Mustgather: Security problems with WebSphere Application Server z/OS V5
 Technote (troubleshooting)
 
Problem (Abstract)
MustGather for security problems with WebSphere® Application Server z/OS. Gathering this information before calling IBM support will help familiarize you with the troubleshooting process and save you time.
 
Resolving the problem
For both WebSphere® Application Server V4.0.1 and V5
  1. Identify your environment - client and server platform and software
  2. Description of your problem and symptoms including any exceptions.
  3. Description of the steps taken to reproduce your problem.
  4. The operations being performed when the problem happens, if known.
  5. If the problem is intermittent or consistent.
  6. Identify the WebSphere Application Server version (V4 or V5) and PTFs.
  7. List of fixes applied to WebSphere.
  8. Identify if programmatic logins are being used.

If you have already contacted support, continue on to the component-specific MustGather information. Otherwise, see Mustgather: Read first for WebSphere Application Server for z/OS.

Required files for WebSphere version 4.0.x:

For instructions on how to send files to support: http://www-1.ibm.com/support/docview.wss?uid=swg21153852

1. XML export of the admin console. To get this, open the admin console, select Console > Export to a file.
2. All the logs in the <WSAS_ROOT>/logs directory for the period of time corresponding to the problem: stdout, stderr, tracefile, activity.log, etc.
3. The administrative server tracefile from the <WSAS_ROOT>/logs directory.
4. The approximate time the problem occurred.
5. The sas.server.props and sas.client.props files from the <WSAS_ROOT>/properties directory.
6. The product.xml file from the <WSAS_ROOT>/config directory.
If instructed to do so by support, take a security and SAS trace of the problem in addition to the information requested above.
a. Detach this file to the WebSphere/AppServer/classes directory: seclogger40.jar

b. Run the administrative console, expand the topology frame, and highlight the application server that is going to be traced to display its properties. Click the Services tab, click Trace Service in the services table, and click the Edit Properties button.

c. Put the following in the Trace Specification field:
SASRas=all=enabled:com.ibm.ejs.security.*=all=enabled

d. Put a fully qualified file name in the Trace Output field (e.g., C:\WebSphere\AppServer\logs\appsecuritytrace)

e. Click on the OK button and then press the Apply button, and make sure the application server is started.

f. Make a backup copy of the <WAS root>/bin/admin.config file, edit the original, and add or edit the following two lines:
com.ibm.ejs.sm.adminServer.traceString=SASRas=all=enabled:com.ibm.ejs.security.*=all=enabled

com.ibm.ejs.sm.adminServer.traceOutput=<WSAS_ROOT>/logs/adminsecuritytrace

g. Stop WebSphere Application Server for z/OS

h. Delete or rename all the logs in <WSAS_ROOT>/logs directory. This ensures that the logs are fresh.

i. Start WebSphere Application Server and recreate the problem.

j. It is very important to make note of the time the problem occurs, the user ID, and the exact URL being invoked.

k. Send in the information from step 9, the admin security trace and the application server security trace along with the other required files discussed above.

Required files for WebSphere 5.x:
For instructions on how to send files to support:
http://www-1.ibm.com/support/docview.wss?uid=swg21153852

For WebSphere 5.0.2 and above:
Files corresponding to the time when the problem occurred. To get this, do the following:

1. Delete or rename the logs in the <WSAS_ROOT>/logs directory. If you are running the deployment manager (dmgr), also delete the logs in the <dmgr_WSAS_ROOT>/logs directory.

2. Start the deployment manager (if applicable), the node agent (if applicable), and the Application Server.

3. Recreate the problem. It is very important to note the approximate system time that the problem occurs, the user ID, and the URL being invoked.

* For WebSphere 5.0.0 or 5.0.1 only:

1. The JVM logs corresponding to the problem: SystemOut.log and SystemErr.log

2. All logs under the ffdc directory

3. security.xml, server.xml, and serverindex.xml files from <WSAS_ROOT>/config
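
The 5.x file list above, gathered by a shell function that stages the named files and writes a manifest of what was found and what was missing. This is an added example, not IBM tooling; the function name collect_mustgather, the manifest format, and the assumption that logs/ and config/ sit directly under <WSAS_ROOT> are illustrative.

```shell
#!/bin/sh
# Added example (not IBM code): gather the WebSphere 5.x files listed above.
# Assumes logs/ and config/ sit directly under <WSAS_ROOT>; files are located
# by name because their depth below those directories varies per install.
# Usage: collect_mustgather <WSAS_ROOT> <archive.tar>
# Exit status: number of listed items not found (0 = complete), 99 = setup error.
collect_mustgather() (
    root=$1; out=$2
    umask 077                       # archive carries the security configuration
    stage=${TMPDIR:-/tmp}/mustgather.$$
    mkdir "$stage" || exit 99       # fails if the path already exists
    trap 'rm -rf "$stage"' EXIT     # staging copy never outlives the run
    list=$stage/.found
    manifest=$stage/MANIFEST.txt
    missing=0
    echo "collected $(date -u '+%Y-%m-%dT%H:%M:%SZ') from $root" > "$manifest"

    # <directory>:<path suffix> pairs taken from the list on this page
    for spec in logs:SystemOut.log logs:SystemErr.log 'logs:ffdc/*' \
                config:security.xml config:server.xml config:serverindex.xml
    do
        dir=${spec%%:*}; pat=${spec#*:}
        find "$root/$dir" -type f -path "*/$pat" > "$list" 2>/dev/null || true
        if [ ! -s "$list" ]; then
            echo "MISSING $dir/$pat" >> "$manifest"
            missing=$((missing + 1))
            continue
        fi
        # Copy each hit, keeping its path relative to <WSAS_ROOT>
        while IFS= read -r f; do
            rel=${f#"$root"/}
            mkdir -p "$stage/$(dirname "$rel")"
            cp -p "$f" "$stage/$rel"
            echo "OK $rel" >> "$manifest"
        done < "$list"
    done

    rm -f "$list"
    (cd "$stage" && tar -cf - .) > "$out"
    exit "$missing"
)
```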

If instructed to do so by support, take a security and SAS trace of the problem in addition to the information requested above.

* If SAS traces are requested by support, ORB tracing is usually also required. The instructions below include instructions for security, SAS and ORB tracing. If SAS tracing is not requested, you can eliminate the ORBRas=all=enabled and SASRas=all=enabled strings, as well as the CORBA arguments in the Generic JVM argument field.

* Problems with JAAS login require security and SAS tracing only.

1. Stop the application server and the nodeagent. Leave the deployment manager running.

2. Enable tracing on the app server, nodeagent, and deployment manager in the admin console.

a. For the application server, go to Servers > Application Servers > servername > Diagnostic Trace Service
b. For the node agent, go to System Administration > Node agents > Nodeagent server > Diagnostic Trace Service
c. For the deployment manager, go to System Administration > Deployment manager > Diagnostic Trace Service
For each process a through c above, specify this trace string and an output file name in Diagnostic Trace Service:

SASRas=all=enabled:com.ibm.ws.security.*=all=enabled:ORBRas=all=enabled

Also for each process a through c above do this:

Select Process Definition > Java Virtual Machine and insert the following in the Generic JVM arguments field:
-Dcom.ibm.CORBA.Debug=true -Dcom.ibm.CORBA.CommTrace=true

3. Save the changes and remember to synchronize with the nodes.

4. Stop the deployment manager.

5. Delete or rename the existing logs in <install_root>/logs directories.

6. Start the deployment manager, node agent, and application server.

7. Recreate your problem. It is very important to note the time the problem occurs, the user ID, and the URL being invoked.

8. Follow instructions to send diagnostic information to IBM support.

Document Information


Current web document: swg21199327.html
Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server for z/OS > Security
Operating system(s): z/OS
Software version: 5.1
Software edition:
Reference #: 1199327
IBM Group: Software Group
Modified date: Jul 7, 2006