PQ95751: EJB REQUEST FROM SYSPLEX A TO ANOTHER EJB ON SYSPLEX B RESULTS IN ASSERTION OF IDENTITY OF WSGUEST REGARDLESS OF ID SPECIFIED.

 A fix is available

APAR status
Closed as program error.

Error description
If the user decides to use their own identity (IE: XYZ), and
is expecting it to be passed across SYSPLEXes, the default
unauthenticated ID WSGUEST is what is actually being passed. The
id authenticated to the EJB is known on both servers so it
should be asserted.  A check of the principal on the calling
server confirms the authenticated user.

Also please note that asserting an identity within the same
sysplex works fine.
No CBIND or initACEE errors were encountered.
V510 fix for this is in W510004 (PQ91257/MD19954).

Local fix

Problem summary
****************************************************************
* USERS AFFECTED: All users of WebSphere Application Server    *
*                 V5.0 for z/OS                                *
****************************************************************
* PROBLEM DESCRIPTION: Two problems occur on a server's        *
*                      request to a target server. Both errors *
*                      result in BBOS0118E displayed in the    *
*                      first server's log. The message         *
*                      indicates that the request resulted in  *
*                      a CORBA::NO_PERMISSION exception        *
*                      at the target server. Minor codes       *
*                      c9c24006 and c9c24113 are associated    *
*                      with the exception.                     *
*                                                              *
*                      When minor code c9c24006 is received :  *
*                                                              *
*                      The target server log contains error    *
*                      messages BBOS0008E, BBOS0036E, and      *
*                      BBOS0037E.                              *
*                                                              *
*                      RACF errors are displayed on the        *
*                      console of the target server system.    *
*                      ICH408I USER(WSGUEST ) GROUP(WSCLGP  )  *
*                        NAME(WAS DEFAULT USER)                *
*                      CB.BIND.* CL(CBIND   )                  *
*                      INSUFFICIENT ACCESS AUTHORITY           *
*                      FROM CB.BIND.* (G)                      *
*                      ACCESS INTENT(READ   )  ACCESS          *
*                        ALLOWED(NONE   )                      *
*                      BBOS0002E CBIND CHECK FAILED WITH SAF   *
*                        RETURN CODE=00000008,                 *
*                        RACF RETURN CODE=00000008, RACF       *
*                        REASON CODE=00000000.                 *
*                                                              *
*                      When minor code c9c24113 is received    *
*                      there are no other external errors.     *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
A server received a request from a client. In order to complete
the request the server initiated a request to another server.
Both servers are configured with CSIv2 identity assertion and
SSL with client certificates.

Problem 1.
The first server could not find a SAF identity to assert so it
sent the security context with the CSIv2 defined "Identity Token
Type Anonymous" flag turned on. This means that the target server
will use its configured default identity or unauthenticated
user as the identity on the request. The target server
performed a CBIND check on the default identity and it failed
because the default identity did not have the required access
to the CBIND profile. The server rejected the request and threw
a CORBA::NO_PERMISSION with minor code c9c24006.

Problem 2.
The first server sent an asserted identity context over an SSL
connection. The first server's personal certificate was sent
over the socket as the asserter's identity. The second server
did not find the certificate and attempted to use the configured
default identity as the asserter's identity.  The default
identity did not have the required access to the CBIND profile
and the server threw a CORBA::NO_PERMISSION with minor code
c9c24113.

Problem conclusion
Problem 1.
The first server should have used the SAF identity in the
control block provided but failed to do so because it did not
recognize the particular control block type as having a valid
SAF identity. The code was changed to pick up the userid for
this type.

Problem 2.
The second server failed to recognize that there was a client
certificate on the session because it was using the wrong tag
type to determine if there was a client certificate on the
session. The code was changed to use the correct type.

APAR PQ95751 is associated with SERVICE LEVEL W502018 of
WebSphere Application Server V5.0 for z/OS.
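
A triage sketch for the symptoms described above, added here as an example and not part of IBM's APAR or fix: it classifies each BBOS0118E in the calling server's log by minor code and, for Problem 1, lists which of the target-side messages named in the problem summary are absent. The function name `triage`, the log layout and the sample lines are assumptions constructed for illustration; only the message IDs, minor codes and ICH408I fields come from the page.

```python
import re

# What each minor code on BBOS0118E means, per the APAR text above.
PROBLEMS = {
    "c9c24006": (1, "caller sent the anonymous identity token; target default ID failed CBIND"),
    "c9c24113": (2, "target did not find the asserter's certificate; default ID failed CBIND"),
}
P1_TARGET_MSGS = {"BBOS0008E", "BBOS0036E", "BBOS0037E"}
MINOR = re.compile(r"\b(c9c24006|c9c24113)\b", re.I)
MSGID = re.compile(r"\bBBOS\d{4}E\b")
# ICH408I spans several console lines: USER(...) first, CL(...) a few lines later.
ICH408I = re.compile(r"ICH408I\s+USER\((\w+)\s*\).*?CL\((\w+)\s*\)", re.S)

def triage(caller_log, target_log, default_id="WSGUEST"):
    """Classify each BBOS0118E in the caller log; list missing target-side evidence."""
    seen = set(MSGID.findall(target_log))
    denied = any(u == default_id and c == "CBIND"
                 for u, c in ICH408I.findall(target_log))
    findings = []
    # One record per BBOS0118E, so a minor code on a continuation line is still found.
    for record in re.split(r"(?=BBOS0118E)", caller_log)[1:]:
        m = MINOR.search(record)
        if not m:
            continue
        code = m.group(1).lower()
        number, meaning = PROBLEMS[code]
        missing = []
        if number == 1:  # only Problem 1 leaves errors on the target side
            missing = sorted(P1_TARGET_MSGS - seen) + ([] if denied else ["ICH408I"])
        findings.append({"minor": code, "problem": number,
                         "meaning": meaning, "missing": missing})
    return findings

# Constructed sample logs: the text after each message ID is illustrative only.
CALLER_LOG = """BBOS0118E CORBA::NO_PERMISSION minor code c9c24006
BBOS0118E CORBA::NO_PERMISSION
  minor code C9C24113
"""
TARGET_LOG = """BBOS0008E (constructed) BBOS0036E (constructed) BBOS0037E (constructed)
ICH408I USER(WSGUEST ) GROUP(WSCLGP  ) NAME(WAS DEFAULT USER)
  CB.BIND.* CL(CBIND   )
  INSUFFICIENT ACCESS AUTHORITY
"""

if __name__ == "__main__":
    for finding in triage(CALLER_LOG, TARGET_LOG):
        print(finding)
```

A non-empty `missing` list for minor code c9c24006 means the caller-side symptom matches Problem 1 but the target log supplied does not yet corroborate it.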

Temporary fix

Comments

APAR information
APAR number PQ95751
Reported component name WEBSPHERE FOR Z
Reported component ID 5655I3500
Reported release 500
Status CLOSED PER
PE NoPE
HIPER NoHIPER
Special Attention NoSpecatt
Submitted date 2004-10-14
Closed date 2004-11-12
Last modified date 2004-12-02

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:

Modules/Macros
BBOUBINF          

Publications Referenced

Fix information
Fixed component name WEBSPHERE FOR Z
Fixed component ID 5655I3500

Applicable component levels
R500 PSY UQ95030    UP04/11/18 P F411

Document Information


Current web document: swg1PQ95751.html
Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server for z/OS
Operating system(s):
Software version: 500
Software edition:
Reference #: PQ95751
IBM Group: Software Group
Modified date: Dec 2, 2004