PK30496: WEBSPHERE FOR Z/OS SECURITY METHOD SAFREGISTRYIMPL.ISVALIDUSER() RETURNS TRUE FOR A REVOKED USERID.
APAR status

Closed as program error.

Error description

The customer has implemented a Trust Association Interceptor (TAI) which asserts to WAS z/OS that incoming requests belong to a valid RACF userid. Later in processing, WAS throws an exception because the RACF userid (IBMUSER in this case) has been revoked.

A security trace (com.ibm.ws.security.*=all=enabled) shows:

BBOS0108E Credential handling function RunAsGetSpecCredAuth failed in Routine IRRSIA00 with SAF Return Code (hex): 8, RACF Return Code (hex): 8, and RACF Reason Code (hex): 1c.

Trace: 2006/05/29 13:01:54.210 01 t=7B6E88 c=310.2 key=P8 FunctionName: com.ibm.ws.security.registry.zOS.SAFRegistryImpl SourceId: com.ibm.ws.security.registry.zOS.SAFRegistryImpl Category: ERROR ExtendedMessage: SECJ0055E: Authentication failed for IBMUSER. The user id may not exist, the account could have expired or disabled.

The ID asserted by the TAI does exist in the user registry, but it cannot be authenticated successfully.

Local fix

Problem summary

****************************************************************
* USERS AFFECTED: All users of WebSphere Application Server    *
*                 V6.1.0 for z/OS                              *
****************************************************************
* PROBLEM DESCRIPTION: SAFRegistryImpl.isValid() returns true  *
*                      for revoked users.                      *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************

Determining whether a user is valid on z/OS is done using the getpwent service. However, getpwent also returns information for revoked users. In order to detect a revoked user during an ID assertion login, WAS has to attempt to create an ACEE.
A new custom property was introduced to force WAS to build a RACO/ACEE instead of calling getpwent.

Problem conclusion

A new custom property called force.credential.creation.for.validation was added at the registry level. It forces the creation of an ACEE, or finds the user's ACEE in the cache, during ID assertion logins, so that information is no longer obtained for users that have been revoked.

APAR PK30496 requires changes to the WebSphere Application Server for z/OS V6.1.0 documentation.

NOTE: Periodically, we refresh the documentation on our Web site, so the changes might have been made before you read this text. To access the latest on-line documentation, go to the product library page at: http://www.ibm.com/software/webservers/appserv/was/library/

The V6.1.0 WebSphere Application Server for z/OS Information Center article "Local operating system settings" will be updated to include the following description of the new custom property:

force.credential.creation.for.validation property. Setting this property forces the creation of an access control environment element (ACEE), or finds the user's ACEE in the cache, during ID assertion login to prevent obtaining information for users that have been revoked. Forcing the creation of credentials all the time will cause a decrease in performance.

APAR PK30496 is currently targeted for inclusion in Service Level (Fix Pack) 6.1.0.9 of WebSphere Application Server V6.1.0 for z/OS.

Temporary fix

Comments
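The two validation paths this APAR contrasts, modelled in Java as an added illustration rather than IBM's code: with the property off, validity is answered from a getpwent-style lookup, which succeeds for the revoked IBMUSER; with force.credential.creation.for.validation on, the check attempts to build an ACEE and fails with the SAF RC 8 / RACF RC 8 / reason 1c codes seen in the trace. The two-user registry, the uids, and the getpwnam/initAcee stand-ins are assumptions of the model, not the real SAF interfaces.

```java
import java.util.HashMap;
import java.util.Map;

/** Model of the PK30496 defect: existence lookup versus credential creation (constructed, not IBM code). */
public class SafValidationModel {

    /** Constructed stand-in for a RACF user profile; 'revoked' mirrors the REVOKE attribute. */
    static final class Profile {
        final int uid; final boolean revoked;
        Profile(int uid, boolean revoked) { this.uid = uid; this.revoked = revoked; }
    }
    /** Return codes of the simulated IRRSIA00 (initACEE) call. */
    static final class SafResult {
        final int safRc, racfRc, racfRsn;
        SafResult(int safRc, int racfRc, int racfRsn) { this.safRc = safRc; this.racfRc = racfRc; this.racfRsn = racfRsn; }
        boolean ok() { return safRc == 0; }
    }

    private final Map<String, Profile> registry = new HashMap<>();
    private final boolean forceCredentialCreationForValidation; // models the new registry custom property

    SafValidationModel(boolean forceCredentialCreation) {
        this.forceCredentialCreationForValidation = forceCredentialCreation;
        registry.put("IBMUSER", new Profile(0, true));      // constructed: defined to RACF but revoked
        registry.put("WSADMIN", new Profile(1001, false));  // constructed: active user
    }

    /** Models getpwent/getpwnam: the OMVS segment comes back whether or not the user is revoked. */
    Profile getpwnam(String userid) {
        return registry.get(userid);
    }

    /** Models an ACEE build: a revoked user fails with SAF RC 8, RACF RC 8, reason 0x1c (codes from the trace). */
    SafResult initAcee(String userid) {
        Profile p = registry.get(userid);
        if (p == null) return new SafResult(8, 8, 0);   // reason 0 is a placeholder for "user not defined"
        if (p.revoked) return new SafResult(8, 8, 0x1c);
        return new SafResult(0, 0, 0);
    }

    /** The isValidUser() check made during an ID assertion (TAI) login. */
    boolean isValidUser(String userid) {
        if (!forceCredentialCreationForValidation) return getpwnam(userid) != null; // pre-APAR: existence only
        return initAcee(userid).ok();                                               // APAR path: credential creation
    }

    public static void main(String[] args) {
        for (boolean force : new boolean[] {false, true})
            System.out.println("force=" + force + " IBMUSER valid: " + new SafValidationModel(force).isValidUser("IBMUSER"));
    }
}
```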
APAR is sysrouted FROM one or more of the following: PK26104

APAR is sysrouted TO one or more of the following:

Modules/Macros

Publications Referenced
Document Information
Current web document: swg1PK30496.html
Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server for z/OS
Operating system(s):
Software version: 610
Software edition:
Reference #: PK30496
IBM Group: Software Group
Modified date: Jul 4, 2007
(C) Copyright IBM Corporation 2000, 2009. All Rights Reserved.