PQ73046: WEBSPHERE FOR Z/OS DOES NOT PROPERLY SUPPORT THE USE OF RACF CLASS GEJBROLE. | |||||||||||||||||||||||||||||||||||||||||
![]() |
|||||||||||||||||||||||||||||||||||||||||
![]() APAR status Closed as program error. Error description Userid TESTID has been permitted access to a RACF profile set up as follows: RDEFINE EJBROLE ARCHITECT UACC(NONE) RDEFINE EJBROLE SPECIALIST UACC(NONE) RDEFINE GEJBROLE Supervisors UACC(NONE) OWNER(OWNERID) + ADDMEM(ARCHITECT,SPECIALIST) APPLDATA('CICSUSER') PERMIT Supervisors CLASS(GEJBROLE) ID(OWNERID,TESTID) ACCESS(READ) An EJB has methods defined with RUNAS(ROLE) and the ROLE is ARCHITECT. The APPLDATA associated with role Supervisors is the ID authorized to connect to CICS. When one of these EJB methods is invoked to attempt to connect to CICS, the connect fails because the EJB container is unable to EXTRACT the APPLDATA from the GEJBROLE profile. The EJB container seems to look forLocal fix APPLDATA only in class EJBROLE. If an EJBROLE of ARCHITECT is defined as follows: RDEFINE EJBROLE ARCHITECT UACC(NONE) APPLDATA('CICSUSER') PERMIT ARCHITECT CLASS(EJBROLE) ID(TESTID,OWNERID) ACCESS(READ) then the methods running as role ARCHITECT now successfully connect. The lookup of APPLDATA should return CICSUSER if it is present on either the GEJBROLE Supervisors or EJBROLE ARCHITECT. APPLDATA only in class EJBROLE. If an EJBROLE of ARCHITECT is APPLDATA only in class EJBROLE. If an EJBROLE of ARCHITECT is Put APPLDATA on the EJBROLEs instead of on the GEJBROLEs.Problem summary **************************************************************** * USERS AFFECTED: All users of WebSphere Application Server * * V4.0.1 for z/OS and OS/390 * **************************************************************** * PROBLEM DESCRIPTION: If EJBROLE mapping to a SAF userid is * * done using GEJBROLE profiles, the SAF * * userid in the APPLDATA for the GEJBROLE * * is not found. * **************************************************************** * RECOMMENDATION: * **************************************************************** The RACROUTE REQUEST=EXTRACT call in BBOSSITU.PLX, which obtains the APPLDATA for the requested EJBROLE, does not use options MATCHGN=YES and BRANCH=YES, which are needed if the extract search is to include GEJBROLE profiles. As a result, only EJBROLE profiles are searched.Problem conclusion The RACROUTE REQUEST=EXTRACT call in BBOSSITU.PLX was updated to include MATCHGN=YES and BRANCH=YES. APAR PQ73046 is associated with SERVICE LEVEL W401505 of WebSphere Application Server V4.0.1 for z/OS and OS/390.Temporary fix Comments
APAR is sysrouted FROM one or more of the following: APAR is sysrouted TO one or more of the following: Modules/Macros
|
Document Information |
Product categories: Software > Application Servers >
Distributed Application & Web Servers > WebSphere Application
Server for z/OS
Operating system(s):
Software version: 401
Software edition:
Reference #: PQ73046
IBM Group: Software Group
Modified date: Jun 5, 2003
(C) Copyright IBM Corporation 2000, 2006. All Rights Reserved.