PQ81149: THIS APAR ADDRESSES DEFECTS IN WEBSPHERE APPLICATION SERVER V5.0 FOR Z/OS.
APAR status

Closed as program error.

Error description

This APAR addresses defects in WebSphere Application Server V5.0 for z/OS.

Local fix

Problem summary

****************************************************************
* USERS AFFECTED: All users of WebSphere Application Server    *
*                 V5.0 for z/OS                                *
****************************************************************
* PROBLEM DESCRIPTION: APAR PQ81149 addresses various defects  *
*                      in WebSphere Application Server V5.0    *
*                      for z/OS.                               *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************

APAR PQ81149 addresses the following defects in WebSphere Application Server V5.0 for z/OS:

(MD17530) WebContainer applications using client certificate authentication fail with HTTP error 403 on the browser. A Web Application has been built with an authentication method of client certificate. Global security is enabled. The Registry is specified as LocalOS, and SAF authorization and delegation are turned on (com.ibm.security.SAF.authorization=true and com.ibm.security.SAF.delegation=true). The application is run and results in an HTTP 403 returned from the server to the browser. One or more of the following error messages may appear in the server error log: BBOS0008E, BBOS0105E, BBOS0037E, BBOS0103E.

(MD17625) A programmatic login takes the user ID and password, ignores the com.ibm.CORBA.validateBasicAuth property and creates a BasicAuth credential. If the user ID or password is invalid, the client program does not find out until the first method request is attempted.

(MD17671) Trace logs of a new server are written to the wrong directory. When a new server is created using the default template, the administrative console writes the trace logs to a different directory.

(MD17769) The directory which contains javadoc describing public WebSphere APIs was missing.

(MD17798) Authorization failures occur when using the Local OS user registry and WebSphere authorization. These failures are most likely to occur when migrating an application from a WebSphere Distributed platform to z/OS. The user IDs held in the WebSphere authorization table may be in mixed or lower case, while Local OS user registry users are always in uppercase. This potential case difference causes authorization errors to occur. Messages like the following are typical:

    ExtendedMessage: SECJ0129E: Authorization failed for JAVAJOE
    while invoking GET on default_host:/jsp_sec/guestPage.jsp,
    Authorization failed, Not granted any of the required roles:
    Administrator Manager VP

In this example the Local OS user registry user "JAVAJOE" fails the authorization check even though the WebSphere authorization table allows the user "javajoe".

(MD17836) InvocationTargetException received during the restart of an already existing configuration. When a WebSphere server starts, it reads the XA partner log and deserializes some objects that were involved in XA transactions before the server was last shut down. It uses these objects to ensure that all of the XA transactions were properly committed or rolled back. In certain cases, the application of a PTF could provide new class definitions that are unable to deserialize the objects that were written using the old class definitions. This results in an InvocationTargetException in the joblog of your application servant region.
This exception will look similar to the following:

    deserializeWrapper caught the following exception, recovery will be halted
    com.ibm.ws390.tx.partnerLog.WS390XaRecUtil
    com.ibm.ws390.tx.partnerLog.WS390XaRecUtil
    java.lang.reflect.InvocationTargetException:
    java.io.InvalidClassException:
    com.ibm.ws.rsadapter.spi.WSManagedConnectionFactoryImpl;
    Local class not compatible: stream classdesc
    serialVersionUID=-5223603533727900186 local class
    serialVersionUID=-4494979438626168109
    at java.io.ObjectStreamClass.validateLocalClass(ObjectStreamClass.java:565)

(MD17901) The HFS gets filled with tracing because trace.log is specified in the server.xml:

    <services xmi:type="traceservice:TraceService"
              xmi:id="TraceService_1" enable="true"
              startupTraceSpecification="*=all=disabled"
              traceOutputType="SPECIFIED_FILE" traceFormat="BASIC"
              memoryBufferSize="8">
      <traceLog xmi:id="TraceLog_1"
                fileName="${LOG_ROOT}/&DMSSNL./trace.log"
                rolloverSize="20" maxNumberOfBackupFiles="1"/>
    </services>

This causes the trace to go to the HFS.

(MD17965) Remove "Web Services" (tech preview support) from the dialog since Web Services is being delivered in Cumulative Fix W502000.

(MD17988) The default timeout values for start/stop/delete application need to be increased. The new values should be 3 minutes instead of 50 seconds. This will prevent any timeout messages from being shown on the administrative console while installing, stopping, or starting applications.

(MD18027) The Filetransfer Application is unable to start. Sync does not occur. The following message is found in the logs:

    ExtendedMessage: SRVE0147E: No Virtual Host defined for web
    module: WebSphere Admin File Transfer Application the Web
    Application will not be loaded.

The Filetransfer application shipped with an incorrect default binding of admin_host rather than default_host. This can be corrected by updating the application using the Administrative Console to generate the proper bindings. With the application unable to start, sync could not occur.
This error could also occur if the ++HOLD information for W501000 was not followed with respect to Filetransfer.

(MD18035) The Deployment Manager fails during initialization unless SAF authorization is used. The control region abends with an A03 abend. Symptoms include the following failures:

    BBOO0220E NMSV0602E: Naming Service unavailable. A
    communications error occurred.
    BBOO0223I Exception javax.naming.CommunicationException:
    Could not obtain an initial context due to a communication
    failure
    BBOO0220E SECJ0281E: Error creating user registry object.

The caller Subject is first retrieved in an attempt to access the Name Space during server initialization. This occurs before the security server has been initialized. If WebSphere authorization is used on z/OS, the logic for getting the caller's Subject causes the security server object to be created. Security Server initialization requires access to the Name Space, whose initialization began this process. In fact, during this time frame, naming authorization is not enabled.

(MD18065) CNTR0020E: Non-application exception occurred while processing method <method name> on bean <bean id>. Exception Data: InvalidBeanOStateException(current = COMMITTING_IN_METHOD,expected = IN_METHOD | TX_IN_METHOD | DESTROYED)

The following stack trace would be seen if event tracing is active for class com.ibm.ejs.util.tran.SyncDriver. It is a subset of the trace.

    Trace: 2003/10/03 21:19:48.537 01 t=8E03B8 c=2.7 key=P8
    FunctionName: com.ibm.ejs.util.tran.SyncDriver
    SourceId: com.ibm.ejs.util.tran.SyncDriver
    Category: EVENT
    ExtendedMessage: afterCompletion failed;
    com.ibm.ejs.ras.TraceComponent@2e5a9e75,
    java.lang.NullPointerException
    at com.ibm.rmi.javax.rmi.CORBA.Util.stopKeepAliveThread(Util.java:680)

Another exception/message that would be seen in the Job Log without tracing active would be:

    CNTR0020E: Non-application exception occurred while processing
    method <method name> on bean <bean id>.
    Exception Data: InvalidBeanOStateException(current =
    COMMITTING_IN_METHOD, expected = IN_METHOD | TX_IN_METHOD |
    DESTROYED)
    at com.ibm.ejs.container.StatefulBeanO.postInvoke(StatefulBeanO.java:590)
    at com.ibm.ejs.container.EJSContainer.postInvoke(EJSContainer.java:2861)

(MD18084) When global security is enabled, the JMS Event Broker will try to load the WASPrincipalDirectory class. The broker cannot load trace and security context classes and a ClassNotFoundException is thrown. The JMS Event Broker cannot load the WASPrincipalDirectory when security is enabled. The WASPrincipalDirectory class also contains other classes that cannot be loaded from the broker. A ClassNotFoundException is thrown and the broker fails to start.

(MD18088) Update BBOINST and BBOUNIN for the new WebServices sample. The dialog-generated jobs BBOINST and BBOUNIN need to be updated to pick up the new WebServices sample that comes with v5.02.

(PQ78791) Message BBOS0108E for function RunAsGetSpecCredRole does not display the failed RACROUTE request. This is the message:

    BBOS0108E Credential handling function RunAsGetSpecCredRole
    failed in Routine RACROUTE with SAF Return Code (hex): 4,
    RACF Return code (hex): 8, and RACF Reason Code (hex): 0.

If SAF finds a problem when it tries to get a credential for a user ID associated with a role, WebSphere issues message BBOS0108E. This message contains the request that failed, RACROUTE, but it does not specify the request type that failed.

Problem conclusion

APAR PQ81149 fixes various defects in WebSphere Application Server V5.0 for z/OS.

(MD17530) The Application Server received a valid client certificate from the browser and successfully mapped it to a z/OS user ID. However, when the SAF authorization was done later, the SAF NSC token was not available and the authorization failed. The NSC token was actually created when the certificate was mapped, but it was never saved. The fix is to clone the current mapCertificate method and have it also return the NSC token.
The token is then saved for later use in the authentication process.

(MD17625) The code will check if the com.ibm.CORBA.validateBasicAuth property is set. By default the user ID and password are authenticated with the security server at the time of the request login. The result is either false, with a WSLoginFailedException indicating that the user ID and password are invalid, or true, where the BasicAuth credential is returned to the caller of the request login.

(MD17671) The webui code has been changed to remove the hard-coded trace log root for a newly created server, which fixed the problem.

(MD17769) This defect ships the javadoc HTML files under the directory: web/apidocs

(MD17798) The WebSphere user registry option that allows for case-insensitive authorization checks when using WebSphere authorization has been extended to the Local OS user registry. This option is available when selecting a new user registry or modifying an old one. When this option is selected, authorization checks will be performed without regard to case. This means that a Local OS user registry user "JAVAJOE" will pass an authorization check if the WebSphere authorization table permits "javajoe".

(MD17836) The default implementations of readObject and writeObject were overridden for the J2CXAResourceInfo object and all objects that it contains. The new implementation handles the case of deserializing older versions of the class.

(MD17901) To correct this, the server.xml skeleton has been updated to change traceOutputType from "SPECIFIED_FILE" to "MEMORY_BUFFER". With this change, it still writes to ctrace. However, the output will go to a wrap-around buffer instead of a file in the HFS.
The traceservice stanza now looks like:

    <services xmi:type="traceservice:TraceService"
              xmi:id="TraceService_1" enable="true"
              startupTraceSpecification="*=all=disabled"
              traceOutputType="MEMORY_BUFFER" traceFormat="BASIC"
              memoryBufferSize="8">
      <traceLog xmi:id="TraceLog_1"
                fileName="${LOG_ROOT}/&DMSSNL./trace.log"
                rolloverSize="20" maxNumberOfBackupFiles="1"/>
    </services>

(MD17965) The dialog has been updated to remove the Web Services (tech preview support) option from the dialog panels so that it will not be accessible to the user.

(MD17988) The timeout values for starting/stopping/deleting applications have been increased to 3 minutes so that the administrative console can handle the notification timeout issues.

(MD18027) The correct virtual host "default_host" binding is now used as the default.

(MD18035) Support has been modified to avoid creating a new thread security context until the security server has been initialized. Code was similarly changed for obtaining the invocation Subject.

(MD18065) Updated the z/OS Util class to override the stopKeepAliveThread method. The override does nothing because startKeepAliveThread on z/OS does not start a keep-alive thread. A keep-alive thread is not required on z/OS. The NullPointerException during stopKeepAliveThread causes a state change in the Bean to not take place and in turn causes the InvalidBeanOStateException on subsequent requests.

(MD18084) WASPrincipalDirectory has been modified such that no references are made to the trace and security context classes. The WASPrincipalDirectory class is instantiated from the broker only if security is already enabled, therefore there is no need to query the security context to verify if security is enabled.

(MD18088) Dialog skeletons BBOINST and BBOUNIN will be updated to add the new WebServices samples.

(PQ78791) Added the request type EXTRACT to message BBOS0108E for function RunAsGetSpecCredRole.

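The case mismatch behind (MD17798) and the effect of a case-insensitive authorization check, as an added Java example; it is not WebSphere code, and the class name, method names and role table contents are constructed for illustration. It also lists table entries that differ only by case, since those become a single identity once case is ignored.

```java
import java.util.*;

// Added illustration of (MD17798); not WebSphere code. All names are hypothetical.
public class CaseInsensitiveAuthzDemo {

    // Constructed authorization table: role -> user IDs as they might be stored
    // after migration from a distributed platform (mixed or lower case).
    static final Map<String, Set<String>> ROLE_TABLE = Map.of(
            "Administrator", Set.of("javajoe"),
            "Manager", Set.of("MaryM"),
            "VP", Set.of("JavaJoe"));

    // Fold case with a fixed locale so the result never depends on the JVM default.
    static String fold(String userId) {
        return userId.toUpperCase(Locale.ROOT);
    }

    // True if registryUser holds at least one of the required roles.
    static boolean isGranted(String registryUser, Collection<String> requiredRoles,
                             boolean ignoreCase) {
        for (String role : requiredRoles) {
            for (String tableUser : ROLE_TABLE.getOrDefault(role, Set.of())) {
                boolean match = ignoreCase
                        ? fold(tableUser).equals(fold(registryUser))
                        : tableUser.equals(registryUser);
                if (match) return true;
            }
        }
        return false;
    }

    // Table entries that collapse to one identity when case is ignored.
    // Worth reviewing before enabling a case-insensitive option.
    static Map<String, Set<String>> collisions() {
        Map<String, Set<String>> byFolded = new TreeMap<>();
        for (Set<String> users : ROLE_TABLE.values())
            for (String u : users)
                byFolded.computeIfAbsent(fold(u), k -> new TreeSet<>()).add(u);
        byFolded.values().removeIf(spellings -> spellings.size() < 2);
        return byFolded;
    }

    public static void main(String[] args) {
        List<String> required = List.of("Administrator", "Manager", "VP");
        String user = "JAVAJOE"; // Local OS registry user IDs are always uppercase
        System.out.println("exact match:      " + isGranted(user, required, false));
        System.out.println("case-insensitive: " + isGranted(user, required, true));
        System.out.println("case collisions:  " + collisions());
    }
}
```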
APAR PQ81149 is associated with SERVICE LEVEL W502000 of WebSphere Application Server V5.0 for z/OS.

Temporary fix

Comments
APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following: UQ82899

Modules/Macros

Publications Referenced

Document Information
Current web document: swg1PQ81149.html
Product categories: Software > Application Servers >
Distributed Application & Web Servers > WebSphere Application
Server for z/OS
Operating system(s):
Software version: 500
Software edition:
Reference #: PQ81149
IBM Group: Software Group
Modified date: Jan 3, 2004
(C) Copyright IBM Corporation 2000, 2009. All Rights Reserved.