PQ98427: MODIFYING THE LTPA PASSWORD VIA ADMIN CONSOLE CAUSES SYNC TO FAIL AND BROKEN IMAGE FOR THE NODE STATUS.

 A fix is available

APAR status
Closed as program error.

Error description
When the LTPA password is modified in the admin console,
attempting to save and synchronize this change will cause a
security exception:
BBOO0220E ADMS0005E: Unable to generate synchronization request:
javax.management.JMRuntimeException: ADMN0022E: Access denied
for the getRepositoryEpoch operation on ConfigRepository MBean
due to insufficient or empty credentials.
.
Also, the node status icon (System Administration > Nodes)
will be displayed as a broken image.  Further investigation
into the DM logs will also show security exceptions:
SECJ4034I: Token Login failed.    If the failure is due to an
expiring token, verify the system date and time of the WebSphere
nodes are synchronized or consider increasing the token timeout
value. Authentication mechanism system.
.
As well as:
SECJ0306E: No received or invocation credential exist on the
thread. The Role based authorization check will not have an
accessId of the caller to check. The parameters are: access
check method getRepositoryEpoch on resource ConfigRepository and
module ConfigRepository.
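
The message IDs above can be used to triage a log for this failure signature. The following Python sketch is an added example, not IBM code; the sample log lines are constructed from the message texts on this page, and the matching rule (a sync failure accompanied by a token or credential failure) is an assumption of the example.

```python
import re

# Message IDs listed in this APAR for the failed sync after an LTPA password change.
SYNC_IDS = {"ADMS0005E", "ADMS0016I"}    # sync request / configuration sync failed
TOKEN_IDS = {"SECJ4034I"}                # token login failed
AUTHZ_IDS = {"ADMN0022E", "SECJ0306E"}   # missing or empty credentials on the MBean call
MSG_ID = re.compile(r"\b([A-Z]{4}\d{4}[EIW]):")

def segments(log_text):
    """Yield (message_id, body); wrapped log lines are re-joined before matching."""
    flat = " ".join(log_text.split())
    hits = list(MSG_ID.finditer(flat))
    for i, hit in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(flat)
        yield hit.group(1), flat[hit.end():end]

def triage(log_text):
    """Report which parts of the signature are present (heuristic, assumed rule)."""
    seen, epoch_denied = set(), False
    for msg_id, body in segments(log_text):
        seen.add(msg_id)
        if (msg_id in AUTHZ_IDS and "getRepositoryEpoch" in body
                and "ConfigRepository" in body):
            epoch_denied = True
    sync_failed = bool(seen & SYNC_IDS)
    token_failed = bool(seen & TOKEN_IDS)
    return {
        "sync_failed": sync_failed,
        "token_login_failed": token_failed,
        "epoch_access_denied": epoch_denied,
        "matches_signature": sync_failed and (token_failed or epoch_denied),
    }

# Constructed sample input, wrapped the way the messages appear on this page.
SAMPLE_FAILED_SYNC = """\
BBOO0220E ADMS0005E: Unable to generate synchronization request:
javax.management.JMRuntimeException: ADMN0022E: Access denied
for the getRepositoryEpoch operation on ConfigRepository MBean
due to insufficient or empty credentials.
SECJ4034I: Token Login failed.
"""
# Constructed counter-example: a token failure alone is not this signature.
SAMPLE_TOKEN_ONLY = "SECJ4034I: Token Login failed.\n"

if __name__ == "__main__":
    print(triage(SAMPLE_FAILED_SYNC))
    print(triage(SAMPLE_TOKEN_ONLY))
```

A match only indicates the log pattern; whether the LTPA password was changed beforehand still has to be confirmed from the administrative history.
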
Local fix
1)  Copy the DMGR config side security.xml (the CELL level
    document) to the node side cell level (overwriting the
    older security.xml). It's a good idea to make a backup
    of the security.xml you are overwriting.
2)  In the node side bin directory, run the command:
       wsc2n.sh -X
    This kicks off the transformer tool which will propagate
    changes from the XML configuration files to the native
    environment files.
3)  Once wsc2n.sh finishes, restart the DMGR and NA.
Problem summary
****************************************************************
* USERS AFFECTED: All users of WebSphere Application Server    *
*                 V5.0 for z/OS                                *
****************************************************************
* PROBLEM DESCRIPTION: Synchronization failed after the LTPA   *
*                      password was changed. Several messages  *
*                      are displayed in the server log.        *
*                                                              *
*                      BBOO0222I ADMS0016I: Configuration      *
*                      synchronization failed.                 *
*                                                              *
*                      BBOO0222I SECJ403I: Token Login failed. *
*                      If the failure is due to an expiring    *
*                      token, verify the system date and time  *
*                      of the WebSphere nodes are synchronized *
*                      or consider increasing the token        *
*                      timeout value.                          *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
The LTPA password was updated on the administrative console. The
'Apply' or 'OK' button was hit. When the changes were saved to
the master configuration and the 'Synchronize changes with
Nodes' box was checked, the synchronization failed with several
messages displayed in the server log.

The problem occurred because the deployment manager used the
current administrator token created with the old LTPA keys to
send the sync request to the node agent. The node agent saved
the new keys in the runtime and then tried to decrypt the LTPA
token with the new keys. The decryption failed.
Problem conclusion
The problem was fixed by having all servers use the old LTPA
keys until the servers are restarted. This was accomplished by
updating the deployment manager to not send the message telling
the node agent to import the keys.
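
The ordering problem and the fix described above can be modelled in a few lines. This Python model is an added example, not IBM code: it uses an HMAC tag as a stand-in for LTPA token encryption, and the class, function and key names are hypothetical.

```python
import hashlib
import hmac

OLD_KEY = b"constructed-old-ltpa-key"   # constructed sample values
NEW_KEY = b"constructed-new-ltpa-key"

def mint(key, user):
    """Issue a token bound to the key that is active when it is created."""
    tag = hmac.new(key, user.encode(), hashlib.sha256).hexdigest()
    return f"{user}:{tag}"

def validate(key, token):
    """Accept the token only if it was produced with this key."""
    user, _, tag = token.rpartition(":")
    expected = hmac.new(key, user.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(tag, expected)

class NodeAgent:
    def __init__(self, key):
        self.runtime_key = key    # key the running process validates with
        self.pending_key = None   # key from the synced config, used after restart

    def import_keys(self, new_key):
        # The message the fixed deployment manager no longer sends.
        self.runtime_key = new_key

    def sync(self, admin_token, new_key):
        if not validate(self.runtime_key, admin_token):
            raise PermissionError("Token Login failed")
        self.pending_key = new_key
        return "synchronized"

    def restart(self):
        if self.pending_key is not None:
            self.runtime_key, self.pending_key = self.pending_key, None

def change_ltpa_password(node, old_key, new_key, send_import):
    """Deployment manager side: its current admin token predates the key change."""
    admin_token = mint(old_key, "admin")
    if send_import:               # pre-fix behaviour: node swaps keys first
        node.import_keys(new_key)
    return node.sync(admin_token, new_key)

if __name__ == "__main__":
    try:
        change_ltpa_password(NodeAgent(OLD_KEY), OLD_KEY, NEW_KEY, send_import=True)
    except PermissionError as exc:
        print("pre-fix:", exc)
    print("post-fix:", change_ltpa_password(NodeAgent(OLD_KEY), OLD_KEY, NEW_KEY, send_import=False))
```
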

APAR PQ98427 is associated with SERVICE LEVEL W502024 of
WebSphere Application Server V5.0 for z/OS.
Temporary fix
Comments
APAR information
APAR number: PQ98427
Reported component name: WEBSPHERE FOR Z
Reported component ID: 5655I3500
Reported release: 500
Status: CLOSED PER
PE: NoPE
HIPER: NoHIPER
Special Attention: NoSpecatt
Submitted date: 2004-12-14
Closed date: 2005-02-19
Last modified date: 2005-03-01

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:
PQ98431

Modules/Macros
BBOUBINF          

Publications Referenced

Fix information
Fixed component name: WEBSPHERE FOR Z
Fixed component ID: 5655I3500

Applicable component levels
R500 PSY UK00732    UP05/02/23 P F502


Document Information


Current web document: swg1PQ98427.html
Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server for z/OS
Operating system(s):
Software version: 500
Software edition:
Reference #: PQ98427
IBM Group: Software Group
Modified date: Mar 1, 2005