PQ74463: THIS APAR ADDRESSES DEFECTS IN WEBSPHERE APPLICATION SERVER V5.0 FOR Z/OS.

 A fix is available

Obtain the fix for this APAR



APAR status
Closed as program error.

Error description
This APAR addresses defects in WebSphere Application Server
V5.0 for z/OS.
Local fix Problem summary
****************************************************************
* USERS AFFECTED: All users of WebSphere Application Server    *
*                 V5.0 for z/OS                                *
****************************************************************
* PROBLEM DESCRIPTION: APAR PQ74463 addresses various defects  *
*                      in WebSphere Application Server V5.0    *
*                      for z/OS.                               *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
APAR PQ74463 addresses the following defects in
WebSphere Application Server V5.0 for z/OS:

(MD16100) Client support is needed for the
TAG_ALTERNATE_IIOP_ADDRESS component in an IOR IIOP profile.

(MD16302) CPU time data is not provided in the J2EE container
SMF records.

(MD16458) During security configuration, multiple SSL keyrings
may be specified for the server. However, SSL only supports one
keyring per process. If multiple keyrings are specified, current
processing picks one and attempts to use it, and if there is a
problem with it, SSL initialization fails  No attempt is made to
use any other keyrings specified. The customer would see a
message stating that SSL initialization failed.

(MD16475.1) Install changes are needed to support the following.
Security configuration does not address the following issues:
 -The APPL class profile for WebSphere can be set up as UACC
  read. The default user is set as up as a Restricted User, this
  would not enable the server to do an init_acee and therefore
  fail during server startup.
 -Updates are needed such that when SAF authorization is
  selected the configuration group and wsadmin both will have
  access to CosNaming profiles in SAF and Administrator
  profiles.
 -The CA certificate must be made to expire after it is likely
  that the certificates generated by the CA certificate.

(MD16594) The administrative console enabling security requires
Server Identity and Password for Local OS Server. This
information should not be required. The customization dialog
generates user identities for controller and servant processes
(both base and ND) that do not have passwords associated with
them. The WebSphere Local OS registry configuration asks for a
server id and password during configuration.  The requirement
for an administrator to authenticate the server identity on the
WebSphere Administrative console is unnecessary since the server
has an identity established by the STARTED profile.
The first administrative user should not be required to log in
as a server identity, the administrator on z/OS needs a distinct
identity.

(MD16594.1) Using the administrative console, navigate to:
Security > User Registries > Local OS.
There are the userid and password fields on the detail view.
On z/OS, the userid and password for a local OS registry are
not wanted.  The identity can be determined from the started
task id.  The administrator is configured using the dialog.
The server identities don't actually have pw.  Thus, these
2 fields should be removed from the view.

(MD16615) The administrative console can not be used with SSL
when request URL starts with http://. When a request URL
contains http:// it is redirected to an https URL, as is
required to be the case with the administrative console
application when security is active, after the redirect takes
place the port number of the original request is assigned to
the redirected request after it is received, instead of the
port number which is associated with the https protocol, and
the request cannot be dispatched.

(MD16827) When turning security on through the administrative
console using LDAP, a user validation error is encountered on a
validated user. On the administrative console, navigate to:
Security > Global Security.  Select "LDAP" from the drop-down
list for the field "Active User Registry". Click button "Apply".
Exception java.io.NotSerializableException will result. In
com.ibm.ws.console.security.ConnectToRuntime.authenticate()
method, AdminServiceImpl.invoke() is used for "checkPassword"
passing the SSLConfig object via JMX redirect to control
process from the servant process.  Such an implementation
requires the SSLConfig object be serializable to be marshalled
over the JMX connector.  However, the WCCM object SSLConfig is
not serializable.  Thus, it caused the exception.

(MD16878) BBODCPY1 gets return code 4 on ND install.
After submitting BBODCPY1, the following error message
appear in the job output:
CAN NOT SPECIFY DUPLICATE MEMBER NAMES FOR
   SELECT/EXCLUDE/RENAME - DUPLICATE IS BBO5DMNZ

Here are the members being copied:
  C INDD=INPUT,OUTDD=OUTPUT
  S M=((BBO5DMN2,BBO5DMN,R))
  S M=((BBO5DMNZ,BBO5DMNZ,R))
  S M=((BBO5DCR,,R))
  S M=((BBO5DCRZ,,R))
  S M=((BBO5DSR,,R))
  S M=((BBO5DSRZ,,R))

For the line "S M=((BBO5DMNZ,BBO5DMNZ,R))", the dialog
should generate "S M=((BBO5DMNZ,,R))" when the output is
the same name.

(MD17012) Custom property detail view in the
webui.securitycenter should not display the "Required" and
"Validation Expression" fields. These 2 fields are for internal
use only and should not be shown on the view.

