PQ79022: WEBSPHERE CUSTOMIZATION IS MISSING CREATE OF CBS390 RACF APPL

 A fix may be available

Obtain the fix for this APAR



APAR status
Closed as program error.

Error description
RLIST APPL CBS390 ALL will show you if this APPL is defined.  If
it is, it was most likely defined because there was a generic
APPL profile which is set to UACC of NONE.  You can see if the
is a generic APPL profile with command RLIST APPL * ALL.  The
WebSphere groups require read access to CBS390.  This APAR is
include this setup into the Customization Dialog job for the
security setup, BBOWBRAC.
PERMIT CBS390 CLASS(APPL)
ID(CBCLGP CBADMGP CBCTL1 CBSR1 CBASR1 CBASR2 CBIVPGP CBIVPGP2)
ACCESS(READ)
.
Finally, refresh the class with this command:
.
SETROPTS CLASSACT(APPL)
.
The groups used in the PERMIT statement are the default groups.
If they have been customized, the customized values should be
substituted.  This is the use of the groups:
.
CBCLGP   - Default local and remote user ID System Management
           associates with servers
CBADMGP  - WebSphere administrators
CBCTL1   - WebSphere runtime and application server control
           regions
CBSR1    - WebSphere runtime server server regions
CBASR1   - CORBA IVP server server region
CBASR2   - J2EE IVP server server region
CBIVPGP  - CORBA IVP client
CBIVPGP2 - J2EE IVP client
.
The symptoms of this problem are Bootstrap phase 1 fails for
the Naming control region with message:
BBOU0003E CB SERIES CONTROL REGION NAMING01 ENDED ABNORMALLY,
REASON=C9C24089
indicating a user is not authorized.  The following message
also can be found in the WAS error log for the Naming server
control region (BBONM):
BBOU0096E initACEE (IRRSIA00) failed for MVS
Userid: CBGUEST , with SAF Return Code=8, RACF Return Code=8,
RACF Reason Code=32
Local fix
Manually issue the RDEFINE and/or PERMITs from the error
description.
Problem summary
****************************************************************
* USERS AFFECTED: All users of WebSphere Application Server    *
*                 version 4.0.1 for z/OS and OS/390.           *
****************************************************************
* PROBLEM DESCRIPTION: The WebSphere Customization Dialog is   *
*                      missing the create of the CBS390 RACF   *
*                      APPL class profile.                     *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
The WebSphere groups require access to the APPL class profile
CBS390 if the APPL class is active. Starting the WebSphere
servers will fail if a generic profile exists (e.g. *) that
covers the CBS390 profile name, and if the WebSphere groups
do not have READ permission.
Problem conclusion
The Customization Dialog is modified to generate, on request,
  these RACF commands:
       RDEFINE APPL CBS390 UACC(READ)
       PERMIT CBS390 CLASS(APPL) ID(xxx) ACC(READ)
         where xxx represents the set of WebSphere user groups
       SETROPTS CLASSACT(APPL)
  The default is that these commands are not generated. The
  security panel has a new question:
    Use APPL profile to restrict access to WebSphere: Y/N
  and an updated help panel

The help text for the security panel will read as follows:

...
Use SSL client certificates
          With this option, both the server and client pass
          digital certificates to prove their identities to
          each other.

Use APPL profile to restrict access to WebSphere
          Specify "Y" to use an APPL profile that restricts
          WebSphere for z/OS access. Creating such profiles is
          recommended if the APPL class is already activated in
          your installation or if you have a generic APPL profil
          that causes failure of users with a CBS390 profile.

Test certificate authority label
...

APAR PQ79022 is associated with SERVICE LEVEL W401606 of
WebSphere Application Server version 4.0.1 for z/OS and OS/390.
Temporary fix Comments
APAR information
APAR number PQ79022
Reported component name WASKBASE
Reported component ID 5655A9801
Reported release 401
Status CLOSED PER
PE NoPE
HIPER NoHIPER
Submitted date 2003-09-30
Closed date 2003-11-21
Last modified date 2004-01-03

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:
UQ82447

Modules/Macros
BBODIRDL BBODRMAK BBOSETUP BBOUBINF BBOWBRAC BBOWCPYR
BBOWHSEC BBOWSEC BBOWVARS BBOZ0005 BBOZ0227 BBOZ0294
BBOZ0757 BBOZ0758 BBOZ0812 BBOZ0813 BBOZ0997 BBOZ1002
BBOZ1004          

Fix information
Fixed component name WASKBASE
Fixed component ID 5655A9801

Applicable component levels
R401 PSY UQ82447    UP03/12/03 P F312

  Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.


Document Information


Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server for z/OS
Operating system(s):
Software version: 401
Software edition:
Reference #: PQ79022
IBM Group: Software Group
Modified date: Jan 3, 2004