PK61863: AN OTS TRANSACTION TO CICS WILL FAIL IN THE APPLICATION SERVER CONTROL REGION WITH A COMM_FAILURE. | |||||||||||||||||||||||||||||||||||||||
![]() |
|||||||||||||||||||||||||||||||||||||||
![]() APAR status Closed as program error. Error description When running an OTS transaction from a WebSphere application server to CICS with security enabled, the transaction will fail in the application server control region with the following error: BBOO0011W The function ZIOPChannelBridge::pending_inbound_response(ORB_Request *)+1086 received CORBA system exception CORBA::COMM_FAILURE. Error code is C9C26A37.Local fix Problem summary **************************************************************** * USERS AFFECTED: Users of WebSphere Application Server V6.1 * * for z/OS who are using SAF authorization * * and using CSIv2 to communicate with CICS * * 3.2. or later. * **************************************************************** * PROBLEM DESCRIPTION: For CSIv2 communication between * * WebSphere Application Server and CICS * * 3.2 or later, the CICS server is * * expecting a SAF identity to be sent * * by the WAS server. However, even * * though the WAS server is configured * * to use local OS with SAF authorization, * * the default configuration uses an * * internally generated identity as the * * server identity. Therefore, it was this * * identity that was being sent to CICS, * * and resulting in a COMM_FAILURE error * * as it was not being recognized as a * * valid user. * **************************************************************** * RECOMMENDATION: * **************************************************************** The default security configuration for WebSphere is to use an automatically generated server identity, and not the started task identity that is defined in the SAF product. As a result, when trying to communicate over CSIv2 to CICS, the communication fails because the server identity is not a valid one.Problem conclusion A new security custom property has been defined, where the name is "com.ibm.ws.security.zOS.useSAFidForTransaction" and the value should be set to "true" in order to use a SAF identity for transactional security even though the security configuration is set to use the automatically generated server identity. APAR PK61863 requires changes to documentation. . NOTE: Periodically, we refresh the documentation on our Web site, so the changes might have been made before you read this text. To access the latest on-line documentation, go to the product library page at: http://www.ibm.com/software/webservers/appserv/library A change to the z/OS version of the WebSphere Application Server Version 6.1 Information Center will be made available. The topic "Security custom properties" will be updated to include the following description of the new com.ibm.ws.security.zOS.useSAFidForTransaction security custom property: com.ibm.ws.security.zOS.useSAFidForTransaction This property is used to enable a server to use the user identity for the z/OS started task as the server identity when calling transactional methods, such as commit(), and prepare(), that require the server identity. This behavior occurs regardless of the server identity setting for that server. For example, you might have a server that is configured to use the automatically generated server identity, which is not an actual identity stored in a user repository. However, this server needs to communicate with CICS 3.2, and CICS 3.2 requires SAF identities. If this property is set to true, the server uses a SAF identity to communicate with CICS instead of the automatically generated identity. Default false APAR PK61863 is currently targeted for inclusion in Service Level (Fix Pack) 6.1.0.17 of WebSphere Application Server V6.1 for z/OS. Please refer to URL: //www.ibm.com/support/docview.wss?rs=404&uid=swg27006970 for Fix Pack availability.Temporary fix Comments
APAR is sysrouted FROM one or more of the following: APAR is sysrouted TO one or more of the following: Modules/Macros Publications Referenced
|
Document Information |
Current web document: swg1PK61863.html
Product categories: Software > Application Servers >
Distributed Application & Web Servers > WebSphere Application
Server for z/OS
Operating system(s):
Software version: 610
Software edition:
Reference #: PK61863
IBM Group: Software Group
Modified date: Jul 2, 2008
(C) Copyright IBM Corporation 2000, 2009. All Rights Reserved.