PQ85631: ICSF fails at W502000 because of validation failure

 A fix is available


APAR status
Closed as program error.

Error description
When running with Global Security enabled using ICSF, the server
fails during validation because we are picking up an
unauthenticated ID (default WSGUEST).

With com.ibm.ws.security.*=all=enabled tracing turned on, we can
see the following in the job output:

FunctionName: com.ibm.ws.security.server.lm.ICSFLoginModule
   SourceId: com.ibm.ws.security.server.lm.ICSFLoginModule
   Category: DEBUG
   ExtendedMessage: Using credential token for authentication
Trace: 2004/01/26 08:54:29.755 01 t=A87870 c=UNK key=P2
(13007002)
   FunctionName: com.ibm.ws.security.icsf.ICSFServerObject
   SourceId: com.ibm.ws.security.icsf.ICSFServerObject
   Category: ENTRY
   ExtendedMessage: ICSFServerObject.validate
Trace: 2004/01/26 08:54:29.775 01 t=A87870 c=UNK key=P2
(13007002)
   FunctionName: com.ibm.ws.security.auth.ContextManagerImpl
   SourceId: com.ibm.ws.security.auth.ContextManagerImpl
   Category: DEBUG
   ExtendedMessage: CELL_SECURITY_ENABLED = true
Trace: 2004/01/26 08:54:29.807 01 t=A87870 c=UNK key=P2
(13007002)
   FunctionName: com.ibm.ws.security.auth.ContextManagerImpl
   SourceId: com.ibm.ws.security.auth.ContextManagerImpl
   Category: DEBUG
   ExtendedMessage: Using SAF Registry. Create credential with a
private cred
Trace: 2004/01/26 08:54:29.809 01 t=A87870 c=UNK key=P2
(13007002)
   FunctionName: com.ibm.ws.security.auth.ContextManagerImpl
   SourceId: com.ibm.ws.security.auth.ContextManagerImpl
   Category: EXIT
   ExtendedMessage: ContextManagerImpl.getProperty(
com.ibm.security.SAF.unauthenticated) returns WSGUEST
Trace: 2004/01/26 08:54:29.816 01 t=A87870 c=UNK key=P2
(13007002)
   FunctionName: com.ibm.ws.security.registry.UserRegistryImpl
   SourceId: com.ibm.ws.security.registry.UserRegistryImpl
   Category: DEBUG
   ExtendedMessage: getDefaultOSCred Validating unauthenticated
userId WSGUEST with SAF

Local fix

Problem summary
****************************************************************
* USERS AFFECTED: All users of WebSphere Application Server    *
*                 V5.0 for z/OS                                *
****************************************************************
* PROBLEM DESCRIPTION: Customers using Integrated              *
*                      Cryptographic Services Facility (ICSF)  *
*                      as their authentication mechanism may   *
*                      get the following message on their MVS  *
*                      console:                                *
*                      ICH408I USER(WSGUEST ) GROUP(WSGUESTG)  *
*                      NAME(WAS DEFAULT USER) administrator    *
*                      CL(EJBROLE ) INSUFFICIENT ACCESS        *
*                      AUTHORITY ACCESS INTENT(READ ) ACCESS   *
*                      ALLOWED(NONE)                           *
*                      where WSGUEST is the unauthenticated    *
*                      ID.                                     *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
The problem was due to an incorrect initialization of the
user registry when the ICSF Server Object was instantiated.
We were not able to get the correct user registry to obtain the
current credentials; therefore we used the unauthenticated
credentials instead.
This ID can be seen in the SYSPRINT when Java security traces
are enabled:
FunctionName: com.ibm.ws.security.server.lm.ICSFLoginModule
SourceId: com.ibm.ws.security.server.lm.ICSFLoginModule
Category: DEBUG
ExtendedMessage: Using credential token for authentication
Trace: 2004/01/26 08:54:29.755 01 t=A87870 c=UNK key=P2
FunctionName: com.ibm.ws.security.icsf.ICSFServerObject
SourceId: com.ibm.ws.security.icsf.ICSFServerObject
Category: ENTRY
ExtendedMessage: ICSFServerObject.validate
Trace: 2004/01/26 08:54:29.775 01 t=A87870 c=UNK key=P2
FunctionName: com.ibm.ws.security.auth.ContextManagerImpl
SourceId: com.ibm.ws.security.auth.ContextManagerImpl
Category: DEBUG
ExtendedMessage: CELL_SECURITY_ENABLED = true
Trace: 2004/01/26 08:54:29.807 01 t=A87870 c=UNK key=P2
FunctionName: com.ibm.ws.security.auth.ContextManagerImpl
SourceId: com.ibm.ws.security.auth.ContextManagerImpl
Category: DEBUG
ExtendedMessage: Using SAF Registry. Create credential with a
private cred
Trace: 2004/01/26 08:54:29.809 01 t=A87870 c=UNK key=P2
FunctionName: com.ibm.ws.security.auth.ContextManagerImpl
SourceId: com.ibm.ws.security.auth.ContextManagerImpl
Category: EXIT
ExtendedMessage: ContextManagerImpl.getProperty(
com.ibm.security.SAF.unauthenticated) returns WSGUEST
Trace: 2004/01/26 08:54:29.816 01 t=A87870 c=UNK key=P2
FunctionName: com.ibm.ws.security.registry.UserRegistryImpl
SourceId: com.ibm.ws.security.registry.UserRegistryImpl
Category: DEBUG
ExtendedMessage: getDefaultOSCred Validating unauthenticated
userId WSGUEST with SAF
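
The pattern in the trace above, where ICSFServerObject.validate is entered and the unauthenticated user ID is then validated with SAF on the same thread, can be checked for mechanically. The following Python is an added example, not IBM code; it assumes each "Trace:" line is the header of the record that follows it, and that the matching EXIT record's message also begins with ICSFServerObject.validate.

```python
import re

# Excerpt of the trace quoted in this APAR (ExtendedMessage wrapping kept as-is).
SAMPLE_TRACE = """\
Trace: 2004/01/26 08:54:29.755 01 t=A87870 c=UNK key=P2
FunctionName: com.ibm.ws.security.icsf.ICSFServerObject
Category: ENTRY
ExtendedMessage: ICSFServerObject.validate
Trace: 2004/01/26 08:54:29.816 01 t=A87870 c=UNK key=P2
FunctionName: com.ibm.ws.security.registry.UserRegistryImpl
Category: DEBUG
ExtendedMessage: getDefaultOSCred Validating unauthenticated
userId WSGUEST with SAF
"""

FIELD = re.compile(r"(FunctionName|SourceId|Category|ExtendedMessage):\s*(.*)")
THREAD = re.compile(r"\bt=(\w+)")
UNAUTH = re.compile(r"Validating unauthenticated userId (\S+) with SAF")

def parse_records(text):
    """Split trace text into records, rejoining wrapped ExtendedMessage lines."""
    records, rec, thread = [], None, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("Trace:"):  # assumed: header line opens the next record
            m = THREAD.search(line)
            thread, rec = (m.group(1) if m else None), None
        elif m := FIELD.fullmatch(line):
            if m.group(1) == "FunctionName":
                rec = {"thread": thread}
                records.append(rec)
            if rec is not None:
                rec[m.group(1)] = m.group(2)
        elif rec is not None and line and "ExtendedMessage" in rec:
            rec["ExtendedMessage"] += " " + line  # continuation of a wrapped message
    return records

def find_unauth_fallback(text):
    """Return (thread, userId) pairs validated as unauthenticated inside validate()."""
    in_validate, findings = set(), []
    for r in parse_records(text):
        fn, msg = r.get("FunctionName", ""), r.get("ExtendedMessage", "")
        if fn.endswith("ICSFServerObject") and msg.startswith("ICSFServerObject.validate"):
            if r.get("Category") == "ENTRY":
                in_validate.add(r["thread"])
            elif r.get("Category") == "EXIT":  # assumed EXIT form, not shown in the APAR
                in_validate.discard(r["thread"])
        if (m := UNAUTH.search(msg)) and r["thread"] in in_validate:
            findings.append((r["thread"], m.group(1)))
    return findings
```

A non-empty result on a server at a service level below W502005 matches the symptom described in this APAR.
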
Problem conclusion
Modified the ICSF Server Object to correctly initialize the
user registry.

APAR PQ85631 is associated with SERVICE LEVEL W502005 of
WebSphere Application Server V5.0 for z/OS.

Temporary fix

Comments

APAR information
APAR number: PQ85631
Reported component name: WEBSPHERE FOR Z
Reported component ID: 5655I3500
Reported release: 500
Status: CLOSED PER
PE: NoPE
HIPER: NoHIPER
Special Attention: NoSpecatt
Submitted date: 2004-03-05
Closed date: 2004-03-26
Last modified date: 2004-04-03

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:

Modules/Macros
BBOUBINF          

Publications Referenced

Fix information
Fixed component name: WEBSPHERE FOR Z
Fixed component ID: 5655I3500

Applicable component levels
R500 PSY UQ86666    UP04/03/31 P F403



Document Information


Current web document: swg1PQ85631.html
Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server for z/OS
Operating system(s):
Software version: 500
Software edition:
Reference #: PQ85631
IBM Group: Software Group
Modified date: Apr 3, 2004