PQ67291: THIS APAR ADDRESSES DEFECTS IN WEBSPHERE APPLICATION SERVER V4.0.1 FOR Z/OS AND OS/390.


APAR status
Closed as program error.

Error description
This APAR addresses defects in WebSphere Application Server
V4.0.1 for z/OS and OS/390.

Local fix

Problem summary
****************************************************************
* USERS AFFECTED: All users of WebSphere Application Server    *
*                 V4.0.1 for z/OS and OS/390                   *
****************************************************************
* PROBLEM DESCRIPTION: APAR PQ67291 addresses various problems *
*                      in WebSphere Application Server V4.0.1  *
*                      z/OS and OS/390.                        *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
APAR PQ67291 addresses the following problems in
WebSphere Application Server V4.0.1 for z/OS and OS/390:

(MD14744) Message BBOU0736E Credential handling function
RunAsGetSpecCredRole failed in Routine RACROUTE with SAF Return
Code (hex): 4, RACF Return Code (hex): 270f, and RACF
Reason Code (hex): 270f is received. Examination of a dump will
show many apparently identical OPIs on the Used Identity Table.
They will have the same userid. If the code is operating
correctly, these OPIs should be re-used but this is not
happening. Eventually, there is a shortage of storage and the
above message is issued. The message gives little clue regarding
the nature of the problem.

(MD14770) ABEND0C4/ABENDS0C4 Reason Code 4 occurs in routine
BuildSEE because of improper serialization on the RACO reuse stack.

(MD14835) The number of SSL handshake threads cannot be
configured. An external is needed to control the number of SSL
Handshake threads in each control region.

(MD14836) Currently, the only external setting for the SSL
cipher suites is the SSL Use Confidentiality Only Option.
Otherwise, system SSL uses all installed cipher suites when
negotiating with the peer. A more advanced configuration option
is needed.

(MD14845) Assert fails when setReceived is called and finds a
subject already in the current thread. If this is the case the
following exception is thrown:

java.lang.IllegalArgumentException: boolean expression false
at com.ibm.ejs.util.ASSERT.notFalse(ASSERT.java:19)
at com.ibm.ejs.util.ASSERT.isTrue(ASSERT.java:23)
at com.ibm.ws390.sec.WS390ThreadSecurity.setReceived(WS390ThreadSecurity.java:133)
at com.ibm.ws390.sec.WS390SecurityManager.connectReceivedCredential(WS390SecurityManager.java:118)
at com.ibm.ws390.rmi.corba.ORBEJSBridge.invoke(ORBEJSBridge.java:349)

In the commit of a transaction started on WebSphere AE, the
container on 390 is invoked as a sync. object and drives
ejbstore. Ejbstore drives the code to get a datasource and to
get a connection. The get of a connection drives the method
allocateConnection in WS390AppServerConnectionManager.
The call to getCurrentSubjectwithUtoken determines that there
is no subject on the thread that is running, so it puts the
server subject on the thread.
Then after the call to getCurrentSubjectwithUtoken,
AllocateConnection invokes pushSubject, and then later invokes
popSubject.  When the container exits processing for the tran,
the server subject is still associated with the thread.  The
next time a method is invoked on the thread using the normal
invoke processing in the ORBEJSBridge, the security code checks
the subject on the thread and finds a subject already on the
thread.

(MD14899) The TRACEALL modify command accepts input that is not
valid (e.g. 12345 where only 0, 1, 2, or 3 is valid). The parser
only checks the first digit for validity.  However, other
following digits may be used in setting the trace mask.

(MD14916) Tracing for the getStreamCacheElement method in
com.ibm.ws390.sm.mm.StreamCacheMgr class shows "ENTRY" for both
entry and exit.

(84342) Form-based login fails with web security
version 1 when running session-in-memory. When running
with security version 1, the login always fails as if
an invalid user ID and/or password were entered,
even if valid credentials were supplied.

Problem conclusion
APAR PQ67291 provides the following problem resolution:

(MD14744) The main problem fixed was a problem passing the
userid to ExtractIdOpi (bbossuia.mac). Some routines were
passing the userid, others a pointer to the userid. The routine
was modified to accept a pointer to the userid, and all callers
were modified as necessary to match. Minor problems with
parameter passing in these routines were also fixed.

(MD14770) Support has been modified to correct the serialization
of the RACO reuse stack by changing the stack push and pop
routines to use a CDS instead of a CS with the second field
being a sequence number that gets incremented during the
pushRACO function.
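
The interleaving that a sequence number guards against, as an added example that is not IBM's code: a pop that compares only the top entry accepts a stale snapshot after another thread has popped two entries and pushed the first one back, while a compare over top plus sequence number rejects it. The C11 sketch emulates CS and CDS on one 64-bit atomic; the two-node pool, the index-as-pointer layout and all function names are assumptions.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#define NIL     0xFFFFFFFFu   /* empty-stack marker */
#define REFUSED 0xFFFFFFFEu   /* stale commit was rejected */
static uint32_t next_of[2];   /* link field of each pool node (constructed 2-node pool) */
static _Atomic uint64_t head; /* high word: sequence number, low word: top node index */

static uint64_t pack(uint32_t seq, uint32_t top) { return ((uint64_t)seq << 32) | top; }
static uint32_t top_of(uint64_t h) { return (uint32_t)h; }
static uint32_t seq_of(uint64_t h) { return (uint32_t)(h >> 32); }
/* Push increments the sequence number, as the APAR describes for pushRACO. */
static void push(uint32_t n) {
    uint64_t old = atomic_load(&head);
    do { next_of[n] = top_of(old); }
    while (!atomic_compare_exchange_weak(&head, &old, pack(seq_of(old) + 1, n)));
}
/* Pop is split in two so another thread's work can be placed between the halves. */
typedef struct { uint64_t seen; uint32_t next; } pop_snap;
static pop_snap pop_begin(void) {
    pop_snap s = { atomic_load(&head), NIL };
    if (top_of(s.seen) != NIL) s.next = next_of[top_of(s.seen)];
    return s;
}
/* wide=false emulates a one-word CS (top only); wide=true is the CDS (top + sequence). */
static bool pop_commit(pop_snap s, bool wide) {
    uint64_t expect = atomic_load(&head);
    if (wide) expect = s.seen;
    else if (top_of(expect) != top_of(s.seen)) return false;
    return atomic_compare_exchange_strong(&head, &expect, pack(seq_of(expect), s.next));
}
/* One attempt is enough here: the walk-through below has no real contention. */
static uint32_t pop(void) {
    pop_snap s = pop_begin();
    return (top_of(s.seen) != NIL && pop_commit(s, true)) ? top_of(s.seen) : NIL;
}
/* Returns the node a stale pop leaves on top, or REFUSED if its commit fails. */
static uint32_t stale_pop(bool wide) {
    atomic_store(&head, pack(0, NIL));
    push(1); push(0);            /* stack: 0 -> 1 */
    pop_snap s = pop_begin();    /* thread 1 reads top=0, next=1, then stalls */
    uint32_t a = pop(); pop();   /* thread 2 takes node 0, then node 1 (keeps 1 in use) */
    push(a);                     /* thread 2 returns node 0: top is 0 again */
    return pop_commit(s, wide) ? top_of(atomic_load(&head)) : REFUSED;
}
int main(void) {
    printf("CS: top=%u  CDS: %s\n", (unsigned)stale_pop(false),
           stale_pop(true) == REFUSED ? "refused" : "accepted");
    return 0;
}
```

With the one-word compare, node 1 ends up back on the stack while thread 2 still holds it, so two callers can be handed the same entry.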

(MD14835) A new environment variable,
SSL_HANDSHAKE_THREAD_COUNT, has been defined to control the
number of threads created in a control region. The default is 3,
which is the original fixed value.

(MD14836) Two environment variables have been added to allow
users to configure the SSL V3 cipher suites. These environment
variables should be added to the server's current.env file.

SSL_SERVER_V3CIPHERS - Overrides existing setting and sets
V3 ciphers for all protocols on the server.
BBOC_HTTP_SSL_V3CIPHERS - Sets the cipher suite for HTTPS
connections only.
Either or both envars may be set on a server.

Input to the envar must be in one of the following
formats:
- The exact string to be sent to system SSL, per the system
  SSL documentation.
  Example :  SSL_SERVER_V3CIPHERS=0A09
- A list of ciphers separated by commas.
  Example : SSL_SERVER_V3CIPHERS=0A,09

 Both envars were added to the existing list displayed
 in the SYSOUT.

(MD14845) Support has been modified to remove the call that
throws an exception if a subject is found in the current
thread.

(MD14899) The parser has been modified to validate that
individual trace values are only one character in length.

(MD14916) Tracing for the getStreamCacheElement method has
been changed to show "EXIT" on exit from the method.

(84342) The http session identifier that is sent in a
special security cookie must be prepended with an additional
data item which is new to the HTTP session implementation
associated with service level W401400.

(84356) Service Level incremented to W401403.

The following publications were revised as a result
of defect PQ67291:
________________________________________________________________
WebSphere Application Server V4.0.1 for z/OS and OS/390
Installation and Customization
GA22-7834-06

WebSphere Application Server V4.0.1 for z/OS and OS/390
Messages and Diagnosis
GA22-7837-06
________________________________________________________________

NOTE: Periodically, we refresh the documentation on our
Web site, so the changes might have been made before you
read this text. To access the latest on-line
documentation, go to the product library page at:


http://www.ibm.com/software/webservers/appserv/zos_os390/
________________________________________________________________

GA22-7834-06, Appendix A, pg. 396 (new information)

|--------------------------------------------------------------|
|Environment variable |DM | SM | Naming | IR | B. app | Client |
| =<default>          |   |    |        |    |        |        |
|--------------------------------------------------------------|
|BBOC_HTTP_SSL        |   |    |        |    | O      |        |
| _V3CIPHERS=string   |   |    |        |    |        |        |
|--------------------------------------------------------------|
| ...                 |   |    |        |    |        |        |
|--------------------------------------------------------------|
|SSL_SERVER_V3CIPHERS | R | O  | O      | O  | O      |        |
| =string             |   |    |        |    |        |        |
|--------------------------------------------------------------|
________________________________________________________________

GA22-7834-06, Appendix A, pg. 401 (new information)

|--------------------------------------------------------------|
|Environment variable |... | SM | Naming | IR | Bus. app | ... |
| =<default>          |    |    |        |    |          |     |
|--------------------------------------------------------------|
|SSL_HANDSHAKE_THREAD |... | O  | O      | O  | O        | ... |
| _COUNT=n            |    |    |        |    |          |     |
|--------------------------------------------------------------|
________________________________________________________________

GA22-7834-06, Appendix A, pg. 409 (new information)
Defines the SSL Version 3 cipher suites that system SSL uses in
the SSL handshake for an SSL connection. It overrides any
server-wide setting set via the Administration Application.
Specify a string as documented in "z/OS System Secure Sockets
Layer Programming" (SC24-5901). Each cipher is represented by
two characters (for example, "09" instead of "9").
Ciphers must be separated by commas.  The default is an empty
string, meaning no change is made to the cipher suites.

Examples :

SSL_SERVER_V3CIPHERS=09,0A,05
________________________________________________________________

GA22-7834-06, Appendix A, pg. 433 (new information)

SSL_HANDSHAKE_THREAD_COUNT=n
Specifies the number of SSL handshake threads that are present
in the control region. The default is 3.
Example: SSL_HANDSHAKE_THREAD_COUNT=10
________________________________________________________________

GA22-7834-06, Appendix A, pg. 433 (new information)

Defines the SSL Version 3 cipher suites that system SSL uses in
the SSL handshake for an SSL connection. It overrides any
server-wide setting set via the Administration Application.
Specify a string as documented in "z/OS System Secure Sockets
Layer Programming" (SC24-5901). Each cipher is represented by
two characters (for example, "09" instead of "9").
Ciphers must be separated by commas.  The default is an empty
string, meaning no change is made to the cipher suites.

Examples :
SSL_SERVER_V3CIPHERS=09,0A,05
________________________________________________________________

GA22-7837-06, Appendix A, pg. 411 (new information)

BBOU0825E USER INPUT CIPHER OR CIPHER SUITE, string, IS NOT
VALID.
Explanation: WebSphere for z/OS detected that a user-specified
cipher or cipher string was not valid. Either there was an error
in the string or the cipher is not in the list of installed
ciphers. Processing continues with the default cipher suite.
User Response: Verify that there are no syntax errors. Check the
SSL documentation for a list of valid ciphers.
________________________________________________________________

APAR PQ67291 is associated with SERVICE LEVEL W401403 of
WebSphere Application Server V4.0.1 for z/OS and OS/390.

Temporary fix

Comments

APAR information
APAR number PQ67291
Reported component name WASKBASE
Reported component ID 5655A9801
Reported release 401
Status CLOSED PER
PE NoPE
HIPER NoHIPER
Submitted date 2002-10-16
Closed date 2002-10-24
Last modified date 2002-11-03

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:

Modules/Macros
BBOUBINF EJSCCLAS EJSCCMSV EJSCCNFG EJSCJNUT EJSCJNWR
EJSCLOAD EJSCLOGR EJSCOEUT EJSCOSUT EJSCPLUG EJSCPLUT
EJSCPOOL EJSCPROP EJSCRULS EJSCSTUB EJSCSVHS EJSCVALD
EJSCVERS EJSCWSUT EJSJSVJR EJSJWBJR EJSJWC04 EJSLNLS
EJSTLDAT EJSXASIN EJSXJVMX      

Fix information
Fixed component name WASKBASE
Fixed component ID 5655A9801

Applicable component levels
R401 PSY UQ71162    UP02/10/31 P F210



Document Information


Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server for z/OS
Software version: 401
Reference #: PQ67291
IBM Group: Software Group
Modified date: Nov 3, 2002