PQ60996: SEND ACEE TO SAF PRODUCT WHEN ENVRIN FLAG NOT SET IN RCVT

APAR status
Closed as program error.

Error description
The customer is running a servlet using EJB Roles for authorization.
The customer is using res-auth=container and has sync to OS thread
enabled in order to use the client id that is entered on the challenge
from the web container as the identity to verify against the
roles and to send to the resource manager.
.
The client's id is to be set in an ENVRIN structure when the
proper bit is set in the RCVT, which says ENVRIN is supported.
TopSecret does support this, but does not set the bit
properly.  So we do not pass an ENVRIN or ACEE, and the
server's identity is used for the check.
.
This APAR is to plug this hole until the TopSecret fix is
available.  We need to pass an ACEE with the client's
credentials.

Local fix

Problem summary
****************************************************************
* USERS AFFECTED: All users of WebSphere Application Server    *
*                 V4.0.1 for z/OS and OS/390                   *
****************************************************************
* PROBLEM DESCRIPTION: EJB Roles authorization is based on     *
*                      Server identity instead of client       *
*                      identity as a result of the RCVTXFAR    *
*                      bit not being set.                      *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
The customer was running a servlet using EJB Roles
authorization. The customer is using res-auth=container and
has sync to OS thread enabled. The customer wants to use the
client id that is entered on the challenge from the web
container as the identity to verify against the roles. That
identity is also to be sent to the resource manager.

The client's id should be set in an ENVRIN structure when the
proper bit is set in the RCVT, which says ENVRIN is supported.
The OEM security product being used by the customer does
support this but does not set the bit properly.  Therefore,
we do not pass an ENVRIN or ACEE, so the server's identity is
used for the check.

The intent of this APAR is to correct the problem that resulted
from the OEM product not setting the RCVTXFAR bit properly. We
need to pass an ACEE with the client's credentials to the
FASTAUTH check.

Problem conclusion
Support has been modified such that if the RCVTXFAR bit is not on,
the ACEE will be used for the FASTAUTH check. Code was added to
create the ACEE and hang it off of the active OPI for future
use.

APAR PQ60996 is associated with SERVICE LEVEL W401064 of
WebSphere Application Server V4.0.1 for z/OS and OS/390.

Temporary fix

Comments

APAR information
APAR number PQ60996
Reported component name WASKBASE
Reported component ID 5655A9801
Reported release 401
Status CLOSED PER
PE NoPE
HIPER NoHIPER
Submitted date 2002-05-09
Closed date 2002-05-20
Last modified date 2002-06-05

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:
UQ66413

Modules/Macros
BBOSSMET BBOUBINF        

Fix information
Fixed component name WASKBASE
Fixed component ID 5655A9801

Applicable component levels
R401 PSY UQ66413    UP02/05/29 P F205
