PQ81809: THIS APAR ADDRESSES DEFECTS IN WEBSPHERE APPLICATION SERVER V5.0 FOR Z/OS.

 A fix is available


APAR status
Closed as program error.

Error description
This APAR addresses defects in WebSphere Application Server
V5.0 for z/OS.
Local fix

Problem summary
****************************************************************
* USERS AFFECTED: All users of WebSphere Application Server    *
*                 V5.0 for z/OS                                *
****************************************************************
* PROBLEM DESCRIPTION: APAR PQ81809 addresses various defects  *
*                      in WebSphere Application Server V5.0    *
*                      for z/OS.                               *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
APAR PQ81809 addresses the following defects in
WebSphere Application Server V5.0 for z/OS:

(MD18731) Add Node and Remove Node via the Admin Console fail
when security is enabled. The symptom, as it appears in the
Remove Node stack trace in removeNode.log, is:
 SOAPException: faultCode=SOAP-ENV:Client; msg=Error opening
socket: java.net.SocketException: SSL implementation not
available; targetException=java.lang.IllegalArgumentException:
Error opening socket: java.net.SocketException:
SSL implementation not available .
at org.apache.soap.transport.http.SOAPHTTPConnection.
 send(Unknown Source)

The cause is that the Add Node and Remove Node functions
run under the WebSphere Asynchronous Administration Task
user id as specified in the z/OS WebSphere Customization
Dialog's Security Domain Configuration section, and that
user id does not have an SSL keyring that is required
when global security is enabled.

(MD18734) The Data Replication Service may cease to function if
JVM garbage collection takes too long to complete. In a severely
resource-constrained system, JVM garbage collection can take
more time than the internal data replication connection
staleness check interval. If this occurs, the Replicator will
decide that its connection has ceased to function and will mark
this connection as down. When the client next attempts to send
or receive using this connection, an IllegalStateException is
thrown by the underlying broker once for every send or receive
attempt. This causes the client to then attempt to connect to an
alternate replicator, and this process may be incorrectly
repeated once for every IllegalStateException that is caught.
This behaviour results in an inconsistent state wherein
replication by all the data replication clients in the JVM
fails, and the recovery logic is unable to recover from this
state.

(MD18737) When the Recovery Node property is enabled, the
symlinks for the servers are created in the incorrect primordial
root. The symlinks are created in the root matching the other
servers, rather than in the root of the Node that was enabled as
the Recovery Node. This creates problems if your HFS is not
shared, as the path for the symlink will not be found and the
following error will be seen on the MVS Operator Console when an
attempt is made to restart the server out of place:

IEE132I START COMMAND DEVICE ALLOCATION ERROR

Recovery Nodes are set in the following manner through
the Administrative Console, using the recoveryNode = true
custom property.

(Administrative Console > System Administration > Node Agents >
nodeagents > File Synchronization Service > Custom Properties)

If Node1's primordial root is /WebSphere/Node1,
Node2's primordial root is /WebSphere/Node2,
and Node1 is the recoveryNode, the symlinks for Node2
will be created in /WebSphere/Node2, but they should have
been created in /WebSphere/Node1.

(MD18742) The message ADMS0016I: Configuration synchronization
failed will be found on the MVS Operator Console if a sync
is attempted and there is a variable of the form $(VAR)/path
or $VAR/path. The standard form ${VAR} (note the curly braces)
will work.

The transformer was unable to resolve variables of the form
$(VAR)/path or $VAR/path and would throw a null pointer
exception. The standard form using curly braces, ${VAR}, worked.
The other two, while valid, caused a failure.
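
A resolver that accepts all three variable forms named in MD18742 and reports an undefined variable by name rather than failing with a null reference. This is an added example, not code from the product's transformer; the function names, the variable-name character set and the sample values are assumptions.

```python
import re

# The three forms named in MD18742: ${VAR} (standard), $(VAR) and bare $VAR.
# Assumption: names are letters, digits and underscores, not starting with a digit.
_NAME = r"[A-Za-z_][A-Za-z0-9_]*"
_VAR = re.compile(
    r"\$\{(?P<brace>" + _NAME + r")\}"
    r"|\$\((?P<paren>" + _NAME + r")\)"
    r"|\$(?P<bare>" + _NAME + r")"
)

class UnresolvedVariable(ValueError):
    """Raised with the variable name, instead of a null dereference."""

def expand(text, variables, max_passes=10):
    """Expand every variable reference in text.

    Values may contain further references, so substitution repeats until
    none remain. max_passes bounds the work so that a self-referencing
    definition is reported as an error instead of looping forever.
    """
    def lookup(match):
        name = match.group("brace") or match.group("paren") or match.group("bare")
        if name not in variables:
            raise UnresolvedVariable("undefined variable %r in %r" % (name, text))
        return variables[name]

    for _ in range(max_passes):
        if not _VAR.search(text):
            return text
        text = _VAR.sub(lookup, text)
    if _VAR.search(text):
        raise UnresolvedVariable("reference cycle while expanding %r" % text)
    return text

# Constructed sample variable map (not taken from any real configuration).
SAMPLE_VARS = {"APP_ROOT": "/WebSphere/Node1", "LOG_DIR": "$(APP_ROOT)/logs"}

if __name__ == "__main__":
    for form in ("${APP_ROOT}/path", "$(APP_ROOT)/path", "$APP_ROOT/path"):
        print(form, "->", expand(form, SAMPLE_VARS))
```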

(MD18743) NotSerializableException occurs for
CFExtendProperties class. During EJB passivation, a
NotSerializableException occurred when passivate processing
attempted to serialize a datasource pointed to by the EJB.
During the serialization of the datasource, the WAS
ConnectionManager was serialized, and during this processing it
was determined that the MCFExtendedProperties contained in the
ConnectionManager was not serializable, thus causing the
exception. Further examination of the ConnectionManager also
showed that the SecurityHelper pointed to by the
ConnectionManager is also not serializable.

(WS14965.02) WebSphere V5.0 for z/OS GA Dynacache does not
support cache replication with multiple Servants per
Controller. This support is being added by this feature.

(WS15621.01) This is the runtime portion of multi-node
(multiple cell) support. Customers wish to run multiple cells
within a single z/OS system and isolate them from one another
for security purposes.

(WS15621.02) It is not possible to completely isolate cells
that are controlled by different organizations in an enterprise.
This is an issue in particular when using EJBROLE profiles to
protect J2EE roles and naming and administrative preset roles.

There are a number of areas in which isolation between
cells on a SYSPLEX cannot be set up easily in SAF.
 - EJBROLE fixed roles: there are preset role names for
   administration such as administrator, configurator, et al,
   and also naming such as CosNamingRead, CosNamingWrite, et al.
   These cannot be separated when SAF authorization is chosen.
 - EJBROLE application defined roles: there is a need to be
   able to separate the test and production domains for roles
   within a sysplex.
 - PASSTICKET: it is a longstanding request to be able to have
   different passtickets for test and production.
 - APPL profiles: if customers wish to use APPL profiles
   to protect WebSphere access, they need to separate sets
   of users.

(WS17156.03) Controller region runs out of storage if multiple
large HTTP responses occur at once.

(WS17438) Rollup of WebSphere Distributed code V5.0.2 base
and ND.

(WS17677) The AlarmManager framework processes AlarmListener
objects to periodically wake up, perform work and reset
themselves. When a Servant Region is inactive (no active work
being dispatched), these AlarmListener objects continue to
awake, determine that there is no work to do, and then reset
themselves. In the view of WLM, this is still active work that
is occurring in the Servant Regions, and therefore the Servants
are kept active by WLM. This consumes processor time when
nothing is being done on behalf of a given application.

(WS17709) JSSE needs to support certificates with keys created
by hardware cryptography.

(WS17710) NO_PERMISSION thrown when using NON-SAF registry while
performing COS Naming requests. NON-SAF registry identities are
not propagated from servant region to controller region. The
server identity is sent instead and may not automatically be
authorized to perform COS Naming requests.

Added the ability to propagate NON-SAF identities from servant
region to controller region.

(WS17742) Support needs to be provided for Direct port broker
SAF Authentication. The JMS Broker calls WebSphere for z/OS
code to authenticate a userid using an expensive security
service. Java SAF APIs provide an efficient way of
authenticating a user.
Problem conclusion
APAR PQ81809 fixes various defects in WebSphere Application
Server V5.0 for z/OS.

(MD18731) The Customization Dialog is changed to generate RACF
commands to create an SSL keyring owned by the Asynchronous
Administration Task user id and to connect the set of
Certificate Authority certificates to that keyring.

(MD18734) The data replication recovery mechanism has been
changed from being time-based to using a retry count
mechanism. The IllegalStateException handler has been changed
to drive the modified recovery mechanism. The staleness check
interval has also been increased to more reasonable numbers,
keeping in mind the garbage collection time required by the JVM.

(MD18737) The Transformer was changed to ensure the correct
root is used when generating symbolic links.

(MD18742) Transformer was modified to support these other types
of variable substitution.

(MD18743) The MCFExtendedProperties class will be changed to be
serializable and the Connection Manager will be changed so
the SecurityHelper it points to doesn't need to be serialized.

(WS14965.02) The Replication engine has been moved to the
Controller, thus providing a single listener socket per Server.

(WS15621.01) This code adds support to read environment
variables security_zOS_domainType and security_zOS_domainName.
If security_zOS_domainType is set to "cell qualified," the
value in security_zOS_domainName is used as the APPL identifier
and as a prefix in resource names for CBIND, SERVER, and
EJBROLE. These environment variables are set by the
configuration tools.

(WS15621.02) A security domain prefix can be optionally used for
the following SAF profiles:
      APPL - use domain name or default to CBS390
      PTKTDATA - use domain name or default to CBS390
      CBIND - uses domain name as qualifier
      EJBROLE - prepends domain name to role name
The security domain configuration can also be used to separate
SSL Certificate issuers between organizations.

This change was implemented using updates to the runtime,
transformer and updates to the configuration dialog.

The customization process has been modified to substitute a
step where a security domain is created, in lieu of independent
security definitions being done in the Base, Deployment Manager,
and Federate Node panels. The security customization is loaded
first, and these values are used in generating the instructions.

In addition, security setup jobs are always generated with
full WebSphere customization by the install.
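
A check of which SAF profile names two cells would still share under the security domain settings described in WS15621.01 and WS15621.02. This is an added example, not WebSphere code: the "." separator between domain name and role name, the function names and the TESTCELL/PRODCELL domain names are assumptions, and CBIND is omitted because the page does not give its naming format.

```python
# Fixed role names and the CBS390 default are the ones listed on this page.
FIXED_ROLES = ["administrator", "configurator", "CosNamingRead", "CosNamingWrite"]
DEFAULT_APPL = "CBS390"

def saf_profiles(env, roles=FIXED_ROLES):
    """Derive APPL, PTKTDATA and EJBROLE profile names for one cell."""
    qualified = env.get("security_zOS_domainType") == "cell qualified"
    domain = env.get("security_zOS_domainName", "") if qualified else ""
    if qualified and not domain:
        raise ValueError("domain type is cell qualified but no domain name is set")
    appl = domain or DEFAULT_APPL  # APPL and PTKTDATA default to CBS390
    # Assumption: the domain name is prepended with a "." separator.
    ejbrole = {r: (domain + "." + r if domain else r) for r in roles}
    return {"APPL": appl, "PTKTDATA": appl, "EJBROLE": ejbrole}

def shared_profiles(env_a, env_b, roles=FIXED_ROLES):
    """Return (class, profile) pairs that both cells resolve to.

    An empty list means one cell's SAF permissions cannot grant access
    in the other; any entry is a profile that a single PERMIT opens
    for both cells.
    """
    a, b = saf_profiles(env_a, roles), saf_profiles(env_b, roles)
    shared = [(cls, a[cls]) for cls in ("APPL", "PTKTDATA") if a[cls] == b[cls]]
    common = set(a["EJBROLE"].values()) & set(b["EJBROLE"].values())
    shared.extend(("EJBROLE", name) for name in sorted(common))
    return shared

# Constructed sample environments for a test cell and a production cell.
TEST_CELL = {"security_zOS_domainType": "cell qualified",
             "security_zOS_domainName": "TESTCELL"}
PROD_CELL = {"security_zOS_domainType": "cell qualified",
             "security_zOS_domainName": "PRODCELL"}
UNQUALIFIED = {}  # neither variable set: pre-fix behaviour

if __name__ == "__main__":
    print("qualified cells share:", shared_profiles(TEST_CELL, PROD_CELL))
    print("unqualified cells share:", shared_profiles(UNQUALIFIED, UNQUALIFIED))
```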

(WS17156.03) In the controller, create a single thread to
process large HTTP responses. Servants will place the large HTTP
responses in the comm dataspace. The new thread in the
controller will copy the response from the comm dataspace into
a single instance buffer that the controller thread owns.
The size of the buffer is controlled by the environment variable
protocol_http_large_data_response_buffer.

(WS17438) Rollup of WebSphere Distributed code V5.0.2 base
and ND.

(WS17677) Code was modified to cause the AlarmManager to stop
processing AlarmListener objects after work has departed from
the Servant Region. Once work is received, the AlarmManager
resumes its activities until work once again departs.

(WS17709) WebSphere can now use the IBMJCE4758 cryptography
provider to load certificates/keys created with hardware
cryptography. The user checks the "Use Hardware Cryptography
Token" check box for the SSL Repertoire that will be used for
hardware cryptography keys, and sets the keyring to
safkeyring:///<name_of_racf_keyring>, where
<name_of_racf_keyring> is the name of the RACF Keyring that
contains certificates/keys created using ICSF.

(WS17710) NO_PERMISSION thrown when using NON-SAF registry while
performing COS Naming requests. NON-SAF registry identities are
not propagated from servant region to controller region. The
server identity is sent instead and may not automatically be
authorized to perform COS Naming requests.

(WS17710) Added the ability to propagate NON-SAF identities from
servant region to controller region.

(WS17742) Changed WASPrincipalDirectory to use Java SAF APIs to
authenticate a user.

APAR PQ81809 is associated with SERVICE LEVEL W502000 of
WebSphere Application Server V5.0 for z/OS.
Temporary fix

Comments

APAR information
APAR number PQ81809
Reported component name WEBSPHERE FOR Z
Reported component ID 5655I3500
Reported release 500
Status CLOSED PER
PE NoPE
HIPER NoHIPER
Special Attention NoSpecatt
Submitted date 2003-12-06
Closed date 2003-12-07
Last modified date 2004-01-03

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:

Modules/Macros
BBOUBINF          

Publications Referenced

Fix information
Fixed component name WEBSPHERE FOR Z
Fixed component ID 5655I3500

Applicable component levels
R500 PSY UQ82905    UP03/12/15 P F312

Document Information


Current web document: swg1PQ81809.html
Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server for z/OS
Operating system(s):
Software version: 500
Software edition:
Reference #: PQ81809
IBM Group: Software Group
Modified date: Jan 3, 2004