PQ89073: SERVANT REGION IS ENDED UNEXPECTEDLY. SECJ0208E MESSAGES IN JOB LOG ACCOMPANY THE FAILURE. | |||||||||||||||||||||||||||||||||||||||||||
![]() |
|||||||||||||||||||||||||||||||||||||||||||
![]() APAR status Closed as program error. Error description A WebSphere for z/OS version 5.0 servant region ends unexpectedly. The following messages appear in the job log: BBOO0220E SECJ0208E: An unexpected exception occurred when attempting to authenticate the server's id during security initialization. The exception is Internal Error. Thread Id reset on request exit. Some methods may have not reset thread identities, contact your IBM support. BBOO0220E SECJ0208E: An unexpected exception occurred when attempting to authenticate the server's id during security initialization. The exception is Fatal Error. Killing thread because security Identity on thread cannot be reset. With tracing activated: ras_trace_detail=(3,4,E) and com.ibm.ws.security.*=all=enabled, it is evident that the server OPI control block has been freed. This generates RunAsxxxx errors, such as RunAsBuildUToken, RunAsFreeCred, RunAsSetSpecCred, RunAsGetPrincipal and so on. The RunAsBuildUToken errors are reported by message BBOS0111E UTOKEN handling function RunAsBuildUtoken failed in request with SAF Return Code (hex): 0, RACF Return Code (hex): 0, and RACF Reason Code (hex): 0. In this message since the return codes are zero and the request is all spaces, we can infer that the OPI has been freed.Local fix Problem summary **************************************************************** * USERS AFFECTED: All users of WebSphere Application Server * * V5.0 for z/OS * **************************************************************** * PROBLEM DESCRIPTION: Various symptoms occur because the OPI * * for the server credential has been * * deleted. Among them: 1) ABEND 0C4 in * * BOSSOUT 2) BBOO0220E SECJ0208E: An * * unexpected exception occurred when * * attempting to authenticate the * * server's id during security * * initialization. 3) BBOS0107E * * Credential handling function * * <function name> failed. Various RunAs * * functions may fail. The server may run * * for quite a while after the server OPI * * is deleted before symptoms of a * * failure appear. * **************************************************************** * RECOMMENDATION: * **************************************************************** There are several ways to delete an OPI using RunAs::freeCredential(). A problem can occur if an OPI is deleted and then re-used. If an outbound request fails, its credentials (including the OPI) will be deleted before the failed request is re-driven. An OPI can also be deleted if its reference count becomes zero. There are problems with handling the reference count for the server credential, which should not be deleted except when the servant region ends. One likely cause of msg. BBOS0107E for a failure in RunAsSpecLatentCred, RunAsFreeCred, RunAsGetPrincipal, or RunAsBuildUtoken is a missing OPI.Problem conclusion Several fixes are included. Code is added to WSCredentialImpl.finalize() to protect the server credential from being freed. Code is also added to referenceNSC() and freeNSC() to not change the reference count for the server's OPI, and to not free it. Code to delete a cloned NSC token is moved from bboocomm.cpp to bbooejsb.cpp, so the OPI is not deleted until after the request is re-driven (if needed). Code in bbooorsx.mac that copies a native security context from the SR to the CR is modified to only do so if security is enabled. Code is added to ContextManagerImpl.buildLocalOSSubject() to mark the server credential, so it is protected from being deleted by destroy() and finalize() operations. Code is added to WSLocalzOSExtensionImpl.getLocalOSOwnSubject() to save and re-use the server subject obtained from the context manager. APAR PQ89073 is associated with SERVICE LEVEL W502011 of WebSphere Application Server V5.0 for z/OS.Temporary fix Comments
APAR is sysrouted FROM one or more of the following: APAR is sysrouted TO one or more of the following: PQ89288 PQ89483 Modules/Macros
Publications Referenced
|
Document Information |
Current web document: swg1PQ89073.html
Product categories: Software > Application Servers >
Distributed Application & Web Servers > WebSphere Application
Server for z/OS
Operating system(s):
Software version: 500
Software edition:
Reference #: PQ89073
IBM Group: Software Group
Modified date: Jul 2, 2004
(C) Copyright IBM Corporation 2000, 2009. All Rights Reserved.