PQ81117: AUTHORIZATION FAILURE DURING THE EXECUTION OF THE FILE TRANSFER IN AN ND ENVIRONMENT WHEN EJBROLE AUTHORIZATION IS NOT CHOSEN

APAR status
Closed as program error.

Error description
Since migrating from W500103 to W501000, the customer experienced the SYSLOG being flooded with the following messages:

"BBOO0222I SECJ0305I: Role based authorization check failed for security name <null>, accessId NO_CRED_NO_ACCESS_ID while invoking method propagateNotifications: Ljavax.management.Notification; on resource NotificationService and module NotificationService."

... or

"BBOO0222I SECJ0305I: Role based authorization check failed for security name <null>, accessId NO_CRED_NO_ACCESS_ID while invoking method getRepositoryEpoch on resource ConfigRepository and module ConfigRepository."

And the nodeagent is unable to synchronize:

"BBOO0220E ADMS0005E: Unable to generate synchronization request: javax.management.JMRuntimeException: ADMN0022E: Access denied for the getRepositoryEpoch operation on ConfigRepository MBean due to insufficient or empty credentials. at com.ibm.ws.management.connector.soap.SOAPConnectorClient.hand

Local fix
Customer migrated to level W501002 and changed to EJBROLES (defined and activated CLASS and ROLES for EJBs in RACF and set required com.ibm.saf properties to true). Having done all this, the problem has disappeared. The message "BBOS0127I CSIv2 GSSUP security has been configured but will not be used because the security realm name is not available." is no longer issued.

Problem summary
USERS AFFECTED: All users of WebSphere Application Server V5.0 for z/OS
PROBLEM DESCRIPTION: Authorization failure during the execution of the file transfer application in an ND environment when EJBROLE authorization is not chosen.
RECOMMENDATION:

Synchronization of data in a Network Deployment environment between the deployment manager and node agents cannot complete successfully, either when an LDAP or Custom Registry is the active registry, or when SAF authorization is not chosen for a Local OS registry. The error symptom in the Server region address space is as follows:

SECJ0129E: Authorization failed for xxxxxx while invoking GET on default_host: /FileTransfer/transfer/cells/PLEX1Network/admin-authz.xml23874.tmp, Authorization failed, Not granted any of the required roles: administrator operator configurator monitor.

where xxxxxx represents the server's userid. The server id is actually in the admin-authz.xml file (an administrator in the console users). However, the mapping of roles to users is not being performed for the file transfer application.

Problem conclusion
Modified the WSAccessManager to read the list of the installed administrative applications during server startup, unless localOS registry and SAF authorization are supported. During authorization, a check is made as to whether the current active application is one of those in the adminApps list. If so, the role based authorizer is used to check whether the current user is in the role. APAR PQ81117 is associated with SERVICE LEVEL W502000 of WebSphere Application Server V5.0 for z/OS.

Temporary fix

Comments

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:

Modules/Macros

Publications Referenced
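
As an added example (not part of the APAR record and not IBM code), the following Python sketch triages a log for the three messages quoted in this APAR: SECJ0305I, ADMN0022E and SECJ0129E. The sample lines are constructed from those message texts; the user ID WSSRV1 and all function and field names are assumptions.

```python
import re
from collections import Counter

# Patterns mirror the message texts quoted in this APAR.
SECJ0305I = re.compile(
    r"SECJ0305I: Role based authorization check failed for security name (?P<name>\S+), "
    r"accessId (?P<access_id>\S+) while invoking method (?P<method>\w+).*? "
    r"on resource (?P<resource>\w+) and module (?P<module>\w+)")
ADMN0022E = re.compile(
    r"ADMN0022E: Access denied for the (?P<method>\w+) operation on (?P<resource>\w+) MBean")
SECJ0129E = re.compile(
    r"SECJ0129E: Authorization failed for (?P<name>\S+) while invoking (?P<verb>\w+) on "
    r"(?P<host>\S+): (?P<uri>\S+), Authorization failed, "
    r"Not granted any of the required roles: (?P<roles>[\w ]+)")
ADMIN_ROLES = {"administrator", "operator", "configurator", "monitor"}

def triage(lines):
    """Summarise the three symptom messages found in an iterable of log lines."""
    no_cred = Counter()      # (resource, method) invoked with empty credentials
    transfer_denials = []    # (user, uri) refused by the file transfer application
    for line in lines:
        if m := SECJ0305I.search(line):
            if m["access_id"] == "NO_CRED_NO_ACCESS_ID":
                no_cred[(m["resource"], m["method"])] += 1
        elif m := ADMN0022E.search(line):
            no_cred[(m["resource"], m["method"])] += 1
        elif m := SECJ0129E.search(line):
            if m["uri"].startswith("/FileTransfer/") and set(m["roles"].split()) == ADMIN_ROLES:
                transfer_denials.append((m["name"], m["uri"]))
    # Node synchronization depends on getRepositoryEpoch succeeding on ConfigRepository.
    sync_blocked = ("ConfigRepository", "getRepositoryEpoch") in no_cred
    return {"no_cred": no_cred, "transfer_denials": transfer_denials,
            "sync_blocked": sync_blocked}

# Constructed sample lines (WSSRV1 is a made-up server user ID).
PREFIX = ("BBOO0222I SECJ0305I: Role based authorization check failed for security name "
          "<null>, accessId NO_CRED_NO_ACCESS_ID while invoking method ")
SAMPLE = [
    PREFIX + "propagateNotifications: Ljavax.management.Notification; "
             "on resource NotificationService and module NotificationService.",
    PREFIX + "getRepositoryEpoch on resource ConfigRepository and module ConfigRepository.",
    "BBOO0220E ADMS0005E: Unable to generate synchronization request: ADMN0022E: Access denied "
    "for the getRepositoryEpoch operation on ConfigRepository MBean due to empty credentials.",
    "SECJ0129E: Authorization failed for WSSRV1 while invoking GET on default_host: "
    "/FileTransfer/transfer/cells/PLEX1Network/admin-authz.xml23874.tmp, Authorization failed, "
    "Not granted any of the required roles: administrator operator configurator monitor.",
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```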

Document Information
Current web document: swg1PQ81117.html
Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server for z/OS
Operating system(s):
Software version: 500
Software edition:
Reference #: PQ81117
IBM Group: Software Group
Modified date: Jan 3, 2004
(C) Copyright IBM Corporation 2000, 2009. All Rights Reserved.