PQ86559: BBO* RACF profile is not customizable in the customization dialog. Need more info on default WAS RACF profile | |||||||||||||||||||||||||||||||||||||||||||
![]() |
|||||||||||||||||||||||||||||||||||||||||||
![]() APAR status Closed as program error. Error description When running customization dialog, customers are allowed to change server short names from a default (ex. BBOS001) to their own name using a different prefix than BBO. However, the RACF commends in DATA(BBOWBRAC) were design to configure BBO* default RACF profile only. If server names do not start with BBO* prefix, we do not substitute or generate additional profiles. RACF job BBOWBRAC (or DATA(BBOWBRAK) where commends are already generated and customized) needs to be reviewed and action needs to be taken to generate custom RACF profile. One reason for generating default BBO* RACF profile and not allowing to customize this variable is as follows. When creating a new server through admin console, we assign a default short name for this server that will have BBO prefix and a unique number (ex. BBOS005). This naming convention allows for successful creation of a new server with all permission in RACF already defined. Note, the short name for the new server can be changed after it is created, but user needs to take extra step in ensuring the necessary RACF authorization are set. This apar is opened NOT to change the way we create RACF profiles, but instead to provide the users with better documentation on default WebSphere RACF profile. We plant to update InfoCenter with a document that will explain in details what I did in short in this apar text. In addition, we will update customization dialog help panels for server short names to indicate what the consequences are if BBO default prefix is changed. We are also planning to update DATA(BBOWBRAC) job with comments also explaining the above issue.Local fix Problem summary **************************************************************** * USERS AFFECTED: All users of WebSphere Application Server * * V5.0 for z/OS * **************************************************************** * PROBLEM DESCRIPTION: Further documentation of default * * WebSphere Application Server for z/OS * * RACF profiles is needed. * **************************************************************** * RECOMMENDATION: * **************************************************************** When running the Customization Dialog, customers are allowed to change server short names from a default (ex. BBOS001) to their own name using a prefix other than BBO. However, the RACF commands in DATA(BBOWBRAC) were designed to configure the BBO* default RACF profile only. If server names do not start with the BBO* prefix, additional profiles are not substituted or generated. Customers need to review and take action with the RACF job BBOWBRAC (or DATA(BBOWBRAK) where commands are already generated and customized) in order to generate custom RACF profiles.Problem conclusion The following changes to the WebSphere Application Server for z/OS Customization Dialog have been made as a result of this APAR. The change to Customization Dialog files BBOWBRAC and BBODBRAC will read as follows: -During installation, if you change the server short name to use a prefix other than the BBO* default, you must create your own non-default RACF SAF profile using the non-default prefix. For more information, see "Understanding System Authorization Facility profile names generated by the Customization Dialog" in the WebSphere Application Server Information Center located at http://publib.boulder.ibm.com/infocenter/wasinfo/. The change to Customization Dialog files BBOWHS31 and BBOWHC31 will read as follows: Server name (short) ... Note: When you define a server, its server short name receives a default prefix of BBO* and a corresponding RACF BBO* profile is created. During installation, if you change the server short nam to use a prefix other than BBO*, you must create your own non- default RACF profile using the non-default prefix. For more information, see "RACF server class profiles" and "Understanding System Authorization Facility profile names generated by the Customization Dialog" in the WebSphere Application Server Information Center located at http://publib.boulder.ibm.com/infocenter/wasinfo/. ... Changes to the WebSphere Application Server Information Center will be made as a result of this APAR. To access the latest online documentation, go to the product library page at: http://publib.boulder.ibm.com/infocenter/wasinfo/ The new article cins_cdsaf ("Understanding System Authorization Facility profile names generated by the Customization Dialog") will appear in the security section of the Information Center. The change to Information Center articles rins_defvar2def and rins_defvar4def will read as follows: Server name (short) ... Note: When you define a server, its server short name receives a default prefix of BBO* and a corresponding RACF BBO* profile is created. During installation, if you change the server short nam to use a prefix other than BBO*, you must create your own non- default RACF profile using the non-default prefix. See "RACF server class profiles" for information on creating your own RACF profile and "Understanding System Authorization Facility profile names generated by the Customization Dialog" for information on how the Customization Dialog manages SAF profiles. ... APAR PQ86559 is associated with SERVICE LEVEL W502015 of WebSphere Application Server V5.0 for z/OS.Temporary fix Comments
APAR is sysrouted FROM one or more of the following: APAR is sysrouted TO one or more of the following: PQ89470 Modules/Macros
Publications Referenced
|
Document Information |
Current web document: swg1PQ86559.html
Product categories: Software > Application Servers >
Distributed Application & Web Servers > WebSphere Application
Server for z/OS
Operating system(s):
Software version: 500
Software edition:
Reference #: PQ86559
IBM Group: Software Group
Modified date: Feb 28, 2006
(C) Copyright IBM Corporation 2000, 2009. All Rights Reserved.