PQ93643: SHIP INTERNAL DEFECT FIXES FOR SERVICE LEVEL W502015.

 A fix is available

Obtain the fix for this APAR



APAR status
Closed as program error.

Error description
Ship internal defect fixes for Service Level W502015.
Local fix Problem summary
****************************************************************
* USERS AFFECTED: All users of WebSphere Application Server    *
*                 V5.0 for z/OS                                *
****************************************************************
* PROBLEM DESCRIPTION: APAR PQ93643 addresses the following    *
*                      defect in WebSphere Application Server  *
*                      V5.0 for z/OS:                          *
*                                                              *
*                      (botp_
PQ85045) When JSPs that are       *
*                      escaped out of context root are         *
*                      included, the JspBatcCompiler was       *
*                      accepting them as valid documents.      *
*                                                              *
*                      (MD20395) A JMS startup failure can be  *
*                      caused by having the wrong jobname in   *
*                      the BBOTCPII member.                    *
*                                                              *
*                      (MD20397) Job BBOWCPYZ ended with a     *
*                      return code of 4:                       *
*                        IEB177I BBO5DMNZ WAS SELECTED BUT     *
*                            NOT FOUND IN ANY INPUT DATA SET   *
*                                                              *
*                      (MD20420)  ServletException in:         *
*                      /secure/layouts/addPropLayout.jsp       *
*                      null' on CSIv2 Authentication pages     *
*                                                              *
*                      (MD20439) Updates to Administrative     *
*                      Console CSIv2 Authentication Additional *
*                      Settings are ignored.                   *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
APAR PQ93643 addresses the following defect in WebSphere
Application Server V5.0 for z/OS:

(botp_
PQ85045) JSP includes can use directory escapes to include
files outside of the context root of the webapp.  This is
contrary to the behavior of WebSphere Application Server
version 4.0.1 for z/OS and OS/390 and is not the expected
behavior. For example in the jsp include directive
<jsp:include page="{relativeURL | <%= expression %>}"
flush="true" /> the relative URL should not allow the file name
to go beyond the context root.

(MD20395) The JMS direct address port (&ASJDADDP) is opened from
an address space whose name is often, but not always,
&MQSSID.WEMP - for example, WMQXWEMP.  However, under
certain circumstances, other jobnames like WMQX123W are used.

Member BBOTCPII reserves the port to &MQSSID.WEMP explicitly,
which can cause a JMS startup failure:
 +CSQX218E +WMQX CSQXLSTT Listener unable to bind to port 5559
 address 0.0.0.0, TRPTYPE=TCP INDISP=QMGR, RC=0000006F

  (where 5559 is the port reserved in BBOTCPII.)

Instead, member BBOTCPII should reserve the direct address port
to generic OMVS like the follow:
  &ASJDADDP. TCP OMVS      ; JMS Server Direct Address port

(MD20397) The JMS proclib setup job BBOWCPYZ copies member
BBO5DMNZ into the customer's proclib, but BBO5DMNZ is not
generated by the customization process for JMS.  BBOWCPYZ will
fail if the customer uses a new <customer specified HLQ>.CNTL
data set for JMS customization.

Since the daemon's STEPLIB is not updated for JMS, the BBO5DMNZ
proc should not be copied by BBOWCPYZ.

(MD20420) On both of the CSIv2 Authentication pages in the
Administrative Console (Servers > Application Servers >
server name > Server Security >
CSIv2 Inbound Authentication and Servers > Application Servers >
server name > Server Security > CSIv2 Outbound Authentication),
the following message appears where the Additional Properties
links should be:

 ServletException in:/secure/layouts/addPropLayout.jsp  null'

(MD20439) The CSIv2 Inbound/Outbound Authentication Additional
Settings for Server Security - Servers > Application Servers >
servername > Server Security > CSIv2 Inbound Authentication
(or CSIv2 Outbound Authentication) > Additional Settings -
are not saved in the security.xml file.  In other words, updates
are accepted, but then ignored.
Problem conclusion
APAR PQ93643 fixes the following defect in WebSphere Application
Server V5.0 for z/OS.

(botp_
PQ85045) No check on the location of the included jsp was
made - this APAR corrects that.

(MD20395) Dialog JCL skeleton BBOTCPII will be updated to
reserve the direct address port to generic OMVS instead of
&MQSSID.WEMP.

(MD20397) Dialog skeleton BBOWCPYZ will be updated so that
BBO5DMNZ is not copied.

(MD20420) Code changed to properly initialize internal refId
variable.

(MD20439) Code was using a different technique to process the
values entered than is done for other security.xml Additional
Settings and it was not working.  The code was modified to use
the standard processing technique.

APAR PQ93643 is associated with SERVICE LEVEL W502015 of
WebSphere Application Server V5.0 for z/OS.
Temporary fix Comments
APAR information
APAR number PQ93643
Reported component name WEBSPHERE FOR Z
Reported component ID 5655I3500
Reported release 500
Status CLOSED PER
PE NoPE
HIPER NoHIPER
Special Attention NoSpecatt
Submitted date 2004-09-01
Closed date 2004-09-03
Last modified date 2004-10-05

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:
UQ92596

Modules/Macros
BBOBOA BBOCASYD BBOCCFMT BBOCESES BBOCGIOP BBOCHSES
BBOCHSSS BBOCHTTP BBOCLCLR BBOCLOCT BBOCLSPC BBOCOM
***This field was truncated. To obtain
the full apar record, please contact
your local support center.***    

Publications Referenced

Fix information
Fixed component name WEBSPHERE FOR Z
Fixed component ID 5655I3500

Applicable component levels
R500 PSY UQ92596    UP04/09/13 P F409

  Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.


Document Information


Current web document: swg1PQ93643.html
Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server for z/OS
Operating system(s):
Software version: 500
Software edition:
Reference #: PQ93643
IBM Group: Software Group
Modified date: Oct 5, 2004