(MD17026) TimeOut occurs attempting to get JMS Connection while
driving mdbss. It shows as with message BBOO0220E J2CA0045E:
Connection not available. This problem is caused by requesting
more server sessions than are currently set in the max server
session parameter in the connection factory settings. This
happens during a given mdb initialization and will block further
processing for the given mdb.

(MD17028) Two systems, not in the same sysplex but sharing the
same name, attempt to connect via local communications. The
connection fails and a ABENDS0C4/ABEND0C4 occurs trying to
double free security control blocks.

(MD17079) Using the WebSphere V5.0 for z/OS administrative
console, if you navigate to: Applications >
Enterprise Applications > Apache-SOAP Samples detail view and
select the Session Management link, you get error 500
java.lang.NullPointerException. The Session Management view is
processed by SessionManagerController.java.  In this class, the
last segment of the contextId is used as the application name to
select the application from the Applications collection. On
WebSphere AE the last part of the contextId is:
   "...:deployments:Apache-SOAP Samples"
But on was390, the last part of the contextId becomes:
.:deployments:Apache-SOAPfRiDaY20020913Samples"
A blank in an application name is translated to fRiDaY20020913.
This caused the failure to match the application from the
collection.  Hence, generated a NullPointerException.

(MD17090) Daemon fails with ABENDS053/ABEND053 R=00000112.
Daemon obtains a new system LX every time it is started.
Eventually the start of a daemon fails in BBODPCCR with abend
S053 reason code 00000112 because there are no more system LXs
available.

(MD17104) When restarting the servers on Node, via the
administrative console, the words of the informational message
do not reflect the fact the servers are restarting but they have
not necessarily completed successfully. The current message
reads:

The server processes on node {0} were restarted successfully

where {0} will be substituted by the node name

(MD17131) Warning WTRN0008W is seen during server restart.
Warning WTRN0008W is issued when an attempt to deserialize a
java object fails.  When the subordinate branch of a distributed
transaction is read from the RRS logs during restart, the
transaction service attempts to deserialize XAResources from the
persistent interest data, even if none exist.  In the case where
none exist, the WTRN0008W message is issued because there is
nothing to deserialize.

(MD17139) A non-z/OS client attempting to connect to a z/OS
server using CSIv2 mechanism GSSUP, may fail with a platform
specific connect() error. This would be due to an incorrect
realm name in the IOR. The connect() failure  would occur if
the client attempts to match the realm name in the target IOR
with a known  realm. If the client does not match realmnames,
there is no problem.  An IBM WebSphere 5.0 client failed with
the following error org.omg.CORBA.NO_PERMISSION: JSAS0240E:
Login failed. Verify the userid/password is correct.
minor code: 49424300 completed: No.
Problem conclusion
APAR PQ74463 fixes various defects in WebSphere Application
Server V5.0 for z/OS.

(MD16100) Client support was added for the
TAG_ALTERNATE_IIOP_ADDRESS component in an IOR IIOP profile.
This component provides alternative addresses which can be used
by the ORB to locate an object. Websphere does not include this
component in IORs that it builds, but with this APAR it will
support this component in IORs built by other ORBs.

(MD16302) Support was added to provided cpu time data in the
J2EE contianer SMF records.

This defect requires a change to documentation.
________________________________________________________________
WebSphere Application Server for z/OS V5
Operations and Administration
SA22-7912-00
________________________________________________________________
NOTE: Periodically, we refresh the documentation on our
Web site, so the changes might have been made before you
read this text. To access the latest on-line
documentation, go to the product library page at:

www.ibm.com/software/webservers/appserv/zos_os390/library.html
________________________________________________________________
Appendix A. Auditing in WebSphere

pg. 133-134 (description changes for SM120JMQ, SM120JMR, and
SM120JMS records in the Subtype 5 Bean Method section):

Offset Offset Name  Length Format  Description
1616   650  SM120JMQ 8  binary  Average cpu time in
                                 microseconds.
1624   658  SM120JMR 8  binary  Minimum cpu time in
                                 microseconds.
1632   660  SM120JMS 8  binary  Maximum cpu time in
                                 microseconds.

pg. 127 under Subtype 1: Server activity section
              SM120WCP record
pg. 130 under Subtype 3: Server interval section
              SM120TEC record
text added to both record descriptions:

TOD clock format (bit 51=microseconds).

(MD16458) Support has been modified to attempt to open the
keyrings specified in a predetermined order (HTTP inbound, CSI
inbound, CSI outbound) until one is successful. A warning
message (BBOS0128W, which already exists) and trace entries
document which keyring is being used. If none of the keyrings
is successful, then SSL initialization fails. The warning
message text is:
BBOS0128W Multiple keyringnames were specified. Keyring %s
          was chosen.

