that is specified conflicts with the value for another keyword.
- System action
-
The command is not executed.
- System programmer response
-
See REFRESH SECURITY for more information.
- CSQH021I
-
csect-name switch-type security switch set OFF, profile 'profile-type' found
- Severity
- 0
- Explanation
-
This message is issued during queue manager initialization and in response to a REFRESH SECURITY command for each security switch that is set OFF because the named security profile has been found.
- System action
-
If the subsystem security switch is set off, we will get only one message (for that switch).
- System programmer response
-
Messages CSQH021I through CSQH026I are issued so that we can check the security configuration of your queue manager. See Switch profiles for information about setting security switches.
- CSQH022I
-
csect-name switch-type security switch set ON, profile 'profile-type' found
- Severity
- 0
- Explanation
-
This message is issued during queue manager initialization and in response to a REFRESH SECURITY command for each security switch that is set ON because the named security profile has been found.
- System programmer response
-
Messages CSQH021I through CSQH026I are issued so that we can check the security configuration of your queue manager. See Switch profiles for information about setting security switches.
- CSQH023I
-
csect-name switch-type security switch set OFF, profile 'profile-type' not found
- Severity
- 0
- Explanation
-
This message is issued during queue manager initialization and in response to a REFRESH SECURITY command for each security switch that is set OFF because the named security profile has not been found.
- System action
-
If the subsystem security switch is set off, we will get only one message (for that switch).
- System programmer response
-
Messages CSQH021I through CSQH026I are issued so that we can check the security configuration of your queue manager. See Switch profiles for information about setting security switches.
- CSQH024I
-
csect-name switch-type security switch set ON, profile 'profile-type' not found
- Severity
- 0
- Explanation
-
This message is issued during queue manager initialization and in response to a REFRESH SECURITY command for each security switch that is set ON because the named security profile has not been found.
- System programmer response
-
Messages CSQH021I through CSQH026I are issued so that we can check the security configuration of your queue manager. See Switch profiles for information about setting security switches.
- CSQH025I
-
csect-name switch-type security switch set OFF, internal error
- Severity
- 0
- Explanation
-
This message is issued during queue manager initialization and in response to a REFRESH SECURITY command for each security switch that is set OFF because an error occurred.
- System action
-
The message might be issued with message CSQH004I when an unexpected setting is encountered for a switch.
- System programmer response
-
See message CSQH004I for more information.
Messages CSQH021I through CSQH026I are issued so that we can check the security configuration of your queue manager.
- CSQH026I
-
csect-name switch-type security switch forced ON, profile 'profile-type' overridden
- Severity
- 0
- Explanation
-
This message is issued during queue manager initialization and in response to a REFRESH SECURITY command for each security switch that was forced ON. This happens when an attempt was made to turn off both the queue manager and queue sharing group security switches for the named profile, which is not allowed.
- System programmer response
-
Correct the profiles for the queue manager and queue sharing group security switches, and refresh security if required.
Messages CSQH021I through CSQH026I are issued so that we can check the security configuration of your queue manager. See Switch profiles for information about setting security switches.
- CSQH030I
-
Security switches ...
- Severity
- 0
- Explanation
-
This is issued in response to a DISPLAY SECURITY ALL or DISPLAY SECURITY SWITCHES command and is followed by messages CSQH031I through CSQH036I for each security switch to show its setting and the security profile used to establish it.
- System action
-
If the subsystem security switch is set off, we will get only one message (for that switch). Otherwise, a message is issued for each security switch.
- CSQH031I
-
switch-type OFF, 'profile-type' found
- Severity
- 0
- Explanation
-
This message is issued in response to a DISPLAY SECURITY ALL or DISPLAY SECURITY SWITCHES command for each security switch that is set OFF because the named security profile has been found.
- System action
-
If the subsystem security switch is set off, we will get only one message (for that switch).
- CSQH032I
-
switch-type ON, 'profile-type' found
- Severity
- 0
- Explanation
-
This message is issued in response to a DISPLAY SECURITY ALL or DISPLAY SECURITY SWITCHES command for each security switch that is set ON because the named security profile has been found.
- CSQH033I
-
switch-type OFF, 'profile-type' not found
- Severity
- 0
- Explanation
-
This message is issued in response to a DISPLAY SECURITY ALL or DISPLAY SECURITY SWITCHES command for each security switch that is set OFF because the named security profile has not been found.
- System action
-
If the subsystem security switch is set off, we will get only one message (for that switch).
- CSQH034I
-
switch-type ON, 'profile-type' not found
- Severity
- 0
- Explanation
-
This message is issued in response to a DISPLAY SECURITY ALL or DISPLAY SECURITY SWITCHES command for each security switch that is set ON because the named security profile has not been found.
- CSQH035I
-
switch-type OFF, internal error
- Severity
- 0
- Explanation
-
This message is issued in response to a DISPLAY SECURITY ALL or DISPLAY SECURITY SWITCHES command for each security switch that is set OFF because an error occurred during initialization or when refreshing security.
- System action
-
The message is be issued when an unexpected setting is encountered for a switch.
- System programmer response
-
Check all your security switch settings. Review the z/OS system log file for other CSQH messages for errors during IBM MQ startup or when running RUNMQSC security refresh commands.
If required, correct them and refresh your security.
- CSQH036I
-
switch-type ON, 'profile-type' overridden
- Severity
- 0
- Explanation
-
This message is issued in response to a DISPLAY SECURITY ALL or DISPLAY SECURITY SWITCHES command for each security switch that was forced ON. This happens when an attempt was made to turn off both the queue manager and queue sharing group security switches for the named profile, which is not allowed.
- System programmer response
-
Correct the profiles for the queue manager and queue sharing group security switches, and refresh security if required.
