PQ81149: THIS APAR ADDRESSES DEFECTS IN WEBSPHERE APPLICATION SERVER V5.0 FOR Z/OS.

 A fix is available

Obtain the fix for this APAR



APAR status
Closed as program error.

Error description
This APAR addresses defects in WebSphere Application Server
V5.0 for z/OS.
Local fix Problem summary
****************************************************************
* USERS AFFECTED: All users of WebSphere Application Server    *
*                 V5.0 for z/OS                                *
****************************************************************
* PROBLEM DESCRIPTION: APAR PQ81149 addresses various defects  *
*                      in WebSphere Application Server V5.0    *
*                      for z/OS.                               *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
APAR PQ81149 addresses the following defects in
WebSphere Application Server V5.0 for z/OS:

(MD17530) WebContainer Applications using client certificate
authentication fails with HTTP error 403 on the browser.
A Web Application has been built with an authentication method
of client certificate. Global security is enabled. The Registry
is specified as LocalOS and SAF authorization and delegation
are turned on. com.ibm.security.SAF.authorization=true and
com.ibm.security.SAF.delegation=true. The application is run
and results in an HTTP 403 returned from the server to the
browser. One or more of the following error messages may appear
in the server error log : BBOS0008E, BBOS0105E, BBOS0037E,
BBOS0103E.

(MD17625) A programmatic login takes the user ID and password,
ignores the com.ibm.CORBA.validateBasicAuth property and creates
a BasicAuth credential. If the user ID or password is invalid,
the client program does not find out until the first
method request is attempted.

(MD17671) Trace Logs of new Server written to wrong directory.
When a new server is created using the default template, the
administrative console writes the trace logs to a different
directory.

(MD17769) The directory which contains javadoc describing public
WebSphere APIs was missing.

(MD17798) Authorization failures occur when using Local OS user
registry and WebSphere authorization. These failures are most
likely to occur when migrating an application from a WebSphere
Distributed platform to z/OS. The userids held in the WebSphere
authorization table may be in mixed, or lower case, while
local OS user registry users are always in uppercase. This
potential case differential causes authorization errors to
occur. Messages like the following are typical:
ExtendedMessage: SECJ0129E: Authorization failed for JAVAJOE
while invoking GET on default_host:/jsp_sec/guestPage.jsp,
Authorization failed, Not granted any of the required roles:
Administrator Manager VP

In this example the Local OS user registry user "JAVAJOE"
fails the authorization check even though the WebSphere
authorization table allows the user "javajoe".

(MD17836) InvocationTargetException received during the
restart of an already existing configuration. When a WebSphere
server starts, it reads the XA partner log and deserializes
some objects that were involved in XA transactions before the
server was shut down last.  It uses these objects to ensure that
all of the XA transactions were properly committed or
rolled back.

In certain cases, the application of a PTF could provide new
class definitions that are unable to deserialize the objects
that were written using the old class definitions.  This results
in an InvocationTargetException in the joblog of your
application servant region.  This exception will look similar
to the following:

deserializeWrapper caught the following exception, recovery will
  be halted com.ibm.ws390.tx.partnerLog.WS390XaRecUtil
  com.ibm.ws390.tx.partnerLog.WS390XaRecUtil
java.lang.reflect.InvocationTargetException:
java.io.InvalidClassException:
  com.ibm.ws.rsadapter.spi.WSManagedConnectionFactoryImpl;
  Local class not compatible:
  stream classdesc serialVersionUID=-5223603533727900186
  local class serialVersionUID=-4494979438626168109
at java.io.ObjectStreamClass.validateLocalClass
  (ObjectStreamClass.java:565)

(MD17901) HFS gets filled with tracing because trace.log is
specified in the server.xml.

<services xmi:type="traceservice:TraceService"
   xmi:id="TraceService_1" enable="true"
   startupTraceSpecification="*=all=disabled"
   traceOutputType="SPECIFIED_FILE" traceFormat="BASIC"
   memoryBufferSize="8">
 <traceLog xmi:id="TraceLog_1"
   fileName="${LOG_ROOT}/&DMSSNL./trace.log"
   rolloverSize="20" maxNumberOfBackupFiles="1"/>
</services>

This causes the trace to go to the HFS.

(MD17965) Remove "Web Services" (tech preview support) from the
dialog since Web Services is being delivered in Cumulative Fix
W502000.