(MD16475.1) Support was provided which modifies the Install
Dialog for RACF customization jobs as follows:
 - Grant APPL profile for CBS390 read permission.
 - Grant all of Config group administrative access and CosNaming
   access, if SAF authorization was desired.
   Note that this is now done during the WebSphere Base
    configuration process.
 - Added a 7 year expiration time to the CA certificate.

(MD16594) The administrative console enabling security requires
Server Identity and Password for Local OS Server. This
information should not be required. The customization dialog
generates user identities for controller and servant processes
(both base and ND) that do not have passwords associated with
them. The WebSphere Local OS registry configuration asks for a
server id and password during configuration.  The requirement
for an administrator to authenticate the server identity on the
WebSphere administrative console is unnecessary since the server
has an identity established by the STARTED profile.
The first administrative user should not be required to log in
as a server identity, the administrator on z/OS needs a distinct
identity.

(MD16594) When a local OS registry is configured as the active
one for security, the controller and servant region task level
userids will be used as the WebSphere server identity used for
startup and runAs server processing. The WAS administrator
defined by the customization process is granted authorization to
administrative and naming functions, regardless of whether SAF
authorization or WebSphere native authorizations are used.

(MD16594.1) In the administrative console, the userid and
passwords are removed for a local OS registry.  A read-only
field localOSType is added, with the following label, value,
and description:
   Local OS Type     SAS    Use the "Custom Properties" link
                            to configure the SAS.

(MD16616) HttpRequest.java has been changed to force the port
number to be obtained from the connection and not from the
browser-built header, which in the case of IE, is incorrect.

(MD16827) Support was modified to call the local MBeanServer's
invoke() method directly to avoid the serialization problem.
In addition, a similar change was made in the
com.ibm.ws.console.appmanagement.action.CheckSecurityAdmin.-
authenticate() method.

(MD16878) Dialog skeleton BBODWCPY1 has been updated to generate
(BBO5DMNZ,,R) when the output is the same name.

(MD17012) The "Required" and "Validation Expression" fields are
removed from the custom property view in the
webui.securitycenter component.

(MD17026) The server session pool topology has been modified to
honor the max server session pool size. In addition, the pool
dynamically dispatches server sessions and only create new
server sessions if and only if there are no free server
sessions and the max server session limit has not been reached.
Another enhancement is to allow each mdb use its own pool
instead of having a single pool as in the previous topology.
This decouples multiple mdbs having to wait on limited server
sessions and speeds up processing of messaging requests.

(MD17028) Support has been modified to zero security control
block pointer after cleaning it up.

(MD17079) Code was modified to obtain:
ConfigFileHelper.decodeContextUri(contextId)
which correctly returns ".../deployments/Apache-SOAP Samples".
Similar changes were made to AppBindingsController.java to
address similar problems for other additional properties
links on the same view.

(MD17090) Module bbodpccr has been updated to reuse the system
LX that was obtained the first time the daemon for the cell was
started.

(MD17104) Administrative console support has been modified such
that When restarting the servers on a node, the words of the
informational message now reads:

The server processes on node {0} are now stopped and are being
restarted.

where {0} will be substituted by the node name

(MD17131) Code was added to avoid deserializing XAResources from
the persistent interest data when no XAResources exist.

(MD17139) The code was changed so that the correct realm
name is resides in the CSIv2 tagged component portion of a
server's IOR.

APAR PQ74463 is associated with SERVICE LEVEL W500101 of
WebSphere Application Server V5.0 for z/OS.
Temporary fix Comments
APAR information
APAR number PQ74463
Reported component name WEBSPHERE FOR Z
Reported component ID 5655I3500
Reported release 500
Status CLOSED PER
PE NoPE
HIPER NoHIPER
Special Attention NoSpecatt
Submitted date 2003-05-22
Closed date 2003-06-20
Last modified date 2003-07-03

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:
UQ77804

Modules/Macros
BBOAXIAI BBOBOA BBOCCFMT BBOCCINJ BBOCCINS BBOCEIOP
BBOCGIOP BBOCHSES BBOCHSSS BBOCHTTP BBOCIOR BBOCIO
***This field was truncated. To obtain
the full apar record, please contact
your local support center.***    

Publications Referenced
SA22791200        

Fix information
Fixed component name WEBSPHERE FOR Z
Fixed component ID 5655I3500

Applicable component levels
R500 PSY UQ77804    UP03/06/25 P F306

  Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.


Document Information


Current web document: swg1PQ74463.html
Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server for z/OS
Operating system(s):
Software version: 500
Software edition:
Reference #: PQ74463
IBM Group: Software Group
Modified date: Jul 3, 2003