PQ74463: THIS APAR ADDRESSES DEFECTS IN WEBSPHERE APPLICATION SERVER V5.0 FOR Z/OS.

APAR status
Closed as program error.

Error description
This APAR addresses defects in WebSphere Application Server V5.0 for z/OS.

Local fix

Problem summary
****************************************************************
* USERS AFFECTED: All users of WebSphere Application Server    *
*                 V5.0 for z/OS                                *
****************************************************************
* PROBLEM DESCRIPTION: APAR PQ74463 addresses various defects  *
*                      in WebSphere Application Server V5.0    *
*                      for z/OS.                               *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
APAR PQ74463 addresses the following defects in WebSphere Application Server V5.0 for z/OS:

(MD16100) Client support is needed for the TAG_ALTERNATE_IIOP_ADDRESS component in an IOR IIOP profile.

(MD16302) CPU time data is not provided in the J2EE container SMF records.

(MD16458) During security configuration, multiple SSL keyrings may be specified for the server. However, SSL only supports one keyring per process. If multiple keyrings are specified, current processing picks one and attempts to use it, and if there is a problem with it, SSL initialization fails. No attempt is made to use any other keyrings specified. The customer would see a message stating that SSL initialization failed.

(MD16475.1) Install changes are needed to support the following. Security configuration does not address the following issues:
- The APPL class profile for WebSphere can be set up as UACC read. The default user is set up as a Restricted User; this would not enable the server to do an init_acee, and the server would therefore fail during server startup.
- Updates are needed such that when SAF authorization is selected the configuration group and wsadmin both will have access to CosNaming profiles in SAF and Administrator profiles.
- The CA certificate must be made to expire after it is likely that the certificates generated by the CA certificate.

(MD16594) The administrative console enabling security requires Server Identity and Password for Local OS Server. This information should not be required. The customization dialog generates user identities for controller and servant processes (both base and ND) that do not have passwords associated with them. The WebSphere Local OS registry configuration asks for a server id and password during configuration. The requirement for an administrator to authenticate the server identity on the WebSphere Administrative console is unnecessary since the server has an identity established by the STARTED profile. The first administrative user should not be required to log in as a server identity; the administrator on z/OS needs a distinct identity.

(MD16594.1) Using the administrative console, navigate to: Security > User Registries > Local OS. There are userid and password fields on the detail view. On z/OS, the userid and password for a local OS registry are not wanted. The identity can be determined from the started task id. The administrator is configured using the dialog. The server identities do not actually have passwords. Thus, these 2 fields should be removed from the view.

(MD16615) The administrative console cannot be used with SSL when the request URL starts with http://. When a request URL contains http://, it is redirected to an https URL, as is required for the administrative console application when security is active. After the redirect takes place, the port number of the original request is assigned to the redirected request after it is received, instead of the port number which is associated with the https protocol, and the request cannot be dispatched.

(MD16827) When turning security on through the administrative console using LDAP, a user validation error is encountered on a validated user. On the administrative console, navigate to: Security > Global Security. Select "LDAP" from the drop-down list for the field "Active User Registry". Click the "Apply" button. Exception java.io.NotSerializableException will result. In the com.ibm.ws.console.security.ConnectToRuntime.authenticate() method, AdminServiceImpl.invoke() is used for "checkPassword", passing the SSLConfig object via JMX redirect to the control process from the servant process. Such an implementation requires the SSLConfig object to be serializable so that it can be marshalled over the JMX connector. However, the WCCM object SSLConfig is not serializable. This caused the exception.

(MD16878) BBODCPY1 gets return code 4 on ND install. After submitting BBODCPY1, the following error message appears in the job output:

  CAN NOT SPECIFY DUPLICATE MEMBER NAMES FOR SELECT/EXCLUDE/RENAME - DUPLICATE IS BBO5DMNZ

Here are the members being copied:

  C INDD=INPUT,OUTDD=OUTPUT
  S M=((BBO5DMN2,BBO5DMN,R))
  S M=((BBO5DMNZ,BBO5DMNZ,R))
  S M=((BBO5DCR,,R))
  S M=((BBO5DCRZ,,R))
  S M=((BBO5DSR,,R))
  S M=((BBO5DSRZ,,R))

For the line "S M=((BBO5DMNZ,BBO5DMNZ,R))", the dialog should generate "S M=((BBO5DMNZ,,R))" when the output is the same name.

(MD17012) Custom property detail view in the webui.securitycenter should not display the "Required" and "Validation Expression" fields. These 2 fields are for internal use only and should not be shown on the view.

(MD17026) A timeout occurs attempting to get a JMS Connection while driving mdbss. It is reported with message BBOO0220E J2CA0045E: Connection not available. This problem is caused by requesting more server sessions than are currently set in the max server session parameter in the connection factory settings. This happens during a given mdb initialization and will block further processing for the given mdb.

(MD17028) Two systems, not in the same sysplex but sharing the same name, attempt to connect via local communications. The connection fails and an ABENDS0C4/ABEND0C4 occurs trying to double free security control blocks.

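The double free in MD17028, and the fix listed for it under the problem conclusion (zeroing the security control block pointer after cleanup), can be shown in a few lines of C. This is an added example, not IBM's code: the struct names, both release functions and the tracking allocator are hypothetical, and the allocator only records frees so that the repeated free is counted instead of executed.

```c
#include <stdio.h>
#include <stdlib.h>

/* Example-only allocator: records frees so a repeated free is counted, not executed. */
struct tracker { void *block; int live; int double_frees; };

static void *t_alloc(struct tracker *t, size_t n)
{
    t->live = ((t->block = calloc(1, n)) != NULL);
    return t->block;
}

static void t_free(struct tracker *t, void *p)
{
    if (p == NULL || p != t->block) return;
    if (!t->live) { t->double_frees++; return; } /* a real free() here is the double free */
    t->live = 0;
}

/* Hypothetical connection that owns a security control block. */
struct sec_cb { char peer_system[9]; };
struct local_conn { struct sec_cb *sec; struct tracker heap; };

/* Pre-fix shape: block released, stale pointer left in the connection. */
static void release_sec_unfixed(struct local_conn *c) { t_free(&c->heap, c->sec); }

/* Post-fix shape: pointer zeroed after cleanup, so a repeat call is a no-op. */
static void release_sec_fixed(struct local_conn *c)
{
    t_free(&c->heap, c->sec);
    c->sec = NULL;
}

/* Failed connect: error path and common teardown both release. Returns repeat frees. */
static int double_frees_on_failed_connect(void (*release)(struct local_conn *))
{
    struct local_conn c = {0};
    c.sec = t_alloc(&c.heap, sizeof *c.sec);
    if (c.sec == NULL) return -1;
    release(&c);          /* connect failure path cleans up */
    release(&c);          /* generic teardown cleans up again */
    free(c.heap.block);   /* reclaim the storage for real, exactly once */
    return c.heap.double_frees;
}

int main(void)
{
    printf("unfixed: %d, fixed: %d\n", double_frees_on_failed_connect(release_sec_unfixed),
           double_frees_on_failed_connect(release_sec_fixed));
    return 0;
}
```
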
(MD17079) Using the WebSphere V5.0 for z/OS administrative console, if you navigate to the Applications > Enterprise Applications > Apache-SOAP Samples detail view and select the Session Management link, you get error 500 java.lang.NullPointerException. The Session Management view is processed by SessionManagerController.java. In this class, the last segment of the contextId is used as the application name to select the application from the Applications collection. On WebSphere AE the last part of the contextId is:

  "...:deployments:Apache-SOAP Samples"

But on was390, the last part of the contextId becomes:

  "...:deployments:Apache-SOAPfRiDaY20020913Samples"

A blank in an application name is translated to fRiDaY20020913. This caused the failure to match the application from the collection, which in turn generated a NullPointerException.

(MD17090) Daemon fails with ABENDS053/ABEND053 R=00000112. The daemon obtains a new system LX every time it is started. Eventually the start of a daemon fails in BBODPCCR with abend S053 reason code 00000112 because there are no more system LXs available.

(MD17104) When restarting the servers on a node via the administrative console, the wording of the informational message does not reflect the fact that the servers are restarting but have not necessarily completed successfully. The current message reads:

  The server processes on node {0} were restarted successfully

where {0} will be substituted by the node name.

(MD17131) Warning WTRN0008W is seen during server restart. Warning WTRN0008W is issued when an attempt to deserialize a Java object fails. When the subordinate branch of a distributed transaction is read from the RRS logs during restart, the transaction service attempts to deserialize XAResources from the persistent interest data, even if none exist. In the case where none exist, the WTRN0008W message is issued because there is nothing to deserialize.

(MD17139) A non-z/OS client attempting to connect to a z/OS server using CSIv2 mechanism GSSUP may fail with a platform-specific connect() error. This would be due to an incorrect realm name in the IOR. The connect() failure would occur if the client attempts to match the realm name in the target IOR with a known realm. If the client does not match realm names, there is no problem. An IBM WebSphere 5.0 client failed with the following error:

  org.omg.CORBA.NO_PERMISSION: JSAS0240E: Login failed. Verify the userid/password is correct. minor code: 49424300 completed: No.

Problem conclusion
APAR PQ74463 fixes various defects in WebSphere Application Server V5.0 for z/OS.

(MD16100) Client support was added for the TAG_ALTERNATE_IIOP_ADDRESS component in an IOR IIOP profile. This component provides alternative addresses which can be used by the ORB to locate an object. WebSphere does not include this component in IORs that it builds, but with this APAR it will support this component in IORs built by other ORBs.

(MD16302) Support was added to provide CPU time data in the J2EE container SMF records. This defect requires a change to documentation.
________________________________________________________________
WebSphere Application Server for z/OS V5
Operations and Administration
SA22-7912-00
________________________________________________________________
NOTE: Periodically, we refresh the documentation on our Web site, so the changes might have been made before you read this text. To access the latest on-line documentation, go to the product library page at:
www.ibm.com/software/webservers/appserv/zos_os390/library.html
________________________________________________________________
Appendix A. Auditing in WebSphere

pg. 133-134 (description changes for SM120JMQ, SM120JMR, and SM120JMS records in the Subtype 5 Bean Method section):

  Offset  Offset
  (dec)   (hex)   Name      Length  Format  Description
  1616    650     SM120JMQ  8       binary  Average cpu time in microseconds.
  1624    658     SM120JMR  8       binary  Minimum cpu time in microseconds.
  1632    660     SM120JMS  8       binary  Maximum cpu time in microseconds.

pg. 127 under Subtype 1: Server activity section, SM120WCP record
pg. 130 under Subtype 3: Server interval section, SM120TEC record
Text added to both record descriptions: TOD clock format (bit 51=microseconds).

(MD16458) Support has been modified to attempt to open the keyrings specified in a predetermined order (HTTP inbound, CSI inbound, CSI outbound) until one is successful. A warning message (BBOS0128W, which already exists) and trace entries document which keyring is being used. If none of the keyrings is successful, then SSL initialization fails. The warning message text is:

  BBOS0128W Multiple keyringnames were specified. Keyring %s was chosen.

(MD16475.1) Support was provided which modifies the Install Dialog for RACF customization jobs as follows:
- Grant APPL profile for CBS390 read permission.
- Grant all of Config group administrative access and CosNaming access, if SAF authorization was desired. Note that this is now done during the WebSphere Base configuration process.
- Added a 7 year expiration time to the CA certificate.

(MD16594) The administrative console enabling security requires Server Identity and Password for Local OS Server. This information should not be required. The customization dialog generates user identities for controller and servant processes (both base and ND) that do not have passwords associated with them. The WebSphere Local OS registry configuration asks for a server id and password during configuration. The requirement for an administrator to authenticate the server identity on the WebSphere administrative console is unnecessary since the server has an identity established by the STARTED profile. The first administrative user should not be required to log in as a server identity; the administrator on z/OS needs a distinct identity.

(MD16594) When a local OS registry is configured as the active one for security, the controller and servant region task level userids will be used as the WebSphere server identity used for startup and runAs server processing. The WAS administrator defined by the customization process is granted authorization to administrative and naming functions, regardless of whether SAF authorization or WebSphere native authorizations are used.

(MD16594.1) In the administrative console, the userid and password fields are removed for a local OS registry. A read-only field localOSType is added, with the following label, value, and description:

  Local OS Type
  SAS
  Use the "Custom Properties" link to configure the SAS.

(MD16616) HttpRequest.java has been changed to force the port number to be obtained from the connection and not from the browser-built header, which in the case of IE is incorrect.

(MD16827) Support was modified to call the local MBeanServer's invoke() method directly to avoid the serialization problem. In addition, a similar change was made in the com.ibm.ws.console.appmanagement.action.CheckSecurityAdmin.authenticate() method.

(MD16878) Dialog skeleton BBODWCPY1 has been updated to generate (BBO5DMNZ,,R) when the output is the same name.

(MD17012) The "Required" and "Validation Expression" fields are removed from the custom property view in the webui.securitycenter component.

(MD17026) The server session pool topology has been modified to honor the max server session pool size. In addition, the pool dynamically dispatches server sessions and creates new server sessions only if there are no free server sessions and the max server session limit has not been reached. Another enhancement is to allow each mdb to use its own pool instead of having a single pool as in the previous topology. This removes the need for multiple mdbs to wait on limited server sessions and speeds up processing of messaging requests.

(MD17028) Support has been modified to zero the security control block pointer after cleaning it up.

(MD17079) Code was modified to obtain: ConfigFileHelper.decodeContextUri(contextId), which correctly returns ".../deployments/Apache-SOAP Samples". Similar changes were made to AppBindingsController.java to address similar problems for other additional properties links on the same view.

(MD17090) Module bbodpccr has been updated to reuse the system LX that was obtained the first time the daemon for the cell was started.

(MD17104) Administrative console support has been modified such that when restarting the servers on a node, the informational message now reads:

  The server processes on node {0} are now stopped and are being restarted.

where {0} will be substituted by the node name.

(MD17131) Code was added to avoid deserializing XAResources from the persistent interest data when no XAResources exist.

(MD17139) The code was changed so that the correct realm name resides in the CSIv2 tagged component portion of a server's IOR.

APAR PQ74463 is associated with SERVICE LEVEL W500101 of WebSphere Application Server V5.0 for z/OS.

Temporary fix

Comments

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:
UQ77804

Modules/Macros

Publications Referenced

Document Information
Current web document: swg1PQ74463.html
Product categories: Software > Application Servers >
Distributed Application & Web Servers > WebSphere Application
Server for z/OS
Operating system(s):
Software version: 500
Software edition:
Reference #: PQ74463
IBM Group: Software Group
Modified date: Jul 3, 2003
(C) Copyright IBM Corporation 2000, 2009. All Rights Reserved.