PQ87163: Adminconsole ids without EJBROLE administrator generates many ICH408I, SECJ0321E, BBOO0220E, BBOS0037E, BBOS0105E messages

A fix is available

APAR status
Closed as program error.

Error description
The adminconsole application has a set of 4 EJBROLEs which
can be used to protect various adminconsole features from
unauthorized use:
* administrator
* configurator
* operator
* monitor
If an adminconsole user logs on using a userid that does not
have READ permission to EJBROLE administrator, any mouse
click within the adminconsole application at the browser
generates an excessive number of messages for each of the
EJBROLEs that the userid does not have.
<1>
The following messages appear on the system console over and
over for each missing EJBROLE:
ICH408I USER(NJAYNER ) GROUP(SYS1    )
  NAME(NJAYNER)   administrator CL(EJBROLE )
  INSUFFICIENT ACCESS AUTHORITY
  ACCESS INTENT(READ   )  ACCESS ALLOWED(NONE   )
+BBOO0220E SECJ0321E: Role based authorization is caller in role
  failed for security name WASRACFREALM/NJAYNER, accessId
  user:WASRACFREALM/NJAYNER, and role name
  Ljava.lang.String;@12af2a9.
<2>
The following messages appear over and over in the deployment
manager's servant region JES Message Log for each missing
EJBROLE:
ICH408I USER(NJAYNER ) GROUP(SYS1    ) NAME(NJAYNER)
  administrator CL(EJBROLE )
  INSUFFICIENT ACCESS AUTHORITY
  ACCESS INTENT(READ   )  ACCESS ALLOWED(NONE   )
+BBOO0220E SECJ0321E: Role based authorization is caller in role
  failed for security name WASRACFREALM/NJAYNER, accessId
  user:WASRACFREALM/NJAYNER, and role name
  .Ljava.lang.String;@644032ac.
<3>
The following messages appear over and over in the deployment
manager's servant region JES System Message log for each missing
EJBROLE:
BBOO0220E SECJ0321E: Role based authorization is caller in role
  failed for security name WASRACFREALM/NJAYNER, accessId
  user:WASRACFREALM/NJAYNER, and role name
  .Ljava.lang.String;@7c6bb249.
<4>
The following messages appear over and over in the deployment
manager's SYSOUT data set (or in the WebSphere Error Log) for
each EJBROLE:
BossLog: { 0037} 2004/04/05 19:44:48.490 01 SYSTEM=SY1
  SERVER=BBODMGR  PID=0X03010341 TID=0X26C80E00 0X000014  c=4.3
  ./bbossejb.cpp+569 ...
  BBOS0105E
  MSG_BBOSENUS_SEC_REQUESTED_EJBROLES_CHECK_FUNCTION_FAILED:
  SAF Return Code (hex) : 8
  The requested FASTAUTHCHECK function failed and could not be
  performed for UserID NJAYNER using Role Name administrator and
  Class Name EJBROLE
BossLog: { 0038} 2004/04/05 19:44:48.490 01 SYSTEM=SY1
  SERVER=BBODMGR  PID=0X03010341 TID=0X26C80E00 0X000014  c=4.3
  ./bbossejb.cpp+572 ...
  BBOS0037E MSG_BBOSENUS_SEC_USER_OR_GROUP_NOT_AUTHORIZED:
  RACF Return Code (hex): 8
  (RACROUTE) - The user or group is not authorized
BossLog: { 0039} 2004/04/05 19:44:48.490 01 SYSTEM=SY1
  SERVER=BBODMGR  PID=0X03010341 TID=0X26C80E00 0X000014  c=4.3
  ./bbosslog.cpp+137 ... BBOS0008E RACAUTH of class, SOMDOBJS,
  failed with SAF Return Code=00000008, RACF Return
  Code=00000008, RACF Reason Code=00000000.
<5>
The following messages appear over and over in the deployment
manager's SYSPRINT for each EJBROLE:
Trace: 2004/04/05 19:47:40.841 01 t=8DE6E8 c=5.6 key=P8
  (0000000A)
  Description: Log Boss/390 Error from filename: ./bbosslog.cpp
  at line: 137
  error message: BBOS0008E RACAUTH of class, SOMDOBJS, failed
  with SAF Return Code=00000008, RACF Return Code=00000008, RACF
  Reason Code=00000000.
Trace: 2004/04/05 19:47:40.841 01 t=8DE6E8 c=5.6 key=P8
  (0000000A)
  Description: Log Boss/390 Error from filename: ./bbossejb.cpp
  at line: 569
  error message: BBOS0105E
  MSG_BBOSENUS_SEC_REQUESTED_EJBROLES_CHECK_FUNCTION_FAILED:
  SAF Return Code (hex) : 8 The requested FASTAUTHCHECK function
  failed and could not be performed for UserID NJAYNER using
  Role Name operator and Class Name EJBROLE
Trace: 2004/04/05 19:47:40.842 01 t=8DE6E8 c=5.6 key=P8
  (0000000A)
  Description: Log Boss/390 Error
  from filename: ./bbossejb.cpp at line: 572
  error message: BBOS0037E
  MSG_BBOSENUS_SEC_USER_OR_GROUP_NOT_AUTHORIZED:
  RACF Return Code (hex): 8 (RACROUTE) -
  The user or group is not authorized
Trace: 2004/04/05 19:47:40.851 01 t=8DE6E8 c=5.6 key=P8
  (13007002)
  FunctionName: com.ibm.ws.security.role.RoleBasedAuthorizerImpl
  SourceId: com.ibm.ws.security.role.RoleBasedAuthorizerImpl
  Category: AUDIT
  ExtendedMessage: SECJ0321E: Role based authorization
  is caller in role failed for security name
  WASRACFREALM/NJAYNER, accessId user:WASRACFREALM/NJAYNER, and
  role name [Ljava.lang.String;@1acff2b1.
<6>
Message SECJ0321E does not display the list of EJBROLEs being
checked correctly; it shows as "[Ljava.lang.String;@767a32b2".
Local fix
The ICH408I messages can be suppressed by setting the custom
property
com.ibm.security.SAF.EJBROLE.Audit.Messages.Suppress=true
within the adminconsole application.
The path to this property within adminconsole is as follows:
Security-> User Registries-> Local OS-> Custom Properties->
change the value of property
com.ibm.security.SAF.EJBROLE.Audit.Messages.Suppress
from "false" to "true". Click OK. Click "Save". Check the box for
"Synchronize changes with Nodes" and click "Save" again.
All the other messages can be eliminated if the userid is given
read access to the set of four EJBROLEs:
* administrator
* configurator
* operator
* monitor
The following RACF commands accomplish this:
PERMIT administrator CLASS(EJBROLE) ID(NJAYNER) ACCESS(READ)
PERMIT configurator  CLASS(EJBROLE) ID(NJAYNER) ACCESS(READ)
PERMIT operator      CLASS(EJBROLE) ID(NJAYNER) ACCESS(READ)
PERMIT monitor       CLASS(EJBROLE) ID(NJAYNER) ACCESS(READ)
SETROPTS RACLIST(EJBROLE) REFRESH
After these commands are issued the userid NJAYNER will no
longer create all these messages. It should not be necessary to
recycle any portion of WebSphere to enable this EJBROLE change.
---
PLEASE NOTE: THIS EJBROLE WORKAROUND SHOULD NOT BE USED IF IT
CONTRADICTS ANY USERID SECURITY POLICIES ESTABLISHED AT YOUR
SITE. THIS WORKAROUND GIVES THE SPECIFIED adminconsole USER ID
AUTHORITY TO PERFORM ALL adminconsole FUNCTIONS.
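As an added example (written for this page, not part of the APAR and not IBM code), the following Python script turns the console noise described above into something actionable: it folds the multi-line ICH408I messages into single records, counts each (userid, class, resource, intent) denial, and emits PERMIT and SETROPTS statements in the same form as the local fix. Because SECJ0321E prints the role array as an object reference (item <6>), only the ICH408I line carries the role name, so the script takes the role from ICH408I and merely counts SECJ0321E per accessId. The sample input is constructed from the NJAYNER messages on this page plus a made-up userid WSOPER that lacks only the monitor role; the ICH408I and SECJ0321E layouts are assumed to be exactly as shown here.

```python
import re
from collections import Counter

# Constructed sample: ICH408I/SECJ0321E messages in the layouts shown in the
# APAR text (NJAYNER is from the page; WSOPER is made up to show grouping).
SAMPLE_CONSOLE = """\
ICH408I USER(NJAYNER ) GROUP(SYS1    )
  NAME(NJAYNER)   administrator CL(EJBROLE )
  INSUFFICIENT ACCESS AUTHORITY
  ACCESS INTENT(READ   )  ACCESS ALLOWED(NONE   )
+BBOO0220E SECJ0321E: Role based authorization is caller in role
  failed for security name WASRACFREALM/NJAYNER, accessId
  user:WASRACFREALM/NJAYNER, and role name
  [Ljava.lang.String;@12af2a9.
ICH408I USER(NJAYNER ) GROUP(SYS1    )
  NAME(NJAYNER)   operator CL(EJBROLE )
  INSUFFICIENT ACCESS AUTHORITY
  ACCESS INTENT(READ   )  ACCESS ALLOWED(NONE   )
ICH408I USER(NJAYNER ) GROUP(SYS1    )
  NAME(NJAYNER)   administrator CL(EJBROLE )
  INSUFFICIENT ACCESS AUTHORITY
  ACCESS INTENT(READ   )  ACCESS ALLOWED(NONE   )
ICH408I USER(WSOPER  ) GROUP(SYS1    ) NAME(WSOPER)
  monitor CL(EJBROLE )
  INSUFFICIENT ACCESS AUTHORITY
  ACCESS INTENT(READ   )  ACCESS ALLOWED(NONE   )
"""

# Field layout of the ICH408I message as it appears on this page; RACF pads
# the parenthesised values with blanks, hence the \s* before each ')'.
ICH408I_RE = re.compile(
    r"ICH408I USER\((?P<user>\S+)\s*\)\s+GROUP\((?P<group>\S+)\s*\)\s+"
    r"NAME\((?P<name>[^)]*)\)\s+(?P<resource>\S+)\s+CL\((?P<cls>\S+)\s*\)\s+"
    r"INSUFFICIENT ACCESS AUTHORITY\s+"
    r"ACCESS INTENT\((?P<intent>\S+)\s*\)\s+ACCESS ALLOWED\((?P<allowed>\S+)\s*\)"
)
SECJ0321E_RE = re.compile(r"SECJ0321E:.*accessId user:(?P<access_id>\S+),")


def join_continuations(text):
    """Fold indented continuation lines onto the message line before them."""
    messages = []
    for line in text.splitlines():
        if line[:1].isspace() and messages:
            messages[-1] += " " + line.strip()
        else:
            messages.append(line.rstrip())
    return messages


def parse_denials(text):
    """Count ICH408I denials keyed by (user, class, resource, intent)."""
    denials = Counter()
    for msg in join_continuations(text):
        m = ICH408I_RE.search(msg)
        if m:
            key = (m["user"], m["cls"], m["resource"], m["intent"])
            denials[key] += 1
    return denials


def count_secj0321e(text):
    """Count SECJ0321E messages per accessId (the role name is unreadable)."""
    counts = Counter()
    for msg in join_continuations(text):
        m = SECJ0321E_RE.search(msg)
        if m:
            counts[m["access_id"]] += 1
    return dict(counts)


def permit_commands(denials, cls="EJBROLE"):
    """RACF PERMIT statements, in the form used by the local fix above, for
    every denied (user, resource) pair in `cls`, plus the RACLIST refresh
    that makes them take effect."""
    cmds = [
        f"PERMIT {resource} CLASS({cls}) ID({user}) ACCESS({intent})"
        for (user, c, resource, intent) in sorted(denials)
        if c == cls
    ]
    cmds.append(f"SETROPTS RACLIST({cls}) REFRESH")
    return cmds


if __name__ == "__main__":
    denials = parse_denials(SAMPLE_CONSOLE)
    for key, n in sorted(denials.items()):
        print(f"{n:4d}  {key}")
    print(count_secj0321e(SAMPLE_CONSOLE))
    print("\n".join(permit_commands(denials)))
```

The generated PERMIT list is exactly the set of roles the console shows as missing, so it should be read against the site policy note above before being issued: granting all four roles gives the userid full adminconsole authority.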
Problem summary
****************************************************************
* USERS AFFECTED: All users of WebSphere Application Server    *
*                 V5.0 for z/OS                                *
****************************************************************
* PROBLEM DESCRIPTION: If an administrative console user logs  *
*                      on using a userid that does not have    *
*                      READ permission to EJBROLE              *
*                      administrator, an excessive number of   *
*                      messages are generated for each of the  *
*                      roles that the userid cannot access.    *
*                                                              *
*                      <1>                                     *
*                      The following messages appear, more     *
*                      than once, on the system console for    *
*                      each missing EJBROLE:                   *
*                      ICH408I USER(WSADMIN ) GROUP(SYS1    )  *
*                      NAME(WSADMIN) administrator             *
*                      CL(EJBROLE ) INSUFFICIENT ACCESS        *
*                      AUTHORITY ACCESS INTENT(READ   )        *
*                      ACCESS ALLOWED(NONE   )                 *
*                                                              *
*                      <2>                                     *
*                      The following messages appear, more     *
*                      than once, in the servant region JES    *
*                      Message Log for each missing EJBROLE:   *
*                      BBOO0220E SECJ0321E: Role based         *
*                      authorization is caller in role failed  *
*                      for security name WASRACFREALM/WSADMIN, *
*                      accessId user:WASRACFREALM/WSADMIN, and *
*                      role name.Ljava.lang.String;@644032ac.  *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
The administrative console has a set of 4 EJBROLEs which
can be used to protect various administrative console features
from unauthorized use:
* administrator
* configurator
* operator
* monitor
If an administrative console user logs on using a userid that
does not have READ permission to EJBROLE administrator, any
mouse click within the administrative console at the browser
generates an excessive number of messages for each of the
EJBROLEs that the userid does not have.

<1>
The following messages appear on the system console over and
over for each missing EJBROLE:
ICH408I USER(WSADMIN) GROUP(SYS1    ) NAME(WSADMIN)
administrator CL(EJBROLE ) INSUFFICIENT ACCESS AUTHORITY
ACCESS INTENT(READ   )  ACCESS ALLOWED(NONE   )

<2>
The following messages appear over and over in the deployment
manager's servant region JES Message Log for each missing
EJBROLE:
+BBOO0220E SECJ0321E: Role based authorization is caller in role
failed for security name WASRACFREALM/WSADMIN, accessId
user:WASRACFREALM/WSADMIN, and role name
.Ljava.lang.String;@644032ac.

<3>
The following messages appear over and over in the deployment
manager's servant region JES System Message log for each missing
EJBROLE:
BBOO0220E SECJ0321E: Role based authorization is caller in role
failed for security name WASRACFREALM/WSADMIN, accessId
user:WASRACFREALM/WSADMIN, and role name
.Ljava.lang.String;@7c6bb249.

<4>
The following messages appear over and over in the deployment
manager's SYSOUT data set (or in the WebSphere Error Log) for
each EJBROLE:
BossLog: { 0037} 2004/04/05 19:44:48.490 01 SYSTEM=SY1
SERVER=BBODMGR  PID=0X03010341 TID=0X26C80E00 0X000014  c=4.3
./bbossejb.cpp+569 ...
BBOS0105E
MSG_BBOSENUS_SEC_REQUESTED_EJBROLES_CHECK_FUNCTION_FAILED:
SAF Return Code (hex) : 8
The requested FASTAUTHCHECK function failed and could not be
performed for UserID WSADMIN using Role Name administrator and
Class Name EJBROLE
BossLog: { 0038} 2004/04/05 19:44:48.490 01 SYSTEM=SY1
SERVER=BBODMGR  PID=0X03010341 TID=0X26C80E00 0X000014  c=4.3
./bbossejb.cpp+572 ...
BBOS0037E MSG_BBOSENUS_SEC_USER_OR_GROUP_NOT_AUTHORIZED:
RACF Return Code (hex): 8
(RACROUTE) - The user or group is not authorized
BossLog: { 0039} 2004/04/05 19:44:48.490 01 SYSTEM=SY1
SERVER=BBODMGR  PID=0X03010341 TID=0X26C80E00 0X000014  c=4.3
./bbosslog.cpp+137 ... BBOS0008E RACAUTH of class, SOMDOBJS,
failed with SAF Return Code=00000008, RACF Return
Code=00000008, RACF Reason Code=00000000.

<5>
The following messages appear over and over in the deployment
manager's SYSPRINT for each EJBROLE:
Trace: 2004/04/05 19:47:40.841 01 t=8DE6E8 c=5.6 key=P8
(0000000A)
Description: Log Boss/390 Error from filename: ./bbosslog.cpp
at line: 137
error message: BBOS0008E RACAUTH of class, SOMDOBJS, failed
with SAF Return Code=00000008, RACF Return Code=00000008, RACF
Reason Code=00000000.
Trace: 2004/04/05 19:47:40.841 01 t=8DE6E8 c=5.6 key=P8
(0000000A)
Description: Log Boss/390 Error from filename: ./bbossejb.cpp
at line: 569
error message: BBOS0105E
MSG_BBOSENUS_SEC_REQUESTED_EJBROLES_CHECK_FUNCTION_FAILED:
SAF Return Code (hex) : 8 The requested FASTAUTHCHECK function
failed and could not be performed for UserID WSADMIN using
Role Name operator and Class Name EJBROLE
Trace: 2004/04/05 19:47:40.842 01 t=8DE6E8 c=5.6 key=P8
(0000000A)
Description: Log Boss/390 Error
from filename: ./bbossejb.cpp at line: 572
error message: BBOS0037E
MSG_BBOSENUS_SEC_USER_OR_GROUP_NOT_AUTHORIZED:
RACF Return Code (hex): 8 (RACROUTE) -
The user or group is not authorized
Trace: 2004/04/05 19:47:40.851 01 t=8DE6E8 c=5.6 key=P8
(13007002)
FunctionName: com.ibm.ws.security.role.RoleBasedAuthorizerImpl
SourceId: com.ibm.ws.security.role.RoleBasedAuthorizerImpl
Category: AUDIT
ExtendedMessage: SECJ0321E: Role based authorization
is caller in role failed for security name
WASRACFREALM/NJAYNER, accessId user:WASRACFREALM/WSADMIN, and
role name  Ljava.lang.String;@1acff2b1.

<6>
Message SECJ0321E does not display the list of EJBROLEs being
checked correctly; it shows as "[Ljava.lang.String;@767a32b2".
Problem conclusion
The code was modified to call RACROUTE REQUEST=FASTAUTH
with MSGSUPP=YES to check if the userid has read access to the
n-1 roles. The call to FASTAUTH with MSGSUPP=NO will be made
only for the last role.
When the userid does not have read access to any of the roles,
only one message indicating that error will be displayed in
the MVS console, and also in the SYSPRINT.
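An added illustration of the check order this conclusion describes, written for this page and not IBM's code: `fast_auth` is a constructed stand-in for RACROUTE REQUEST=FASTAUTH over an in-memory access list, the userids and their role sets are made up, and the assumption that the check stops at the first role the userid holds is mine rather than something the APAR states. Run with `fixed=False` it reproduces one denial message per missing role; with `fixed=True` the first n-1 calls pass MSGSUPP=YES and only the last role can produce a message.

```python
from typing import Dict, List, Set, Tuple

ADMIN_ROLES = ["administrator", "configurator", "operator", "monitor"]

# Constructed access list: userid -> EJBROLE profiles it can READ.
ACCESS_LIST: Dict[str, Set[str]] = {
    "WSADMIN": {"administrator", "configurator", "operator", "monitor"},
    "NJAYNER": set(),        # the symptom in this APAR: no EJBROLE access
    "WSMON": {"monitor"},    # holds only the role that is checked last
}


def fast_auth(user: str, role: str, msgsupp: bool, log: List[str]) -> bool:
    """Stand-in for RACROUTE REQUEST=FASTAUTH against class EJBROLE.
    Returns True when access is allowed. On a denial it appends an
    ICH408I-style line to `log` unless MSGSUPP=YES was requested."""
    allowed = role in ACCESS_LIST.get(user, set())
    if not allowed and not msgsupp:
        log.append(f"ICH408I USER({user}) {role} CL(EJBROLE) "
                   "INSUFFICIENT ACCESS AUTHORITY")
    return allowed


def is_caller_in_any_role(user: str, roles: List[str],
                          fixed: bool) -> Tuple[bool, List[str]]:
    """Does `user` hold READ on at least one of `roles`?
    Before the fix every FASTAUTH ran with MSGSUPP=NO; after it, the first
    n-1 run with MSGSUPP=YES and only the last one may log a denial.
    Assumption: checking stops at the first role that is allowed.
    Returns (authorized, messages that would reach the console)."""
    log: List[str] = []
    for i, role in enumerate(roles):
        last = i == len(roles) - 1
        msgsupp = fixed and not last
        if fast_auth(user, role, msgsupp, log):
            return True, log
    return False, log


def message_counts(roles: List[str]) -> Dict[str, Tuple[int, int]]:
    """Per userid: number of console messages before and after the fix."""
    return {
        user: (len(is_caller_in_any_role(user, roles, fixed=False)[1]),
               len(is_caller_in_any_role(user, roles, fixed=True)[1]))
        for user in ACCESS_LIST
    }


if __name__ == "__main__":
    for user, (before, after) in message_counts(ADMIN_ROLES).items():
        print(f"{user:8s} messages before fix: {before}  after fix: {after}")
```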

APAR PQ87163 is associated with SERVICE LEVEL W502008 of
WebSphere Application Server V5.0 for z/OS.
Temporary fix

Comments
**** PE04/05/20 FIX IN ERROR. SEE APAR PQ89010 FOR DESCRIPTION
APAR information
APAR number PQ87163
Reported component name WEBSPHERE FOR Z
Reported component ID 5655I3500
Reported release 500
Status CLOSED PER
PE NoPE
HIPER NoHIPER
Special Attention NoSpecatt
Submitted date 2004-04-05
Closed date 2004-05-07
Last modified date 2004-06-03

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:

Modules/Macros
BBOUBINF          

Publications Referenced

Fix information
Fixed component name WEBSPHERE FOR Z
Fixed component ID 5655I3500

Applicable component levels
R500 PSY UQ88257    UP04/05/13 P F405


Document Information


Current web document: swg1PQ87163.html
Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server for z/OS
Operating system(s):
Software version: 500
Software edition:
Reference #: PQ87163
IBM Group: Software Group
Modified date: Jun 3, 2004