PQ89865: An unauthenticated V5 client can abend SEC3 R=02010003 remotely against a V5 and V4.01 servers active in the same LPAR.
APAR status

Closed as program error.

Error description

An unauthenticated V5 client can abend SEC3 R=02010003 communicating remotely with a V5 server if a V4.01 server is active in the same LPAR.

The client ends up going to BBOSSRPX, and uses the 4.01 BGVT which PCs to BBOSSRVA, using the table index (since the 4.01 daemon is active). It should use the 5.0 BGVT and PC to BBOSSRPW. Using the 4.01 BGVT index, it wants to use the passticket, which is not configured, abending EC3.

From the linkage stack in the dump you can see it is wanting the second routine on the PC number. In 502, BBOSSRPX is second on the PC. In 401, BBOSSRVA is second on the PC.

Traceback:

```
DSA Addr Program Unit PU Addr PU Offset Entry E Addr E Offset Statement Load Mod Service Status
2C32B3F8 BBOSSRPX 335D46F8 +000000CC BBOSSRPX 335D46F8 +000000CC SUBPOOL2 Call
2C32B2E8 3361BB20 +0000012E SecurityManager::remote_useridpasstkt(char*) 3361BB20 +0000012E SUBPOOL2 Call
2C32A138 335E8E68 +0000359E SecurityManager::createOutbound(ORB_Request*) 335E8E68 +0000359E SUBPOOL2 Call
2C329E10 328D9138 +00000B6C ORB_Request::comm_outbound_ctl_sclt_request(ORB_Request::ORB 328D9138 +00000B6C SUBPOOL2 Call
2C329BF0 328D7018 +000012F8 ORB_Request::comm_outbound_request() 328D7018 +000012F8 SUBPOOL2 Call
2C329360 32D91F08 +00000CD2 CORBA::Request::invoke() 32D91F08 +00000CD2 SUBPOOL2 Call
2C329118 32C95270 +000003C8 ORBEJSBridge::invoke_request(JNIEnv_*,bboojorb*,char*,unsign 32C95270 +000003C8 SUBPOOL2 Call
2C328F48 32C93648 +00000452 ORBEJSBridge::build_and_invoke_request(JNIEnv_*,bboojorb*,ch 32C93648 +00000452 SUBPOOL2 Call
2C328D48 328FA488 +0000057A Java_com_ibm_ws390_orb_ClientDelegate_jorbInvokeRequest 328FA488 +0000057A SUBPOOL2 Call
2C328C50 31B6EEC0 +0000012C com/ibm/ws390/orb/ClientDelegate.jorbInvokeRequest(I.BIZI).B 31B6EEC0 +0000012C SUBPOOL0 Call
2C328B80 2CE88228 +00001584 EXECJAVA 2CE88228 +00001584 *PATHNAM Call
```

Thus it PCed to BBOSSRVA instead of BBOSSRPX.

MD15364

Local fix

1. Client authentication should be enabled. CSIV2 industry-wide Java client authentication mechanisms are userid/password and client certificates.

OR

2. Disable passtickets, if you do not use this option. They are enabled by default. Follow this path from the admin console: Security > Authentication Protocol > zSAS Transport > clear the flag for "Userid Passticket". Restart the app server.

Problem summary

USERS AFFECTED: All users of WebSphere Application Server V5.0 for z/OS

PROBLEM DESCRIPTION: An unauthenticated V5 client can abend ABENDSEC3/ABENDEC3 R=02010003 communicating remotely with a V5 server if a V4.0.1 server is active in the same LPAR

RECOMMENDATION:

An unauthenticated V5 client can abend ABENDSEC3/ABENDEC3 R=02010003 communicating remotely with a V5 server if a V4.01 server is active in the same LPAR.

The client ends up going to BBOSSRPX and uses the 4.01 BGVT which PCs to BBOSSRVA, using the table index (since the 4.0.1 daemon is active). It should use the 5.0 BGVT and PC to BBOSSRPW. Using the 4.0.1 BGVT index, it wants to use the passticket, which is not configured, abending EC3.

From the linkage stack in the dump you can see it is wanting the second routine on the PC number. In 502, BBOSSRPX is second on the PC. In 401, BBOSSRVA is second on the PC.
Traceback:

```
DSA Addr Program Unit PU Addr PU Offset Entry E Addr E Offset Statement Load Mod Service Status
2C32B3F8 BBOSSRPX 335D46F8 +000000CC BBOSSRPX 335D46F8 +000000CC SUBPOOL2 Call
2C32B2E8 3361BB20 +0000012E SecurityManager::remote_useridpasstkt(char*) 3361BB20 +0000012E SUBPOOL2 Call
2C32A138 335E8E68 +0000359E SecurityManager::createOutbound(ORB_Request*) 335E8E68 +0000359E SUBPOOL2 Call
2C329E10 328D9138 +00000B6C ORB_Request::comm_outbound_ctl_sclt_request(ORB_Request::OR) 328D9138 +00000B6C SUBPOOL2 Call
2C329BF0 328D7018 +000012F8 ORB_Request::comm_outbound_request() 328D7018 +000012F8 SUBPOOL2 Call
2C329360 32D91F08 +00000CD2 CORBA::Request::invoke() 32D91F08 +00000CD2 SUBPOOL2 Call
2C329118 32C95270 +000003C8 ORBEJSBridge::invoke_request(JNIEnv_*,bboojorb*,char*,unsig) 32C95270 +000003C8 SUBPOOL2 Call
2C328F48 32C93648 +00000452 ORBEJSBridge::build_and_invoke_request(JNIEnv_*,bboojorb*,c) 32C93648 +00000452 SUBPOOL2 Call
2C328D48 328FA488 +0000057A Java_com_ibm_ws390_orb_ClientDelegate_jorbInvokeRequest 328FA488 +0000057A SUBPOOL2 Call
2C328C50 31B6EEC0 +0000012C com/ibm/ws390/orb/ClientDelegate.jorbInvokeRequest(I.BIZI) 31B6EEC0 +0000012C SUBPOOL0 Call
2C328B80 2CE88228 +00001584 EXECJAVA 2CE88228 +00001584 *PATHNAM Call
```

Problem conclusion

Make sure that the BGVT pointer is based on the BACB rather than the ECVTBCBA table. This fix assumes that the variable daemon_group_name has been defined and is not null.

APAR PQ89865 requires changes to documentation.

NOTE: Periodically, we refresh the documentation on our Web site, so the changes might have been made before you read this text. To access the latest on-line documentation, go to the product library page at: www.ibm.com/software/webservers/appserv/zos_os390/library.html

APAR PQ89865 requires the daemon_group_name environment variable to be set in order for an application client to use passticket security.
As a result, the following change will be made to the infocenter:

In the article entitled "Administration application settings as they compare to the Version 5 administrative console settings", the following text will be added:

A restriction for the "Userid passticket allowed" setting requires any application client wishing to communicate with a server configured to use passticket to set the daemon_group_name variable. This can be done by adding the following statement to the client shell script or setupCmdLine.sh in the $WAS_HOME\bin directory:

    export daemon_group_name=<GROUP NAME>

APAR PQ89865 is associated with SERVICE LEVEL W502020 of WebSphere Application Server V5.0 for z/OS.

Temporary fix

Comments
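An added example, not part of the APAR or of any IBM-supplied script: a preflight check for the daemon_group_name restriction described above, meant to be run against the client shell script or setupCmdLine.sh before the client starts. The function name, status strings and sample file contents are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not IBM code): verify that a client launch script sets
# daemon_group_name to a real, non-empty value, as APAR PQ89865 requires
# for application clients that use passticket security.
# Output (hypothetical status strings):
#   ok:<value> | missing | empty | placeholder | unreadable
check_daemon_group_name() {
    script=$1
    [ -r "$script" ] || { echo "unreadable"; return 2; }

    # The last assignment wins when the script runs, so inspect that one.
    line=$(grep -E '^[[:space:]]*(export[[:space:]]+)?daemon_group_name=' "$script" | tail -n 1) || true
    [ -n "$line" ] || { echo "missing"; return 1; }

    # Keep the text after the first '=', dropping quotes and trailing blanks.
    value=$(printf '%s' "${line#*=}" | tr -d "\"'" | sed 's/[[:space:]]*$//')

    case $value in
        '')      echo "empty"; return 1 ;;        # defined but null
        '<'*'>') echo "placeholder"; return 1 ;;  # documentation text pasted unchanged
        *)       echo "ok:$value"; return 0 ;;
    esac
}

# Constructed sample: a script that still carries the documentation placeholder.
sample=$(mktemp)
printf '%s\n' '# client settings (constructed)' 'export daemon_group_name=<GROUP NAME>' > "$sample"
check_daemon_group_name "$sample" || echo "set daemon_group_name in $sample before starting the client"
rm -f "$sample"
```

A non-zero return covers both cases the fix does not tolerate (variable not defined, or defined but null) as well as the placeholder left unedited.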
APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following: PQ89945

Modules/Macros

Publications Referenced

Document Information
Current web document: swg1PQ89865.html
Product categories: Software > Application Servers >
Distributed Application & Web Servers > WebSphere Application
Server for z/OS
Operating system(s):
Software version: 500
Software edition:
Reference #: PQ89865
IBM Group: Software Group
Modified date: Jan 5, 2005
(C) Copyright IBM Corporation 2000, 2009. All Rights Reserved.