PQ84414: INTEROP PROBLEM PASSING ASSERTED IDENTITY FROM WEBSPHERE ON DISTRIBUTED TO WEBSPHERE Z/OS USING LOCAL OS AND CSIV2 SECURITY

 A fix is available

APAR status
Closed as program error.

Error description
Customer was running WebSphere Application Server 5.0.2 on a
distributed platform. On the WebSphere distributed system there is
a Web application with a servlet that invokes an EJB
running in WebSphere Application Server for z/OS. The
local OS registry is used on both platforms, and the
active protocol is specified as CSIv2. When the CSIv2
Outbound Transport on distributed and the CSIv2 Inbound
Transport on z/OS are both specified as Basic-Auth support,
WebSphere for z/OS uses the distributed application server's
user id instead of the id authenticated by the servlet.
This can be verified by calling getCallerPrincipal() in
the EJB on WebSphere for z/OS.
Local fix

Problem summary
****************************************************************
* USERS AFFECTED: All users of WebSphere Application Server    *
*                 V5.0 for z/OS                                *
****************************************************************
* PROBLEM DESCRIPTION: A CORBA::NO_PERMISSION exception was    *
*                      received when running an EJB in a z/OS  *
*                      server that was invoked from a          *
*                      WebSphere Distributed Web Application   *
*                      servlet. Message SECJ0053E may also     *
*                      appear in the z/OS servant job log.     *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
The z/OS target server and the WebSphere Distributed middle
server were configured to use CSIv2 Basic Authentication and
Asserted Identities on LocalOS. The WebSphere Distributed server
was running a web application that used a servlet to invoke an
EJB on the z/OS system. When the EJB was invoked on the z/OS
system, the getCallerPrincipal() API returned the userid of the
server on the WebSphere Distributed system instead of the userid
being asserted. There may also be a failure if method role
checking is being performed and the userid of the server is not
authorized for the method. This would result in message
SECJ0053E in the target server and a CORBA::NO_PERMISSION
returned to the client.
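The error description and problem summary both say the symptom is visible by calling getCallerPrincipal() in the EJB. The following is an added diagnostic example, not code from the APAR or from IBM: a servlet on the distributed server calls a session bean on z/OS that reports its caller principal, and the servlet compares that name with the user it authenticated. The bean and servlet class names, the home/remote interfaces, the callerName() method and the JNDI name java:comp/env/ejb/CallerCheck are assumptions; the four source files are shown in one block for brevity.

```java
// Added example (not from the APAR). EJB 2.x style, matching WebSphere 5.0.x.
// All class, interface, method and JNDI names below are assumptions.
import java.io.IOException;
import java.io.PrintWriter;
import java.rmi.RemoteException;
import java.security.Principal;
import javax.ejb.CreateException;
import javax.ejb.EJBHome;
import javax.ejb.EJBObject;
import javax.ejb.SessionBean;
import javax.ejb.SessionContext;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.rmi.PortableRemoteObject;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// --- CallerCheck.java (assumed remote interface, deployed on z/OS) ---
public interface CallerCheck extends EJBObject {
    /** Returns the principal name the EJB container associates with this call. */
    String callerName() throws RemoteException;
}

// --- CallerCheckHome.java (assumed home interface) ---
public interface CallerCheckHome extends EJBHome {
    CallerCheck create() throws CreateException, RemoteException;
}

// --- CallerCheckBean.java (stateless session bean on z/OS) ---
public class CallerCheckBean implements SessionBean {
    private SessionContext ctx;

    public String callerName() {
        // With identity assertion working this is the servlet's user; with the
        // defect described in PQ84414 it is the distributed server's own userid.
        Principal p = ctx.getCallerPrincipal();
        return p == null ? null : p.getName();
    }

    public void setSessionContext(SessionContext c) { ctx = c; }
    public void ejbCreate() {}
    public void ejbRemove() {}
    public void ejbActivate() {}
    public void ejbPassivate() {}
}

// --- IdentityCheckServlet.java (deployed on the distributed server) ---
public class IdentityCheckServlet extends HttpServlet {
    // Assumed EJB reference name bound in the web module's deployment descriptor.
    private static final String HOME_JNDI = "java:comp/env/ejb/CallerCheck";

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        Principal webUser = req.getUserPrincipal();
        String expected = webUser == null ? null : webUser.getName();
        String seenByEjb;
        try {
            Object ref = new InitialContext().lookup(HOME_JNDI);
            CallerCheckHome home = (CallerCheckHome)
                PortableRemoteObject.narrow(ref, CallerCheckHome.class);
            seenByEjb = home.create().callerName();
        } catch (NamingException e) {
            throw new ServletException("EJB home lookup failed", e);
        } catch (CreateException e) {
            throw new ServletException("EJB create failed", e);
        } catch (RemoteException e) {
            // A CORBA::NO_PERMISSION raised by the z/OS server (method role check
            // failing for the wrong identity) reaches the client as a RemoteException.
            throw new ServletException("EJB call rejected or failed", e);
        }

        boolean consistent = expected != null && expected.equals(seenByEjb);
        PrintWriter out = resp.getWriter();
        out.println("servlet user: " + expected);
        out.println("EJB caller:   " + seenByEjb);
        out.println(consistent ? "identity assertion OK"
                               : "MISMATCH: EJB ran under a different identity");
        if (!consistent) {
            // Record the symptom on the distributed side too, not only in the z/OS job log.
            log("Asserted identity mismatch: servlet=" + expected + " ejb=" + seenByEjb);
        }
    }
}
```

Depending on registry configuration, the principal name on either side may carry a realm qualifier, so a deployment may need to compare only the user-id part rather than the full string. A mismatch reported by this check, together with SECJ0053E in the z/OS servant job log or a NO_PERMISSION on the client, is the pattern this APAR describes.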
Problem conclusion
The init_acee that is used for a userid-only login creates an
ACEE and RACO but does not set the owning userid. As a result,
the userid of the asserter remains as the owning userid. This id
is retrieved from the OPI in the ORB bridge and passed to the
Java code to use as the identity to run methods. The solution
is to issue a setSAFUserId for the asserted identity so that
the correct identity is used in subsequent processing.

APAR PQ84414 is associated with SERVICE LEVEL W502003 of
WebSphere Application Server V5.0 for z/OS.
Temporary fix

Comments
APAR information
APAR number PQ84414
Reported component name WEBSPHERE FOR Z
Reported component ID 5655I3500
Reported release 500
Status CLOSED PER
PE NoPE
HIPER NoHIPER
Special Attention NoSpecatt
Submitted date 2004-02-09
Closed date 2004-02-26
Last modified date 2004-04-03

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:

Modules/Macros
BBOUBINF

Publications Referenced

Fix information
Fixed component name WEBSPHERE FOR Z
Fixed component ID 5655I3500

Applicable component levels
R500 PSY UQ85594    UP04/03/02 P F403



Document Information


Current web document: swg1PQ84414.html
Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server for z/OS
Operating system(s):
Software version: 500
Software edition:
Reference #: PQ84414
IBM Group: Software Group
Modified date: Apr 3, 2004