APAR status
Closed as program error.
Error description
Stopping a server from the console fails with security enabled
when using RMI as the transport.
The following error is received when trying to stop the server
from the Admin Console - the server fails to stop,
ADMN0022E: Access denied for the stop operation on Server MBean
due to insufficient or empty credentials.
at
com.ibm.ws.management.AdminServiceImpl.preInvoke(AdminServic
eImpl.java:1354)
at
com.ibm.ws.management.AdminServiceImpl.invoke(AdminServiceIm
pl.java:657)
at
com.ibm.ws.management.connector.AdminServiceDelegator.invoke(
;AdminServiceDelegator.java:130)
at
com.ibm.ws.management.connector.rmi.RMIConnectorService.invoke&#
40;RMIConnectorService.java:175)
at
com.ibm.ws.management.connector.rmi._RMIConnectorService_Tie.inv
oke(Unknown Source)
at
com.ibm.ws.management.connector.rmi._RMIConnectorService_Tie._in
voke(Unknown Source)
at
com.ibm.CORBA.iiop.ServerDelegate.dispatchInvokeHandler(Serv
erDelegate.java:608)
at
com.ibm.CORBA.iiop.ServerDelegate.dispatch(ServerDelegate.ja
va:461)
at com.ibm.rmi.iiop.ORB.process(ORB.java:432)
at com.ibm.CORBA.iiop.ORB.process(ORB.java:1728)
at
com.ibm.rmi.iiop.Connection.doWork(Connection.java:2227)
at
com.ibm.rmi.iiop.WorkUnitImpl.doWork(WorkUnitImpl.java:65
1;
at
com.ibm.ejs.oa.pool.PooledThread.run(ThreadPool.java:95)
at
com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.java:912
1;<< END server: 1198777258 at host <host>
at
com.ibm.CORBA.iiop.UtilDelegateImpl.mapSystemException(UtilD
elegateImpl.java:166)
at javax.rmi.CORBA.Util.mapSystemException(Util.java:65)
at
com.ibm.ws.management.connector.rmi._RMIConnector_Stub.invoke
0;Unknown Source)
at
com.ibm.ws.management.connector.rmi.RMIConnectorClient.invoke
0;RMIConnectorClient.java:488)
at
com.ibm.ws.management.AdminClientImpl.invoke(AdminClientImpl
.java:162)
at
com.ibm.ws.management.AdminServiceImpl.invoke(AdminServiceIm
pl.java:663)
at
com.ibm.ws.management.connector.AdminServiceDelegator.invoke(
;AdminServiceDelegator.java:130)
at
com.ibm.ws.management.connector.rmi.RMIConnectorService.invoke&#
40;RMIConnectorService.java:175)
at
com.ibm.ws.management.connector.rmi._RMIConnectorService_Tie.inv
oke(Unknown Source)
at
com.ibm.ws.management.connector.rmi._RMIConnectorService_Tie._in
voke(Unknown Source)
at
com.ibm.CORBA.iiop.ServerDelegate.dispatchInvokeHandler(Serv
erDelegate.java:608)
at
com.ibm.CORBA.iiop.ServerDelegate.dispatch(ServerDelegate.ja
va:461)
at com.ibm.rmi.iiop.ORB.process(ORB.java:432)
at com.ibm.CORBA.iiop.ORB.process(ORB.java:1728)
at com.rmi.iiop.Connection.doWork(Connection.java:2227)
at
com.ibm.rmi.iiop.WorkUnitImpl.doWork(WorkUnitImpl.java:65
1;
at
com.ibm.ejs.oa.pool.PooledThread.run(ThreadPool.java:95)
at
com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.java:912
1;<< END server: 298002686 at host <host>
Local fix Problem summary
****************************************************************
* USERS AFFECTED: WebSphere Application Server v5.x users who *
* use RMI connector with security enabled *
****************************************************************
* PROBLEM DESCRIPTION: When RMI connector is used with *
* global security turned on, JMX *
* operations may fail with ADMN0022E *
* (Access denied due to insufficient or *
* empty credentials), for example, *
* stopping a server from the *
* administrative console. *
****************************************************************
* RECOMMENDATION: *
****************************************************************
The RMI connector code needs to ensure proper credentials are
set for JMX calls issued from server to server (ie. dmgr to
node agent, or vice versa), such that a JMX call origniated
from dmgr (console) will be able to pass access checks in node
agent.
Problem conclusion
Updated the RMI connector client code to properly handle the
credentials setup for server-to-server JMX requests.
Temporary fix Comments
APAR information |
APAR number |
PQ91262 |
Reported component name |
WAS NETWRK DEPL |
Reported component ID |
5630A3601 |
Reported release |
10S |
Status |
CLOSED PER |
PE |
NoPE |
HIPER |
NoHIPER |
Special Attention |
NoSpecatt |
Submitted date |
2004-07-12 |
Closed date |
2004-08-23 |
Last modified date |
2004-08-23 |
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
PK11343
Modules/Macros
Publications Referenced
Applicable component levels |
R00A PSY |
UP |
R00H PSY |
UP |
R00I PSY |
UP |
R00P PSY |
UP |
R00S PSY |
UP |
R00W PSY |
UP |
R10A PSY |
UP |
R10H PSY |
UP |
R10I PSY |
UP |
R10P PSY |
UP |
R10S PSY |
UP |
R10W PSY |
UP |
|