- CSQH037I
-
Security using uppercase classes
- Severity
- 0
- Explanation
-
This message is issued in response to a DISPLAY SECURITY ALL or DISPLAY SECURITY SWITCHES command to inform you that security is currently using the uppercase classes MQPROC, MQNLIST, MQQUEUE and MQADMIN.
- CSQH038I
-
Security using mixed case classes
- Severity
- 0
- Explanation
-
This message is issued in response to a DISPLAY SECURITY ALL or DISPLAY SECURITY SWITCHES command to inform you that security is currently using the mixed case classes MXPROC, MXNLIST, MXQUEUE and MXADMIN.
- CSQH040I
-
Connection authentication ...
- Severity
- 0
- Explanation
-
This message is issued during queue manager initialization, in response to a DISPLAY SECURITY command, and in response to a REFRESH SECURITY TYPE(CONNAUTH) command. It is followed by messages CSQH041I and CSQH042I to show the value of the connection authentication settings.
- CSQH041I
-
Client checks: check-client-value
- Severity
- 0
- Explanation
-
This message is issued during queue manager initialization, in response to a DISPLAY SECURITY command, and in response to a REFRESH SECURITY TYPE(CONNAUTH) command. It shows the current value of connection authentication client checks.
If the value shown is '????' this means that the connection authentication settings were not able to be read. Preceding error messages will explain why. Any applications which connect while the queue manager is in this state will result in error message CSQH045E.
- CSQH042I
-
Local bindings checks: check-local-value
- Severity
- 0
- Explanation
-
This message is issued during queue manager initialization, in response to a DISPLAY SECURITY command, and in response to a REFRESH SECURITY TYPE(CONNAUTH) command. It shows the current value of connection authentication local bindings checks.
If the value shown is '????' this means that the connection authentication settings were not able to be read. Preceding error messages will explain why. Any applications which connect while the queue manager is in this state will result in error message CSQH045E.
- CSQH043E
-
csect-name Object AUTHINFO(object-name) does not exist or has wrong type
- Severity
- 8
- Explanation
-
During queue manager initialization or while processing a REFRESH SECURITY TYPE(CONNAUTH) command, the authentication information object named in the queue manager's CONNAUTH field was referenced. It was found to either not exist, or not have AUTHTYPE(IDPWOS).
- System action
-
If this message is issued in response to a REFRESH SECURITY TYPE(CONNAUTH) command, the command fails and the connection authentication settings remain unchanged.
If this message is issued during queue manager initialization, all connection attempts are refused with reason MQRC_NOT_AUTHORIZED until the connection authentication settings have been corrected.
- System programmer response
-
Ensure the authentication information object object-name has been defined correctly. Ensure the queue manager's CONNAUTH field is referencing the correct object name. Correct the configuration, then issue a REFRESH SECURITY TYPE(CONNAUTH) command for the changes to become active.
- CSQH044E
-
csect-name Access to AUTHINFO(object-name) object failed, reason=mqrc (mqrc-text)
- Severity
- 8
- Explanation
-
During queue manager initialization or while processing a REFRESH SECURITY TYPE(CONNAUTH) command, the authentication information object named in the queue manager's CONNAUTH field could not be accessed for the reason given by mqrc (mqrc-text provides the MQRC in textual form).
- System action
-
If this message is issued in response to a REFRESH SECURITY TYPE(CONNAUTH) command, the command fails and the connection authentication settings remain unchanged.
If this message is issued during queue manager initialization, all connection attempts are refused with reason MQRC_NOT_AUTHORIZED until the connection authentication settings have been corrected.
- System programmer response
-
Ensure the authentication information object object-name has been defined correctly. Ensure the queue manager's CONNAUTH field is referencing the correct object name. Refer to API completion and reason codes for information about mqrc to determine why the object cannot be accessed. Correct the configuration, then issue a REFRESH SECURITY TYPE(CONNAUTH) command for the changes to become active.
- CSQH045E
-
csect-name application did not provide a password
- Severity
- 8
- Explanation
-
An application connected without supplying a user ID and password for authentication and the queue manager is configured to require this type of application to supply one.
If this is a client application, the configuration attribute CHCKCLNT is set to REQUIRED. application is identified by channel name/connection details.
If this is a locally bound application, the configuration attribute CHCKLOCL is set to REQUIRED. application is identified by user id/application name.
If the connection authentication configuration was unable to be read, this message will also be seen. See messages CSQH041I and CSQH042I.
- System action
-
The connection fails and the application is returned MQRC_NOT_AUTHORIZED.
- System programmer response
-
Ensure all applications are updated to supply a user ID and password, or alter the connection authentication configuration to OPTIONAL instead of REQUIRED, to allow applications to connect that have not supplied a user ID and password.
If the connection authentication configuration was unable to be read, check for earlier error messages and make corrections based on what is reported.
After making configuration changes, issue a REFRESH SECURITY TYPE(CONNAUTH) command for the changes to become active.
If the application is a client application, the user ID and password can be supplied without changing the application code, by using a security exit, such as mqccred, which is supplied with the IBM MQ MQI client.
- CSQH046E
-
csect-name application supplied a password for user ID userid that has expired
- Severity
- 8
- Explanation
-
An application connected and supplied a user ID userid and password for authentication. The password supplied has expired.
If this is a client application, application is identified as 'channel name'/'connection details'.
If this is a locally bound application, application is identified as 'running user id'/'application name'.
- System action
-
The connection fails and the application is returned MQRC_NOT_AUTHORIZED.
- System programmer response
-
Set a new password for userid using O/S facilities and retry the connect from the application using the new password.
Parent topic: Messages for IBM MQ for z/OS