PQ60996: SEND ACEE TO SAF PRODUCT WHEN ENVRIN FLAG NOT SET IN RCVT
APAR status
Closed as program error.

Error description
The customer is running a servlet using EJB Roles for authorization. He is using res-auth=container and has enabled sync to OS in order to use the client ID that is entered on the challenge from the web container as the identity to verify against the roles and to send to the resource manager.

The client's ID is to be set in an ENVRIN structure when the proper bit is set in the RCVT, which says ENVRIN is supported. TopSecret does support this, but does not set the bit properly, so we do not pass an ENVRIN or ACEE and the server's identity is used for the check.

This APAR is to plug this hole until the TopSecret fix is available. We need to pass an ACEE with the client's credentials.

Local fix

Problem summary
USERS AFFECTED: All users of WebSphere Application Server V4.0.1 for z/OS and OS/390
PROBLEM DESCRIPTION: EJB Roles authorization is based on Server identity instead of client identity as a result of the RCVTXFAR bit not being set.
RECOMMENDATION:

The customer was running a servlet using EJB Roles authorization. The customer is using res-auth=container and has sync to os thread enabled. The customer wants to use the client ID that is entered on the challenge from the web container as the identity to verify against the roles. That identity is also to be sent to the resource manager. The client's ID should be set in an ENVRIN structure when the proper bit is set in the RCVT, which says ENVRIN is supported. The OEM security product being used by the customer does support this but does not set the bit properly. Therefore, we do not pass an ENVRIN or ACEE, so the server's identity is used for the check.

The intent of this APAR is to correct the problem that resulted from the OEM product not setting the RCVTXFAR bit properly. We need to pass an ACEE with the client's credentials to the FASTAUTH check.

Problem conclusion
Support has been modified such that if the RCVTXFAR is not on, the ACEE will be used for the FASTAUTH check. Code was added to create the ACEE and hang it off of the active OPI for future use.

APAR PQ60996 is associated with SERVICE LEVEL W401064 of WebSphere Application Server V4.0.1 for z/OS and OS/390.

Temporary fix

Comments

APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
UQ66413
Modules/Macros

Document Information
Product categories: Software > Application Servers >
Distributed Application & Web Servers > WebSphere Application
Server for z/OS
Operating system(s):
Software version: 401
Software edition:
Reference #: PQ60996
IBM Group: Software Group
Modified date: Jun 5, 2002
(C) Copyright IBM Corporation 2000, 2006. All Rights Reserved.