PQ78770: NUMEROUS ICH408I WHEN USERID DOES NOT HAVE ADMIN ROLE
APAR status
Closed as program error.

Error description
Numerous ICH408I when userid does not have admin role.

If a userid is permitted to EJBROLE monitor profile, then numerous ICH408I RACF messages will be issued to the SYSLOG when trying to use the adminconsole GUI. These ICH408I messages are no access messages for the EJBROLE administrator, EJBROLE operator, and EJBROLE configurator profiles as WAS/adminconsole tries to determine what adminconsole resources the user is allowed to see/access in the role of monitor.

Local fix

Problem summary
USERS AFFECTED: All users of WebSphere Application Server V5.0 for z/OS

PROBLEM DESCRIPTION: ICH408I messages are being displayed in the MVS Console when userid does not have permission to the administrator, configurator or operator role. The text of the message is:

    ICH408I USER(WSADMIN ) GROUP(CBCFG1 )
    NAME(WAS ADMINISTRATOR )
    administrator CL(EJBROLE )
    INSUFFICIENT ACCESS AUTHORITY

RECOMMENDATION:

If a userid is permitted to EJBROLE monitor role, but not to the other three (administrator, configurator, operator), then numerous ICH408I RACF messages will be issued to the SYSLOG when trying to use the administrative console.

Problem conclusion
Created a new Custom Property in the administrative console that will allow the customer to turn on or off these messages. The property is located under:

    Security -> User Registries -> Local OS -> Custom Properties -> com.ibm.security.SAF.EJBROLE.Audit.Messages.Suppress

The default value for this property is False (Do not suppress any messages). The customer can turn this value to True to suppress the ICH408I messages.

Note: SMF X'80' audit records will be generated as usual, regardless of the value of this new property.

The following WebSphere InfoCenter articles will be revised as a result of defect PQ78770.
________________________________________________________________
NOTE: Periodically, we refresh the documentation on our Web site, so these changes might have been made before you read this text. To access the latest on-line documentation, go to the product library page at: www.ibm.com/software/webservers/appserv/zos_os390/library.html
________________________________________________________________
In "Local operating system user registry settings" in our WebSphere Application Server InfoCenter the following information has been added regarding the new custom security property, com.ibm.security.SAF.EJBROLE.Audit.Messages.Suppress.

Under Additional Properties, click Custom Properties. Then, under Custom Properties, you can set the following property:

com.ibm.security.SAF.EJBROLE.Audit.Messages.Suppress: This property is located in the Administrative Console under Security -> User Registries -> Local OS -> Custom Properties -> com.ibm.security.SAF.EJBROLE.Audit.Messages.Suppress and allows you to turn ICH408I messages on or off. The default value for this property is "false", which does not suppress messages. You can set this value to "true" to suppress the ICH408I messages. Note that ICH408I messages still go to the SMF record regardless of the specified value of this new property.
________________________________________________________________
In "Configuring local operating system registries" in our WebSphere Application Server InfoCenter there is a table documenting custom security properties.

    PROPERTY                                               DATA TYPE   VALID VALUES
    --------                                               ---------   ------------
    com.ibm.security.SAF.EJBROLE.Audit.Messages.Suppress   Boolean     true or false

The com.ibm.security.SAF.EJBROLE.Audit.Messages.Suppress custom property allows you to turn on or off ICH408I RACF messages generated when a customer attempts to access the administrative console, and the user ID is permitted to the EJBROLE monitor role but not to the administrator, configurator, and operator roles.

APAR PQ78770 is associated with SERVICE LEVEL W502000 of WebSphere Application Server V5.0 for z/OS.

Temporary fix

Comments
APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:

Modules/Macros

Publications Referenced
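Before setting the property to true, it is worth confirming that the ICH408I volume in SYSLOG is the role probing this APAR describes and not some other EJBROLE denial. The following is an added example, not IBM code and not part of the APAR: it assumes each ICH408I message has already been joined into one record, and the function names, the user APPUSR1, the role PayrollManager and all sample records are constructed.

```python
import re
from collections import defaultdict

# Roles the console checks for a monitor-only user, per the APAR text.
PROBED_ROLES = {"administrator", "configurator", "operator"}

# ICH408I layout as quoted in the APAR, continuation lines joined:
# USER(..) GROUP(..) NAME(..) <profile> CL(<class>) <reason text>
ICH408I = re.compile(
    r"ICH408I\s+USER\((?P<user>[^)]*)\)\s+GROUP\((?P<group>[^)]*)\)\s+"
    r"NAME\((?P<name>[^)]*)\)\s+(?P<profile>\S+)\s+CL\((?P<cls>[^)]*)\)\s+"
    r"(?P<reason>.*)"
)

def parse_ich408i(record):
    """Return the fields of one joined ICH408I record, or None if no match."""
    m = ICH408I.search(record)
    return {k: v.strip() for k, v in m.groupdict().items()} if m else None

def triage(records):
    """Split EJBROLE denials per user into role-probe noise and items to review.

    This only looks at what was denied; it cannot tell whether the user is
    actually permitted to the monitor role, so confirm that in RACF.
    """
    denied = defaultdict(set)
    for rec in records:
        f = parse_ich408i(rec)
        if f and f["cls"] == "EJBROLE" and "INSUFFICIENT ACCESS" in f["reason"]:
            denied[f["user"]].add(f["profile"])
    noise, review = {}, {}
    for user, profiles in denied.items():
        # Noise only when every denied profile is one of the three probed roles.
        target = noise if profiles <= PROBED_ROLES else review
        target[user] = sorted(profiles)
    return noise, review

# Constructed sample records; the first follows the message quoted in the APAR.
SAMPLE = [
    "ICH408I USER(WSADMIN ) GROUP(CBCFG1 ) NAME(WAS ADMINISTRATOR ) administrator CL(EJBROLE ) INSUFFICIENT ACCESS AUTHORITY",
    "ICH408I USER(WSADMIN ) GROUP(CBCFG1 ) NAME(WAS ADMINISTRATOR ) configurator CL(EJBROLE ) INSUFFICIENT ACCESS AUTHORITY",
    "ICH408I USER(WSADMIN ) GROUP(CBCFG1 ) NAME(WAS ADMINISTRATOR ) operator CL(EJBROLE ) INSUFFICIENT ACCESS AUTHORITY",
    "ICH408I USER(APPUSR1 ) GROUP(APPGRP ) NAME(CONSTRUCTED USER ) operator CL(EJBROLE ) INSUFFICIENT ACCESS AUTHORITY",
    "ICH408I USER(APPUSR1 ) GROUP(APPGRP ) NAME(CONSTRUCTED USER ) PayrollManager CL(EJBROLE ) INSUFFICIENT ACCESS AUTHORITY",
    "ICH408I USER(APPUSR1 ) GROUP(APPGRP ) NAME(CONSTRUCTED USER ) BPX.SERVER CL(FACILITY) INSUFFICIENT ACCESS AUTHORITY",
]

if __name__ == "__main__":
    noise, review = triage(SAMPLE)
    print("role-probe noise:", noise)
    print("review before suppressing:", review)
```

Users that land in the review set have EJBROLE denials outside the three administrative roles, which is not the pattern this APAR addresses.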
Document Information
Current web document: swg1PQ78770.html
Product categories: Software > Application Servers >
Distributed Application & Web Servers > WebSphere Application
Server for z/OS
Operating system(s):
Software version: 500
Software edition:
Reference #: PQ78770
IBM Group: Software Group
Modified date: Mar 31, 2004
(C) Copyright IBM Corporation 2000, 2009. All Rights Reserved.