PQ95751: EJB REQUEST FROM SYSPLEX A TO ANOTHER EJB ON SYSPLEX B RESULTS IN ASSERTION OF IDENTITY OF WSGUEST REGARDLESS OF ID SPECIFIED.
APAR status
Closed as program error.

Error description
If the user decides to use their own identity (IE: XYZ) and expects it to be passed across SYSPLEXes, the default unauthenticated ID WSGUEST is what is actually passed. The ID authenticated to the EJB is known on both servers, so it should be asserted. A check of the principal on the calling server confirms the authenticated user. Note also that asserting an identity within the same sysplex works fine. No CBIND or initACEE errors were encountered.

V510 fix for this is in W510004 (PQ91257/MD19954).

Local fix

Problem summary
USERS AFFECTED: All users of WebSphere Application Server V5.0 for z/OS

PROBLEM DESCRIPTION: Two problems occur on a server's request to a target server. Both errors result in BBOS0118E displayed in the first server's log. The message indicates that the request resulted in a CORBA::NO_PERMISSION exception at the target server. Minor codes c9c24006 and c9c24113 are associated with the exception.

When minor code c9c24006 is received:

The target server log contains error messages BBOS0008E, BBOS0036E, and BBOS0037E.

RACF errors are displayed on the console of the target server system.

    ICH408I USER(WSGUEST ) GROUP(WSCLGP ) NAME(WAS DEFAULT USER)
      CB.BIND.* CL(CBIND )
      INSUFFICIENT ACCESS AUTHORITY
      FROM CB.BIND.* (G)
      ACCESS INTENT(READ ) ACCESS ALLOWED(NONE )
    BBOS0002E CBIND CHECK FAILED WITH SAF RETURN CODE=00000008,
      RACF RETURN CODE=00000008, RACF REASON CODE=00000000.

When minor code c9c24113 is received there are no other external errors.

RECOMMENDATION:

A server received a request from a client. In order to complete the request, the server initiated a request to another server. Both servers are configured with CSIv2 identity assertion and SSL with client certificates.

Problem 1. The first server could not find a SAF identity to assert, so it sent the security context with the CSIv2-defined "Identity Token Type Anonymous" flag turned on. This means that the target server will use its configured default identity, or unauthenticated user, as the identity on the request. The target server performed a CBIND check on the default identity, and it failed because the default identity did not have the required access to the CBIND profile. The server rejected the request and threw a CORBA::NO_PERMISSION with minor code c9c24006.

Problem 2. The first server sent an asserted identity context over an SSL connection. The first server's personal certificate was sent over the socket as the asserter's identity. The second server did not find the certificate and attempted to use the configured default identity as the asserter's identity. The default identity did not have the required access to the CBIND profile, and the server threw a CORBA::NO_PERMISSION with minor code c9c24113.

Problem conclusion
Problem 1. The first server should have used the SAF identity in the control block provided but failed to do so because it did not recognize the particular control block type as having a valid SAF identity. The code was changed to pick up the userid for this type.

Problem 2. The second server failed to recognize that there was a client certificate on the session because it was using the wrong tag type to determine if there was a client certificate on the session. The code was changed to use the correct type.
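The following Python example is added here and is not part of the APAR or of IBM's code. It scans target-system console output for the symptom described for minor code c9c24006: an ICH408I CBIND denial charged to the default unauthenticated identity, which points to a caller identity that was not asserted. The sample log reuses the messages quoted in this APAR plus a constructed XYZ/APPGRP entry; the function names and the `default_id` parameter are assumptions.

```python
import re

# Constructed sample: the target-system console lines quoted in this APAR,
# followed by an invented CBIND denial for a named user (XYZ) for contrast.
SAMPLE_CONSOLE = """\
ICH408I USER(WSGUEST ) GROUP(WSCLGP ) NAME(WAS DEFAULT USER)
  CB.BIND.* CL(CBIND )
  INSUFFICIENT ACCESS AUTHORITY
  FROM CB.BIND.* (G)
  ACCESS INTENT(READ ) ACCESS ALLOWED(NONE )
BBOS0002E CBIND CHECK FAILED WITH SAF RETURN CODE=00000008,
  RACF RETURN CODE=00000008, RACF REASON CODE=00000000.
ICH408I USER(XYZ ) GROUP(APPGRP ) NAME(SAMPLE USER)
  CB.BIND.* CL(CBIND )
  INSUFFICIENT ACCESS AUTHORITY
  ACCESS INTENT(READ ) ACCESS ALLOWED(NONE )
"""

MSG_START = re.compile(r"^([A-Z]{3,4}\d{3,4}[A-Z])\s")

def split_messages(console):
    """Group lines into (message_id, text); indented lines continue a message."""
    messages = []
    for line in console.splitlines():
        m = MSG_START.match(line)
        if m:
            messages.append([m.group(1), line.strip()])
        elif messages and line.strip():
            messages[-1][1] += " " + line.strip()
    return [tuple(msg) for msg in messages]

def field(text, key):
    """Return the blank-padded value of KEY(value), stripped, or None."""
    m = re.search(re.escape(key) + r"\(([^)]*)\)", text)
    return m.group(1).strip() if m else None

def default_identity_cbind_denials(console, default_id="WSGUEST"):
    """Return ICH408I CBIND denials charged to the server's default identity."""
    hits = []
    for msg_id, text in split_messages(console):
        if msg_id != "ICH408I" or field(text, "CL") != "CBIND":
            continue
        if field(text, "USER") != default_id:
            continue
        profile = re.search(r"(\S+)\s+CL\(", text)
        hits.append({"user": default_id, "group": field(text, "GROUP"),
                     "profile": profile.group(1) if profile else None,
                     "intent": field(text, "INTENT"), "allowed": field(text, "ALLOWED")})
    return hits
```

Set `default_id` to whatever unauthenticated user ID the target server is configured with; WSGUEST is the one shown in this APAR.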
APAR PQ95751 is associated with SERVICE LEVEL W502018 of WebSphere Application Server V5.0 for z/OS.

Temporary fix

Comments

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:

Modules/Macros

Publications Referenced

Document Information
Current web document: swg1PQ95751.html
Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server for z/OS
Operating system(s):
Software version: 500
Software edition:
Reference #: PQ95751
IBM Group: Software Group
Modified date: Dec 2, 2004
(C) Copyright IBM Corporation 2000, 2009. All Rights Reserved.