(MD17988) The default timeout values for start/stop/delete
applicaton need to be increased. The new values should be 3
minutes instead of 50 seconds. This will prevent any timeout
messages shown on the administrative console during
installing/stopping/starting applications.

(MD18027) The Filetransfer Application is unable to start. Sync
does not occur. The following message is found in the logs:

ExtendedMessage: SRVE0147E: No Virtual Host defined for web
module: WebSphere Admin File Transfer Application the Web
Application will not be loaded.

The Filetransfer application shipped with an incorrect
default binding of admin_host rather than default_host.
This can be corrected by updating the application using the
Administrative Console, to generate the proper bindings.
With the Application unable to start, sync could not occur.
This error could also occur if the ++HOLD information for
W501000 was not followed with respect to Filetransfer.

(MD18035) Initialization of Deployment Manager fails during
initialization unless SAF authorization is used. The control
region abends with an A03 abend. Symptoms include the following
failures:
BBOO0220E NMSV0602E: Naming Service unavailable.
   A communications error occurred.
BBOO0223I Exception javax.naming.CommunicationException:
   Could not obtain an initial context due to a communication
   failure
BBOO0220E SECJ0281E: Error creating user registry object.

The caller Subject is first retrieved in an attempt to access
the Name Space during server initialization. This occurs
before the security server has been initialized.

The logic for getting the caller's Subject, if WebSphere
authorization is used on z/OS causes a creation of the
security server object.

Security Server initialization requires access to the Name
Space, whose initialization began this process.

In fact, during this time frame, naming authorization is not
enabled.

(MD18065) CNTR0020E: Non-application exception occurred while
processing method <method name> on bean <bean id>.
Exception Data:
InvalidBeanOStateException(current =
COMMITTING_IN_METHOD,expected =
IN_METHOD | TX_IN_METHOD | DESTROYED)

The following stack trace would be seen if event tracing is
active for class com.ibm.ejs.util.tran.SyncDriver. It is a
subset of the trace.

Trace: 2003/10/03 21:19:48.537 01 t=8E03B8 c=2.7 key=P8
  FunctionName: com.ibm.ejs.util.tran.SyncDriver
  SourceId: com.ibm.ejs.util.tran.SyncDriver
  Category: EVENT
 ExtendedMessage: afterCompletion failed; com.ibm.ejs.ras.
  TraceComponent@2e5a9e75, java.lang.NullPointerException
at com.ibm.rmi.javax.rmi.CORBA.Util.stopKeepAliveThread(
 Util.java:680)

Another exception/message that would be seen in the Job Log
without tracing active would be:

CNTR0020E: Non-application exception occurred while processing
method <method name> on bean <bean id>. Exception Data:
InvalidBeanOStateException(current = COMMITTING_IN_METHOD,
expected = IN_METHOD | TX_IN_METHOD | DESTROYED)
at com.ibm.ejs.container.StatefulBeanO.postInvoke
(StatefulBeanO.java:590)
at com.ibm.ejs.container.EJSContainer.postInvoke
(EJSContainer.java:2861)

(MD18084) When global security is enabled, the JMS Event Broker
will try to load the WASPrincipalDirectory class. The broker
cannot load trace and security context classes and a
ClassNotFoundException is thrown.

The JMS Event Broker cannot load the WASPrincipalDirectory
when security is enabled. The WASPrincipaDirectory class also
contains other classes that cannot be loaded from the broker.
A ClassNotFoundException is thrown and the broker fails to
start.

(MD18088) Update BBOINST and BBOUNIN for new WebServices sample.

Dialog generated job BBOINST and BBOUNIN needs to get updated
to pick up the new WebServices sample that comes with v5.02.

(
PQ78791) Message BBOS0108E for function RunAsGetSpecCredRole
does not display the failed RACROUTE request. This is the msg:
BBOS0108E Credential handling function RunAsGetSpecCredRole
failed in Routine RACROUTE with SAF Return Code (hex): 4,
RACF Return code (hex): 8, and RACF Reason Code (hex): 0.

If SAF finds a problem when it tries to get a credential for a
user id associated to a role, WebSphere issues message
BBOS0108E. This message contains the request that failed,
RACROUTE, but it does not specify the request type that failed.
Problem conclusion
APAR PQ81149 fixes various defects in WebSphere Application
Server V5.0 for z/OS.

(MD17530) The Application Server received a valid client
certificate from the browser and successfully mapped it to a
z/OS userid. However, when the SAF authorization was done later,
the SAF NSC token was not available and the authorization
failed. The NSC token was actually created when the certificate
was mapped but it was never saved. The fix is to clone the
current mapCertificate method and have it also return the NSC
token. The token is then saved for later use in the
authentication process.

