Fix (APAR): XD_Business grid_03-05-2007_6.0.2_cumulative_Fix Status: Fix Product: XDV6 Release: 6.0.2.0 Operating System: All operating systems Supersedes Fixes: PK24302,PK28106,PK28814,PK31087,PK35827,PK37358,PK40085,PK39587 Pre-requisite Fixes: Exclusive-requisite Fixes: CMVC Defect: PK40380 Byte size of APAR: 981131 Date: 2007-03-18 Abstract: This update fixes the following problems: (LREE) Long Running Execution Environment fails to start when Java 2 Security is enabled. LREE fails to execute jobs when class loader policy is set to Parent Last. Description/symptom of problem: When Java 2 Security is enabled the LREE application fails to start with warning code SECJ0314W: Current Java 2 Security policy reported a potential violation of Java 2 Security Permission. LREE application also fails to execute Batch and CI jobs when the Class Loader policy is set to Parent Last. Directions to apply fix: Fix applies to Editions: Release: 6.0 6.1 ___ ___ Application Server (Express or Base) ___ ___ Network Deployment (ND) ___ ___ WebSphere Business Integration Server Foundation (WBISF) ___ ___ Edge Components ___ ___ Developer X__ ___ Extended Deployment (XD) Install Fix To: Method: X_ Application Server Nodes __ Deployment Manager Nodes __ Both NOTE: The user must: * Have Administrative rights in Windows, or be the Actual Root User in a UNIX environment. * Be Logged in with the same authority level when unpacking a fix, fix pack or refresh pack. * Be at V6.0.2.5 or later of the Update Installer. This can be checked by reviewing the level of the Update Installer in file /updateInstaller/version.txt The update Installer can be downloaded from the following link: http://www.ibm.com/support/docview.wss?rs=180&uid=swg21205991 For detailed instructions on how to extract the Update Installer see the following Technote: http://www-1.ibm.com/support/docview.wss?rs=180&uid=swg27006162 1) Copy 6.0.2-WS-XD-IFPK40380.pak (for XD 6.0.2 on WAS ND 6.0.2) or 6.0.2-WS-WXD-IFPK40380.pak (for XD 6.0.2 on WAS ND 6.1) file directly to the maintenance directory. 2) Shutdown WebSphere. Manually execute setupCmdLine.bat in Windows or ../setupCmdLine.sh in UNIX from the WebSphere instance that maintenance is being applied to. It is important that you perform a controlled and complete shutdown of the server to ensure that all transactions have completed, before installing the fix. 3) Launch the Update Installer. 4) Enter the installation location of the WebSphere product you want to update. 5) Select the "Install maintenance package" operation. 6) Enter the file name of the maintenance package to install (6.0.2.0-WS-XD-IFPK40380.pak file which was copied into the maintenance directory). 7) Install the maintenance package. The ifix updates: /lib/batchruntime.jar /lib/gridendpointselector.jar /lib/gridapis.jar /installableApps/LongRunnngScheduler.ear /installableApps/LREE.ear 8) This ifix requires that the LongRunningScheduler.ear and LREE.ear applications be re-installed. a) backup your configuration using the backupConfig command. For instructions refer to: http://publib.boulder.ibm.com/infocenter/wasinfo/v6r0/index.jsp search for "backupConfig" b) uninstall the LongRunningScheduler.ear and LREE.ear applications from the cell. c) install the LongRunningScheduler.ear and LREE.ear applications located in /installableApps. For instructions refer to: http://publib.boulder.ibm.com/infocenter/wxdinfo/v6r0/index.jsp search for "Installing the long-running scheduler application EAR file" and "Installing the execution environment" 9) Start the Long Running Scheduler and LREE servers. Directions to remove fix: NOTE: * The user must have Administrative rights in Windows, or be the Actual Root User in a UNIX environment. * FIXES MUST BE REMOVED IN THE ORDER THEY WERE APPLIED. * DO NOT REMOVE A FIX UNLESS ALL FIXES APPLIED AFTER IT HAVE FIRST BEEN REMOVED. * YOU MAY REAPPLY ANY REMOVED FIX. Example: If your system has fix1, fix2, and fix3 applied in that order and fix2 is to be removed, fix3 must be removed first, fix2 removed, and fix3 re-applied. 1) Shutdown WebSphere. Manually execute setupCmdLine.bat in Windows or ../setupCmdLine.sh in UNIX from the WebSphere instance that uninstall is being run against. It is important that you perform a controlled and complete shutdown of the server to ensure that all transactions have completed, before installing the fix. 2) Launch the Update Installer. 3) Enter the installation location of the WebSphere product you want to remove the fix. 4) Select the "Uninstall maintenance package" operation. 5) Enter the file name of the maintenance package to uninstall (6.0.2.0-WS-XD-IFPK40380.pak). 6) Uninstall the maintenance package. 7) Restart WebSphere. Directions to re-apply fix: 1) Shutdown WebSphere. It is important that you perform a controlled and complete shutdown of the server to ensure that all transactions have completed, before installing the fix. 2) Follow the instructions to apply the fix. 3) Restart WebSphere. Additional Information: 1) From IFIX PK37358 : This iFix changes the content of the LREE CHECKPOINTREPOSITORY tables. The meaning of the data in the STEPNAME and BATCHDATASTREAMNAME columns has changed. These columns compose part of the table key. Therefore, jobs which are in restartable state before application of the iFix WILL NOT BE RESTARTABLE after application of the iFix. Such jobs should be purged from the LongRunningScheduler and LREE databases. 2) From IFIX PK35827 : Normally, when WAS security is enabled, the submitters name is expected to be in job requests as part of the credentials supplied when a job is submitted. The scheduler should then pass on this name to the Long-Running Execution Environment (LREE). The Long-Running Execution Environment uses this submitter name to authenticate the submitter and get his security credentials. These credentials then need to be loaded on the job submitting user thread for successful submission of the job. Currently, users do not have the option to choose if a job will or will not run under user credential. In order to enable users to change this behavior, a new custom property, "RunUnderUserCredential", is being introduced at the Dynamic Cluster definition level. The custom property will allow users to enable or disable the ability of jobs to run under user credential. To run jobs under user credentials, users will have to explicitly define the new custom property. If the custom property is not defined or if it is defined and the it's value is set to "false", jobs will not run under user credential. In order to run jobs under user credentials, users will have to create the custom property and set set it's value to "true". The following steps describe how to create the custom property to enable or disable jobs to run under user credential: - Login to WAS administrative console. - On the left panel expand Servers and click on Dynamic Cluster. - On the Dynamic Cluster panel click on the dynamic cluster where the LREE is installed. - On the LREE dynamic cluster panel, under "Additional Properties", click on "Custom Properties". - On the dynamic cluster custom propeties panel click on "New". General properties panel will appear. - Type "RunUnderUserCredential" in the Name field. - Type "true" or "false" in the Value field to enable or disable jobs to run under user credential. - Click "Ok". - Save the configuration. - Stop and start the server where LREE is installed. Note: If the custom property is not defined, jobs will not run under user credential. 3) After applying the IFIX users don't need to change LREE or LRS was.policy file. But they do need to add these 3 permissions in their application's was.policy file: permission com.ibm.websphere.security.WebSphereRuntimePermission "accessRuntimeClasses"; permission com.ibm.websphere.security.WebSphereRuntimePermission "SecOwnCredentials"; permission com.ibm.websphere.security.WebSphereRuntimePermission "ContextManager.getServerCredential";