PQ65688: ICH408I SHOULD NOT BE ISSUED AS A RESULT OF A CONTROL CHECK ON A SESSION 'OWNER'.

 A fix may be available

Obtain the fix for this APAR



APAR status
Closed as program error.

Error description
SSL is not used in anyway yet we are seeing
security violations indicating that the Web Server userid
needs CONTROL access to CBIND resource CB.BIND.<servername>
This resource currently has a UACC of READ as outlined in
the install process. We do not want to give the WEB server
CONTROL access when it should only need READ. But the following
is generated when an application server is first started:
  ICH408I USER(xxxxxx ) GROUP(IMWEB ) NAME(IBM HTTP SERVER STC
  CB.BIND.PS9ASR1 CL(CBIND ) INSUFFICIENT ACCESS AUTHORITY
  ACCESS INTENT(CONTROL) ACCESS ALLOWED(READ )
where xxxxxx is the user id of a web server and and PS9ASR1
is the name of the WAS app server control region.
In this situation CONTROL access is not required and therefore
no warning message should be issued when access less than
CONTROL is used.
Local fix Problem summary
****************************************************************
* USERS AFFECTED: All users of WebSphere Application Server    *
*                 V4.0.1 for z/OS and OS/390                   *
****************************************************************
* PROBLEM DESCRIPTION: ICH408I should not be issued as a       *
*                      result of a control check.              *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
Local security checks CONTROL access for the owner of the
client side address space. If a authorization check failure
occurs a ICH408I message is issued that should not be.
Problem conclusion
The ICH408I message will be suppressed for the CONTROL check of
the session owner, and the local authorization checks will
exactly mimic the remote checks.

APAR PQ65688 is associated with SERVICE LEVEL W401402 of
WebSphere Application Server V4.0.1 for z/OS and OS/390.
Temporary fix Comments
APAR information
APAR number PQ65688
Reported component name WASKBASE
Reported component ID 5655A9801
Reported release 401
Status CLOSED PER
PE NoPE
HIPER NoHIPER
Submitted date 2002-08-28
Closed date 2002-10-10
Last modified date 2002-11-03

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:

Modules/Macros
BBOUBINF          

Fix information
Fixed component name WASKBASE
Fixed component ID 5655A9801

Applicable component levels
R401 PSY UQ70733    UP02/10/16 P F210

  Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.


Document Information


Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server for z/OS
Operating system(s):
Software version: 401
Software edition:
Reference #: PQ65688
IBM Group: Software Group
Modified date: Nov 3, 2002