PQ89865: An unauthenticated V5 client can abend SEC3 R=02010003 remotely against V5 and V4.01 servers active in the same LPAR.

 A fix is available


APAR status
Closed as program error.

Error description
An unauthenticated V5 client can abend SEC3 R=02010003 when
communicating remotely with a V5 server if a V4.01 server is
active in the same LPAR.  The client ends up going to BBOSSRPX
and uses the 4.01 BGVT, which PCs to BBOSSRVA using the table
index (since the 4.01 daemon is active).  It should use the 5.0
BGVT and PC to BBOSSRPW.  Using the 4.01 BGVT index, it tries to
use the passticket, which is not configured, and abends EC3.

The linkage stack in the dump shows that it wants the second
routine on the PC number:
In 502, BBOSSRPX is second on the PC.
In 401, BBOSSRVA is second on the PC.

Traceback:
    DSA Addr  Program Unit  PU Addr   PU Offset  Entry                                                         E Addr    E Offset   Statement  Load Mod  Service  Status
    2C32B3F8  BBOSSRPX      335D46F8  +000000CC  BBOSSRPX                                                      335D46F8  +000000CC             SUBPOOL2           Call
    2C32B2E8                3361BB20  +0000012E  SecurityManager::remote_useridpasstkt(char*)                  3361BB20  +0000012E             SUBPOOL2           Call
    2C32A138                335E8E68  +0000359E  SecurityManager::createOutbound(ORB_Request*)                 335E8E68  +0000359E             SUBPOOL2           Call
    2C329E10                328D9138  +00000B6C  ORB_Request::comm_outbound_ctl_sclt_request(ORB_Request::ORB  328D9138  +00000B6C             SUBPOOL2           Call
    2C329BF0                328D7018  +000012F8  ORB_Request::comm_outbound_request()                          328D7018  +000012F8             SUBPOOL2           Call
    2C329360                32D91F08  +00000CD2  CORBA::Request::invoke()                                      32D91F08  +00000CD2             SUBPOOL2           Call
    2C329118                32C95270  +000003C8  ORBEJSBridge::invoke_request(JNIEnv_*,bboojorb*,char*,unsign  32C95270  +000003C8             SUBPOOL2           Call
    2C328F48                32C93648  +00000452  ORBEJSBridge::build_and_invoke_request(JNIEnv_*,bboojorb*,ch  32C93648  +00000452             SUBPOOL2           Call
    2C328D48                328FA488  +0000057A  Java_com_ibm_ws390_orb_ClientDelegate_jorbInvokeRequest       328FA488  +0000057A             SUBPOOL2           Call
    2C328C50                31B6EEC0  +0000012C  com/ibm/ws390/orb/ClientDelegate.jorbInvokeRequest(I.BIZI).B  31B6EEC0  +0000012C             SUBPOOL0           Call
    2C328B80                2CE88228  +00001584  EXECJAVA                                                      2CE88228  +00001584             *PATHNAM           Call

Thus it PCed to BBOSSRVA instead of BBOSSRPX.

MD15364
Local fix
1. Enable client authentication.  The CSIv2 industry-wide Java
client authentication mechanisms are userid/password and
client certificates.
 OR
2. Disable passtickets if you do not use this option.  They are
enabled by default.  Follow this path from the admin console:
Security > Authentication Protocol > zSAS Transport > clear the
flag for "Userid Passticket"
Restart the app server.
Problem summary
****************************************************************
* USERS AFFECTED: All users of WebSphere Application Server    *
*                 V5.0 for z/OS                                *
****************************************************************
* PROBLEM DESCRIPTION: An unauthenticated V5 client can abend  *
*                      ABENDSEC3/ABENDEC3 R=02010003           *
*                      communicating remotely with a V5        *
*                      server if a V4.0.1 server is active in  *
*                      the same LPAR                           *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
An unauthenticated V5 client can abend ABENDSEC3/ABENDEC3
R=02010003 when communicating remotely with a V5 server if a
V4.01 server is active in the same LPAR.  The client ends up
going to BBOSSRPX and uses the 4.01 BGVT, which PCs to BBOSSRVA
using the table index (since the 4.0.1 daemon is active).  It
should use the 5.0 BGVT and PC to BBOSSRPW.  Using the 4.0.1
BGVT index, it tries to use the passticket, which is not
configured, and abends EC3.

The linkage stack in the dump shows that it wants the second
routine on the PC number:
In 502, BBOSSRPX is second on the PC.
In 401, BBOSSRVA is second on the PC.

Problem conclusion
Make sure that the BGVT pointer is based on the BACB rather
than the ECVTBCBA table. This fix assumes that the variable
daemon_group_name has been defined and is not null.

APAR PQ89865 requires changes to documentation.

NOTE: Periodically, we refresh the documentation on our
Web site, so the changes might have been made before you
read this text. To access the latest on-line
documentation, go to the product library page at:

www.ibm.com/software/webservers/appserv/zos_os390/library.html

APAR PQ89865 requires the daemon_group_name environment
variable to be set in order for an application client to use
passticket security. As a result, the following change will be
made to the infocenter:

In the article entitled "Administration application settings as
they compare to the Version 5 administrative console settings",
the following text will be added:

A restriction for the "Userid passticket allowed" setting
requires any application client wishing to communicate
with a server configured to use passticket to set the
daemon_group_name variable.  This can be done by adding the
following statement to the client shell script or
setupCmdLine.sh in the $WAS_HOME\bin directory:

export daemon_group_name=<GROUP NAME>
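
A pre-deployment check for the restriction above, added here as an example and not taken from IBM's code or documentation: it audits a client launch script for a defined, non-null daemon_group_name, the condition the fix assumes. The function name, verdict strings and return codes are assumptions, and the sample script content is constructed.

```shell
#!/bin/sh
# Added example (not IBM code): audit a client launch script for the
# daemon_group_name setting that PQ89865 requires for passticket security.

# Matches "daemon_group_name=..." with or without a leading "export";
# commented-out lines do not match.
PAT='^[[:space:]]*\(export[[:space:]]\{1,\}\)\{0,1\}daemon_group_name='

# check_daemon_group FILE  (hypothetical helper)
# Prints a verdict and returns: 0 = set, 1 = never assigned,
# 2 = assigned but empty, 3 = "<GROUP NAME>" placeholder left unedited.
check_daemon_group() {
    # The last assignment wins, as it does when the shell runs the script.
    line=$(grep "$PAT" "$1" | tail -n 1)
    if [ -z "$line" ]; then
        echo "MISSING"
        return 1
    fi
    value=${line#*daemon_group_name=}
    # Drop trailing whitespace and one layer of matching quotes.
    value=$(printf '%s\n' "$value" |
        sed -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'\$/\1/")
    case $value in
        '')      echo "EMPTY"; return 2 ;;
        '<'*'>') echo "PLACEHOLDER"; return 3 ;;
        *)       echo "OK $value"; return 0 ;;
    esac
}

# Constructed sample: a client script where the placeholder was never edited.
sample=$(mktemp)
printf '%s\n' '#!/bin/sh' 'export daemon_group_name=<GROUP NAME>' > "$sample"
check_daemon_group "$sample" || echo "set daemon_group_name in $sample"
rm -f "$sample"
```

Run it against each client shell script and setupCmdLine.sh before enabling "Userid passticket allowed" on the server; any non-zero return means the client does not yet meet the restriction.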

APAR PQ89865 is associated with SERVICE LEVEL W502020 of
WebSphere Application Server V5.0 for z/OS.
Temporary fix

Comments

APAR information
APAR number: PQ89865
Reported component name: WEBSPHERE FOR Z
Reported component ID: 5655I3500
Reported release: 500
Status: CLOSED PER
PE: NoPE
HIPER: NoHIPER
Special Attention: NoSpecatt
Submitted date: 2004-06-08
Closed date: 2004-12-15
Last modified date: 2005-01-05

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:
PQ89945

Modules/Macros
BBOUBINF          

Publications Referenced

Fix information
Fixed component name: WEBSPHERE FOR Z
Fixed component ID: 5655I3500

Applicable component levels
R500 PSY UQ96100    UP04/12/21 P F412

  Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.


Document Information


Current web document: swg1PQ89865.html
Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server for z/OS
Operating system(s):
Software version: 500
Software edition:
Reference #: PQ89865
IBM Group: Software Group
Modified date: Jan 5, 2005