PQ85290: WITH MAKING USE OF THE NEW SECURITY DOMAIN FUNCTION IN W502000, MAY SEE SECURITY VIOLATION FOR THE SERVER CLASS WHEN SR STARTS
APAR status
Closed as program error.

Error description
New function for the Security Domain is shipped in service level W502000. If you answered 'yes' to the customization dialog panel option to take advantage of this new function on the "Security Domain Configuration (1 of 2)" panel:

    Use Security Domain Identifier in RACF Definitions: Y

AND you have the WLM Dynamic Application Environment (DAE) enabled (OW54622), then WebSphere incorrectly builds the security domain name into the SERVER profile name string for the SERVER class check. When a servant region (SR) starts, you will see a message about a security violation. For RACF, the message appears as:

    ICH408I USER(DMSR1 ) GROUP(WSCFG1 ) NAME(WAS DMGR SR
    CB.SM0CELL1.BBODMG.NDMCL1GR CL(SERVER )
    INSUFFICIENT ACCESS AUTHORITY
    FROM CB.*.BBO*.* (G)
    ACCESS INTENT(READ ) ACCESS ALLOWED(NONE )

In this example SM0CELL1 is the security domain name. The server generic and specific names are BBODMGR and BBODMGR. The userid for the servant region (SR) is DMSR1. The cell short name is NDMCL1.

The BBODBRAK job contains the correct PERMITs:

    PERMIT CB.*.BBODMGR CLASS(SERVER) ID(DMSR1) ACC(READ)
    PERMIT CB.*.BBODMGR.* CLASS(SERVER) ID(DMSR1) ACC(READ)

But they do not match, because the SERVER profile name constructed by the WebSphere code, CB.SM0CELL1.BBODMG.NDMCL1GR, contains BBODMG instead of BBODMGR. The code also overlaid the cell short name onto part of the string.

This APAR is taken to correct the building of the profile name used in the SERVER class check.

MD18923 502+

Local fix
Add another PERMIT statement for the incorrectly built profile name until this APAR ships. Using the example in the error description, the workaround PERMITs would be:

    PERMIT CB.*.BBODMG CLASS(SERVER) ID(DMSR1) ACC(READ)
    PERMIT CB.*.BBODMG.* CLASS(SERVER) ID(DMSR1) ACC(READ)

Or, if you do not intend to use the security domain function, change the answer in the customization dialogs to N on the "Security Domain Configuration (1 of 2)" panel:

    Use Security Domain Identifier in RACF Definitions: N

Then regenerate and rerun the jobs.

Problem summary
USERS AFFECTED: All users of WebSphere Application Server V5.0 for z/OS
PROBLEM DESCRIPTION: If the WLM Dynamic Application Environment (DAE) feature is used with the security domain support, an incorrect server name is generated for CBIND checks. This will result in CBIND failures.
RECOMMENDATION:

If WLM DAE is used, the group name is added without allowing for the security prefix. This will result in failure if the security domain support is used. For example, the server name that should be generated as CB.TESTCELL.BBOS001.BBOC001.SY1 will instead be CB.TESTCELL.BBOS00.SY1OC001.

Problem conclusion
Code in bbossrva.plx will be modified to remove the security domain prefix, since it is not supposed to be used for SERVER checks (this case). Callers of BBOSSRVA will be modified to remove the security domain parameter.

APAR PQ85290 is associated with SERVICE LEVEL W502005 of WebSphere Application Server V5.0 for z/OS.
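To tell this defect apart from an ordinary missing PERMIT, the check below scans ICH408I text for SERVER-class denials in which a qualifier is a cut-off prefix of a known server name, and builds the temporary PERMITs in the form the local fix gives. It is an added example, not IBM code; the function names, the prefix heuristic and the second log record are assumptions made for illustration.

```python
import re

# First record: the ICH408I text exactly as quoted in the error description.
# Second record: constructed for contrast (an ordinary SERVER-class denial).
SAMPLE_LOG = (
    "ICH408I USER(DMSR1 ) GROUP(WSCFG1 ) NAME(WAS DMGR SR "
    "CB.SM0CELL1.BBODMG.NDMCL1GR CL(SERVER ) INSUFFICIENT ACCESS AUTHORITY "
    "FROM CB.*.BBO*.* (G) ACCESS INTENT(READ ) ACCESS ALLOWED(NONE )\n"
    "ICH408I USER(TESTUSR ) GROUP(TESTGRP ) NAME(CONSTRUCTED ) "
    "CB.BBODMGR.BBODMGR CL(SERVER ) INSUFFICIENT ACCESS AUTHORITY "
    "ACCESS INTENT(READ ) ACCESS ALLOWED(NONE )\n"
)

USER_RE = re.compile(r"USER\((\w+)\s*\)")
RESOURCE_RE = re.compile(r"(\S+)\s+CL\((\w+)\s*\)")


def find_truncated_server_checks(log_text, server_names, min_prefix=4):
    """Return SERVER-class denials whose resource name holds a cut-off server name."""
    findings = []
    for record in log_text.split("ICH408I")[1:]:
        user = USER_RE.search(record)
        res = RESOURCE_RE.search(record)
        if not user or not res or res.group(2) != "SERVER":
            continue
        qualifiers = res.group(1).split(".")
        for name in server_names:
            if name in qualifiers:
                continue  # full name present: an ordinary denial, not this defect
            for q in qualifiers:
                # Heuristic (assumption): a proper prefix of a known server name
                if len(q) >= min_prefix and q != name and name.startswith(q):
                    findings.append({"user": user.group(1), "resource": res.group(1),
                                     "built": q, "expected": name})
    return findings


def workaround_permits(finding):
    """Temporary PERMITs in the form the local fix gives for the misbuilt name."""
    base = f"PERMIT CB.*.{finding['built']}"
    tail = f" CLASS(SERVER) ID({finding['user']}) ACC(READ)"
    return [base + tail, base + ".*" + tail]


if __name__ == "__main__":
    for f in find_truncated_server_checks(SAMPLE_LOG, ["BBODMGR"]):
        print(f["resource"], "->", f["built"], "should be", f["expected"])
        print("\n".join(workaround_permits(f)))
```

Pass the server short names from your own configuration as `server_names`; only denials that carry a shortened form of one of them are reported.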
Document Information
Current web document: swg1PQ85290.html
Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server for z/OS
Operating system(s):
Software version: 500
Software edition:
Reference #: PQ85290
IBM Group: Software Group
Modified date: Apr 3, 2004
(C) Copyright IBM Corporation 2000, 2009. All Rights Reserved.