PQ60567: FOR BMP BEANS, WITH CONNECTION MANAGEMENT TURNED ON, SERVER IDENTITY IS BEING INCORRECTLY PASSED TO DB2, SHOULD BE RUNAS

 A fix may be available

Obtain the fix for this APAR



APAR status
Closed as program error.

Error description
When using BMP (Bean Managed Persistence) EJB Beans, with
connection management turned on, the identity of the server is
being passed to DB2 on the connection to DB2, rather than the
'runas' identity as desired.
Local fix Problem summary
****************************************************************
* USERS AFFECTED: Users of WebSphere Application Server        *
*                 V4.0.1 for z/OS and OS/390 with BMP beans    *
*                 or servlets that get connections to DB2,     *
*                 and with the Connection Management           *
*                 configuration extension enabled (through     *
*                 the System Management End User Interface     *
*                 (Administration and Operations               *
*                 applications), also known as the             *
*                 SM EUI).                                     *
****************************************************************
* PROBLEM DESCRIPTION: Customer received a SQLCODE of -30082   *
*                      when they tried to get a connection.    *
*                                                              *
*                      WebSphere was using the server          *
*                      identity to get JDBC connections to     *
*                      DB2, when it should  have been using    *
*                      the RunAs identity (caller identity or  *
*                      Role identity). This happened when      *
*                      Connection Management was enabled for   *
*                      a server and when the DB2 datasource    *
*                      was configured in AAT as using          *
*                      "Container" Resource Authentication.    *
*                                                              *
*                      One way of looking at this problem is   *
*                      that the DB2 connection was obtained    *
*                      as if the "Enable Setting OS thread ID  *
*                      to RunAs ID" setting for the J2EE       *
*                      server was not checked or enabled, and  *
*                      this happened in cases where this       *
*                      setting was, in fact, enabled.          *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
If a customer with a BMP bean or servlet that obtains and uses
JDBC connections to DB2 gets one of several possible error
messages from DB2 indicating a lack of authority,  the issue
addressed by this APAR could be the underlying problem.
Possible errors include a failure to get a connection at all,
or an inability to access a certain row in a DB2 table.

The problem could also be a user error, as the identity used
to get a DB2 connection depends on a combination of app/servlet
API coding, AAT resource reference and RunAs settings, and the
SM EUI setting "Enable Setting OS thread ID to RunAs ID"
(sync to thread).

This topic is explained in the "Assembling J2EE Applications"
publication:  see Chapter 4, "A closer look at the J2EE server"
under the subheadings "Connectors", then "Determining the user
ID for resource authentication."

Assuming that:
1) The user has configured DB2 datasource (resource) in AAT with
   resource authentication = container (not app or servlet)
2) The user has enabled "Enable Setting OS thread ID to RunAs ID
    " in the current server
3) Connection Management is enabled
4) Server identity (vs. RunAs identity) is being used to get the
   DB2 connection (the trace you have may or may not make you
   aware of this)

... it's very likely that the problem identified within this
APAR is the problem.

Keep in mind that conditions 1) and 2) should be met whenever
attempting to get a connection to DB2 with the RunAs identity,
whether or not Connection Management is enabled (since there
is a lesser version of Connection Management just for DB2
JDBC connections).

Once this APAR fix ships, users who don't do 1) or 2) when
they want to use the RunAs identity to get a DB2 connection
will have the same symptoms as users hitting the problem
described within this APAR: they'll get server identity on
their DB2 connection when they want RunAs identity.
Problem conclusion
Sync to Thread is now done correctly when getting a JDBC
connection to DB2 in a BMP or servlet with Connection Management
enabled.

APAR PQ60567 is associated with SERVICE LEVEL W401056 of
WebSphere Application Server V4.0.1 for z/OS and OS/390.
Temporary fix Comments
APAR information
APAR number PQ60567
Reported component name WASKBASE
Reported component ID 5655A9801
Reported release 401
Status CLOSED PER
PE NoPE
HIPER NoHIPER
Submitted date 2002-04-26
Closed date 2002-05-06
Last modified date 2002-06-05

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:
UQ65925

Modules/Macros
BBOUBINF BBOZ0812 BBOZ0813 BBOZ0977    

Fix information
Fixed component name WASKBASE
Fixed component ID 5655A9801

Applicable component levels
R401 PSY UQ65925    UP02/05/10 P F205

  Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.


Document Information


Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server for z/OS
Operating system(s):
Software version: 401
Software edition:
Reference #: PQ60567
IBM Group: Software Group
Modified date: Jun 5, 2002