PQ81117: AUTHORIZATION FAILURE DURING THE EXECUTION OF THE FILE TRANSFER IN AN ND ENVIRONMENT WHEN EJBROLE AUTHORIZATION IS NOT CHOSEN

 A fix is available




APAR status
Closed as program error.

Error description
Since migrating from W500103 to W501000, the
customer experienced the SYSLOG being flooded with the
following messages:
" BBOO0222I SECJ0305I: Role based authorization check failed
for security name <null>, accessId NO_CRED_NO_ACCESS_ID
while invoking method propagateNotifications:
Ljavax.management.Notification; on resource NotificationService
and module NotificationService. "
... or
"BBOO0222I SECJ0305I: Role based authorization check failed
for security name <null>, accessId NO_CRED_NO_ACCESS_ID
while invoking method getRepositoryEpoch on resource
ConfigRepository and module ConfigRepository. "
And the nodeagent is unable to synchronize:
" BBOO0220E ADMS0005E: Unable to generate synchronization
request: javax.management.JMRuntimeException: ADMN0022E: Access
denied for the getRepositoryEpoch operation on ConfigRepository
MBean due to insufficient or empty credentials.
at com.ibm.ws.management.connector.soap.SOAPConnectorClient.hand
Local fix
Customer migrated to level W501002 and changed to
EJBROLES (defined and activated CLASS and ROLES for EJBs
in RACF and set required com.ibm.saf properties to true).
Having done all this the problem has disappeared.
The message:  "BBOS0127I CSIv2 GSSUP security has
been configured but will not be used because the
security realm name is not available." is no longer issued.
Problem summary
****************************************************************
* USERS AFFECTED: All users of WebSphere Application Server    *
*                 V5.0 for z/OS                                *
****************************************************************
* PROBLEM DESCRIPTION: Authorization failure during the        *
*                      execution of the file                   *
*                      transfer application in an ND           *
*                      environment when EJBROLE                *
*                      authorization is not chosen.            *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
Synchronization of data in a Network Deployment environment
between the deployment manager and node agents cannot complete
successfully either when an LDAP or Custom Registry is the
active registry or when SAF authorization is not chosen for a
Local OS registry.

The error symptom in the Server region address space is as
follows: SECJ0129E: Authorization failed for xxxxxx while
invoking GET on default_host:
/FileTransfer/transfer/cells/PLEX1Network/
admin-authz.xml23874.tmp, Authorization failed, Not
granted any of the required roles: administrator operator
configurator monitor.

where xxxxxx represents the server's userid. The server ID is
actually in the admin-authz.xml file
(as an administrator in the console users). However, the mapping
of roles to users for the file transfer application
is not being performed.
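
The symptom messages quoted above can be picked out of a saved SYSLOG or job log automatically. The following Python example is added here and is not IBM code or part of this APAR: it un-wraps the log text and groups the SECJ0305I, ADMN0022E and SECJ0129E messages. The sample log is constructed from the messages quoted on this page, SRVID1 is a placeholder userid, and the function names and the final heuristic are assumptions.

```python
import re
from collections import Counter

# Constructed log excerpt modelled on the messages quoted in this APAR;
# SRVID1 is a placeholder userid. Messages wrap across lines as in SYSLOG.
SAMPLE = """\
BBOO0222I SECJ0305I: Role based authorization check failed for security name
<null>, accessId NO_CRED_NO_ACCESS_ID while invoking method getRepositoryEpoch
on resource ConfigRepository and module ConfigRepository.
BBOO0222I SECJ0305I: Role based authorization check failed for security name
<null>, accessId NO_CRED_NO_ACCESS_ID while invoking method
propagateNotifications: Ljavax.management.Notification; on resource
NotificationService and module NotificationService.
BBOO0220E ADMS0005E: Unable to generate synchronization request:
javax.management.JMRuntimeException: ADMN0022E: Access denied for the
getRepositoryEpoch operation on ConfigRepository MBean due to insufficient
or empty credentials.
SECJ0129E: Authorization failed for SRVID1 while invoking GET on default_host:
/FileTransfer/transfer/cells/PLEX1Network/admin-authz.xml23874.tmp,
Authorization failed, Not granted any of the required roles: administrator
operator configurator monitor.
"""

NO_CRED = re.compile(r"SECJ0305I: .{0,80}?accessId (\S+) while invoking method "
                     r"(\w+).{0,120}? on resource (\w+)")
SYNC = re.compile(r"ADMN0022E: Access denied for the (\w+) operation on (\w+) MBean")
FT = re.compile(r"SECJ0129E: Authorization failed for (\S+) while invoking (\w+) "
                r"on \S+ ?(/FileTransfer/\S*?),? .{0,120}?required roles: ([a-z ]+)\.")

def triage(log_text):
    """Group the symptom messages found in raw, line-wrapped log text."""
    flat = " ".join(log_text.split())  # undo line wrapping
    no_cred = Counter((res, meth) for acc, meth, res in NO_CRED.findall(flat)
                      if acc == "NO_CRED_NO_ACCESS_ID")
    sync = Counter((mbean, op) for op, mbean in SYNC.findall(flat))
    denied = [{"user": u, "verb": v, "uri": uri, "roles": roles.split()}
              for u, v, uri, roles in FT.findall(flat)]
    return {"no_credential_calls": no_cred, "sync_denied": sync,
            "filetransfer_denied": denied}

def sync_blocked(findings):
    """Heuristic (an assumption of this example): FileTransfer GETs are denied,
    or getRepositoryEpoch is refused for a caller with no credentials."""
    key = ("ConfigRepository", "getRepositoryEpoch")
    return bool(findings["filetransfer_denied"]) or (
        key in findings["sync_denied"] and key in findings["no_credential_calls"])

if __name__ == "__main__":
    print(triage(SAMPLE), sync_blocked(triage(SAMPLE)))
```

Grouping by resource and method shows which MBean operations are being called without credentials, which is easier to read than the flood of individual SYSLOG lines.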
Problem conclusion
WSAccessManager was modified to read the list of
installed administrative applications during server startup,
unless localOS registry and SAF authorization are supported.

During authorization, a check is made as to whether the current
active application is one of those in the adminApps list. If
so, the role-based authorizer is used to check whether the current
user is in role.

APAR PQ81117 is associated with SERVICE LEVEL W502000 of
WebSphere Application Server V5.0 for z/OS.
Temporary fix
Comments
APAR information
APAR number PQ81117
Reported component name WEBSPHERE FOR Z
Reported component ID 5655I3500
Reported release 500
Status CLOSED PER
PE NoPE
HIPER NoHIPER
Special Attention NoSpecatt
Submitted date 2003-11-19
Closed date 2003-12-07
Last modified date 2004-01-03

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:

Modules/Macros
BBOUBINF          

Publications Referenced

Fix information
Fixed component name WEBSPHERE FOR Z
Fixed component ID 5655I3500

Applicable component levels
R500 PSY UQ82905    UP03/12/15 P F312



Document Information


Software version: 500
Reference #: PQ81117
IBM Group: Software Group
Modified date: Jan 3, 2004