PQ85631: ICSF fails at W502000 because of validation failure
APAR status

Closed as program error.

Error description

When running with Global Security enabled using ICSF, server fails during validation because we are picking up an unauthenticated id, default WSGUEST.

With com.ibm.ws.security.*=all=enabled tracing turned on, we can see the following in the job output:

    FunctionName: com.ibm.ws.security.server.lm.ICSFLoginModule
    SourceId: com.ibm.ws.security.server.lm.ICSFLoginModule
    Category: DEBUG
    ExtendedMessage: Using credential token for authentication

  Trace: 2004/01/26 08:54:29.755 01 t=A87870 c=UNK key=P2 (13007002)
    FunctionName: com.ibm.ws.security.icsf.ICSFServerObject
    SourceId: com.ibm.ws.security.icsf.ICSFServerObject
    Category: ENTRY
    ExtendedMessage: ICSFServerObject.validate

  Trace: 2004/01/26 08:54:29.775 01 t=A87870 c=UNK key=P2 (13007002)
    FunctionName: com.ibm.ws.security.auth.ContextManagerImpl
    SourceId: com.ibm.ws.security.auth.ContextManagerImpl
    Category: DEBUG
    ExtendedMessage: CELL_SECURITY_ENABLED = true

  Trace: 2004/01/26 08:54:29.807 01 t=A87870 c=UNK key=P2 (13007002)
    FunctionName: com.ibm.ws.security.auth.ContextManagerImpl
    SourceId: com.ibm.ws.security.auth.ContextManagerImpl
    Category: DEBUG
    ExtendedMessage: Using SAF Registry. Create credential with a private cred

  Trace: 2004/01/26 08:54:29.809 01 t=A87870 c=UNK key=P2 (13007002)
    FunctionName: com.ibm.ws.security.auth.ContextManagerImpl
    SourceId: com.ibm.ws.security.auth.ContextManagerImpl
    Category: EXIT
    ExtendedMessage: ContextManagerImpl.getProperty( com.ibm.security.SAF.unauthenticated) returns WSGUEST

  Trace: 2004/01/26 08:54:29.816 01 t=A87870 c=UNK key=P2 (13007002)
    FunctionName: com.ibm.ws.security.registry.UserRegistryImpl
    SourceId: com.ibm.ws.security.registry.UserRegistryImpl
    Category: DEBUG
    ExtendedMessage: getDefaultOSCred Validating unauthenticated userId WSGUEST with SAF

Local fix

Problem summary

****************************************************************
* USERS AFFECTED: All users of WebSphere Application Server    *
*                 V5.0 for z/OS                                *
****************************************************************
* PROBLEM DESCRIPTION: Customers using Integrated              *
*                      Cryptographic Services Facility (ICSF)  *
*                      as their authentication mechanism may   *
*                      get the following message on their MVS  *
*                      console:                                *
*                      ICH408I USER(WSGUEST ) GROUP(WSGUESTG)  *
*                      NAME(WAS DEFAULT USER) administrator    *
*                      CL(EJBROLE ) INSUFFICIENT ACCESS        *
*                      AUTHORITY ACCESS INTENT(READ ) ACCESS   *
*                      ALLOWED(NONE)                           *
*                      where WSGUEST is the unauthenticated    *
*                      ID.                                     *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************

The problem was due to an incorrect initialization of the user registry when the ICSF Server Object was instantiated. We were not able to get the correct user registry to obtain the current credentials; therefore we used the unauthenticated credentials instead.

This id can be seen in the SYSPRINT when java security traces are enabled:

    FunctionName: com.ibm.ws.security.server.lm.ICSFLoginModule
    SourceId: com.ibm.ws.security.server.lm.ICSFLoginModule
    Category: DEBUG
    ExtendedMessage: Using credential token for authentication

  Trace: 2004/01/26 08:54:29.755 01 t=A87870 c=UNK key=P2
    FunctionName: com.ibm.ws.security.icsf.ICSFServerObject
    SourceId: com.ibm.ws.security.icsf.ICSFServerObject
    Category: ENTRY
    ExtendedMessage: ICSFServerObject.validate

  Trace: 2004/01/26 08:54:29.775 01 t=A87870 c=UNK key=P2
    FunctionName: com.ibm.ws.security.auth.ContextManagerImpl
    SourceId: com.ibm.ws.security.auth.ContextManagerImpl
    Category: DEBUG
    ExtendedMessage: CELL_SECURITY_ENABLED = true

  Trace: 2004/01/26 08:54:29.807 01 t=A87870 c=UNK key=P2
    FunctionName: com.ibm.ws.security.auth.ContextManagerImpl
    SourceId: com.ibm.ws.security.auth.ContextManagerImpl
    Category: DEBUG
    ExtendedMessage: Using SAF Registry. Create credential with a private cred

  Trace: 2004/01/26 08:54:29.809 01 t=A87870 c=UNK key=P2
    FunctionName: com.ibm.ws.security.auth.ContextManagerImpl
    SourceId: com.ibm.ws.security.auth.ContextManagerImpl
    Category: EXIT
    ExtendedMessage: ContextManagerImpl.getProperty( com.ibm.security.SAF.unauthenticated) returns WSGUEST

  Trace: 2004/01/26 08:54:29.816 01 t=A87870 c=UNK key=P2
    FunctionName: com.ibm.ws.security.registry.UserRegistryImpl
    SourceId: com.ibm.ws.security.registry.UserRegistryImpl
    Category: DEBUG
    ExtendedMessage: getDefaultOSCred Validating unauthenticated userId WSGUEST with SAF

Problem conclusion

Modified the ICSF Server Object to correctly initialize the user registry.

APAR PQ85631 is associated with SERVICE LEVEL W502005 of WebSphere Application Server V5.0 for z/OS.

Temporary fix

Comments
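
A triage check for the symptom described in this APAR, added here as an example and not part of the APAR or of IBM's code: it parses ICH408I console messages and flags EJBROLE denials charged to the ID that the trace reports for com.ibm.security.SAF.unauthenticated. The second console message (APPUSR1), the bare message layout without console prefixes, and all function names are constructed for illustration.

```python
import re

# Constructed sample input: the first console message and the trace lines are the
# ones quoted in this APAR; the second message (APPUSR1) is invented for contrast.
CONSOLE = """\
ICH408I USER(WSGUEST ) GROUP(WSGUESTG) NAME(WAS DEFAULT USER)
  administrator CL(EJBROLE )
  INSUFFICIENT ACCESS AUTHORITY
  ACCESS INTENT(READ ) ACCESS ALLOWED(NONE)
ICH408I USER(APPUSR1 ) GROUP(APPGRP ) NAME(CONSTRUCTED USER)
  administrator CL(EJBROLE )
  INSUFFICIENT ACCESS AUTHORITY
  ACCESS INTENT(READ ) ACCESS ALLOWED(NONE)
"""
TRACE = """\
ExtendedMessage: ContextManagerImpl.getProperty(
com.ibm.security.SAF.unauthenticated) returns WSGUEST
ExtendedMessage: getDefaultOSCred Validating unauthenticated userId WSGUEST with SAF
"""

# The message wraps across console lines, so fields are separated by \s+.
ICH408I = re.compile(
    r"ICH408I USER\((?P<user>[^)]*)\)\s+GROUP\((?P<group>[^)]*)\)\s+"
    r"NAME\((?P<name>[^)]*)\)\s+(?P<resource>\S+)\s+CL\((?P<cls>[^)]*)\)\s+"
    r"(?P<reason>.*?)\s+ACCESS INTENT\((?P<intent>[^)]*)\)\s+"
    r"ACCESS ALLOWED\((?P<allowed>[^)]*)\)", re.S)

def unauthenticated_id(trace):
    """ID the server reports for com.ibm.security.SAF.unauthenticated, or None."""
    m = re.search(r"SAF\.unauthenticated\)\s+returns\s+(\S+)", trace)
    return m.group(1) if m else None

def violations(console):
    """Parse every ICH408I message into a dict with field padding stripped."""
    return [{k: " ".join(v.split()) for k, v in m.groupdict().items()}
            for m in ICH408I.finditer(console)]

def triage(console, trace):
    """EJBROLE denials charged to the unauthenticated ID, the symptom described here."""
    guest = unauthenticated_id(trace)
    validated = re.findall(r"Validating unauthenticated userId (\S+)", trace)
    hits = []
    for v in violations(console):
        if guest and v["cls"] == "EJBROLE" and v["user"] == guest:
            v["fallback_in_trace"] = guest in validated
            hits.append(v)
    return hits

if __name__ == "__main__":
    for hit in triage(CONSOLE, TRACE):
        print(hit)
```

A hit with `fallback_in_trace` set means the denial coincides with the getDefaultOSCred fallback shown in the trace, which separates this defect from an ordinary denial of a named user such as the constructed APPUSR1 entry.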
APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:

Modules/Macros

Publications Referenced
Document Information
Current web document: swg1PQ85631.html
Product categories: Software > Application Servers >
Distributed Application & Web Servers > WebSphere Application
Server for z/OS
Operating system(s):
Software version: 500
Software edition:
Reference #: PQ85631
IBM Group: Software Group
Modified date: Apr 3, 2004
(C) Copyright IBM Corporation 2000, 2009. All Rights Reserved.