PQ85290: WITH MAKING USE OF THE NEW SECURITY DOMAIN FUNCTION IN W502000, MAY SEE SECURITY VIOLATION FOR THE SERVER CLASS WHEN SR STARTS

 A fix is available

APAR status
Closed as program error.

Error description
New function for the Security Domain is shipped in service level
W502000.  If you answered 'yes' to the customization dialog
panel option to take advantage of this new function on the
"Security Domain Configuration (1 of 2)" panel:
.
Use Security Domain Identifier in RACF Definitions:  Y
.
AND you have the WLM Dynamic Application Environment (DAE)
enabled (OW54622), then WebSphere is incorrectly building the
security domain name into the SERVER profile name string for
the SERVER class check.  When a servant region (SR) starts, you
will see a message about a security violation.  For RACF, the
message appears as:
.
ICH408I USER(DMSR1   ) GROUP(WSCFG1  ) NAME(WAS DMGR SR
  CB.SM0CELL1.BBODMG.NDMCL1GR CL(SERVER  )
  INSUFFICIENT ACCESS AUTHORITY
  FROM CB.*.BBO*.* (G)
  ACCESS INTENT(READ   )  ACCESS ALLOWED(NONE   )
.
In this example SM0CELL1 is the security domain name.  The
server generic and specific names are BBODMGR and BBODMGR.
The userid for the servant region (SR) is DMSR1.  The cell
short name is NDMCL1.
.
The BBODBRAK job contains the correct PERMITs:
PERMIT CB.*.BBODMGR CLASS(SERVER) ID(DMSR1) ACC(READ)
PERMIT CB.*.BBODMGR.* CLASS(SERVER) ID(DMSR1) ACC(READ)
.
But these do not match, because the SERVER profile name
constructed by the WebSphere code, CB.SM0CELL1.BBODMG.NDMCL1GR,
contains BBODMG instead of BBODMGR.  The code also overlaid the
cell short name onto part of the string.
.
This APAR is taken to correct the building of the profile name
used in the SERVER class check.
MD18923  502+

Local fix
Add another PERMIT statement for the incorrectly built profile
name until this APAR ships.  Using the example in the error
description, the workaround PERMITs would be:
PERMIT CB.*.BBODMG CLASS(SERVER) ID(DMSR1) ACC(READ)
PERMIT CB.*.BBODMG.* CLASS(SERVER) ID(DMSR1) ACC(READ)
.
Or, if you do not intend to use the security domain function,
change the answer in the customization dialogs to N on the
"Security Domain Configuration (1 of 2)" panel:
.
Use Security Domain Identifier in RACF Definitions:  N
.
Then regenerate and rerun the jobs.
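
The mismatch described in the error description and the effect of the workaround PERMITs can be checked offline with the sketch below. It is an added example, not IBM code: the function names are hypothetical, the sample message is the ICH408I text quoted above, and the matcher is a simplified model of RACF generic matching that covers only the '*' forms appearing on this page.

```python
import re

# Constructed input: the ICH408I text from the error description above.
SAMPLE = """\
ICH408I USER(DMSR1   ) GROUP(WSCFG1  ) NAME(WAS DMGR SR
  CB.SM0CELL1.BBODMG.NDMCL1GR CL(SERVER  )
  INSUFFICIENT ACCESS AUTHORITY
  FROM CB.*.BBO*.* (G)
  ACCESS INTENT(READ   )  ACCESS ALLOWED(NONE   )
"""

def parse_ich408i(text):
    """Extract user, class, resource name and deciding profile (hypothetical helper)."""
    user = re.search(r"USER\((\S+)\s*\)", text)
    res = re.search(r"^\s*(\S+)\s+CL\((\S+)\s*\)", text, re.M)
    frm = re.search(r"^\s*FROM\s+(\S+)", text, re.M)
    if not (user and res):
        raise ValueError("not a recognisable ICH408I resource violation")
    return {"user": user.group(1), "resource": res.group(1),
            "class": res.group(2), "profile": frm.group(1) if frm else None}

def qualifier_matches(pq, rq):
    """Compare one profile qualifier with one resource-name qualifier."""
    if pq == "*":                       # whole-qualifier wildcard
        return True
    if pq.endswith("*"):                # BBO* style: prefix of one qualifier
        return rq.startswith(pq[:-1])
    return pq == rq

def profile_matches(profile, resource):
    """Simplified generic matching: only the '*' forms used on this page."""
    p, r = profile.split("."), resource.split(".")
    if p[-1] == "*":                    # trailing '*': one or more qualifiers
        return len(r) >= len(p) and all(map(qualifier_matches, p[:-1], r))
    return len(p) == len(r) and all(map(qualifier_matches, p, r))

def triage(message, permitted):
    """Return the parsed violation and the PERMITted profiles that cover it."""
    info = parse_ich408i(message)
    return info, [p for p in permitted if profile_matches(p, info["resource"])]

if __name__ == "__main__":
    info, hits = triage(SAMPLE, ["CB.*.BBODMGR", "CB.*.BBODMGR.*"])
    print(info["resource"], "covered by BBODBRAK PERMITs:", hits)
    _, hits = triage(SAMPLE, ["CB.*.BBODMG", "CB.*.BBODMG.*"])
    print("covered by workaround PERMITs:", hits)
```

An empty list for the BBODBRAK profiles together with a hit on the FROM profile reproduces the symptom: the check falls through to the broader generic profile, on which the servant region userid has no access.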

Problem summary
****************************************************************
* USERS AFFECTED: All users of WebSphere Application Server    *
*                 V5.0 for z/OS                                *
****************************************************************
* PROBLEM DESCRIPTION: If WLM Dynamic Application Environment  *
*                      (DAE) feature is used with the security *
*                      domain support, an incorrect server     *
*                      name is generated for CBIND checks.     *
*                      This will result in CBIND failures.     *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
If WLM DAE is used, the group name is added without allowing for
the security prefix. This results in a failure if the security
domain support is used. For example, the server name that should
be generated as CB.TESTCELL.BBOS001.BBOC001.SY1 will instead be
CB.TESTCELL.BBOS00.SY1OC001.

Problem conclusion
Code in bbossrva.plx will be modified to remove the security
domain prefix, since it is not supposed to be used for SERVER
checks (this case). Callers of BBOSSRVA will be modified to
remove the security domain parameter.

APAR PQ85290 is associated with SERVICE LEVEL W502005 of
WebSphere Application Server V5.0 for z/OS.

Temporary fix

Comments

APAR information
APAR number PQ85290
Reported component name WEBSPHERE FOR Z
Reported component ID 5655I3500
Reported release 500
Status CLOSED PER
PE NoPE
HIPER NoHIPER
Special Attention NoSpecatt
Submitted date 2004-02-27
Closed date 2004-03-26
Last modified date 2004-04-03

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:

Modules/Macros
BBOUBINF          

Publications Referenced

Fix information
Fixed component name WEBSPHERE FOR Z
Fixed component ID 5655I3500

Applicable component levels
R500 PSY UQ86666    UP04/03/31 P F403


Document Information


Current web document: swg1PQ85290.html
Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server for z/OS
Software version: 500
Reference #: PQ85290
IBM Group: Software Group
Modified date: Apr 3, 2004