PQ77186: BBOO0222I SECJ0305I: ROLE BASED AUTHORIZATION CHECK FAILED WHILE INVOKING METHOD QUERY:COM.IBM.WS.MANAGEMENT.DISCOVERY.SERVERINFO
APAR status

Closed as program error.

Error description

When starting up an application server that does mbean discovery, the following security error message surfaces in the node agent.

    ICH408I USER(WSGUEST) GROUP(WSCLGPT ) NAME(WAS DEFAULT USER
      administrator CL(EJBROLE )
      INSUFFICIENT ACCESS AUTHORITY
      ACCESS INTENT(READ ) ACCESS ALLOWED(NONE )

    BBOO0222I SECJ0305I: Role based authorization check failed for
    security name AHCPLEX/WSGUEST, accessId user:AHCPLEX/WSGUEST
    while invoking method: com.ibm.ws.management.discovery.ServerInfo
    on resource Discovery and module Discovery.

    javax.management.JMRuntimeException: ADMN0022E: Access denied for
    the query operation on Discovery MBean due to insufficient or
    empty credentials.

Other error messages that also surface:

    BBOS0103E MSG_BBOSENUS_SEC_EJBROLES_CHECK_FAILED: The requested
    EJBROLESAUTHCHECK(RACROUTE) function User WSGUEST not permitted
    to method admin-authz via Allowed roles (operator,administrator,.)

Local fix

Problem summary

USERS AFFECTED: All users of WebSphere Application Server V5.0 for z/OS

PROBLEM DESCRIPTION: Upon server initialization the default z/OS userid is used, errantly, as the authenticated entity for RMI/IIOP calls that emanate from the controller address space of the server. The target of these calls fails the RMI/IIOP request because the default user does not pass an EJBROLE check. The EJBROLE failures usually occur in the controller of a node agent.

The error:

    BBOO0222I SECJ0305I: ROLE BASED AUTHORIZATION CHECK FAILED WHILE
    INVOKING METHOD QUERY:COM.IBM.WS.MANAGEMENT.DISCOVERY.SERVERINFO

is typical. This message also appears at the MVS console:

    BBOO0222I SECJ0305I: Role based authorization check failed for
    security name WASRACFREALM/WSGUEST, accessId
    user:WASRACFREALM/WSGUEST while invoking method query:
    com.ibm.ws.management.discovery.ServerInfo on resource Discovery
    and module Discovery.

    ICH408I USER(WSGUEST ) GROUP(SMADMIN1) NAME(WAS DEFAULT USER )
      administrator CL(EJBROLE )
      INSUFFICIENT ACCESS AUTHORITY
      ACCESS INTENT(READ ) ACCESS ALLOWED(NONE )

RECOMMENDATION:

During server initialization of the controller, if global security is enabled, the security runtime attempts to obtain and cache a copy of the credential for the default z/OS identity. As a side effect of obtaining this credential, the default id is made to be the identity that is used if RMI/IIOP calls are made. The default id remains current until the first inbound call is fielded by the controller and supplants the default identity. During this window, if the controller initiates an RMI/IIOP call, the default user is used for authorization checks in the target of the call. In many cases the default id fails to pass EJBROLE checks. The following message is typical.

    BBOO0222I SECJ0305I: Role based authorization check failed for
    security name WASRACFREALM/WSGUEST, accessId
    user:WASRACFREALM/WSGUEST while invoking method query:
    com.ibm.ws.management.discovery.ServerInfo on resource Discovery
    and module Discovery.

    ICH408I USER(WSGUEST ) GROUP(SMADMIN1) NAME(WAS DEFAULT USER )
      administrator CL(EJBROLE )
      INSUFFICIENT ACCESS AUTHORITY
      ACCESS INTENT(READ ) ACCESS ALLOWED(NONE )

Problem conclusion

During server initialization, when the credential for the default z/OS identity is obtained, it is not made the current identity for RMI/IIOP calls.
APAR PQ77186 is associated with SERVICE LEVEL W501000 of WebSphere Application Server V5.0 for z/OS.

Temporary fix

Comments

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:

Modules/Macros

Publications Referenced
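For triage of the failures described in this APAR, the following added example (not IBM code and not part of the original APAR text) separates EJBROLE denials that fit the PQ77186 signature from other denials in a console log. It assumes the default z/OS identity is WSGUEST, as in the messages above, and that ICH408I continuation lines follow the header line without timestamp prefixes; the sample log and the user APPUSER1 are constructed.

```python
import re

# Constructed sample console log (not captured output), modelled on the
# messages quoted in this APAR. APPUSER1 is a made-up user for contrast.
SAMPLE_LOG = """\
ICH408I USER(WSGUEST ) GROUP(SMADMIN1) NAME(WAS DEFAULT USER )
  administrator CL(EJBROLE )
  INSUFFICIENT ACCESS AUTHORITY
  ACCESS INTENT(READ ) ACCESS ALLOWED(NONE )
BBOO0222I SECJ0305I: Role based authorization check failed for security name WASRACFREALM/WSGUEST, accessId user:WASRACFREALM/WSGUEST while invoking method query: com.ibm.ws.management.discovery.ServerInfo on resource Discovery and module Discovery.
ICH408I USER(APPUSER1) GROUP(APPGRP  ) NAME(CONSTRUCTED USER )
  operator CL(EJBROLE )
  INSUFFICIENT ACCESS AUTHORITY
  ACCESS INTENT(READ ) ACCESS ALLOWED(NONE )
"""

# ICH408I header line, then the profile (role) name and class on the next line.
ICH408I = re.compile(
    r"ICH408I USER\(([^\s)]+)\s*\)[^\n]*\n\s*(\S+)\s+CL\(([^\s)]+)\s*\)")
# SECJ0305I: user part of "realm/user" and the resource the call targeted.
SECJ0305I = re.compile(
    r"SECJ0305I:.*?security name [^/\s]+/([^,\s]+),.*?on resource (\w+)")


def triage(log, default_user="WSGUEST"):
    """Classify each EJBROLE denial in `log`.

    A denial fits the PQ77186 signature when the denied user is the
    default z/OS identity (assumed name, pass your own) and the same
    user also appears in a SECJ0305I failure on resource Discovery.
    """
    discovery_users = {user for user, resource in SECJ0305I.findall(log)
                       if resource == "Discovery"}
    findings = []
    for user, role, racf_class in ICH408I.findall(log):
        if racf_class != "EJBROLE":
            continue
        fits = user == default_user and user in discovery_users
        findings.append({
            "user": user,
            "role": role,
            "verdict": "matches PQ77186 signature" if fits
                       else "review separately",
        })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

A signature match says nothing about timing; confirm that the denials occur only during controller initialization, before the first inbound call, since denials for the default identity outside that window are not explained by this APAR.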
Document Information
Current web document: swg1PQ77186.html
Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server for z/OS
Operating system(s):
Software version: 500
Software edition:
Reference #: PQ77186
IBM Group: Software Group
Modified date: Oct 3, 2003
(C) Copyright IBM Corporation 2000, 2009. All Rights Reserved.