PQ77186: BBOO0222I SECJ0305I: ROLE BASED AUTHORIZATION CHECK FAILED WHILE INVOKING METHOD QUERY:COM.IBM.WS.MANAGEMENT.DISCOVERY.SERVERINFO

 A fix is available




APAR status
Closed as program error.

Error description
When starting up an application server that does mbean
discovery the following security error message surfaces in the
node agent.

ICH408I USER(WSGUEST) GROUP(WSCLGPT ) NAME(WAS DEFAULT USER
  administrator CL(EJBROLE )
  INSUFFICIENT ACCESS AUTHORITY
  ACCESS INTENT(READ   )  ACCESS ALLOWED(NONE   )

BBOO0222I SECJ0305I: Role based authorization check failed for
security name AHCPLEX/WSGUEST, accessId user:AHCPLEX/WSGUEST
while invoking method:
com.ibm.ws.management.discovery.ServerInfo on
resource Discovery and module Discovery.

javax.management.JMRuntimeException: ADMN0022E: Access denied
for the query operation on Discovery MBean due to insufficient
or empty credentials.

Other error messages that also surface:
BBOS0103E MSG_BBOSENUS_SEC_EJBROLES_CHECK_FAILED:  The requested
EJBROLESAUTHCHECK(RACROUTE) function User WSGUEST
not permitted to method admin-authz via Allowed roles
(operator,administrator,.)

Local fix

Problem summary
****************************************************************
* USERS AFFECTED: All users of WebSphere Application Server    *
*                 V5.0 for z/OS                                *
****************************************************************
* PROBLEM DESCRIPTION: Upon server initialization the default  *
*                      z/OS userid is used, errantly, as the   *
*                      authenticated entity for RMI/IIOP calls *
*                      that emanate from the controller        *
*                      address space of the server. The target *
*                      of these calls fails the RMI/IIOP       *
*                      request because the default user does   *
*                      not pass an EJBROLE check.  The EJBROLE *
*                      failures usually occur in the           *
*                      controller of a node agent.             *
*                      The error:                              *
*                      BBOO0222I SECJ0305I: ROLE BASED         *
*                      AUTHORIZATION CHECK FAILED WHILE        *
*                      INVOKING METHOD                         *
*                      QUERY:COM.IBM.WS.MANAGEMENT.            *
*                      DISCOVERY.SERVERINFO                    *
*                      is typical.  This message also          *
*                      appears at the MVS console.             *
*                      BBOO0222I SECJ0305I: Role based         *
*                      authorization check failed for          *
*                      security name WASRACFREALM/WSGUEST,     *
*                      accessId user:WASRACFREALM/WSGUEST      *
*                      while invoking method query:            *
*                      com.ibm.ws.management.                  *
*                      discovery.ServerInfo                    *
*                      on resource Discovery and               *
*                      module Discovery.                       *
*                      ICH408I USER(WSGUEST )                  *
*                      GROUP(SMADMIN1)                         *
*                      NAME(WAS DEFAULT USER    )              *
*                      administrator CL(EJBROLE )              *
*                      INSUFFICIENT ACCESS AUTHORITY           *
*                      ACCESS INTENT(READ   )                  *
*                      ACCESS ALLOWED(NONE   )                 *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
During server initialization of the controller, if global
security is enabled, the security runtime attempts to obtain and
cache a copy of the credential for the default z/OS identity. As
a side effect of obtaining this credential, the default ID
becomes the identity that is used if RMI/IIOP calls are made.
The default ID remains current until the first inbound call is
fielded by the controller and supplants the default identity.
During this window, if the controller initiates an RMI/IIOP
call, the default user is used for authorization checks in the
target of the call. In many cases the default ID fails to pass
EJBROLE checks. The following message is typical.
BBOO0222I SECJ0305I: Role based
authorization check failed for
security name WASRACFREALM/WSGUEST,
accessId user:WASRACFREALM/WSGUEST
while invoking method query:
com.ibm.ws.management.discovery.ServerInfo
on resource Discovery and module Discovery.
ICH408I USER(WSGUEST ) GROUP(SMADMIN1)
NAME(WAS DEFAULT USER    )
administrator CL(EJBROLE )
INSUFFICIENT ACCESS AUTHORITY
ACCESS INTENT(READ   )
ACCESS ALLOWED(NONE   )

Problem conclusion
During server initialization when the credential for the default
z/OS identity is obtained, it is not made the current identity
for RMI/IIOP calls.

APAR PQ77186 is associated with SERVICE LEVEL W501000 of
WebSphere Application Server V5.0 for z/OS.
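
The following triage sketch is an added example, not IBM code. It re-joins the wrapped console messages and labels an EJBROLE denial as matching this APAR only when the denied user is the default z/OS identity and a SECJ0305I for the Discovery MBean's ServerInfo query names the same user. The default user ID is passed in as a parameter (WSGUEST on this page); the JSMITH message and the function names are constructed for illustration.

```python
import re

# Constructed sample: messages 1-2 follow the console output quoted in this APAR; JSMITH is invented.
SAMPLE_LOG = """\
ICH408I USER(WSGUEST ) GROUP(SMADMIN1) NAME(WAS DEFAULT USER    )
  administrator CL(EJBROLE )
  INSUFFICIENT ACCESS AUTHORITY
  ACCESS INTENT(READ   )  ACCESS ALLOWED(NONE   )
BBOO0222I SECJ0305I: Role based authorization check failed for
security name WASRACFREALM/WSGUEST, accessId user:WASRACFREALM/WSGUEST
while invoking method query:
com.ibm.ws.management.discovery.ServerInfo
on resource Discovery and module Discovery.
ICH408I USER(JSMITH  ) GROUP(DEVGRP  ) NAME(J SMITH             )
  administrator CL(EJBROLE )
  INSUFFICIENT ACCESS AUTHORITY
  ACCESS INTENT(READ   )  ACCESS ALLOWED(NONE   )
"""

MSG_START = re.compile(r"(ICH408I|BBOO0222I|BBOS0103E)\b")
RACF_DENY = re.compile(r"ICH408I USER\((\w+)\s*\).*?(\S+) CL\((\w+)\s*\)")
ROLE_FAIL = re.compile(r"SECJ0305I:.*?security name (?:\S+/)?(\w+),"
                       r".*?invoking method(?: query)?: (\S+) on resource (\S+)")

def messages(log):
    """Re-join wrapped console lines into one string per message."""
    out = []
    for line in filter(None, map(str.strip, log.splitlines())):
        if MSG_START.match(line) or not out:
            out.append(line)
        else:
            out[-1] += " " + line
    return out

def triage(log, default_user):
    """Label each EJBROLE denial 'startup-default-id' or 'review'."""
    msgs = messages(log)
    hits = [ROLE_FAIL.search(m) for m in msgs]
    # Users whose role check failed on the Discovery MBean's ServerInfo query.
    discovery = {h.group(1) for h in hits if h and h.group(3) == "Discovery"
                 and h.group(2).endswith("discovery.ServerInfo")}
    findings = []
    for d in filter(None, (RACF_DENY.search(m) for m in msgs)):
        user, role, cls = d.groups()
        if cls != "EJBROLE":
            continue
        known = user == default_user and user in discovery
        findings.append((user, role, "startup-default-id" if known else "review"))
    return findings
```

A `startup-default-id` label means only that the messages match the pattern this APAR describes; the sample carries no timestamps, so it does not establish that the denial fell inside the initialization window.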

Temporary fix

Comments

APAR information
APAR number: PQ77186
Reported component name: WEBSPHERE FOR Z
Reported component ID: 5655I3500
Reported release: 500
Status: CLOSED PER
PE: NoPE
HIPER: NoHIPER
Special Attention: NoSpecatt
Submitted date: 2003-08-06
Closed date: 2003-09-17
Last modified date: 2003-10-03

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:

Modules/Macros
BBOUBINF          

Publications Referenced

Fix information
Fixed component name: WEBSPHERE FOR Z
Fixed component ID: 5655I3500

Applicable component levels
R500 PSY UQ80305    UP03/09/25 P F309



Document Information


Current web document: swg1PQ77186.html
Software version: 500
Reference #: PQ77186
IBM Group: Software Group
Modified date: Oct 3, 2003