PQ81949: SECURITY ERROR MESSAGES SURFACE DURING SERVER STARTUP OR APPLICATION RUNTIME AFTER ENABLING SYNC TO OS THREAD

 A fix is available

Obtain the fix for this APAR



APAR status
Closed as program error.

Error description
Customer had enabled Sync to OS Thread under z/OS Global
Security Options.  In addition, the customer had a db2
datasource defined.
.
During server startup various security error messages surface.
.
ICH408I USER(WSGUEST) GROUP(WAS5) NAME(WAS UNAUTH USER)

  /WebSphere/SYSE/AppServer/config/cells/QA/nodes/node1/serve
  rs/appserver1/com/ibm/db2/jcc/DB2PooledConnection.class
  CL(DIRSRCH ) FID(01C8C3F9F3F1F50003150000000D0000)
  INSUFFICIENT AUTHORITY TO LOOKUP
  ACCESS INTENT(--X)  ACCESS ALLOWED(OTHER ---)
ICH408I
USER(WSGUEST) GROUP(WAS5) NAME(WAS UNAUTH USER     )
  /WebSphere/SYSE/AppServer/config/cells/QA/nodes/node1/serve
  s/appserver1/COM/ibm/db2os390/sqlj/jdbc/DB2SQLJBTCConverter.
  class
  CL(DIRSRCH ) FID(01C8C3F9F3F1F50003150000000D0000)
  INSUFFICIENT AUTHORITY TO LOOKUP
  ACCESS INTENT(--X)  ACCESS ALLOWED(OTHER ---)
.
The problem occurs because the classloader is running under the
unauthenticated id WSGUEST while attempting to search for
db2 classes in
/WebSphere/SYSE/AppServer/config/cells/QA/nodes/node1/servers/
appserver1
directory.  Although the classes may not exist there, the
classloader attempts to search that directory since it is
located on the ws.ext.dirs variable in
control.jvm.options
servant.jvm.options
.
Since the hfs does not have read/execute permissions for other,
and the classloader is running as WSGUEST, the above security
messages surface.
.
Local fix Problem summary
****************************************************************
* USERS AFFECTED: All users of WebSphere Application Server    *
*                 V5.0 for z/OS                                *
****************************************************************
* PROBLEM DESCRIPTION: Customer had enabled Sync to OS Thread  *
*                      under z/OS Global Security Options.     *
*                      In addition, the customer had a db2     *
*                      datasource defined.                     *
*                      During server startup various           *
*                      security error messages surface.        *
*                                                              *
*                      ICH408I USER(WSGUEST) GROUP(WAS5)       *
*                         NAME(WAS UNAUTH USER)                *
*                                                              *
*                      /WebSphere/SYSE/AppServer/config/cells  *
*                        /QA/nodes/node1/servers/appserver1    *
*                          /com/ibm/db2/jcc                    *
*                             /DB2PooledConnection.class       *
*                      CL(DIRSRCH )                            *
*                      FID(01C8C3F9F3F1F50003150000000D0000)   *
*                      INSUFFICIENT AUTHORITY TO LOOKUP        *
*                      ACCESS INTENT(--X)                      *
*                      ACCESS ALLOWED(OTHER ---)               *
*                      ICH408I                                 *
*                      USER(WSGUEST) GROUP(WAS5)               *
*                      NAME(WAS UNAUTH USER     )              *
*                      /WebSphere/SYSE/AppServer/config/cells  *
*                       /QA/nodes/node1/serves/appserver1/COM  *
*                         /ibm/db2os390/sqlj/jdbc              *
*                           /DB2SQLJBTCConverter.class         *
*                      CL(DIRSRCH )                            *
*                      FID(01C8C3F9F3F1F50003150000000D0000)   *
*                      INSUFFICIENT AUTHORITY TO LOOKUP        *
*                      ACCESS INTENT(--X)                      *
*                      ACCESS ALLOWED(OTHER ---)               *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
The problem occurs because the classloader is running under the
unauthenticated id WSGUEST while attempting to search for DB2
classes in
/WebSphere/SYSE/AppServer/config/cells/QA/nodes/node1/servers
   /appserver1
directory.  Although the classes may not exist there, the
classloader attempts to search that directory since it is
located on the ws.ext.dirs variable in:
  control.jvm.options
  servant.jvm.options

Since the hfs does not have read/execute permissions for other,
and the classloader is running as WSGUEST, the above security
messages surface.
Problem conclusion
Since the control.jvm.options and servant.jvm.options are
generated by the transformer using information from the
node-level variables.xml, to fix this, the
node-level variables.xml skeleton file will be updated to
remove "-DtraceSettingsFile" and replace "-Dws.ext.dirs:"'s
&ASWASH./config/cells/&ASCENL./nodes/&ASNONL./servers
  /${server_specific_name} with &ASWASH.

The transformer will generate "-DtraceSettingsFile" and set to
the part that was deleted from ws.ext.dirs with trace.dat at
the end.

APAR PQ81949 is associated with SERVICE LEVEL W502002 of
WebSphere Application Server V5.0 for z/OS.
Temporary fix Comments
APAR information
APAR number PQ81949
Reported component name WEBSPHERE FOR Z
Reported component ID 5655I3500
Reported release 500
Status CLOSED PER
PE NoPE
HIPER NoHIPER
Special Attention NoSpecatt
Submitted date 2003-12-09
Closed date 2004-02-12
Last modified date 2006-02-28

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:

Modules/Macros
BBOUBINF          

Publications Referenced

Fix information
Fixed component name WEBSPHERE FOR Z
Fixed component ID 5655I3500

Applicable component levels
R500 PSY UQ85128    UP04/02/20 P F402

  Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.


Document Information


Current web document: swg1PQ81949.html
Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server for z/OS
Operating system(s):
Software version: 500
Software edition:
Reference #: PQ81949
IBM Group: Software Group
Modified date: Feb 28, 2006