(MD17625) The code will check if the
com.ibm.CORBA.validateBasicAuth property is set. By default the
user ID and password is authenticated with the security server
at the time of the request login. The result is either false
with a WSLoginFailedException indicating that the user id and
password is invalid, or true where the BasicAuth credential is
returned to the caller of the request login.

(MD17671) The webui code has been changed to remove the
hard-coded newly server's trace log root and that fixed the
problem.

(MD17769) This defect ships the javadoc HTML files under the
directory: web/apidocs

(MD17798) The WebSphere user registry option that allows for
case insensitive authorization checks when using WebSphere
authorization has been extended to the Local OS user registry.
This option is available when selecting a new or modifying an
old user registry.  When this option is selected,
authorization checks will be performed without regard to case.
This means that a local OS user registry user "JAVAJOE" will
pass an authorization check if the WebSphere authorization
table permits "javajoe".

(MD17836) The default implementations of readObject and
writeObject were overridden for the J2CXAResourceInfo object and
all objects that it contains.  The new implementation handles
the case of deserializing older versions of the class.

(MD17901) To correct this, the server.xml skeleton has been
updated to change traceOutputType from "SPECIFIED_FILE" to
"MEMORY_BUFFER". With this change, it still writes to ctrace.
However, the output will go to a wrap around buffer instead of
file in the HFS.

The traceservice stanza now looks like:
<services xmi:type="traceservice:TraceService"
   xmi:id="TraceService_1" enable="true"
   startupTraceSpecification="*=all=disabled"
   traceOutputType="MEMORY_BUFFER" traceFormat="BASIC"
   memoryBufferSize="8">
 <traceLog xmi:id="TraceLog_1"
   fileName="${LOG_ROOT}/&DMSSNL./trace.log"
   rolloverSize="20" maxNumberOfBackupFiles="1"/>
</services>

(MD17965) The dialog has been updated to remove the Web Services
(tech preview support) option from the dialog panels so that it
will not be accessible to the user.

(MD17988) The timeout values for starting/stopping/deleting
applications have beem increased to 3 minutes the administative
console can handle the notification timeout issues.

(MD18027) The correct virtual host "default_host" binding is
now used as the default.

(MD18035) Support has been modified to avoid creating a new
thread security context until the security server was
initialized. Code was similarly changed for obtaining the
invocation Subject.

(MD18065)  Updated z/OS Util class to override
stopKeepAliveThread method. The override does nothing because
startKeepAliveThread on z/OS does not start a keep alive thread.
A keep alive thread is not required on z/OS. The
nullPointerException during stopKeepAliveThread causes a state
change in the Bean to not take place and in turn causes the
InvalidBeanOStateException on subsequent requests.

(MD18084) WASPrincipalDirectory has been modified such that no
references are made to the trace and security context classes.
The WASPrincipalDirectory class is instanced from the broker if
security is already enabled, therefore there is no need to
query the security context to verify if security is enabled.

(MD18088) Dialog skeletons BBOINST and BBOUNIN will be updated
to add the new WebServices samples.

(
PQ78791) Added the request type EXTRACT to msg BBOS0108E for
function RunAsGetSpecCredRole.

APAR PQ81149 is associated with SERVICE LEVEL W502000 of
WebSphere Application Server V5.0 for z/OS.
Temporary fix Comments
APAR information
APAR number PQ81149
Reported component name WEBSPHERE FOR Z
Reported component ID 5655I3500
Reported release 500
Status CLOSED PER
PE NoPE
HIPER NoHIPER
Special Attention NoSpecatt
Submitted date 2003-11-19
Closed date 2003-12-07
Last modified date 2004-01-03

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:
UQ82899

Modules/Macros
BBOLRTU BBOUBINF BBOZ1327 BBOZ1486 BBOZ2651 BBOZ3842
BBOZ4258 H28W500J        

Publications Referenced
GA22791500        

Fix information
Fixed component name WEBSPHERE FOR Z
Fixed component ID 5655I3500

Applicable component levels
R500 PSY UQ82899    UP03/12/15 P F312

  Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.


Document Information


Current web document: swg1PQ81149.html
Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server for z/OS
Operating system(s):
Software version: 500
Software edition:
Reference #: PQ81149
IBM Group: Software Group
Modified date: Jan 3, 2004