PQ60567: FOR BMP BEANS, WITH CONNECTION MANAGEMENT TURNED ON, SERVER IDENTITY IS BEING INCORRECTLY PASSED TO DB2, SHOULD BE RUNAS
APAR status
Closed as program error.

Error description
When using BMP (Bean Managed Persistence) EJB Beans, with connection management turned on, the identity of the server is being passed to DB2 on the connection to DB2, rather than the 'runas' identity as desired.

Local fix

Problem summary
USERS AFFECTED: Users of WebSphere Application Server V4.0.1 for z/OS and OS/390 with BMP beans or servlets that get connections to DB2, and with the Connection Management configuration extension enabled (through the System Management End User Interface (Administration and Operations applications), also known as the SM EUI).

PROBLEM DESCRIPTION: Customer received a SQLCODE of -30082 when they tried to get a connection.

WebSphere was using the server identity to get JDBC connections to DB2, when it should have been using the RunAs identity (caller identity or Role identity). This happened when Connection Management was enabled for a server and when the DB2 datasource was configured in AAT as using "Container" Resource Authentication.

One way of looking at this problem is that the DB2 connection was obtained as if the "Enable Setting OS thread ID to RunAs ID" setting for the J2EE server was not checked or enabled, and this happened in cases where this setting was, in fact, enabled.

RECOMMENDATION:
If a customer with a BMP bean or servlet that obtains and uses JDBC connections to DB2 gets one of several possible error messages from DB2 indicating a lack of authority, the issue addressed by this APAR could be the underlying problem.

Possible errors include a failure to get a connection at all, or an inability to access a certain row in a DB2 table. The problem could also be a user error, as the identity used to get a DB2 connection depends on a combination of app/servlet API coding, AAT resource reference and RunAs settings, and the SM EUI setting "Enable Setting OS thread ID to RunAs ID" (sync to thread). This topic is explained in the "Assembling J2EE Applications" publication: see Chapter 4, "A closer look at the J2EE server" under the subheadings "Connectors", then "Determining the user ID for resource authentication."

Assuming that:

1) The user has configured DB2 datasource (resource) in AAT with resource authentication = container (not app or servlet)
2) The user has enabled "Enable Setting OS thread ID to RunAs ID" in the current server
3) Connection Management is enabled
4) Server identity (vs. RunAs identity) is being used to get the DB2 connection (the trace you have may or may not make you aware of this)

... it's very likely that the problem identified within this APAR is the problem.

Keep in mind that conditions 1) and 2) should be met whenever attempting to get a connection to DB2 with the RunAs identity, whether or not Connection Management is enabled (since there is a lesser version of Connection Management just for DB2 JDBC connections). Once this APAR fix ships, users who don't do 1) or 2) when they want to use the RunAs identity to get a DB2 connection will have the same symptoms as users hitting the problem described within this APAR: they'll get server identity on their DB2 connection when they want RunAs identity.

Problem conclusion
Sync to Thread is now done correctly when getting a JDBC connection to DB2 in a BMP or servlet with Connection Management enabled.

APAR PQ60567 is associated with SERVICE LEVEL W401056 of WebSphere Application Server V4.0.1 for z/OS and OS/390.

Temporary fix

Comments

APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
UQ65925

Modules/Macros
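One way to confirm condition 4 when the trace does not show it, as an added example (not IBM code and not part of this APAR): a helper that a BMP bean or servlet can call to see which authorization ID DB2 reports on a container-authenticated connection, or which SQLCODE the connection attempt fails with. The resource reference name jdbc/SampleDB2 is hypothetical, and reading the ID from DB2's USER special register is an assumption about how the connection identity surfaces.

```java
import java.sql.Connection;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.sql.DataSource;

/** Added diagnostic helper (not IBM code): reports which ID DB2 sees on a connection. */
public class Db2IdentityCheck {

    // Hypothetical resource reference; use the one declared for the bean or servlet in AAT.
    private static final String DS_REF = "java:comp/env/jdbc/SampleDB2";

    /** Returns the authorization ID DB2 reports, or "SQLCODE <n>" if connect or query fails. */
    public static String db2AuthId(DataSource ds) {
        Connection con = null;
        Statement st = null;
        ResultSet rs = null;
        try {
            // No user/password arguments: with resource authentication = container,
            // the container decides which identity the connection is obtained under.
            con = ds.getConnection();
            st = con.createStatement();
            // Assumption: the USER special register reflects that identity.
            rs = st.executeQuery("SELECT USER FROM SYSIBM.SYSDUMMY1");
            return rs.next() ? rs.getString(1).trim() : "";
        } catch (SQLException e) {
            // An authority failure at connect time lands here, e.g. the -30082 in this APAR.
            return "SQLCODE " + e.getErrorCode();
        } finally {
            try { if (rs != null) rs.close(); } catch (SQLException ignored) { }
            try { if (st != null) st.close(); } catch (SQLException ignored) { }
            try { if (con != null) con.close(); } catch (SQLException ignored) { }
        }
    }

    /** True only when DB2 reports the expected RunAs ID rather than the server ID. */
    public static boolean runsAsExpected(String expectedRunAsId) throws NamingException {
        DataSource ds = (DataSource) new InitialContext().lookup(DS_REF);
        return expectedRunAsId.equalsIgnoreCase(db2AuthId(ds));
    }
}
```

Call it from the same bean method or servlet that normally obtains the connection, so the check runs under the same RunAs settings as the failing request.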
Document Information
Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server for z/OS
Operating system(s):
Software version: 401
Software edition:
Reference #: PQ60567
IBM Group: Software Group
Modified date: Jun 5, 2002
(C) Copyright IBM Corporation 2000, 2006. All Rights Reserved.