PQ89010: IF ALL 4 EJBROLES ARE DEFINED & AN ID HAS READ ACCESS TO ONLY 1 OF THEM, AUDIT SECJ0321E MESSAGES APPEAR WH 04/05/20 PTF PECHANGE
APAR status

Closed as program error.

Error description

APAR PQ87163 addressed some SECJ0321E audit messages, but not all. PQ87163 does fully address ICH4018I (or equivalent SAF product messages), BBOS0105E and BBOS0037E. The SECJ0321E messages will not adversely affect the server; they are simply AUDIT messages.

Aside from the AUDIT messages, PQ87163 is functionally OK and the PE can be safely bypassed.

This APAR will complete the removal of the SECJ0321E messages as follows:

In WebSphere V5, when Global Security is on and all 4 of the EJBROLEs are defined, i.e.
* administrator
* configurator
* monitor
* operator

then if the userid used to log in to the admin console to perform console tasks has READ access to only 1 of these 4 roles, the following audit messages appear in the servant:

BBOO0220E SECJ0321E: Role based authorization is caller in role failed for security name xxxxx/aaa, accessId user:xxxxx/aaa, and role name administrator.

They appear for the 3 roles that the userid does not have READ access to. With java security tracing turned on you will see:

Trace: 2004/05/14 14:36:47.438 01 t=AD04E0 c=1.5 key=P8 FunctionName: com.ibm.ws.security.role.RoleBasedAuthorizerImpl SourceId: com.ibm.ws.security.role.RoleBasedAuthorizerImpl Category: AUDIT ExtendedMessage: SECJ0321E: Role based authorization is caller in role failed for security name xxxxx/aaa, accessId user:xxxxx/ aaa...
The important thing to note is that this is an "AUDIT" message. This APAR will change the code to make it a "DEBUG" message, so it will never be printed to the servant log unless WebSphere java security tracing is turned on.

Local fix

Problem summary

****************************************************************
* USERS AFFECTED: All users of WebSphere Application Server    *
*                 V5.0 for z/OS                                *
****************************************************************
* PROBLEM DESCRIPTION: If an administrative console user logs  *
*                      on using a userid that does not have    *
*                      READ permission to EJBROLE              *
*                      administrator, an excessive number of   *
*                      messages are generated for each of the  *
*                      roles that the userid cannot access.    *
*                      APAR PQ87163 in PTF UQ88257 was         *
*                      originally taken to address various     *
*                      excessive messages, but failed to do    *
*                      so for this case.                       *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************

The administrative console application has a set of 4 EJBROLEs which can be used to protect various admin console features from unauthorized use:
* administrator
* configurator
* operator
* monitor

If an administrative console user logs on using a userid that does not have READ permission to EJBROLE administrator, then an unnecessary number of audit messages, like the ones shown below, are being generated:

Trace: 2004/05/14 14:36:47.438 01 t=AD04E0 c=1.5 key=P8 FunctionName: com.ibm.ws.security.role.RoleBasedAuthorizerImpl SourceId: com.ibm.ws.security.role.RoleBasedAuthorizerImpl Category: AUDIT ExtendedMessage: SECJ0321E: Role based authorization is caller in role failed for security name xxxxx/aaa, accessId user:xxxxx/ aaa, and role name administrator.
BBOO0220E SECJ0321E: Role based authorization is caller in role failed for security name xxxxx/aaa, accessId user:xxxxx/aaa, and role name administrator.

Problem conclusion

Code was modified to only display an AUDIT message when the userid does not have read access to any of the 4 admin roles.

APAR PQ89010 is associated with SERVICE LEVEL W502010 of WebSphere Application Server V5.0 for z/OS.

Temporary fix

Comments
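As an added example (not IBM's or WebSphere's code), the script below parses SECJ0321E lines in the two formats the APAR quotes (the BBOO0220E servant line and the ExtendedMessage field of a java security trace entry) and applies the post-PQ89010 rule to a constructed sample log, so an operator reviewing a servant log can separate the partial-denial noise this APAR demotes to DEBUG from a user who holds none of the four admin roles. The cell name CELL1, the user names and the log lines are constructed; the regular expression and function names are the example's own.

```python
"""Added example, not IBM's code: triage SECJ0321E lines from a WebSphere V5
for z/OS servant log using the rule PQ89010 introduces.

Before the APAR, one SECJ0321E AUDIT message was written for every admin
EJBROLE the console user lacked; after it, AUDIT is only used when the user
holds none of the four roles, and a partial denial is a DEBUG message that
is suppressed unless java security tracing is on. The cell, user names and
log lines below are constructed samples.
"""
import re
from collections import defaultdict

# The four EJBROLEs that protect the admin console application (from the APAR text).
ADMIN_ROLES = frozenset({"administrator", "configurator", "operator", "monitor"})

# Matches the message body as written both in a BBOO0220E servant line and in
# the ExtendedMessage field of a java security trace entry.
SECJ0321E_RE = re.compile(
    r"SECJ0321E: Role based authorization is caller in role failed for "
    r"security name (?P<secname>[^,\s]+), accessId (?P<accessid>[^,\s]+), "
    r"and role name (?P<role>\w+)"
)


def parse_secj0321e(line):
    """Return (security_name, access_id, role) for a SECJ0321E line, else None."""
    m = SECJ0321E_RE.search(line)
    if m is None:
        return None
    return m.group("secname"), m.group("accessid"), m.group("role")


def denied_roles_by_user(lines):
    """Collect, per security name, the admin roles the user was denied."""
    denied = defaultdict(set)
    for line in lines:
        parsed = parse_secj0321e(line)
        if parsed is None:
            continue                      # not a SECJ0321E line; ignore it
        secname, _access_id, role = parsed
        if role in ADMIN_ROLES:           # only the four console roles matter here
            denied[secname].add(role)
    return dict(denied)


def message_level(denied):
    """PQ89010 rule: AUDIT only if every admin role was denied, otherwise DEBUG."""
    return "AUDIT" if ADMIN_ROLES <= denied else "DEBUG"


def triage(lines):
    """Map each security name seen in the log to its post-APAR message level."""
    return {user: message_level(roles)
            for user, roles in denied_roles_by_user(lines).items()}


def _secj0321e(secname, role):
    """Build a constructed BBOO0220E line in the format quoted by the APAR."""
    return ("BBOO0220E SECJ0321E: Role based authorization is caller in role failed "
            f"for security name {secname}, accessId user:{secname}, and role name {role}.")


# Constructed sample log: USER1 has READ to 'monitor' only, so the other three
# roles are denied; USER2 has READ to none of the four. One USER2 entry is in the
# java security trace format to show the same parser handles it.
SAMPLE_LOG = [
    _secj0321e("CELL1/USER1", "administrator"),
    _secj0321e("CELL1/USER1", "configurator"),
    _secj0321e("CELL1/USER1", "operator"),
    _secj0321e("CELL1/USER2", "administrator"),
    _secj0321e("CELL1/USER2", "configurator"),
    _secj0321e("CELL1/USER2", "operator"),
    "Trace: 2004/05/14 14:36:47.438 01 t=AD04E0 c=1.5 key=P8 "
    "FunctionName: com.ibm.ws.security.role.RoleBasedAuthorizerImpl "
    "SourceId: com.ibm.ws.security.role.RoleBasedAuthorizerImpl Category: AUDIT "
    "ExtendedMessage: SECJ0321E: Role based authorization is caller in role failed "
    "for security name CELL1/USER2, accessId user:CELL1/USER2, and role name monitor.",
    "constructed unrelated servant line, ignored by the parser",
]

if __name__ == "__main__":
    for user, level in sorted(triage(SAMPLE_LOG).items()):
        print(f"{user}: {level}")
```

On the sample, CELL1/USER1 maps to DEBUG (three of four roles denied, which is exactly the case the APAR stops auditing) and CELL1/USER2 maps to AUDIT (all four denied). Feeding the script a real servant log means reading its lines into `triage`; the parser deliberately ignores anything that is not a SECJ0321E message.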
APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:

Modules/Macros
Publications Referenced
Document Information
Current web document: swg1PQ89010.html
Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server for z/OS
Operating system(s):
Software version: 500
Software edition:
Reference #: PQ89010
IBM Group: Software Group
Modified date: Jul 2, 2004
(C) Copyright IBM Corporation 2000, 2009. All Rights Reserved.