PQ78770: NUMBEROUS ICH408I WHEN USERID DOES NOT HAVE ADMIN ROLE

 A fix is available

Obtain the fix for this APAR



APAR status
Closed as program error.

Error description
Numberous ICH408I when userid does not have admin role. If a
userid is permitted to EJBROLE monitor profile, then numerous
ICH408I RACF messages will be issued to the SYSLOG when trying
to use the adminconsole GUI.  These ICH408I messages are no
access messages for the EJBROLE administrator, EJBROLE operator,
and EJBROLE configurator profiles as WAS/adminconsole tries to
determine what adminconsole resources the user is allowed to
see/access in the role of monitor.
Local fix Problem summary
****************************************************************
* USERS AFFECTED: All users of WebSphere Application Server    *
*                 V5.0 for z/OS                                *
****************************************************************
* PROBLEM DESCRIPTION: ICH408I messages are being displayed in *
*                      the MVS Console when userid does not    *
*                      have permission to the administrator,   *
*                      configurator or operator role.          *
*                      The text of the message is:             *
*                      ICH408I USER(WSADMIN ) GROUP(CBCFG1  )  *
*                      NAME(WAS ADMINISTRATOR   )              *
*                      administrator CL(EJBROLE )              *
*                      INSUFFICIENT ACCESS AUTHORITY           *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
If a userid is permitted to EJBROLE monitor role, but not to the
other three (administrator, configurator, operator) then
numerous ICH408I RACF messages will be issued to the SYSLOG when
trying to use the administrative console.
Problem conclusion
Created a new Custom Property in the administrative console that
will allow the customer to turn on or off these messages.
The property is located under:
Security -> User Registries -> Local OS ->
Custom Properties ->
com.ibm.security.SAF.EJBROLE.Audit.Messages.Suppress
The default value for this property is False (Do not suppress
any messages). The customer can turn this value to True to
suppress the ICH408I messages.
Note: SMF X'80' audit records will be generated as usual,
      regardless of the value of this new property.

The following WebSphere InfoCenter articles will be revised
as a result of defect PQ78770.
________________________________________________________________
NOTE: Periodically, we refresh the documentation on our
Web site, so these changes might have been made before you
read this text. To access the latest on-line
documentation, go to the product library page at:

www.ibm.com/software/webservers/appserv/zos_os390/library.html
________________________________________________________________

In "Local operating system user registry settings" in our
WebSphere Application Server InfoCenter the following
information has been added regarding the new custom security
property,
com.ibm.security.SAF.EJBROLE.Audit.Messages.Suppress.

Under Additional Properties, click Custom Properties.  Then,
under Custom Properties, you can set the following property:

com.ibm.security.SAF.EJBROLE.Audit.Messages.Suppress:

This property is located in the Administrative
Console under Security -> User Registries -> Local OS ->
Custom Properties ->
com.ibm.security.SAF.EJBROLE.Audit.Messages.Suppress
and allows the you to turn ICH408I messages on or off.
The default value for this property is "false", which
does not suppress messages. You can set this value to
"true" to suppress the ICH408I messages.  Note that
ICH408I messages still go to the SMF record regardless
of the specified value of this new property.

________________________________________________________________

In "Configuring local operating system registries"
in our WebSphere Application Server InfoCenter
there is a table documenting custom security
properties.

PROPERTY           DATA TYPE         VALID VALUES
--------           ---------         ----- ------
com.ibm.security.  Boolean           true or false
SAF.EJBROLE.Audit.
Messages.Suppress

The com.ibm.security.SAF.EJBROLE.Audit.Messages.Suppress
custom property allows you to turn on or off ICH408I RACF
messages generated when a customer attempts to access the
administrative console, and the user ID is permitted to
the EJBROLE monitor role but not to the administrator,
configurator, and operator roles.

APAR PQ78770 is associated with SERVICE LEVEL W502000 of
WebSphere Application Server V5.0 for z/OS.
Temporary fix Comments
APAR information
APAR number PQ78770
Reported component name WEBSPHERE FOR Z
Reported component ID 5655I3500
Reported release 500
Status CLOSED PER
PE NoPE
HIPER NoHIPER
Special Attention NoSpecatt
Submitted date 2003-09-23
Closed date 2003-12-07
Last modified date 2004-03-31

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:

Modules/Macros
BBOUBINF          

Publications Referenced

Fix information
Fixed component name WEBSPHERE FOR Z
Fixed component ID 5655I3500

Applicable component levels
R500 PSY UQ82899    UP03/12/15 P F312

  Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.


Document Information


Current web document: swg1PQ78770.html
Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server for z/OS
Operating system(s):
Software version: 500
Software edition:
Reference #: PQ78770
IBM Group: Software Group
Modified date: Mar 31, 2004