PQ87163: Adminconsole ids without EJBROLE administrator generate many ICH408I, SECJ0321E, BBOO0220E, BBOS0037E, BBOS0105E messages
APAR status

Closed as program error.

Error description

The adminconsole application has a set of 4 EJBROLEs which can be used to protect various adminconsole features from unauthorized use:

* administrator
* configurator
* operator
* monitor

If an adminconsole user logs on using a userid that does not have READ permission to EJBROLE administrator, any mouse click within the adminconsole application at the browser generates an excessive number of messages for each of the EJBROLEs that the userid does not have.

<1> The following messages appear on the system console over and over for each missing EJBROLE:

  ICH408I USER(NJAYNER ) GROUP(SYS1 ) NAME(NJAYNER) administrator CL(EJBROLE ) INSUFFICIENT ACCESS AUTHORITY ACCESS INTENT(READ ) ACCESS ALLOWED(NONE )
  +BBOO0220E SECJ0321E: Role based authorization is caller in role failed for security name WASRACFREALM/NJAYNER, accessId user:WASRACFREALM/NJAYNER, and role name [Ljava.lang.String;@12af2a9.

<2> The following messages appear over and over in the deployment manager's servant region JES Message Log for each missing EJBROLE:

  ICH408I USER(NJAYNER ) GROUP(SYS1 ) NAME(NJAYNER) administrator CL(EJBROLE ) INSUFFICIENT ACCESS AUTHORITY ACCESS INTENT(READ ) ACCESS ALLOWED(NONE )
  +BBOO0220E SECJ0321E: Role based authorization is caller in role failed for security name WASRACFREALM/NJAYNER, accessId user:WASRACFREALM/NJAYNER, and role name [Ljava.lang.String;@644032ac.

<3> The following messages appear over and over in the deployment manager's servant region JES System Message log for each missing EJBROLE:

  BBOO0220E SECJ0321E: Role based authorization is caller in role failed for security name WASRACFREALM/NJAYNER, accessId user:WASRACFREALM/NJAYNER, and role name [Ljava.lang.String;@7c6bb249.

<4> The following messages appear over and over in the deployment manager's SYSOUT data set (or in the WebSphere Error Log) for each EJBROLE:

  BossLog: { 0037} 2004/04/05 19:44:48.490 01 SYSTEM=SY1 SERVER=BBODMGR PID=0X03010341 TID=0X26C80E00 0X000014 c=4.3 ./bbossejb.cpp+569 ... BBOS0105E MSG_BBOSENUS_SEC_REQUESTED_EJBROLES_CHECK_FUNCTION_FAILED: SAF Return Code (hex) : 8 The requested FASTAUTHCHECK function failed and could not be performed for UserID NJAYNER using Role Name administrator and Class Name EJBROLE
  BossLog: { 0038} 2004/04/05 19:44:48.490 01 SYSTEM=SY1 SERVER=BBODMGR PID=0X03010341 TID=0X26C80E00 0X000014 c=4.3 ./bbossejb.cpp+572 ... BBOS0037E MSG_BBOSENUS_SEC_USER_OR_GROUP_NOT_AUTHORIZED: RACF Return Code (hex): 8 (RACROUTE) - The user or group is not authorized
  BossLog: { 0039} 2004/04/05 19:44:48.490 01 SYSTEM=SY1 SERVER=BBODMGR PID=0X03010341 TID=0X26C80E00 0X000014 c=4.3 ./bbosslog.cpp+137 ... BBOS0008E RACAUTH of class, SOMDOBJS, failed with SAF Return Code=00000008, RACF Return Code=00000008, RACF Reason Code=00000000.

<5> The following messages appear over and over in the deployment manager's SYSPRINT for each EJBROLE:

  Trace: 2004/04/05 19:47:40.841 01 t=8DE6E8 c=5.6 key=P8 (0000000A) Description: Log Boss/390 Error from filename: ./bbosslog.cpp at line: 137 error message: BBOS0008E RACAUTH of class, SOMDOBJS, failed with SAF Return Code=00000008, RACF Return Code=00000008, RACF Reason Code=00000000.
  Trace: 2004/04/05 19:47:40.841 01 t=8DE6E8 c=5.6 key=P8 (0000000A) Description: Log Boss/390 Error from filename: ./bbossejb.cpp at line: 569 error message: BBOS0105E MSG_BBOSENUS_SEC_REQUESTED_EJBROLES_CHECK_FUNCTION_FAILED: SAF Return Code (hex) : 8 The requested FASTAUTHCHECK function failed and could not be performed for UserID NJAYNER using Role Name operator and Class Name EJBROLE
  Trace: 2004/04/05 19:47:40.842 01 t=8DE6E8 c=5.6 key=P8 (0000000A) Description: Log Boss/390 Error from filename: ./bbossejb.cpp at line: 572 error message: BBOS0037E MSG_BBOSENUS_SEC_USER_OR_GROUP_NOT_AUTHORIZED: RACF Return Code (hex): 8 (RACROUTE) - The user or group is not authorized
  Trace: 2004/04/05 19:47:40.851 01 t=8DE6E8 c=5.6 key=P8 (13007002) FunctionName: com.ibm.ws.security.role.RoleBasedAuthorizerImpl SourceId: com.ibm.ws.security.role.RoleBasedAuthorizerImpl Category: AUDIT ExtendedMessage: SECJ0321E: Role based authorization is caller in role failed for security name WASRACFREALM/NJAYNER, accessId user:WASRACFREALM/NJAYNER, and role name [Ljava.lang.String;@1acff2b1.

<6> Message SECJ0321E does not display the list of EJBROLEs being checked correctly; it shows as "[Ljava.lang.String;@767a32b2".

Local fix

The ICH408I messages can be suppressed by setting the custom property com.ibm.security.SAF.EJBROLE.Audit.Messages.Suppress=true within the adminconsole application. The path to this property within the adminconsole is as follows: Security -> User Registries -> Local OS -> Custom Properties -> modify the value of property com.ibm.security.SAF.EJBROLE.Audit.Messages.Suppress from "false" to "true". Click OK. Click "Save". Check the box for "Synchronize changes with Nodes" and click "Save".

All the other messages can be eliminated if the userid is given READ access to the set of four EJBROLEs:

* administrator
* configurator
* operator
* monitor

The following RACF commands accomplish this:

  PERMIT administrator CLASS(EJBROLE) ID(NJAYNER) ACCESS(READ)
  PERMIT configurator CLASS(EJBROLE) ID(NJAYNER) ACCESS(READ)
  PERMIT operator CLASS(EJBROLE) ID(NJAYNER) ACCESS(READ)
  PERMIT monitor CLASS(EJBROLE) ID(NJAYNER) ACCESS(READ)
  SETROPTS RACLIST(EJBROLE) REFRESH

After these commands are issued the userid NJAYNER will no longer create all these messages. It should not be necessary to recycle any portion of WebSphere to enable this EJBROLE change.

---

PLEASE NOTE: THIS EJBROLE WORKAROUND SHOULD NOT BE USED IF IT CONTRADICTS ANY USERID SECURITY POLICIES ESTABLISHED AT YOUR SITE. THIS WORKAROUND GIVES THE SPECIFIED adminconsole USER ID AUTHORITY TO PERFORM ALL adminconsole FUNCTIONS.

Problem summary

****************************************************************
* USERS AFFECTED: All users of WebSphere Application Server    *
*                 V5.0 for z/OS                                *
****************************************************************
* PROBLEM DESCRIPTION: If an administrative console user logs  *
*                      on using a userid that does not have    *
*                      READ permission to EJBROLE              *
*                      administrator, an excessive number of   *
*                      messages are generated for each of the  *
*                      roles that the userid cannot access.    *
*                                                              *
*                      <1>                                     *
*                      The following messages appear, more     *
*                      than once, on the system console for    *
*                      each missing EJBROLE:                   *
*                      ICH408I USER(WSADMIN ) GROUP(SYS1 )     *
*                      NAME(WSADMIN) administrator             *
*                      CL(EJBROLE ) INSUFFICIENT ACCESS        *
*                      AUTHORITY ACCESS INTENT(READ )          *
*                      ACCESS ALLOWED(NONE )                   *
*                                                              *
*                      <2>                                     *
*                      The following messages appear, more     *
*                      than once, in the servant region JES    *
*                      Message Log for each missing EJBROLE:   *
*                      BBOO0220E SECJ0321E: Role based         *
*                      authorization is caller in role failed  *
*                      for security name WASRACFREALM/WSADMIN, *
*                      accessId user:WASRACFREALM/WSADMIN, and *
*                      role name [Ljava.lang.String;@644032ac. *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************

The administrative console has a set of 4 EJBROLEs which can be used to protect various administrative console features from unauthorized use:

* administrator
* configurator
* operator
* monitor

If an administrative console user logs on using a userid that does not have READ permission to EJBROLE administrator, any mouse click within the administrative console at the browser generates an excessive number of messages for each of the EJBROLEs that the userid does not have.

<1> The following messages appear on the system console over and over for each missing EJBROLE:

  ICH408I USER(WSADMIN) GROUP(SYS1 ) NAME(WSADMIN) administrator CL(EJBROLE ) INSUFFICIENT ACCESS AUTHORITY ACCESS INTENT(READ ) ACCESS ALLOWED(NONE )

<2> The following messages appear over and over in the deployment manager's servant region JES Message Log for each missing EJBROLE:

  +BBOO0220E SECJ0321E: Role based authorization is caller in role failed for security name WASRACFREALM/WSADMIN, accessId user:WASRACFREALM/WSADMIN, and role name [Ljava.lang.String;@644032ac.

<3> The following messages appear over and over in the deployment manager's servant region JES System Message log for each missing EJBROLE:

  BBOO0220E SECJ0321E: Role based authorization is caller in role failed for security name WASRACFREALM/WSADMIN, accessId user:WASRACFREALM/WSADMIN, and role name [Ljava.lang.String;@7c6bb249.

<4> The following messages appear over and over in the deployment manager's SYSOUT data set (or in the WebSphere Error Log) for each EJBROLE:

  BossLog: { 0037} 2004/04/05 19:44:48.490 01 SYSTEM=SY1 SERVER=BBODMGR PID=0X03010341 TID=0X26C80E00 0X000014 c=4.3 ./bbossejb.cpp+569 ... BBOS0105E MSG_BBOSENUS_SEC_REQUESTED_EJBROLES_CHECK_FUNCTION_FAILED: SAF Return Code (hex) : 8 The requested FASTAUTHCHECK function failed and could not be performed for UserID WSADMIN using Role Name administrator and Class Name EJBROLE
  BossLog: { 0038} 2004/04/05 19:44:48.490 01 SYSTEM=SY1 SERVER=BBODMGR PID=0X03010341 TID=0X26C80E00 0X000014 c=4.3 ./bbossejb.cpp+572 ... BBOS0037E MSG_BBOSENUS_SEC_USER_OR_GROUP_NOT_AUTHORIZED: RACF Return Code (hex): 8 (RACROUTE) - The user or group is not authorized
  BossLog: { 0039} 2004/04/05 19:44:48.490 01 SYSTEM=SY1 SERVER=BBODMGR PID=0X03010341 TID=0X26C80E00 0X000014 c=4.3 ./bbosslog.cpp+137 ... BBOS0008E RACAUTH of class, SOMDOBJS, failed with SAF Return Code=00000008, RACF Return Code=00000008, RACF Reason Code=00000000.

<5> The following messages appear over and over in the deployment manager's SYSPRINT for each EJBROLE:

  Trace: 2004/04/05 19:47:40.841 01 t=8DE6E8 c=5.6 key=P8 (0000000A) Description: Log Boss/390 Error from filename: ./bbosslog.cpp at line: 137 error message: BBOS0008E RACAUTH of class, SOMDOBJS, failed with SAF Return Code=00000008, RACF Return Code=00000008, RACF Reason Code=00000000.
  Trace: 2004/04/05 19:47:40.841 01 t=8DE6E8 c=5.6 key=P8 (0000000A) Description: Log Boss/390 Error from filename: ./bbossejb.cpp at line: 569 error message: BBOS0105E MSG_BBOSENUS_SEC_REQUESTED_EJBROLES_CHECK_FUNCTION_FAILED: SAF Return Code (hex) : 8 The requested FASTAUTHCHECK function failed and could not be performed for UserID WSADMIN using Role Name operator and Class Name EJBROLE
  Trace: 2004/04/05 19:47:40.842 01 t=8DE6E8 c=5.6 key=P8 (0000000A) Description: Log Boss/390 Error from filename: ./bbossejb.cpp at line: 572 error message: BBOS0037E MSG_BBOSENUS_SEC_USER_OR_GROUP_NOT_AUTHORIZED: RACF Return Code (hex): 8 (RACROUTE) - The user or group is not authorized
  Trace: 2004/04/05 19:47:40.851 01 t=8DE6E8 c=5.6 key=P8 (13007002) FunctionName: com.ibm.ws.security.role.RoleBasedAuthorizerImpl SourceId: com.ibm.ws.security.role.RoleBasedAuthorizerImpl Category: AUDIT ExtendedMessage: SECJ0321E: Role based authorization is caller in role failed for security name WASRACFREALM/NJAYNER, accessId user:WASRACFREALM/WSADMIN, and role name [Ljava.lang.String;@1acff2b1.

<6> Message SECJ0321E does not display the list of EJBROLEs being checked correctly; it shows as "[Ljava.lang.String;@767a32b2".

Problem conclusion

The code was modified to call RACROUTE REQUEST=FASTAUTH with MSGSUPP=YES when checking whether the userid has READ access to the first n-1 roles; the call to FASTAUTH with MSGSUPP=NO is made only for the last role. When the userid does not have READ access to any of the roles, only one message indicating that error is displayed on the MVS console and in the SYSPRINT.

APAR PQ87163 is associated with SERVICE LEVEL W502008 of WebSphere Application Server V5.0 for z/OS.

Temporary fix

Comments

**** PE04/05/20 FIX IN ERROR. SEE APAR PQ89010 FOR DESCRIPTION
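As an added example (not IBM's code and not part of this APAR), the following Python script parses ICH408I and BBOS0105E lines like the ones quoted above, summarises which EJBROLEs each userid is failing READ checks on and how often, and builds the PERMIT/SETROPTS commands from the local fix for a RACF administrator to review. The log lines are constructed after the messages in this APAR; the DATASET line is invented to show that failures in other classes are ignored.

```python
import re
from collections import Counter

# Constructed sample lines, patterned on the ICH408I and BBOS0105E messages quoted
# in the APAR. The CL(DATASET ) line is invented noise that must not be counted.
SAMPLE_LOG = """\
ICH408I USER(NJAYNER ) GROUP(SYS1 ) NAME(NJAYNER) administrator CL(EJBROLE ) INSUFFICIENT ACCESS AUTHORITY ACCESS INTENT(READ ) ACCESS ALLOWED(NONE )
ICH408I USER(NJAYNER ) GROUP(SYS1 ) NAME(NJAYNER) configurator CL(EJBROLE ) INSUFFICIENT ACCESS AUTHORITY ACCESS INTENT(READ ) ACCESS ALLOWED(NONE )
ICH408I USER(NJAYNER ) GROUP(SYS1 ) NAME(NJAYNER) administrator CL(EJBROLE ) INSUFFICIENT ACCESS AUTHORITY ACCESS INTENT(READ ) ACCESS ALLOWED(NONE )
BossLog: { 0037} 2004/04/05 19:44:48.490 01 SYSTEM=SY1 SERVER=BBODMGR PID=0X03010341 TID=0X26C80E00 0X000014 c=4.3 ./bbossejb.cpp+569 ... BBOS0105E MSG_BBOSENUS_SEC_REQUESTED_EJBROLES_CHECK_FUNCTION_FAILED: SAF Return Code (hex) : 8 The requested FASTAUTHCHECK function failed and could not be performed for UserID NJAYNER using Role Name operator and Class Name EJBROLE
ICH408I USER(NJAYNER ) GROUP(SYS1 ) NAME(NJAYNER) USERX.TEST.DATA CL(DATASET ) INSUFFICIENT ACCESS AUTHORITY ACCESS INTENT(READ ) ACCESS ALLOWED(NONE )
"""

# ICH408I: the resource (here the EJBROLE name) immediately precedes "CL(<class> )".
ICH408I_RE = re.compile(
    r"ICH408I USER\((?P<user>\S+)\s*\).*?\s(?P<resource>\S+) CL\((?P<cls>\S+)\s*\)")
# BBOS0105E (servant region SYSOUT): UserID, Role Name and Class Name are spelled out.
BBOS0105E_RE = re.compile(
    r"BBOS0105E .*UserID (?P<user>\S+) using Role Name (?P<resource>\S+)"
    r" and Class Name (?P<cls>\S+)")


def missing_ejbroles(log_text):
    """Map each userid to a Counter of EJBROLE names whose READ check failed and
    how many times it failed; checks against any other class are ignored."""
    failures = {}
    for line in log_text.splitlines():
        m = ICH408I_RE.search(line) or BBOS0105E_RE.search(line)
        if m and m.group("cls") == "EJBROLE":
            failures.setdefault(m.group("user"), Counter())[m.group("resource")] += 1
    return failures


def permit_commands(failures):
    """Build the RACF commands from the APAR's local fix: one PERMIT per user/role
    pair seen failing, then the RACLIST refresh. Returned for review, not executed."""
    cmds = [f"PERMIT {role} CLASS(EJBROLE) ID({user}) ACCESS(READ)"
            for user, roles in sorted(failures.items()) for role in sorted(roles)]
    if cmds:
        cmds.append("SETROPTS RACLIST(EJBROLE) REFRESH")
    return cmds


if __name__ == "__main__":
    found = missing_ejbroles(SAMPLE_LOG)
    for user, roles in found.items():
        for role, n in roles.most_common():
            print(f"{user}: {n} failed READ check(s) on EJBROLE {role}")
    print("\n".join(permit_commands(found)))
```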
Document Information
Current web document: swg1PQ87163.html
Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server for z/OS
Software version: 500
Reference #: PQ87163
IBM Group: Software Group
Modified date: Jun 3, 2004
(C) Copyright IBM Corporation 2000, 2009. All Rights Reserved.