PQ95235: DURING RIPPLESTART OF SERVERS IN A CLUSTER THE DMGR SERVER CR IDIS USED INSTEAD OF ADMIN ID CAUSING ERRORS AND MAY RESULT IN 0C4

 A fix is available

Obtain the fix for this APAR



APAR status
Closed as program error.

Error description
With Global Security enabled the ripplestart operation causes
various security errors which may eventually cause an 0C4 abend
causing the start of the servers to fail.
.
The problem is that the deployment management controller ID is
used to start the servers instead of the admin ID. Some of the
errors observed are,
.
BBOO0222I SECJ0305I: Role based authorization check failed for
security name <null>, accessId NO_CRED_NO_ACCESS_ID while
invoking method getProcessType on resource Server and module
Server.
.
ICH408I USER(DMGRCR1 ) GROUP(CBFCNG1) NAME(WAS G#STEUSER -
TEST)
administrator CL(EJBROLE )
INSUFFICIENT ACCESS AUTHORITY
ACCESS INTENT(READ   )  ACCESS ALLOWED(NONE   )
.
BBOS0008E RACAUTH of class, EJBROLE, failed with SAF Return
Code=00000008, RACF Return Code=00000008, RACF Reaode=00000000.
.
The ripplestart may also result in an OC4 abend in some cases
where the start of the servers will fail. The abend is in
security module BBOSSMEP with traceback:
.
BBOSSMEP
EJBROLES::checkingRolesPermission
EJBROLES::isCallerInRole
Java_com_ibm_ws_security_core_SAFAuthorizationTableImpl_native_1
     SAFisGrantedAnyRole
com/ibm/ws/security/core/SAFAuthorizationTableImpl.
                                             callerAndUserInRole
com/ibm/ws/security/core/SAFAuthorizationTableImpl.
                                                isGrantedAnyRole
com/ibm/ws/security/role/RoleBasedAuthorizerImpl.checkAccess
com/ibm/ws/management/AdminServiceImpl.preInvoke
com/ibm/ws/management/AdminServiceImpl.invoke
com/ibm/ws/management/wlm/ClusterMgr.invokeMBean
com/ibm/ws/management/wlm/ClusterMgr.getAttributes
com/ibm/ws/management/wlm/ClusterMgr.loadClusterConfig
com/ibm/ws/management/wlm/ClusterMgr.loadRefreshClusters
com/ibm/ws/management/wlm/ClusterMgr.retrieveCluster
com/ibm/ws/management/AdminServiceImpl.invoke
com/ibm/ws/management/wlm/Cluster.refresh
com/ibm/ws/management/wlm/ClusterAdmin&#65423;RippleStarter.rippleStart
com/ibm/ws/management/wlm/ClusterAdmin&#65423;RippleStarter.run
.
Local fix Problem summary
****************************************************************
* USERS AFFECTED: All users of WebSphere Application Server    *
*                 V5.0 for z/OS                                *
****************************************************************
* PROBLEM DESCRIPTION: Various symptoms occur when a ripple    *
*                      start is attempted. One symptom:        *
*                      ICH408I USER(WRONGID) GROUP(WRONGGR)    *
*                      NAME(USER) administrator CL(EJBROLE )   *
*                      INSUFFICIENT ACCESS AUTHORITY           *
*                      ACCESS INTENT(READ   )  ACCESS          *
*                      ALLOWED(NONE   )                        *
*                      Some customers receive                  *
*                      ABENDSOC4/ABENDOC4 in the Deployment    *
*                      Manager controller which is traced to   *
*                      BBOSSMEP.                               *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
The problem is one of re-using released storage. Ripple start
processing spawns a new thread to do the work, passing security
credentials including a control block managed by C++. The
original thread completes end of transaction processing, and
the storage is released. The spawned thread continues OK until
the freed storage is re-allocated, at which time the resulting
storage overlay can cause various problems.
Problem conclusion
Processing in the security code is modified to clone the
control block in Java storage and use the clone in the security
credentials.

APAR PQ95235 is associated with SERVICE LEVEL W502019 of
WebSphere Application Server V5.0 for z/OS.
Temporary fix Comments
APAR information
APAR number PQ95235
Reported component name WEBSPHERE FOR Z
Reported component ID 5655I3500
Reported release 500
Status CLOSED PER
PE NoPE
HIPER NoHIPER
Special Attention NoSpecatt
Submitted date 2004-10-01
Closed date 2004-11-19
Last modified date 2005-01-05

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:
PQ96886

Modules/Macros
BBOUBINF          

Publications Referenced

Fix information
Fixed component name WEBSPHERE FOR Z
Fixed component ID 5655I3500

Applicable component levels
R500 PSY UQ95286    UP04/12/03 P F412

  Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.


Document Information


Current web document: swg1PQ95235.html
Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server for z/OS
Operating system(s):
Software version: 500
Software edition:
Reference #: PQ95235
IBM Group: Software Group
Modified date: Jan 5, 2005