PQ65849: NEW FUNCTION
APAR status

Closed as unreproducible in next release.

Error description

New Function

Local fix

Problem summary

USERS AFFECTED: All users of WebSphere Application Server V4.0.1 for z/OS and OS/390

PROBLEM DESCRIPTION: New support is needed which provides a mechanism for defining roles (permissions) that does not require SAF EJBRoles (i.e. RACF). WebSphere Application Server V4.0.1 for z/OS and OS/390 uses SAF Registry for authenticating users, but some customers want to use existing registries to authorize users.

RECOMMENDATION:

Custom User Registry support needs to be provided by the WebSphere Application Server V4.0.1 for z/OS and OS/390 product. A Custom User Registry is a way to use external registries to authenticate and authorize the users to the WebSphere V4.0.1 for z/OS runtime. In this configuration, J2EE permissions are not configured within the SAF system. Instead, they are provided via an XML file containing a Custom Registry Authorization Table.

Problem conclusion

Temporary fix

Comments

The Custom User Registry support provided by APAR PQ65849 provides a configuration option which allows a third party user registry to be provided for use with WebSphere for z/OS. In this configuration, J2EE permissions are not configured within the SAF system. Instead, they are provided via an XML file containing a Custom Registry Authorization Table.

When using a custom user registry in a WebSphere for z/OS environment, the customer should be aware of the following:

a. Authenticating remote EJB clients using a custom user registry is not supported. However, EJBs that are accessed from a Web application that is deployed in the same J2EE server as these EJBs can be administered within the domain of a custom user registry.

b. It is recommended that EJBs not be exposed to remote clients from a J2EE server which is configured to make use of a non-SAF registry.

c. When using single sign-on capability for an application, it is the responsibility of the administrator to ensure that all WebSphere for z/OS J2EE servers that are part of the sign-on domain are using the same registry (i.e., the same SAF User Registry or the same custom user registry).

d. Identities associated as a result of the EJB methods runAs server and runAs RoleName will not support custom user registry identities. Instead, they will use a SAF identity and subsequent authorizations will be done using the EJBRole profile.

APAR PQ65849 is associated with SERVICE LEVEL W401403 of WebSphere Application Server V4.0.1 for z/OS and OS/390.

**** PE02/11/25 PTF IN ERROR. SEE APAR PQ68370 FOR DESCRIPTION

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:

UQ71162

Modules/Macros

Document Information
Product categories: Software > Application Servers >
Distributed Application & Web Servers > WebSphere Application
Server for z/OS
Operating system(s):
Software version: 401
Software edition:
Reference #: PQ65849
IBM Group: Software Group
Modified date: Dec 10, 2002
(C) Copyright IBM Corporation 2000, 2006. All Rights Reserved.