PQ89073: SERVANT REGION IS ENDED UNEXPECTEDLY. SECJ0208E MESSAGES IN JOB LOG ACCOMPANY THE FAILURE.

 A fix is available

Obtain the fix for this APAR



APAR status
Closed as program error.

Error description
A WebSphere for z/OS version 5.0 servant region ends
unexpectedly.
The following messages appear in the job log:
BBOO0220E SECJ0208E: An unexpected exception occurred when
attempting to authenticate the server's id during security
initialization. The exception is Internal Error. Thread Id
reset on request exit. Some methods may have not reset thread
identities, contact your IBM support.
BBOO0220E SECJ0208E: An unexpected exception occurred when
attempting to authenticate the server's id during security
initialization. The exception is Fatal Error. Killing thread
because security Identity on thread cannot be reset.
  With tracing activated: ras_trace_detail=(3,4,E) and
com.ibm.ws.security.*=all=enabled, it is evident that the server
OPI control block has been freed. This generates
RunAsxxxx errors, such as
RunAsBuildUToken,
RunAsFreeCred,
RunAsSetSpecCred,
RunAsGetPrincipal and so on.
The RunAsBuildUToken errors are reported by message
BBOS0111E UTOKEN handling function RunAsBuildUtoken failed in
request                   with  SAF Return Code (hex): 0, RACF
Return Code (hex): 0, and RACF Reason Code (hex): 0.
In this message since the return codes are zero and the request
is all spaces, we can infer that the OPI has been freed.
Local fix Problem summary
****************************************************************
* USERS AFFECTED: All users of WebSphere Application Server    *
*                 V5.0 for z/OS                                *
****************************************************************
* PROBLEM DESCRIPTION: Various symptoms occur because the OPI  *
*                      for the server credential has been      *
*                      deleted. Among them: 1) ABEND 0C4 in    *
*                      BOSSOUT 2) BBOO0220E SECJ0208E: An      *
*                      unexpected exception occurred when      *
*                      attempting to authenticate the          *
*                      server's id during security             *
*                      initialization. 3) BBOS0107E            *
*                      Credential handling function            *
*                      <function name> failed. Various RunAs   *
*                      functions may fail. The server may run  *
*                      for quite a while after the server OPI  *
*                      is deleted before symptoms of a         *
*                      failure appear.                         *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
There are several ways to delete an OPI using
RunAs::freeCredential(). A problem can occur if an OPI is
deleted and then re-used. If an outbound request fails, its
credentials (including the OPI) will be deleted before the
failed request is re-driven. An OPI can also be deleted if its
reference count becomes zero. There are problems with handling
the reference count for the server credential, which should
not be deleted except when the servant region ends. One
likely cause of msg. BBOS0107E for a failure in
RunAsSpecLatentCred, RunAsFreeCred, RunAsGetPrincipal, or
RunAsBuildUtoken is a missing OPI.
Problem conclusion
Several fixes are included. Code is added to
WSCredentialImpl.finalize() to protect the server credential
from being freed. Code is also added to
referenceNSC() and freeNSC() to not change the
reference count for the server's OPI, and to not free it.
Code to delete a cloned NSC token is moved from bboocomm.cpp
to bbooejsb.cpp, so the OPI is not deleted until after the
request is re-driven (if needed). Code in bbooorsx.mac
that copies a native security context from the SR to the CR is
modified to only do so if security is enabled. Code is added
to ContextManagerImpl.buildLocalOSSubject() to mark the server
credential, so it is protected from being deleted by destroy()
and finalize() operations. Code is added to
WSLocalzOSExtensionImpl.getLocalOSOwnSubject() to
save and re-use the server subject obtained from the context
manager.

APAR PQ89073 is associated with SERVICE LEVEL W502011 of
WebSphere Application Server V5.0 for z/OS.
Temporary fix Comments
APAR information
APAR number PQ89073
Reported component name WEBSPHERE FOR Z
Reported component ID 5655I3500
Reported release 500
Status CLOSED PER
PE NoPE
HIPER NoHIPER
Special Attention NoSpecatt
Submitted date 2004-05-19
Closed date 2004-06-16
Last modified date 2004-07-02

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:
PQ89288 PQ89483

Modules/Macros
BBOUBINF          

Publications Referenced

Fix information
Fixed component name WEBSPHERE FOR Z
Fixed component ID 5655I3500

Applicable component levels
R500 PSY UQ89659    UP04/06/22 P F406

  Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.


Document Information


Current web document: swg1PQ89073.html
Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server for z/OS
Operating system(s):
Software version: 500
Software edition:
Reference #: PQ89073
IBM Group: Software Group
Modified date: Jul 2, 2004