PQ84414: INTEROP PROBLEM PASSING ASSERTED IDENTITY FROM WEBSPHERE ON DISTRIBUTED TO WEBSPHERE Z/OS USING LOCAL OS AND CSIV2 SECURITY
APAR status
Closed as program error.

Error description
Customer was running WebSphere Application Server 5.0.2 on distributed. On the WebSphere distributed system there is a Web application with a servlet that invokes an EJB running in WebSphere Application Server for z/OS. The local OS registry is used on both platforms, and the active protocol is specified as CSIv2. When the CSIv2 Outbound Transport on distributed and the CSIv2 Inbound Transport on z/OS are both specified as Basic-Auth support, WebSphere for z/OS uses the distributed application server's user id instead of the id authenticated by the servlet. This can be verified by calling getCallerPrincipal() in the EJB on WebSphere for z/OS.

Local fix

Problem summary
USERS AFFECTED: All users of WebSphere Application Server V5.0 for z/OS
PROBLEM DESCRIPTION: A CORBA::NO_PERMISSION exception was received when running an EJB in a z/OS server that was invoked from a WebSphere Distributed Web Application servlet. Message SECJ0053E may also appear in the z/OS servant job log.
RECOMMENDATION:
The z/OS target server and the WebSphere Distributed middle server were configured to use CSIv2 Basic Authentication and Asserted Identities on LocalOS. The WebSphere Distributed server was running a web application that used a servlet to invoke an EJB on the z/OS system. When the EJB was invoked on the z/OS system, the getCallerPrincipal() API returned the userid of the server on the WebSphere Distributed system instead of the userid being asserted. There may also be a failure if method role checking is being performed and the userid of the server is not authorized for the method. This would result in message SECJ0053E in the target server and a CORBA::NO_PERMISSION returned to the client.

Problem conclusion
The init_acee that is used for a userid-only login creates an ACEE and RACO but does not set the owning userid. As a result, the userid of the asserter remains as the owning userid. This id is retrieved from the OPI in the ORB bridge and passed to the Java code to use as the identity to run methods. The solution is to issue a setSAFUserId for the asserted identity so that the correct identity is used in subsequent processing. APAR PQ84414 is associated with SERVICE LEVEL W502003 of WebSphere Application Server V5.0 for z/OS.

Temporary fix

Comments

APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:

Modules/Macros

Publications Referenced
Document Information
Current web document: swg1PQ84414.html
Product categories: Software > Application Servers >
Distributed Application & Web Servers > WebSphere Application
Server for z/OS
Operating system(s):
Software version: 500
Software edition:
Reference #: PQ84414
IBM Group: Software Group
Modified date: Apr 3, 2004
(C) Copyright IBM Corporation 2000, 2009. All Rights Reserved.