PQ89010: IF ALL 4 EJBROLES ARE DEFINED & AN ID HAS READ ACCESS TO ONLY 1 OF THEM,AUDIT SECJ0321E MESSAGES APPEAR WH 04/05/20 PTF PECHANGE

A fix is available

APAR status
Closed as program error.

Error description
APAR PQ87163 addressed some SECJ0321E audit messages, but not
all.
PQ87163 does fully address ICH4018I (or equivalent SAF
product messages), BBOS0105E, and BBOS0037E. The SECJ0321E
messages will not adversely affect the server; they are simply
AUDIT messages.
.
Aside from the AUDIT messages, PQ87163 is functionally OK and
the PE can be safely bypassed.
.
This apar will complete the removal of the SECJ0321E messages
as follows:
.
In WebSphere V5, when Global Security is on and all 4 of the
EJBROLEs are defined, i.e.,
* administrator *
* configurator  *
* monitor       *
* operator      *
.
then if the userid used to log in to the admin console to perform
console tasks has READ access to only 1 of these 4 roles, the
following audit messages appear in the servant:
.
BBOO0220E SECJ0321E: Role based authorization is caller in role
failed for security name xxxxx/aaa, accessId user:xxxxx/aaa,
and role name administrator.
.
They appear for the 3 roles that the userid does not have READ
access to. With Java security tracing turned on you will see:
.
Trace: 2004/05/14 14:36:47.438 01 t=AD04E0 c=1.5 key=P8
FunctionName: com.ibm.ws.security.role.RoleBasedAuthorizerImpl
SourceId: com.ibm.ws.security.role.RoleBasedAuthorizerImpl
Category: AUDIT
ExtendedMessage: SECJ0321E: Role based authorization is caller
in role failed for security name xxxxx/aaa, accessId user:xxxxx/
aaa...
.
The important thing to note is that this is an "AUDIT" message.
This APAR will change the code to make it a "DEBUG" message, so
it will never be printed to the servant log unless WebSphere
Java security tracing is turned on.

Local fix

Problem summary
****************************************************************
* USERS AFFECTED: All users of WebSphere Application Server    *
*                 V5.0 for z/OS                                *
****************************************************************
* PROBLEM DESCRIPTION: If an administrative console user logs  *
*                      on using a userid that does not have    *
*                      READ permission to EJBROLE              *
*                      administrator, an excessive number of   *
*                      messages are generated for each of the  *
*                      roles that the userid cannot access.    *
*                      APAR PQ87163 in PTF UQ88257 was         *
*                      originally taken to address various     *
*                      excessive messages, but failed to do    *
*                      so for this case.                       *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
The administrative console application has a set of 4 EJBROLEs
which can be used to protect various admin console features from
unauthorized use:

administrator
configurator
operator
monitor

If an administrative console user logs on using a userid that
does not have READ permission to EJBROLE administrator, then an
unnecessary number of audit messages, like the ones shown below,
are generated:
Trace: 2004/05/14 14:36:47.438 01 t=AD04E0 c=1.5 key=P8
FunctionName: com.ibm.ws.security.role.RoleBasedAuthorizerImpl
SourceId: com.ibm.ws.security.role.RoleBasedAuthorizerImpl
Category: AUDIT
ExtendedMessage: SECJ0321E: Role based authorization is caller
in role failed for security name xxxxx/aaa, accessId user:xxxxx/
aaa, and role name administrator.
BBOO0220E SECJ0321E: Role based authorization is caller in role
failed for security name xxxxx/aaa, accessId user:xxxxx/aaa,
and role name administrator.
Problem conclusion
Code was modified to display an AUDIT message only when the
userid does not have read access to any of the 4 admin roles.
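The rule above (every denied role logged at AUDIT before the fix; AUDIT only when the caller holds none of the four roles after it) modelled in Python, plus a triage pass over SECJ0321E servant-log lines that applies the same rule to tell pre-fix noise from a login that really holds no admin role. This is an added illustration, not WebSphere code; the log lines, security names (SYS1/OPER1, SYS1/GUEST) and the check_roles/triage helpers are constructed for the example.

```python
import re
from collections import defaultdict

ADMIN_ROLES = ("administrator", "configurator", "monitor", "operator")

def check_roles(granted, fixed):
    """Model of the admin-console role check (constructed, not IBM's code).
    Returns (severity, role) for each of the 4 roles the caller is NOT in.
    Before PQ89010 every miss is AUDIT; after it a miss is AUDIT only when
    the caller holds none of the 4 roles, otherwise DEBUG."""
    missed = [r for r in ADMIN_ROLES if r not in granted]
    if fixed and len(missed) < len(ADMIN_ROLES):
        return [("DEBUG", r) for r in missed]
    return [("AUDIT", r) for r in missed]

# Matches the single-line BBOO0220E SECJ0321E form quoted in the APAR text.
SECJ0321E_RE = re.compile(
    r"SECJ0321E: Role based authorization is caller in role failed for "
    r"security name (?P<name>\S+), accessId (?P<acc>\S+), and role name (?P<role>\w+)"
)

def triage(log_text):
    """Group SECJ0321E lines by security name and decide which ids would
    still be AUDIT under the PQ89010 rule (denied all 4 roles) and which
    are pre-fix noise from an id that holds at least one role (DEBUG)."""
    denied = defaultdict(set)
    for line in log_text.splitlines():
        m = SECJ0321E_RE.search(line)
        if m:
            denied[m.group("name")].add(m.group("role"))
    return {name: ("AUDIT" if set(ADMIN_ROLES) <= roles else "DEBUG")
            for name, roles in denied.items()}

def _line(name, role):
    # Builds one constructed servant-log line in the documented message shape.
    return (f"BBOO0220E SECJ0321E: Role based authorization is caller in role "
            f"failed for security name {name}, accessId user:{name}, and role name {role}.")

# Constructed sample servant log: OPER1 holds only 'operator' (pre-fix noise),
# GUEST holds none of the four (a console login that should still be audited).
SAMPLE_LOG = "\n".join(
    [_line("SYS1/OPER1", r) for r in ("administrator", "configurator", "monitor")]
    + [_line("SYS1/GUEST", r) for r in ADMIN_ROLES]
)

if __name__ == "__main__":
    print(check_roles({"operator"}, fixed=False))  # 3 AUDIT entries
    print(check_roles({"operator"}, fixed=True))   # 3 DEBUG entries
    print(triage(SAMPLE_LOG))                      # OPER1 DEBUG, GUEST AUDIT
```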

APAR PQ89010 is associated with SERVICE LEVEL W502010 of
WebSphere Application Server V5.0 for z/OS.
Temporary fix

Comments

APAR information
APAR number PQ89010
Reported component name WEBSPHERE FOR Z
Reported component ID 5655I3500
Reported release 500
Status CLOSED PER
PE Yes
HIPER No
Special Attention No
Submitted date 2004-05-18
Closed date 2004-06-02
Last modified date 2004-07-02

Modules/Macros
BBOUBINF

Fix information
Fixed component name WEBSPHERE FOR Z
Fixed component ID 5655I3500

Applicable component levels
R500 PSY UQ89158    UP04/06/09 P F406

Document Information


Current web document: swg1PQ89010.html
Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server for z/OS
Software version: 500
Reference #: PQ89010
IBM Group: Software Group
Modified date: Jul 2, 2004