In our shop we have recently upgrade WMQ for z/OS from v9.0 to v9.1 on our production lpar. We have many applications uses same Queue Manager. But one of the application is not able to make connection or send any messages to MF MQ. We are seeing the below RACF message right after the upgrade.

ICH408I USER(system  ) GROUP(        ) NAME(???                 ) 

  LOGON/JOB INITIATION - USER AT TERMINAL          NOT RACF-DEFINED 

IRR012I  VERIFICATION FAILED. USER PROFILE NOT FOUND. 

The user system is the user name where middleware application used on their side. In fact we have upgraded MQ on our development lpar and no issues or any RACF check initiated. We are seeing this RACF authentication only right after the 9.1 upgrade on our prod lpar. Also we don't have any user id called SYSTEM is defined ever. I am not sure why this RACF authentication is happening right after the upgrade.

The application runs on Weblogic ( I guess version 9) and they are using some of the MQ Client jars coded within the application to make connection with Mainframe. Below is the error message application team seeing from their web logic server. 

 MQ Authentication failing -

javax.jms.JMSSecurityException: MQJMS2013: invalid security authentication supplied for MQQueueManager

        at com.ibm.mq.jms.MQConnection.createQM(MQConnection.java:2050)

        at com.ibm.mq.jms.MQConnection.createQMNonXA(MQConnection.java:1532)

        at com.ibm.mq.jms.MQQueueConnection.<init>(MQQueueConnection.java:150)

        at com.ibm.mq.jms.MQQueueConnectionFactory.createQueueConnection(MQQueueConnectionFactory.java:185)

        at com.sigma.samp.imp.rogers.bss.ss.mqjmsinit.MQJMSInit.importQueue(MQJMSInit.java:139)

        at com.sigma.samp.imp.rogers.bss.ss.mqjmsinit.MQJMSInit.startup(MQJMSInit.java:95)

Part of trouble shooting I have found one differences while displaying the security all command. In our DEV environment its showing Client Checks:NONE but in our PROD environment its showing Client Checks:OPTIONAL. Do you think this could be one of the reason. Any help or your input to resolve this issue is greatly appreciated.

DEV:

:DISPLAY SECURITY ALL                                      

CSQH015I :MQDU Security timeout = 54 minutes                    

CSQH016I :MQDU Security interval = 12 minutes                   

CSQH037I :MQDU Security using uppercase classes                 

CSQH030I :MQDU Security switches ...                            

CSQH031I :MQDU SUBSYSTEM: OFF, 'MQDU.NO.SUBSYS.SECURITY' found  

CSQH040I :MQDU Connection authentication ...                    

CSQH041I :MQDU Client checks: NONE                              

CSQH042I :MQDU Local bindings checks: NONE                      

CSQ9022I :MQDU CSQHPDTC ' DISPLAY SECURITY' NORMAL COMPLETION   

PROD:

:DISPLAY SECURITY ALL                                      

CSQH015I :MQOP Security timeout = 54 minutes                    

CSQH016I :MQOP Security interval = 12 minutes                   

CSQH037I :MQOP Security using uppercase classes                  

CSQH030I :MQOP Security switches ...                            

CSQH031I :MQOP SUBSYSTEM: OFF, 'MQPR.NO.SUBSYS.SECURITY' found  

CSQH040I :MQOP Connection authentication ...                    

CSQH041I :MQOP Client checks: OPTIONAL                           

CSQH042I :MQOP Local bindings checks: OPTIONAL                  

CSQ9022I :MQOP CSQHPDTC ' DISPLAY SECURITY' NORMAL COMPLETION   

ICH408I USER(system  ) GROUP(        ) NAME(???                 ) 
  LOGON/JOB INITIATION - USER AT TERMINAL          NOT RACF-DEFINED 
IRR012I  VERIFICATION FAILED. USER PROFILE NOT FOUND. 

This error message shows that the queue manager attempted to logon the user ID "system" and failed.

CSQH041I :MQOP Client checks: OPTIONAL                           
CSQH042I :MQOP Local bindings checks: OPTIONAL                  

These settings mean that if an application provides a user id (and hopefully a password) in the MQCSP structure, then this user id will be authenticated. If the password was incorrect, or not supplied, then this authentication will fail.

You have two choices

1. Ensure the application provides a user ID that exists in your RACF database, along with the password that goes with it.
2. Turn off password checking in the queue manager with the following commands:

   ALTER QMGR CONNAUTH(' ')
   REFRESH SECURITY TYPE(CONNAUTH)

Cheers,
Morag

ICH408I USER(system  ) GROUP(        ) NAME(???                 )   LOGON/JOB INITIATION - USER AT TERMINAL          NOT RACF-DEFINED IRR012I  VERIFICATION FAILED. USER PROFILE NOT FOUND. 

This error message shows that the queue manager attempted to logon the user ID "system" and failed.

CSQH041I :MQOP Client checks: OPTIONAL                           CSQH042I :MQOP Local bindings checks: OPTIONAL                  

These settings mean that if an application provides a user id (and hopefully a password) in the MQCSP structure, then this user id will be authenticated. If the password was incorrect, or not supplied, then this authentication will fail.

You have two choices

1. Ensure the application provides a user ID that exists in your RACF database, along with the password that goes with it.
2. Turn off password checking in the queue manager with the following commands:

   ALTER QMGR CONNAUTH(' ')REFRESH SECURITY TYPE(CONNAUTH)

Cheers,
Morag

Use the following commands

DISPLAY QMGR CONNAUTH
ALTER AUTHINFO(name-from-display) AUTHTYPE(IDPWOS) CHCKCLNT(OPTIONAL)
REFRESH SECURITY TYPE(CONNAUTH)

Suggest you display the whole AUTHINFO object in question (the one named in the QMGR CONNAUTH field) and ensure all it's attributes are the same, not just that one.

Cheers,
Morag