A fix is available
APAR status
Closed as program error.
Error description
During installation of the WLP HellowWorld sample (WLPBUNDLE), a CJSA transaction is attached to refresh the Liberty configuration state. This CJSA task is security checked against the region default userid, which does not have authority to the transaction, causing security violation message DFHXS1111 to be issued. The code being run for that operation is com.ibm.ws.config.xml.internal.ConfigRefresher$1. This is a Liberty internal function and does not require any CICS services. It should not be being run as a CICS task on a T8 TCB. The CICSExecutorService maintains a list of internal Liberty Runnable types which it ensures get executed on standard Java threads. There is a need to add com.ibm.ws.config.xml.internal.ConfigRefresher$1 to this list to prevent this extra CJSA task from running. Additional Symptom(s) Search Keyword(s): KIXREVDAM
Local fix
Grant temporary authority to the region default userid, allowing it to attach transaction CJSA.
Problem summary
**************************************************************** * USERS AFFECTED: All CICS users * **************************************************************** * PROBLEM DESCRIPTION: Security violation against the region * * default USERID to attach CJSA when * * installing a Liberty application bundle * **************************************************************** * RECOMMENDATION: * **************************************************************** A Liberty JVM server has been installed in CICS. A CICS bundle with a Liberty application is then installed into the JVM server. At the end of the installation process, Liberty executes com.ibm.ws.config.xml.internal.ConfigRefresher$1 to update its configuration. CICS then creates a CICS enabled thread for this which causes CJSA task to be attached and run using the default USERID. The default user does not have access to run CJSA then a security violation occurs. Failing to update the configuration prevents the installed bundle from being used.
Problem conclusion
CICSExecutorService.java has been changed to mark com.ibm.ws.config.xml.internal.ConfigRefresher$1 as a Liberty internal thread so that updating Liberty configuration is not executed in a CICS enabled thread.
Temporary fix
FIX AVAILABLE BY PTF ONLY
Comments
APAR Information
APAR number
PI38459
Reported component name
CICS TS Z/OS V5
Reported component ID
5655Y0400
Reported release
900
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2015-04-06
Closed date
2015-06-13
Last modified date
2015-07-17
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
UI28509 PI45194
Modules/Macros
DFJ@H356
Fix information
Fixed component name
CICS TS Z/OS V5
Fixed component ID
5655Y0400
Applicable component levels
R90D PSY UI28509
UP15/06/25 P F506
Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.
[{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\/TPS"},"Product":{"code":"SSGMGV","label":"CICS Transaction Server"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"5.2","Edition":"","Line of Business":{"code":"LOB35","label":"Mainframe SW"}},{"Business Unit":{"code":"BU054","label":"Systems w\/TPS"},"Product":{"code":"SG19M","label":"APARs - z\/OS environment"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"5.2","Edition":"","Line of Business":{"code":"","label":""}}]
Document Information
Modified date:
17 July 2015