PQ81949: SECURITY ERROR MESSAGES SURFACE DURING SERVER STARTUP OR APPLICATION RUNTIME AFTER ENABLING SYNC TO OS THREAD
APAR status

Closed as program error.

Error description

The customer had enabled Sync to OS Thread under z/OS Global Security Options. In addition, the customer had a DB2 data source defined.

During server startup, various security error messages surface:

    ICH408I USER(WSGUEST) GROUP(WAS5) NAME(WAS UNAUTH USER)
      /WebSphere/SYSE/AppServer/config/cells/QA/nodes/node1/servers/appserver1/com/ibm/db2/jcc/DB2PooledConnection.class
      CL(DIRSRCH ) FID(01C8C3F9F3F1F50003150000000D0000)
      INSUFFICIENT AUTHORITY TO LOOKUP
      ACCESS INTENT(--X) ACCESS ALLOWED(OTHER ---)

    ICH408I USER(WSGUEST) GROUP(WAS5) NAME(WAS UNAUTH USER )
      /WebSphere/SYSE/AppServer/config/cells/QA/nodes/node1/servers/appserver1/COM/ibm/db2os390/sqlj/jdbc/DB2SQLJBTCConverter.class
      CL(DIRSRCH ) FID(01C8C3F9F3F1F50003150000000D0000)
      INSUFFICIENT AUTHORITY TO LOOKUP
      ACCESS INTENT(--X) ACCESS ALLOWED(OTHER ---)

The problem occurs because the classloader is running under the unauthenticated ID WSGUEST while it searches for DB2 classes in the /WebSphere/SYSE/AppServer/config/cells/QA/nodes/node1/servers/appserver1 directory. Although the classes may not exist there, the classloader searches that directory because it is listed in the ws.ext.dirs variable in control.jvm.options and servant.jvm.options. Because the HFS does not have read/execute permissions for other, and the classloader is running as WSGUEST, the above security messages surface.

Local fix

Problem summary

USERS AFFECTED: All users of WebSphere Application Server V5.0 for z/OS

PROBLEM DESCRIPTION: The customer had enabled Sync to OS Thread under z/OS Global Security Options. In addition, the customer had a DB2 data source defined. During server startup, various security error messages surface:

    ICH408I USER(WSGUEST) GROUP(WAS5) NAME(WAS UNAUTH USER)
      /WebSphere/SYSE/AppServer/config/cells/QA/nodes/node1/servers/appserver1/com/ibm/db2/jcc/DB2PooledConnection.class
      CL(DIRSRCH ) FID(01C8C3F9F3F1F50003150000000D0000)
      INSUFFICIENT AUTHORITY TO LOOKUP
      ACCESS INTENT(--X) ACCESS ALLOWED(OTHER ---)

    ICH408I USER(WSGUEST) GROUP(WAS5) NAME(WAS UNAUTH USER )
      /WebSphere/SYSE/AppServer/config/cells/QA/nodes/node1/servers/appserver1/COM/ibm/db2os390/sqlj/jdbc/DB2SQLJBTCConverter.class
      CL(DIRSRCH ) FID(01C8C3F9F3F1F50003150000000D0000)
      INSUFFICIENT AUTHORITY TO LOOKUP
      ACCESS INTENT(--X) ACCESS ALLOWED(OTHER ---)

RECOMMENDATION:

The problem occurs because the classloader is running under the unauthenticated ID WSGUEST while it searches for DB2 classes in the /WebSphere/SYSE/AppServer/config/cells/QA/nodes/node1/servers/appserver1 directory. Although the classes may not exist there, the classloader searches that directory because it is listed in the ws.ext.dirs variable in:

    control.jvm.options
    servant.jvm.options

Because the HFS does not have read/execute permissions for other, and the classloader is running as WSGUEST, the above security messages surface.

Problem conclusion

The control.jvm.options and servant.jvm.options files are generated by the transformer using information from the node-level variables.xml. To fix this problem, the node-level variables.xml skeleton file will be updated to remove "-DtraceSettingsFile" and, in "-Dws.ext.dirs:", to replace &ASWASH./config/cells/&ASCENL./nodes/&ASNONL./servers/${server_specific_name} with &ASWASH. The transformer will generate "-DtraceSettingsFile" and set it to the part that was deleted from ws.ext.dirs, with trace.dat at the end.
APAR PQ81949 is associated with SERVICE LEVEL W502002 of WebSphere Application Server V5.0 for z/OS.

Temporary fix

Comments

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:

Modules/Macros

Publications Referenced
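An added triage example, not IBM's code: it parses ICH408I messages in the layout quoted in the error description and, for DIRSRCH denials that share a user and FID, reports the deepest directory common to the denied paths, which bounds where the unsearchable directory can be. It assumes the FID identifies the directory that failed the check; the sample log is this page's two messages with wrapped paths rejoined, and the function and constant names are hypothetical.

```python
import posixpath
import re
from collections import defaultdict

# Sample input: the two ICH408I messages from this page, wrapped paths rejoined.
SERVER_DIR = "/WebSphere/SYSE/AppServer/config/cells/QA/nodes/node1/servers/appserver1"
SAMPLE_LOG = f"""\
ICH408I USER(WSGUEST) GROUP(WAS5) NAME(WAS UNAUTH USER)
  {SERVER_DIR}/com/ibm/db2/jcc/DB2PooledConnection.class
  CL(DIRSRCH ) FID(01C8C3F9F3F1F50003150000000D0000)
  INSUFFICIENT AUTHORITY TO LOOKUP
  ACCESS INTENT(--X) ACCESS ALLOWED(OTHER ---)
ICH408I USER(WSGUEST) GROUP(WAS5) NAME(WAS UNAUTH USER )
  {SERVER_DIR}/COM/ibm/db2os390/sqlj/jdbc/DB2SQLJBTCConverter.class
  CL(DIRSRCH ) FID(01C8C3F9F3F1F50003150000000D0000)
  INSUFFICIENT AUTHORITY TO LOOKUP
  ACCESS INTENT(--X) ACCESS ALLOWED(OTHER ---)
"""

MESSAGE = re.compile(r"ICH408I\b.*?(?=ICH408I\b|\Z)", re.S)
FIELD = re.compile(r"(USER|GROUP|NAME|CL|FID|ACCESS INTENT|ACCESS ALLOWED)\(([^)]*)\)")
PATH = re.compile(r"(?<!\S)/\S+")  # first whitespace-delimited token starting with "/"

def parse_ich408i(log):
    """Return one dict of fields (plus PATH) per ICH408I message in the log."""
    records = []
    for text in MESSAGE.findall(log):
        rec = {key: value.strip() for key, value in FIELD.findall(text)}
        path = PATH.search(text)
        rec["PATH"] = path.group(0) if path else None
        records.append(rec)
    return records

def deepest_common_dirs(records):
    """For DIRSRCH denials, map (user, FID) to the deepest directory shared by
    every denied path. Assumption: FID names the directory that failed the
    search check, so that directory is this one or one of its ancestors."""
    groups = defaultdict(list)
    for rec in records:
        if rec.get("CL") == "DIRSRCH" and rec.get("PATH") and "FID" in rec:
            groups[(rec.get("USER"), rec["FID"])].append(posixpath.dirname(rec["PATH"]))
    return {key: posixpath.commonpath(dirs) for key, dirs in groups.items()}

if __name__ == "__main__":
    for (user, fid), directory in deepest_common_dirs(parse_ich408i(SAMPLE_LOG)).items():
        print(f"{user} FID {fid}: check search (x) permission at or above {directory}")
```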
Document Information
Current web document: swg1PQ81949.html
Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server for z/OS
Operating system(s):
Software version: 500
Software edition:
Reference #: PQ81949
IBM Group: Software Group
Modified date: Feb 28, 2006
(C) Copyright IBM Corporation 2000, 2009. All Rights Reserved.