PQ90464: Unexpected failures during EJBROLE checks that generate messages BBOS0103E and SECJ0129E

 A fix is available

APAR status
Closed as program error.

Error description
Customer application uses RunAs rolename and has authenticated
with a user id which is permitted to EJBROLE X. The
server intermittently fails the EJBROLE check even though
the user id is permitted to the EJBROLE. The following
messages appear in the SYSPRINT:
BBOS0103E MSG_BBOSENUS_SEC_EJBROLES_CHECK_FAILED:  The requested
          EJBROLESAUTHCHECK(RACROUTE) function User  not
          permitted to method CI via Allowed roles (CIRL,.)
SECJ0129E: Authorization failed for USER while invoking GET on
default_host: /webapp/apps/path/webname/view.do, Authorization
failed, Not granted any of the required roles: CIRL
Local fix

Problem summary
****************************************************************
* USERS AFFECTED: All users of WebSphere Application Server    *
*                 V5.0 for z/OS                                *
****************************************************************
* PROBLEM DESCRIPTION: Customer application uses RunAs         *
*                      rolename and has authenticated with a   *
*                      user id which is permitted to an        *
*                      EJBROLE. The server intermittently      *
*                      fails the EJBROLE check even though     *
*                      the user id is permitted to the         *
*                      EJBROLE. The following messages         *
*                      appear in the SYSPRINT: BBOS0103E       *
*                      MSG_                                    *
*                      BBOSENUS_SEC_EJBROLES_CHECK_FAILED:     *
*                      The requested                           *
*                      EJBROLESAUTHCHECK(RACROUTE) function    *
*                      User  not permitted to method YY via    *
*                      Allowed roles (XXXX,.) SECJ0129E:       *
*                      Authorization failed for USERID while   *
*                      invoking GET on default_host:           *
*                      /application_path/methodid.do,          *
*                      Authorization failed, Not granted any   *
*                      of the required roles: XXXX             *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
The problem is a missing OPI for the user. This is due to
a problem with the reference count for this OPI - it has gone
to zero either because it was decremented too often, or
because it wrapped to zero. Once it became zero, the OPI was
deleted because it appeared it was no longer being used.
Problem conclusion
First, ContextManagerImpl.java was changed to mark the server
credential in initializeSystemContext(). Second, the reference
counter limit was increased from 255 to 64K. Third,
getNSCFromSSAIS was fixed to properly manage the reference
counts.
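
The failure mode described above, as an added illustration in C that is not IBM's code: `struct entry`, its `max` limit and all function names are hypothetical stand-ins for the OPI and its reference counter. It shows a count that wraps at its limit, or is released once too often, reading zero while callers still hold the entry.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical cache entry standing in for the per-user object the APAR
   calls an OPI; `max` models the counter limit (255 before the fix). */
struct entry { uint32_t refs, max; bool live; };

/* Flawed acquire: the count silently wraps to zero past its limit. */
static void acquire_wrapping(struct entry *e) {
    e->refs = (e->refs == e->max) ? 0 : e->refs + 1;
}

/* Guarded acquire: refuse the new reference rather than wrap. */
static bool acquire_checked(struct entry *e) {
    if (!e->live || e->refs == e->max) return false;
    e->refs++;
    return true;
}

/* Release: a count that reaches zero makes the entry look unused. */
static void release(struct entry *e) {
    if (e->refs > 0) e->refs--;
    if (e->refs == 0) e->live = false;
}
/* Cleanup pass: delete any entry whose count reads zero. */
static void sweep(struct entry *e) { if (e->refs == 0) e->live = false; }

/* Is the entry still cached while `holders` callers are using it? */
bool survives(uint32_t max, uint32_t holders, bool checked) {
    struct entry e = { 0, max, true };
    for (uint32_t i = 0; i < holders; i++) {
        if (checked) acquire_checked(&e); else acquire_wrapping(&e);
    }
    sweep(&e);
    return e.live;
}

/* Two holders, one releases twice: the other holder loses the entry. */
bool survives_extra_release(void) {
    struct entry e = { 0, 255, true };
    acquire_checked(&e); acquire_checked(&e);
    release(&e); release(&e);   /* unbalanced: only one holder is done */
    return e.live;
}

int main(void) {
    printf("limit 255, 256 holders, wrapping: %d\n", survives(255, 256, false));
    printf("limit 255, 256 holders, checked:  %d\n", survives(255, 256, true));
    return 0;
}
```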

The following publication was revised as a result
of APAR PQ90464:
________________________________________________________________
WebSphere Application Server V5 for z/OS
Messages and Codes
GA22-7915-01
_______________________________________________________________

NOTE: Periodically, we refresh the documentation on our
Web site, so the changes might have been made before you
read this text. To access the latest on-line
documentation, go to the product library page at:

www.ibm.com/software/webservers/appserv/zos_os390/library.html
________________________________________________________________
Chapter 04, pg. 213 (new message)
Abend code DC3 reason 020D0001
Explanation: IBM Internal Use Only
User Response: Contact the IBM Support Center
________________________________________________________________

APAR PQ90464 is associated with SERVICE LEVEL W502014 of
WebSphere Application Server V5.0 for z/OS.
Temporary fix

Comments

APAR information
APAR number: PQ90464
Reported component name: WEBSPHERE FOR Z
Reported component ID: 5655I3500
Reported release: 500
Status: CLOSED PER
PE: NoPE
HIPER: NoHIPER
Special Attention: NoSpecatt
Submitted date: 2004-06-22
Closed date: 2004-08-05
Last modified date: 2004-09-03

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:
PQ91415 PQ91553 PQ91556

Modules/Macros
BBOUBINF          

Publications Referenced

Fix information
Fixed component name: WEBSPHERE FOR Z
Fixed component ID: 5655I3500

Applicable component levels
R500 PSY UQ91441    UP04/08/23 P F408



Document Information


Current web document: swg1PQ90464.html
Software version: 500
Reference #: PQ90464
IBM Group: Software Group
Modified date: Sep 3, 2004