PQ67291: THIS APAR ADDRESSES DEFECTS IN WEBSPHERE APPLICATION SERVER V4.0.1 FOR Z/OS AND OS/390.
APAR status
Closed as program error.

Error description
This APAR addresses defects in WebSphere Application Server V4.0.1 for z/OS and OS/390.

Local fix

Problem summary
****************************************************************
* USERS AFFECTED: All users of WebSphere Application Server    *
*                 V4.0.1 for z/OS and OS/390                   *
****************************************************************
* PROBLEM DESCRIPTION: APAR PQ67291 addresses various problems *
*                      in WebSphere Application Server V4.0.1  *
*                      z/OS and OS/390.                        *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
APAR PQ67291 addresses the following problems in WebSphere Application Server V4.0.1 for z/OS and OS/390:

(MD14744) Message BBOU0736E Credential handling function RunAsGetSpecCredRole failed in Routine RACROUTE with SAF Return Code (hex): 4, RACF Return Code (hex): 270f, and RACF Reason Code (hex): 270f is received. Examination of a dump will show many apparently identical OPIs on the Used Identity Table. They will have the same userid. If the code is operating correctly, these OPIs should be re-used, but this is not happening. Eventually, there is a shortage of storage and the above message is issued. The message gives little clue regarding the nature of the problem.

(MD14770) ABEND0C4/ABENDS0C4 Reason Code 4 occurs in routine BuildSEE because of improper serialization on the RACO reuse stack.

(MD14835) The number of SSL handshake threads cannot be configured. An external is needed to control the number of SSL handshake threads in each control region.

(MD14836) Currently, the only external setting for the SSL cipher suites is the SSL Use Confidentiality Only Option. Otherwise, system SSL uses all installed cipher suites when negotiating with the peer. A more advanced configuration option is needed.

(MD14845) Assert fails when setReceived is called and finds a subject already in the current thread.
If this is the case, the following exception is thrown:

    java.lang.IllegalArgumentException: boolean expression false
        at com.ibm.ejs.util.ASSERT.notFalse(ASSERT.java:19)
        at com.ibm.ejs.util.ASSERT.isTrue(ASSERT.java:23)
        at com.ibm.ws390.sec.WS390ThreadSecurity.setReceived(WS390ThreadSecurity.java:133)
        at com.ibm.ws390.sec.WS390SecurityManager.connectReceivedCredential(WS390SecurityManager.java:118)
        at com.ibm.ws390.rmi.corba.ORBEJSBridge.invoke(ORBEJSBridge.java:349)

In the commit of a transaction started on WebSphere AE, the container on 390 is invoked as a sync. object and drives ejbstore. Ejbstore drives the code to get a datasource and to get a connection. The get of a connection drives the method allocateConnection in WS390AppServerConnectionManager. The call to getCurrentSubjectwithUtoken determines that there is no subject on the thread that is running, so it puts the server subject on the thread. Then, after the call to getCurrentSubjectwithUtoken, allocateConnection invokes pushSubject, and later invokes popSubject. When the container exits processing for the transaction, the server subject is still associated with the thread. The next time a method is invoked on the thread using the normal invoke processing in the ORBEJSBridge, the security code checks the subject on the thread and finds a subject already on the thread.

(MD14899) The TRACEALL modify command accepts input that is not valid (e.g. 12345 where only 0, 1, 2, or 3 is valid). The parser only checks the first digit for validity. However, the digits that follow may still be used in setting the trace mask.

(MD14916) Tracing for the getStreamCacheElement method in the com.ibm.ws390.sm.mm.StreamCacheMgr class shows "ENTRY" for both entry and exit.

(84342) Form-based login fails with web security version 1 when running session-in-memory.
When running with security version 1, the login always fails as if an invalid user ID and/or password were entered, even if valid credentials were supplied.

Problem conclusion
APAR PQ67291 provides the following problem resolution:

(MD14744) The main problem fixed was a problem passing the userid to ExtractIdOpi (bbossuia.mac). Some routines were passing the userid, others a pointer to the userid. The routine was modified to accept a pointer to the userid, and all callers were modified as necessary to match. Minor problems with parameter passing in these routines were also fixed.

(MD14770) Support has been modified to correct the serialization of the RACO reuse stack by changing the stack push and pop routines to use a CDS (Compare Double and Swap) instead of a CS (Compare and Swap), with the second field being a sequence number that gets incremented during the pushRACO function.

(MD14835) A new environment variable, SSL_HANDSHAKE_THREAD_COUNT, has been defined to control the number of threads created in a control region. The default is 3, which is the original fixed value.

(MD14836) Two environment variables have been added to allow users to configure the SSL V3 cipher suites. These environment variables should be added to the server's current.env file.

  SSL_SERVER_V3CIPHERS - Overrides existing setting and sets V3 ciphers for all protocols on the server.
  BBOC_HTTP_SSL_V3CIPHERS - Sets the cipher suite for HTTPS connections only.

Either or both envars may be set on a server. The input to the envar must be in one of the following formats:

  - The exact string to be sent to system SSL, per the system SSL documentation.
    Example: SSL_SERVER_V3CIPHERS=0A09
  - A list of ciphers separated by commas.
    Example: SSL_SERVER_V3CIPHERS=0A,09

Both envars were added to the existing list displayed in the SYSOUT.

(MD14845) Support has been modified such that the call to throw an exception if a subject is found in the current thread has been removed.
(MD14899) The parser has been modified to validate that individual trace values are only one character in length.

(MD14916) Tracing for the getStreamCacheElement method has been changed to show "EXIT" on exit from the method.

(84342) The HTTP session identifier that is sent in a special security cookie must be prepended with an additional data item which is new to the HTTP session implementation associated with service level W401400.

(84356) Service Level incremented to W401403.

The following publications were revised as a result of defect PQ67291:
________________________________________________________________
WebSphere Application Server V4.0.1 for z/OS and OS/390 Installation and Customization GA22-7834-06
WebSphere Application Server V4.0.1 for z/OS and OS/390 Messages and Diagnosis GA22-7837-06
________________________________________________________________
NOTE: Periodically, we refresh the documentation on our Web site, so the changes might have been made before you read this text. To access the latest on-line documentation, go to the product library page at:
http://www.ibm.com/software/webservers/appserv/zos_os390/
________________________________________________________________
GA22-7834-06, Appendix A, pg. 396 (new information)

|----------------------------------------------------------------------------|
|Environment variable=<default>  | DM | SM | Naming | IR | Bus. app | Client |
|----------------------------------------------------------------------------|
|BBOC_HTTP_SSL_V3CIPHERS=string  |    |    |        |    | O        |        |
|----------------------------------------------------------------------------|
|...                             |    |    |        |    |          |        |
|----------------------------------------------------------------------------|
|SSL_SERVER_V3CIPHERS=string     | R  | O  | O      | O  | O        |        |
|----------------------------------------------------------------------------|
________________________________________________________________
GA22-7834-06, Appendix A, pg. 401 (new information)

|--------------------------------------------------------------------------|
|Environment variable=<default>  | ... | SM | Naming | IR | Bus. app | ... |
|--------------------------------------------------------------------------|
|SSL_HANDSHAKE_THREAD_COUNT=n    | ... | O  | O      | O  | O        | ... |
|--------------------------------------------------------------------------|
________________________________________________________________
GA22-7834-06, Appendix A, pg. 409 (new information)

Defines the SSL Version 3 cipher suites that system SSL uses in the SSL handshake for an SSL connection. It overrides any server-wide setting set via the Administration Application. Specify a string as documented in "z/OS System Secure Sockets Layer Programming" (SC24-5901). Each cipher is represented by two characters (for example, "09" instead of "9"). Ciphers must be separated by commas. The default is an empty string, meaning no change is made to the cipher suites.

Examples: SSL_SERVER_V3CIPHERS=09,0A,05
________________________________________________________________
GA22-7834-06, Appendix A, pg. 433 (new information)

SSL_HANDSHAKE_THREAD_COUNT=n
Specifies the number of SSL handshake threads that are present in the control region. The default is 3.

Example: SSL_HANDSHAKE_THREAD_COUNT=10
________________________________________________________________
GA22-7834-06, Appendix A, pg. 433 (new information)

Defines the SSL Version 3 cipher suites that system SSL uses in the SSL handshake for an SSL connection. It overrides any server-wide setting set via the Administration Application. Specify a string as documented in "z/OS System Secure Sockets Layer Programming" (SC24-5901). Each cipher is represented by two characters (for example, "09" instead of "9"). Ciphers must be separated by commas. The default is an empty string, meaning no change is made to the cipher suites.
Examples: SSL_SERVER_V3CIPHERS=09,0A,05
________________________________________________________________
GA22-7837-06, Appendix A, pg. 411 (new information)

BBOU0825E USER INPUT CIPHER OR CIPHER SUITE, string, IS NOT VALID.

Explanation: WebSphere for z/OS detected that a user-specified cipher or cipher string was not valid. Either there was an error in the string or the cipher is not in the list of installed ciphers. Processing continues with the default cipher suite.

User Response: Verify that there are no syntax errors. Check the SSL documentation for a list of valid ciphers.
________________________________________________________________
APAR PQ67291 is associated with SERVICE LEVEL W401403 of WebSphere Application Server V4.0.1 for z/OS and OS/390.

Temporary fix

Comments
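The MD14770 serialization change, sketched as an added example in portable C11 (written for this page, not IBM's code): the stack head packs the top slot and a sequence number into one doubleword, and one interleaving is replayed to show what a single-word compare misses. Slot numbers, function names and the replayed schedule are constructed for illustration.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define NIL 0xFFFFFFFFu
static uint32_t next_of[4];      /* link from each slot to the slot below it */
static _Atomic uint64_t head;    /* low word: top slot, high word: sequence number */

static uint64_t pack(uint32_t top, uint32_t seq) { return ((uint64_t)seq << 32) | top; }
static uint32_t top_of(uint64_t h) { return (uint32_t)h; }
static uint32_t seq_of(uint64_t h) { return (uint32_t)(h >> 32); }

/* Push bumps the sequence number, so a head that returns to the same slot
   after intervening pops and pushes no longer equals an older snapshot. */
void push(uint32_t slot) {
    uint64_t old = atomic_load(&head);
    do {
        next_of[slot] = top_of(old);
    } while (!atomic_compare_exchange_weak(&head, &old, pack(slot, seq_of(old) + 1)));
}

uint32_t pop(void) {
    uint64_t old = atomic_load(&head);
    while (top_of(old) != NIL && !atomic_compare_exchange_weak(
               &head, &old, pack(next_of[top_of(old)], seq_of(old))))
        ;                                       /* failed exchange reloads old */
    return top_of(old);
}

/* Replays one interleaving on a single thread. Returns true if the stale pop is
   accepted, which leaves slot 1 on the stack while another thread still owns it. */
bool stale_pop_accepted(bool compare_sequence) {
    atomic_store(&head, pack(NIL, 0));
    push(0); push(1); push(2);                  /* stack: 2 -> 1 -> 0 */
    uint64_t snap = atomic_load(&head);         /* thread A starts a pop, sees top 2 */
    uint32_t planned = next_of[top_of(snap)];   /* and plans to make slot 1 the top */
    pop(); pop(); push(2);                      /* thread B takes 2 and 1, returns 2 */
    if (compare_sequence)                       /* doubleword compare, CDS style */
        return atomic_compare_exchange_strong(&head, &snap, pack(planned, seq_of(snap)));
    if (top_of(atomic_load(&head)) != top_of(snap)) return false;
    atomic_store(&head, pack(planned, 0));      /* single-word compare, CS style */
    return true;
}

int main(void) {
    printf("CS: %d CDS: %d\n", stale_pop_accepted(false), stale_pop_accepted(true));
    return 0;
}
```
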
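A check for the two input formats MD14836 accepts, added here as an example and not taken from WebSphere: it normalizes a value to the concatenated two-character form and rejects anything that would draw BBOU0825E. The installed-cipher list and the function names are assumptions; uppercasing the codes is also a choice made for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the ciphers installed on the system, two characters each. */
static const char *INSTALLED = "050A09";

static int installed_has(const char *code) {
    for (const char *p = INSTALLED; p[0] && p[1]; p += 2)
        if (p[0] == code[0] && p[1] == code[1]) return 1;
    return 0;
}

/* Accepts "0A09" (exact string) or "0A,09" (comma list) and writes the
   concatenated form to out. An empty value is the documented default and
   yields an empty result. Returns 0 on success, -1 if the value is malformed
   or names a cipher that is not installed. */
int normalize_v3ciphers(const char *in, char *out, size_t outlen) {
    size_t n = 0;
    int commas = strchr(in, ',') != NULL;
    if (outlen == 0) return -1;
    while (*in) {
        char code[2];
        if (!isxdigit((unsigned char)in[0]) || !isxdigit((unsigned char)in[1]))
            return -1;                          /* "9" instead of "09", or junk */
        code[0] = (char)toupper((unsigned char)in[0]);
        code[1] = (char)toupper((unsigned char)in[1]);
        if (!installed_has(code) || n + 3 > outlen) return -1;
        out[n++] = code[0];
        out[n++] = code[1];
        in += 2;
        if (commas) {                           /* exactly one comma between codes */
            if (*in == ',' && in[1] != '\0') in++;
            else if (*in != '\0') return -1;
        }
    }
    out[n] = '\0';
    return 0;
}

int main(void) {
    char buf[64];
    const char *v = "0A,09";                    /* constructed sample value */
    if (normalize_v3ciphers(v, buf, sizeof buf) == 0) printf("%s -> %s\n", v, buf);
    else printf("BBOU0825E USER INPUT CIPHER OR CIPHER SUITE, %s, IS NOT VALID.\n", v);
    return 0;
}
```

Because processing continues with the default cipher suite after BBOU0825E, a value that fails this check leaves the server negotiating with a cipher set other than the one intended, so the check belongs before the restart that picks up current.env.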
APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:

Modules/Macros

Document Information
Product categories: Software > Application Servers >
Distributed Application & Web Servers > WebSphere Application
Server for z/OS
Operating system(s):
Software version: 401
Software edition:
Reference #: PQ67291
IBM Group: Software Group
Modified date: Nov 3, 2002
(C) Copyright IBM Corporation 2000, 2006. All Rights Reserved.