PQ81809: THIS APAR ADDRESSES DEFECTS IN WEBSPHERE APPLICATION SERVER V5.0 FOR Z/OS.
APAR status

Closed as program error.

Error description

This APAR addresses defects in WebSphere Application Server V5.0 for z/OS.

Local fix

Problem summary

USERS AFFECTED: All users of WebSphere Application Server V5.0 for z/OS
PROBLEM DESCRIPTION: APAR PQ81809 addresses various defects in WebSphere Application Server V5.0 for z/OS.
RECOMMENDATION:

APAR PQ81809 addresses the following defects in WebSphere Application Server V5.0 for z/OS:

(MD18731) Add Node and Remove Node via the Admin Console fail when security is enabled. The symptom, as it appears in the Remove Node stack trace in removeNode.log, is:

    SOAPException: faultCode=SOAP-ENV:Client; msg=Error opening socket: java.net.SocketException: SSL implementation not available; targetException=java.lang.IllegalArgumentException: Error opening socket: java.net.SocketException: SSL implementation not available
    at org.apache.soap.transport.http.SOAPHTTPConnection.send(Unknown Source)

The cause is that the Add Node and Remove Node functions run under the WebSphere Asynchronous Administration Task user id, as specified in the z/OS WebSphere Customization Dialog's Security Domain Configuration section, and that user id does not have an SSL keyring that is required when global security is enabled.

(MD18734) The Data Replication Service may cease to function if JVM garbage collection takes too long to complete. In a severely resource-constrained system, JVM garbage collection can take more time than the internal data replication connection staleness check interval. If this occurs, the Replicator will decide that its connection has ceased to function and will mark this connection as down.
When the client next attempts to send or receive using this connection, an IllegalStateException is thrown by the underlying broker once for every send or receive attempt. This causes the client to attempt to connect to an alternate replicator, and this process may be incorrectly repeated once for every IllegalStateException that is caught. This behaviour results in an inconsistent state wherein replication done by all the data replication clients in the JVM fails, and the recovery logic is unable to recover from this state.

(MD18737) When the Recovery Node property is enabled, the symlinks for the servers are created in the incorrect primordial root. The symlinks are created in the root matching the other servers, rather than in the root of the Node that was enabled as the Recovery Node. This creates problems if your HFS is not shared, because the path for the symlink will not be found, and the following error will be seen on the MVS Operator Console when an attempt is made to restart the server out of place:

    IEE132I START COMMAND DEVICE ALLOCATION ERROR

Recovery Nodes are set through the Administrative Console, using the recoveryNode = true custom property (Administrative Console > System Administration > Node Agents > nodeagents > File Synchronization Service > Custom Properties).

If Node1's primordial root is /WebSphere/Node1, Node2's primordial root is /WebSphere/Node2, and Node1 is the recoveryNode, the symlinks for Node2 will be created in /WebSphere/Node2, but they should have been created in /WebSphere/Node1.

(MD18742) The message ADMS0016I: Configuration synchronization failed will be found on the MVS Operator Console if a sync is attempted and there is a variable of the form $(VAR)/path or $VAR/path. The standard form ${VAR} (note the curly braces) will work. The transformer was unable to resolve variables of the form $(VAR)/path or $VAR/path and would throw a null pointer exception. The standard form using curly braces worked: ${VAR}.
The other two, while valid, caused a failure.

(MD18743) NotSerializableException occurs for CFExtendProperties class. During EJB passivation, a NotSerializableException occurred when passivate processing attempted to serialize a datasource pointed to by the EJB. During the serialization of the datasource, the WAS ConnectionManager was serialized, and during this processing it was determined that the MCFExtendedProperties contained in the ConnectionManager was not serializable, which caused the exception. Further examination of the ConnectionManager also showed that the SecurityHelper pointed to by the ConnectionManager is not serializable either.

(WS14965.02) WebSphere V5.0 for z/OS GA Dynacache does not support cache replication with multiple Servants per Controller. This support is being added by this feature.

(WS15621.01) This is the runtime portion of multi-node (multiple cell) support. Customers wish to run multiple cells within a single z/OS system and isolate them from one another for security purposes.

(WS15621.02) It is not possible to completely isolate cells that are controlled by different organizations in an enterprise. This is an issue in particular when using EJBROLE profiles to protect J2EE roles and the naming and administrative preset roles. There are a number of areas in which isolation between cells on a SYSPLEX cannot be set up easily in SAF.
- EJBROLE fixed roles - there are preset role names for administration, such as administrator, configurator, et al., and also for naming, such as CosNamingRead, CosNamingWrite, et al. These cannot be separated when SAF authorization is chosen.
- EJBROLE application defined roles - there is a need to be able to separate the test and production domains for roles within a sysplex.
- PASSTICKET - it is a longstanding request to be able to have different passtickets for test and production.
- APPL profiles - if customers wish to use APPL profiles to protect WebSphere access, they need to separate sets of users.

(WS17156.03) Controller region runs out of storage if multiple large HTTP responses occur at once.

(WS17438) Rollup of WebSphere Distributed code V5.0.2 base and ND.

(WS17677) The AlarmManager framework processes AlarmListener objects, which periodically wake up, perform work and reset themselves. When a Servant Region is inactive (no active work being dispatched), these AlarmListener objects continue to awake, determine that there is no work to do, and then reset themselves. In the view of WLM, this is still active work that is occurring in the Servant Regions, and therefore the Servants are kept active by WLM. This consumes processor time when nothing is being done on behalf of a given application.

(WS17709) JSSE needs to support certificates with keys created by hardware cryptography.

(WS17710) NO_PERMISSION thrown when using NON-SAF registry while performing COS Naming requests. NON-SAF registry identities are not propagated from servant region to controller region. The server identity is sent instead and may not automatically be authorized to perform COS Naming requests. Added the ability to propagate NON-SAF identities from servant region to controller region.

(WS17742) Support needs to be provided for Direct port broker SAF Authentication. The JMS Broker calls WebSphere for z/OS code to authenticate userid using an expensive security service. Java SAF APIs provide an efficient way of authenticating a user.

Problem conclusion

APAR PQ81809 fixes various defects in WebSphere Application Server V5.0 for z/OS.

(MD18731) The Customization Dialog is changed to generate RACF commands to create an SSL keyring owned by the Asynchronous Administration Task user id and to connect the set of Certificate Authority certificates to that keyring.

(MD18734) The data replication recovery mechanism has been changed from being time-based to utilize a retry count mechanism. The IllegalStateException handler has been changed to drive the modified recovery mechanism.
The staleness check interval has also been increased to more reasonable numbers, keeping in mind the garbage collection time required by the JVM.

(MD18737) The Transformer was changed to ensure the correct root is used when generating symbolic links.

(MD18742) The Transformer was modified to support these other types of variable substitution.

(MD18743) The MCFExtendedProperties class will be changed to be serializable and the Connection Manager will be changed so the SecurityHelper it points to doesn't need to be serialized.

(WS14965.02) The Replication engine has been moved to the Controller, providing a single listener socket per Server.

(WS15621.01) This code adds support to read environment variables security_zOS_domainType and security_zOS_domainName. If security_zOS_domainType is set to "cell qualified," the value in security_zOS_domainName is used as the APPL identifier and as a prefix in resource names for CBIND, SERVER, and EJBROLE. These environment variables are set by the configuration tools.

(WS15621.02) A security domain prefix can be optionally used for the following SAF profiles:
- APPL - use domain name or default to CBS390
- PTKTDATA - use domain name or default to CBS390
- CBIND - uses domain name as qualifier
- EJBROLE - prepends domain name to role name

The security domain configuration can also be used to separate SSL Certificate issuers between organizations. This change was implemented using updates to the runtime, the transformer and the configuration dialog. The customization process has been modified to substitute a step where a security domain is created, in lieu of independent security definitions being done in the Base, Deployment Manager, and Federate Node panels. The security customization is loaded first, and these values are used in generating the instructions. In addition, security setup jobs are always generated with full WebSphere customization by the install.

(WS17156.03) In the controller, create a single thread to process large HTTP responses. Servants will place the large HTTP responses in the comm dataspace. The new thread in the controller will copy the response from the comm dataspace into a single instance buffer that the controller thread owns. The size of the buffer is controlled by the environment variable protocol_http_large_data_response_buffer.

(WS17438) Rollup of WebSphere Distributed code V5.0.2 base and ND.

(WS17677) Code was modified to cause the AlarmManager to stop processing AlarmListener objects after work has departed from the Servant Region. Once work is received, the AlarmManager resumes its activities until work once again departs.

(WS17709) WebSphere can now use the IBMJCE4758 cryptography provider to load certificates/keys created with hardware cryptography. The user checks the "Use Hardware Cryptography Token" check box for the SSL Repertoire that will be used for hardware cryptography keys, and sets the keyring to safkeyring:///<name_of_racf_keyring>, where <name_of_racf_keyring> is the name of the RACF Keyring that contains certificates/keys created using ICSF.

(WS17710) NO_PERMISSION thrown when using NON-SAF registry while performing COS Naming requests. NON-SAF registry identities are not propagated from servant region to controller region. The server identity is sent instead and may not automatically be authorized to perform COS Naming requests.

(WS17710) Added the ability to propagate NON-SAF identities from servant region to controller region.

(WS17742) Changed WASPrincipalDirectory to use Java SAF APIs to authenticate a user.

APAR PQ81809 is associated with SERVICE LEVEL W502000 of WebSphere Application Server V5.0 for z/OS.

Temporary fix

Comments
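The three variable forms named under MD18742, as an added example (not IBM's code and not part of the APAR): a Python check that flags configuration values using $(VAR) or $VAR, the forms that failed synchronization before this fix, and a resolver that expands all three forms and reports an undefined variable by name instead of failing on a null. The name grammar, the variable APP_ROOT and the sample keys are assumptions constructed for illustration.

```python
import re

# Assumption: variable names are ASCII identifiers; the APAR does not define the grammar.
_VAR = re.compile(
    r"\$(?:\{(?P<curly>[A-Za-z_]\w*)\}"   # ${VAR}  standard form
    r"|\((?P<paren>[A-Za-z_]\w*)\)"       # $(VAR)  failed before the fix
    r"|(?P<bare>[A-Za-z_]\w*))",          # $VAR    failed before the fix
    re.ASCII,
)

def references(value):
    """Return (form, name) for every variable reference in value."""
    return [(m.lastgroup, m.group(m.lastgroup)) for m in _VAR.finditer(value)]

def nonstandard(config):
    """Map each key to its references that are not in ${VAR} form."""
    hits = {}
    for key, value in config.items():
        bad = [(form, name) for form, name in references(value) if form != "curly"]
        if bad:
            hits[key] = bad
    return hits

def resolve(value, variables):
    """Expand all three forms; raise a named error for an undefined variable."""
    def substitute(m):
        name = m.group(m.lastgroup)
        if name not in variables:
            raise KeyError(f"undefined variable {name!r} in {value!r}")
        return variables[name]
    return _VAR.sub(substitute, value)

# Constructed sample data, not taken from a real configuration.
SAMPLE_VARS = {"APP_ROOT": "/WebSphere/Node1"}
SAMPLE_CONFIG = {
    "logDir": "${APP_ROOT}/logs",
    "tmpDir": "$(APP_ROOT)/temp",
    "libDir": "$APP_ROOT/lib",
}

if __name__ == "__main__":
    for key, refs in nonstandard(SAMPLE_CONFIG).items():
        print("non-standard reference:", key, refs)
    for key, value in SAMPLE_CONFIG.items():
        print(key, "->", resolve(value, SAMPLE_VARS))
```
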
APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:

Modules/Macros

Publications Referenced

Document Information
Current web document: swg1PQ81809.html
Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server for z/OS
Operating system(s):
Software version: 500
Software edition:
Reference #: PQ81809
IBM Group: Software Group
Modified date: Jan 3, 2004
(C) Copyright IBM Corporation 2000, 2009. All Rights Reserved.